markau

Reputation: 932

Azure Mobile App Service - Cordova, with C# backend, using Azure AD. How to check roles?

I have got the Azure authentication working and can limit access to controllers using [Authorize] attributes like in the documentation. So far I love it.

I am going to need to have some users with elevated privileges, however, and we would normally use an AD Security Group. "Great!", I thought, "I'll just use the [Authorize(Roles = "AD Security Group")]" and I can get back into developing the app!

Well, I was wrong. Two days later and I have just gone around in circles. I have arrived at the conclusion that the roles claim is not being provided by AAD, so the ClaimsPrincipal does not contain roles, and so can't provide the information to the authorize attribute.

I see a lot of older information out there about this (Azure Mobile App is pretty new) and it's muddied the waters quite a bit. Is the current solution to this to query the AD Graph API to get the roles info?

Or, perhaps, write a custom attribute to call the /.auth/me endpoint to get the role information?

I am so confused! Would someone please point me in the right direction?

Upvotes: 1

Views: 187

Answers (1)

Adrian Hall

Reputation: 8035

You need to do some work to get the AAD groups into the claims. I wrote a blog about this. Although it implements authorization in Node, the configuration on the AAD side is identical.

In terms of the getting it into the Authorize Roles, the Azure Mobile Apps Server SDK does not do this presently for you. (I think it's a good idea, so feel free to file an issue on our GitHub repository)

If you are writing the attribute yourself, I'd use the GetAppServiceIdentityAsync<>() method to get the claims - don't query /.auth/me yourself.

Upvotes: 2
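As an added illustration of the approach the answer recommends (this is example code, not from the question, the answer, or the Azure Mobile Apps SDK), the following ASP.NET Web API filter for a C# Azure Mobile Apps backend checks AAD security-group membership by reading the claims through GetAppServiceIdentityAsync<AzureActiveDirectoryCredentials>() rather than calling /.auth/me. It assumes the AAD app registration has already been configured to emit group claims (the AAD-side setup the answer's blog covers), so the token carries "groups" claims whose values are group object IDs; the claim type name "groups" and the group ID used on the sample controller are assumptions and placeholders.

```csharp
// Added example (not the project's or the answerer's code): a Web API authorization
// filter for an Azure Mobile Apps C# backend that authorizes by AAD security group.
// Assumption: the AAD app registration emits group membership claims, so the token
// contains one "groups" claim per group, with the group's object ID as the value.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;
using Microsoft.Azure.Mobile.Server.Authentication;

public class AadGroupAuthorizeAttribute : AuthorizationFilterAttribute
{
    // Claim type AAD uses for group membership when group claims are enabled (assumption).
    private const string GroupsClaimType = "groups";

    private readonly string[] _allowedGroupIds;

    // Pass the object IDs of the AAD security groups that may call the action.
    public AadGroupAuthorizeAttribute(params string[] allowedGroupIds)
    {
        _allowedGroupIds = allowedGroupIds ?? new string[0];
    }

    public override async Task OnAuthorizationAsync(
        HttpActionContext actionContext, CancellationToken cancellationToken)
    {
        var request = actionContext.Request;
        var principal = actionContext.RequestContext.Principal;

        // Fail closed: an unauthenticated caller never reaches the group check.
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
        {
            actionContext.Response = request.CreateResponse(HttpStatusCode.Unauthorized);
            return;
        }

        // Let App Service Authentication resolve the AAD identity and its claims for us,
        // which is what the answer recommends instead of querying /.auth/me directly.
        var creds = await request.GetAppServiceIdentityAsync<AzureActiveDirectoryCredentials>();
        if (creds == null || creds.UserClaims == null)
        {
            actionContext.Response = request.CreateResponse(HttpStatusCode.Unauthorized);
            return;
        }

        if (!IsMemberOfAllowedGroup(creds.UserClaims, _allowedGroupIds))
        {
            // Authenticated but not in a permitted group: 403, not 401.
            actionContext.Response = request.CreateResponse(HttpStatusCode.Forbidden);
        }
    }

    // Pure membership check, kept separate so it can be unit-tested with constructed claims.
    // Group object IDs are GUIDs, so an ordinal case-insensitive comparison is sufficient.
    public static bool IsMemberOfAllowedGroup(IEnumerable<Claim> claims, string[] allowedGroupIds)
    {
        var groups = claims
            .Where(c => string.Equals(c.Type, GroupsClaimType, StringComparison.OrdinalIgnoreCase))
            .Select(c => c.Value);

        return groups.Any(g =>
            allowedGroupIds.Any(a => string.Equals(a, g, StringComparison.OrdinalIgnoreCase)));
    }
}

// Usage on a controller. The group ID below is a placeholder; substitute the object ID
// of the real AAD security group. [Authorize] is kept so the SDK's own authentication
// check still runs first.
[Authorize]
[AadGroupAuthorize("00000000-0000-0000-0000-000000000000")]
public class AdminController : ApiController
{
    public IHttpActionResult Get()
    {
        return Ok("elevated access granted");
    }
}
```

Because the check runs against the claims App Service already validated, the backend never trusts group information supplied by the client. One caveat when adopting this: when a user belongs to more groups than AAD will place in a token, AAD emits an overage marker instead of the group list, so no "groups" claims are present and this filter denies access (fail closed); a directory with such users needs the Graph API lookup the question mentions as a fallback.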
