NewBieDevRo

Reputation: 497

Programmatically get a user's groups and roles from Azure AD

I am new to Azure AD.

I have a third party API which gives me a userId. I have written a .NET Core API which should take this userID and get the roles and groups of that specific user.

I have read about the Microsoft Graph API. Not sure if this is useful in my scenario.

Also, is there any other way to access the roles and groups of an AD user programmatically?

Upvotes: 3

Views: 6715

Answers (1)

Rohit Saigal

Reputation: 9684

Which API to use to get groups and role information

Firstly, Microsoft Graph API is your best bet to get the information you're looking for.

Which exact API works best for you depends on your scenario (a. do you need top level direct membership or transitive check? b. do you want only security groups or even O365 groups?), so you're the best judge.

I'll list 3 of them here, and you should get some ideas to pick from.

  • memberOf

    Gets both groups and directory roles that the user is a direct member of.

    NOTE: only direct membership matters for this one; the check is NOT transitive (i.e. the user has to be a direct member of the group for that group to be returned. If the user is a member of group1, but group1 is a member of group2, then group2 will NOT be returned. This behavior might be OK for some scenarios but not for others).

    GET /users/{id | userPrincipalName}/memberOf

  • getMemberGroups

    POST /users/{id | userPrincipalName}/getMemberGroups

    Returns all the groups that the user is a member of. The check for this one is transitive, so you're assured that all groups will be returned. Up to 2046 are returned as part of 1 request. It also works with O365 groups, and you can filter down to security-enabled groups using a parameter.

  • getMemberObjects

    Returns all of the groups, directory roles and administrative units that the user is a member of. The check is again transitive.

Implementation and code sample: how to get a token, call the API, etc.

  • Acquiring Token for Authentication

    You should make use of the MSAL or ADAL libraries depending on which Azure AD endpoint you're using: MSAL for v2 and ADAL for v1. Using these libraries is not mandatory but recommended, because they follow best practices and do the heavy lifting for you.

  • Interacting with Microsoft Graph API Endpoints

    Since you're writing in .NET, you can make use of the Microsoft Graph Client Library for .NET (SDK). Again, it's not mandatory to use the client library, but it will make your code more declarative and will be convenient. You can always work with HttpClient and hit the REST endpoints directly if you want.

  • Code Sample

    Microsoft Graph Connect Sample for ASP.NET Core 2.1

    Important parts: look at the GraphService.cs file for methods that get user information, e.g.

    // Load user's profile in formatted JSON.
    public static async Task<string> GetUserJson(GraphServiceClient graphClient, string email, HttpContext httpContext)
    {
        if (email == null) return JsonConvert.SerializeObject(new { Message = "Email address cannot be null." }, Formatting.Indented);

        try
        {
            // Load user profile.
            var user = await graphClient.Users[email].Request().GetAsync();
            return JsonConvert.SerializeObject(user, Formatting.Indented);
        }
        catch (ServiceException e)
        {
            // Graph returned an error (e.g. user not found); surface its message as JSON instead of throwing.
            return JsonConvert.SerializeObject(new { Message = e.Error?.Message }, Formatting.Indented);
        }
    }


    NOTE: The sample makes use of delegated permissions. You may need to make use of application permissions directly or the On-Behalf-Of flow (if you want to do it under a user's context), since you mention yours is an API being called. Also, this is just one of the samples that you should look at to understand how to work with the SDK, but there are many readily available once you start looking further into the Microsoft Graph API and client library documentation. I'll update the answer if I find a sample closer to your exact scenario.

Upvotes: 6
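The following is an added example, not code from the answer above or from the Microsoft sample it links, showing how the three pieces fit together in a .NET Core API that only holds a userId: an MSAL client-credentials token (application permissions, as the NOTE suggests for an API with no signed-in user), a GraphServiceClient built on it, and the direct `memberOf` call beside the transitive `getMemberGroups` call. It assumes the Graph SDK 1.x surface (`.Request().GetAsync()`), placeholder tenant/client values, and Directory.Read.All as the granted application permission; the `UserMembershipLookup` class and its method names are this example's own.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Graph;            // Microsoft Graph .NET SDK (1.x surface: .Request().GetAsync())
using Microsoft.Identity.Client;  // MSAL.NET

public static class UserMembershipLookup
{
    // Placeholders for the API's own app registration; load the secret from a vault, not source.
    const string TenantId = "<tenant-id>", ClientId = "<client-id>", ClientSecret = "<client-secret>";
    static readonly string[] Scopes = { "https://graph.microsoft.com/.default" };

    // Client-credentials flow: the API calls Graph as itself with application permissions
    // (assumed here: Directory.Read.All, admin-consented), since no user is signed in to this API.
    public static GraphServiceClient BuildClient()
    {
        var app = ConfidentialClientApplicationBuilder.Create(ClientId).WithClientSecret(ClientSecret)
            .WithAuthority(new Uri($"https://login.microsoftonline.com/{TenantId}/v2.0")).Build();
        return new GraphServiceClient(new DelegateAuthenticationProvider(async request =>
        {
            var result = await app.AcquireTokenForClient(Scopes).ExecuteAsync(); // MSAL caches and refreshes
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
        }));
    }

    // memberOf: DIRECT membership only, but groups and directory roles come back together
    // as DirectoryObjects, so split them by type and walk every page of results.
    public static async Task<(List<string> Groups, List<string> Roles)> GetDirectMembershipAsync(
        GraphServiceClient graphClient, string userId)
    {
        var groups = new List<string>(); var roles = new List<string>();
        var page = await graphClient.Users[userId].MemberOf.Request().GetAsync();
        while (page != null)
        {
            foreach (var obj in page)
                if (obj is Group g) groups.Add(g.DisplayName);
                else if (obj is DirectoryRole r) roles.Add(r.DisplayName);
            page = page.NextPageRequest == null ? null : await page.NextPageRequest.GetAsync();
        }
        return (groups, roles);
    }

    // getMemberGroups: TRANSITIVE (nested groups included) but returns group ids only;
    // securityEnabledOnly: true drops O365 groups. Up to 2046 ids come back in one call.
    public static async Task<List<string>> GetTransitiveGroupIdsAsync(GraphServiceClient graphClient, string userId)
    {
        var page = await graphClient.Users[userId].GetMemberGroups(securityEnabledOnly: true).Request().PostAsync();
        return new List<string>(page);
    }
}
```

Because the token is the API's own, authorize the caller of your API first; a bare userId from a third party should not be enough to read another tenant user's memberships.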
