Niranjan

Reputation: 2229

Azure AD: difference between group-based and role-based authorization

Hi, recently I started working on Azure AD. I have started working on authorization for my .NET Core APIs. I have the below understanding of Azure AD roles and groups.

Azure AD groups: Groups are nothing but a grouping of users who belong to the same business. One user can belong to many groups. Whenever a new user is added, we can associate the user with different groups.

Azure AD group-based authorization for .NET Core: we will have APIs in our .NET Core application. So, bringing together the above Azure AD groups and my .NET Core application, we can have policy-based authorization. For example, a few APIs can be accessed only by certain groups:

using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;

// In Startup.ConfigureServices. The policy is satisfied only when a registered
// handler succeeds the custom GroupsCheckRequirement (an IAuthorizationRequirement).
services.AddAuthorization(options =>
{
    options.AddPolicy("GroupsCheck", policy =>
    {
        policy.AuthenticationSchemes.Add(JwtBearerDefaults.AuthenticationScheme);
        policy.RequireAuthenticatedUser();
        // The argument is the group's object ID (GUID), which is what the
        // "groups" claim in the token carries, not the group's display name.
        policy.Requirements.Add(new GroupsCheckRequirement("group id"));
    });
});

So whenever I have [Authorize(Policy = "GroupsCheck")] on top of a controller, only if the user belongs to the corresponding group ID will he have access to those APIs.

Azure AD roles: Azure AD roles can be assigned to the above-said groups. These roles are used to give access to Azure AD services. For example, one role can have access to virtual machines and other roles can have access to networking things. So whenever we apply a role to groups, the corresponding users in those groups will get the said permissions.

This is my understanding. Please correct me if I have a wrong understanding.

Now my confusion starts here.

Groups do two main things. The first one is that we can do authorization in our .NET app, and the next is that we can group users together using groups and assign roles. But something confusing me is role-based authorization in a .NET Core app. RBAC in Azure is fine-grained access for different users/groups. What would be the relation between RBAC in my .NET Core app and Azure?

Admin consent

The other thing is, for example, I have the Azure AD user role and I have created a .NET Core app and registered it in Azure AD. Now my app needs to access Microsoft Graph. So to give Microsoft Graph access to my app, the tenant admin has to give consent. For example, to read all the groups in the tenant, the app should call Microsoft Graph. This is my understanding of admin consent.

Can someone help me to understand these things correctly? Any help would be appreciated. Thanks.

Upvotes: 4

Views: 6310
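The "GroupsCheck" policy sketched in the question only works once a requirement type and a handler for it exist and the handler is registered in DI. The following is an added example (not code from the question or from Microsoft): the requirement, a handler that checks the "groups" claim in the bearer token, and the registration. The class names GroupsCheckRequirement, GroupsCheckHandler and AddGroupsCheck are assumptions for illustration. It assumes the API's app registration has groupMembershipClaims set in its manifest so that Azure AD emits a "groups" claim, and it fails closed on the group-overage case, where Azure AD omits the "groups" claim and emits "hasgroups" or "_claim_names"/"_claim_sources" instead because the user is in too many groups to list in the token.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical requirement type referenced by the policy in the question.
public sealed class GroupsCheckRequirement : IAuthorizationRequirement
{
    // Object ID (GUID) of the Azure AD group that is allowed through. Compare on the
    // object ID, not the display name: names are not unique and can be renamed.
    public string GroupId { get; }

    public GroupsCheckRequirement(string groupId) => GroupId = groupId;
}

// Hypothetical handler: succeeds the requirement when the token's "groups" claim
// contains the configured group object ID.
public sealed class GroupsCheckHandler : AuthorizationHandler<GroupsCheckRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, GroupsCheckRequirement requirement)
    {
        var user = context.User;

        // Group overage: when the user is in more groups than fit in the token, Azure AD
        // drops "groups" and emits "hasgroups" (v1.0) or "_claim_names"/"_claim_sources"
        // (v2.0) instead. An empty "groups" claim then means "unknown", not "not a member".
        // Deny here; resolving the full list requires a Microsoft Graph call (checkMemberGroups).
        bool overage = user.HasClaim(c => c.Type == "hasgroups")
                    || user.HasClaim(c => c.Type == "_claim_names");
        if (overage)
        {
            context.Fail();
            return Task.CompletedTask;
        }

        // GUIDs may be emitted in either case, so compare case-insensitively.
        bool isMember = user.Claims.Any(c =>
            c.Type == "groups" &&
            string.Equals(c.Value, requirement.GroupId, StringComparison.OrdinalIgnoreCase));

        if (isMember)
        {
            context.Succeed(requirement);
        }

        // Not calling Succeed leaves the requirement unmet, so access is denied by default.
        return Task.CompletedTask;
    }
}

// Registration for Startup.ConfigureServices. Without the AddSingleton line the
// requirement is never evaluated and every request to the policy is denied.
public static class GroupsAuthorization
{
    public static IServiceCollection AddGroupsCheck(this IServiceCollection services, string groupObjectId)
    {
        services.AddSingleton<IAuthorizationHandler, GroupsCheckHandler>();

        services.AddAuthorization(options =>
        {
            options.AddPolicy("GroupsCheck", policy =>
            {
                policy.AuthenticationSchemes.Add(JwtBearerDefaults.AuthenticationScheme);
                policy.RequireAuthenticatedUser();
                policy.Requirements.Add(new GroupsCheckRequirement(groupObjectId));
            });
        });

        return services;
    }
}
```

Call services.AddGroupsCheck("<group object id>") in ConfigureServices and apply [Authorize(Policy = "GroupsCheck")] exactly as the question does. The deny-on-overage branch is the part most implementations forget: a user with a few hundred group memberships gets a token with no "groups" claim at all, and a handler that simply looks for the ID treats that as "not a member" without anyone noticing why.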

Answers (1)

mmking

Reputation: 1575

What would be the relation between RBAC in my .net core app and azure?

Azure AD roles and application roles are not linked together. There are ways to do so (see here), but these are completely separate. Azure AD roles are more for controlling access to Azure resources and don't really apply to application-specific roles (e.g. in a school application, students can't access the grades of the whole class).

So to give Microsoft graph access to my app tenant admin has to give consent.

This is true. Microsoft Graph basically provides an API to get access to everything going on inside the directory. Naturally, as there is sensitive info, permission is required from an admin.

Upvotes: 0
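To make the distinction in the answer concrete, here is an added example (not code from the answer or from Microsoft) of what application roles look like on the .NET Core side. Application roles are declared on the API's own app registration (the "appRoles" collection in the manifest), assigned to users or groups on the enterprise application, and arrive in the access token as a "roles" claim; they have nothing to do with Azure AD directory roles (Global Administrator and so on) or with Azure RBAC roles on subscriptions and resources. The role values Grades.Read and Grades.ReadWrite, the policy names, the controller and the tenantId/apiClientId parameters are assumptions for illustration.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public static class AppRolesAuthorization
{
    // Hypothetical app role values. They must match the "value" field of the
    // appRoles entries declared in the API's app registration manifest.
    public const string GradesRead = "Grades.Read";
    public const string GradesReadWrite = "Grades.ReadWrite";

    // True when the principal carries the given app role. Azure AD emits app roles in a
    // "roles" claim; depending on whether the JWT handler's inbound claim-type mapping is
    // active, that claim may surface as "roles" or as ClaimTypes.Role, so accept both
    // rather than depending on the mapping.
    public static bool HasAppRole(ClaimsPrincipal user, string role) =>
        user.HasClaim(c => (c.Type == "roles" || c.Type == ClaimTypes.Role) && c.Value == role);

    public static IServiceCollection AddAppRolePolicies(
        this IServiceCollection services, string tenantId, string apiClientId)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Accept only tokens issued by this tenant for this API. Assumes the API is
                // set to accept v2.0 tokens, whose "aud" is the client ID; for v1.0 tokens
                // the audience is the App ID URI instead.
                options.Authority = $"https://login.microsoftonline.com/{tenantId}/v2.0";
                options.Audience = apiClientId;
            });

        services.AddAuthorization(options =>
        {
            // A writer role implies reading; a reader role does not imply writing.
            options.AddPolicy("GradesReader", p => p.RequireAssertion(ctx =>
                HasAppRole(ctx.User, GradesRead) || HasAppRole(ctx.User, GradesReadWrite)));

            options.AddPolicy("GradesWriter", p => p.RequireAssertion(ctx =>
                HasAppRole(ctx.User, GradesReadWrite)));
        });

        return services;
    }
}

// Hypothetical controller showing the policies applied per action.
[ApiController]
[Route("api/[controller]")]
public class GradesController : ControllerBase
{
    [HttpGet, Authorize(Policy = "GradesReader")]
    public IActionResult Get() => Ok(new[] { "A", "B" });

    [HttpPost, Authorize(Policy = "GradesWriter")]
    public IActionResult Post() => NoContent();
}
```

Compared with the group-based policy in the question, the API here never needs to know any group object IDs: the mapping from people to permissions lives in the app role assignments in Azure AD, and the token carries only the role values the API itself defined. App roles can be assigned to groups as well as to individual users (group assignment requires an Azure AD Premium license), which is the usual way to connect Azure AD groups to application authorization without putting group membership into the token.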
