Cannot Authenticate with Azure AD Policy: Authorization failed with Forbidden

Question

We are migrating from Windows Authentication to Azure AD.

We have a policy like this:

    services.AddAuthorization(options =>
    {
        options.AddPolicy("Test", policy => policy.RequireClaim(ClaimTypes.Role, "Test"));
    });

    services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
            .AddAzureAD(options => this.Configuration.Bind("AzureAd", options))
            .AddCookie();

My controller is decorated with

[Authorize(Policy = "Test")]

here is the manifest json:

    "appRoles": [
    {
        "allowedMemberTypes": [
            "User"
        ],
        "description": "Security group for Test.",
        "displayName": "Test",
        "id": "5500dd65-c64b-400e-98dd-8e255563aefe",
        "isEnabled": true,
        "lang": null,
        "origin": "Application",
        "value": "Test"
    }
],

We assigned a valid group to this app role from azure portal.

Working perfect on my local environment, but after deploy it to dev environment, we got Forbidden back for authorization.

checked the logs, we found something like below:

AuthenticationScheme: AzureADCookie was not authenticated.
AuthenticationScheme: AzureADCookie was forbidden.
Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter'.

For all who read this far - thanks in advance!

Answer 1

Finally, I found the issue: nothing wrong with the code...

We are currently using Windows Authentication.

After migrating from Windows Authentication to Azure AD Authentication, and published the code changes to our Dev environment, we need to change the IIS configuration on Dev server: to:

1. Disabled Windows Authentication
2. Enable Anonymous Authentication