SeanKilleen

Reputation: 8977

.NET Core Azure AD App Registration -- Allow access via groups

Background

I have a .NET Core 3.1 web site deployed in a Docker container via Azure Web Apps for Containers.

The app is registered with my organization's Azure AD for only our organization, and users must be added to be granted access.

The site has been working correctly for some time now with individual-based access. The app uses default access. If someone has access to the site at all, they have access to everything within the site.

Our Azure AD tenant is a Premium P2 Tenant.

Goal

I want to use a security group for access to the application rather than adding individuals to the app in Azure AD.

The problem

Expected behavior

The users are still allowed access to the site, as the group is authorized and they are members of the group.

Actual behavior

The users are denied access unless I also add them as individuals.

In the logs, I see the following:

Message contains error: 'access_denied', error_description: 'AADSTS50105: The signed in user '{EmailHidden}' is not assigned to a role for the application '{Redacted GUID}'(Redacted App Name).

However, in this case, all the individuals are a part of the group that is registered, and the group has the same Default Access role that the individuals had been granted.

Things I have tried:

Question

How can I move from individual user access in an Azure AD enterprise application to Group-based access?

Update: Auth code

Per request, providing the code I use to setup authentication.

IIRC, this is just the out-of-the-box .NET Core setup for Azure. In Startup.cs:

using Microsoft.AspNetCore.Authentication.AzureAD.UI;

// In Startup.ConfigureServices: register the Azure AD OpenID Connect scheme
// and bind the "AzureAd" configuration section (Instance, TenantId, ClientId, ...)
// onto its options.
services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
    .AddAzureAD(options =>
    {
        Configuration.Bind("AzureAd", options);
    });

The AzureAd config section looks like:

  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "(Redacted)",
    "TenantId": "(Redacted Guid)",
    "ClientId": "(Redacted Guid)",
    "CallbackPath": "/signin-oidc"
  }

Upvotes: 1

Views: 342

Answers (1)

Mickaël Derriey

Reputation: 13704

Are users direct members of the group that is assigned to the app?

They need to be, as AAD apps don't support nested groups as per https://learn.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-saasapps

Important

You can use this feature only after you start an Azure AD Premium trial or purchase Azure AD Premium license plan. Group-based assignment is supported only for security groups. Nested group memberships are not supported for group-based assignment to applications at this time.

Upvotes: 1
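The answer's caveat is easy to get wrong in a tenant where security groups are nested: the app assignment only honours direct members of the assigned group, so everyone who reaches it through a nested group still hits AADSTS50105. The following is an added example, not code from the question or the answer, that models that rule over a constructed directory (hypothetical group and user identifiers) and reports which transitive members would be denied unless they are added directly or the group is flattened. In a real tenant the two membership views correspond to the Microsoft Graph endpoints `/groups/{id}/members` (direct) and `/groups/{id}/transitiveMembers`; here both are computed from the inline data so the script runs offline.

```python
"""Who does Azure AD group-based app assignment actually admit?

Group-based assignment counts only DIRECT members of the assigned security
group. A user who is a member of a nested group is a transitive member but
is not assigned to the app and is denied with AADSTS50105.

All identifiers below are constructed placeholders, not real tenant objects.
"""
from typing import Dict, Iterable, List, Set, Tuple

# Constructed directory: group id -> list of (object_type, object_id).
# "grp-app-users" is the group assigned to the enterprise application.
DIRECTORY: Dict[str, List[Tuple[str, str]]] = {
    "grp-app-users": [
        ("user", "alice@contoso.example"),      # direct member -> admitted
        ("group", "grp-team-red"),              # nested group -> members NOT admitted
        ("group", "grp-team-blue"),
    ],
    "grp-team-red": [
        ("user", "bob@contoso.example"),
        ("group", "grp-team-red-contractors"),  # second level of nesting
    ],
    "grp-team-red-contractors": [("user", "carol@contoso.example")],
    "grp-team-blue": [("user", "dave@contoso.example")],
}


def direct_users(directory: Dict[str, List[Tuple[str, str]]], group_id: str) -> Set[str]:
    """Users Azure AD counts for app assignment: direct members only
    (equivalent of Graph /groups/{id}/members filtered to users)."""
    return {oid for otype, oid in directory.get(group_id, []) if otype == "user"}


def transitive_users(directory: Dict[str, List[Tuple[str, str]]], group_id: str) -> Set[str]:
    """Users reachable through any depth of nesting, which is what admins
    usually expect (equivalent of Graph /groups/{id}/transitiveMembers)."""
    seen_groups: Set[str] = set()
    users: Set[str] = set()
    stack = [group_id]
    while stack:
        gid = stack.pop()
        if gid in seen_groups:
            continue  # guard against membership cycles between groups
        seen_groups.add(gid)
        for otype, oid in directory.get(gid, []):
            if otype == "user":
                users.add(oid)
            elif otype == "group":
                stack.append(oid)
    return users


def assignment_report(directory: Dict[str, List[Tuple[str, str]]],
                      assigned_group: str,
                      assigned_users: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Split the group's transitive members into those the app assignment
    admits (direct members plus any individually assigned users) and those
    who are only nested members and would be denied with AADSTS50105."""
    admitted = direct_users(directory, assigned_group) | set(assigned_users)
    denied = transitive_users(directory, assigned_group) - admitted
    return {
        "admitted": sorted(admitted),
        "denied_nested_only": sorted(denied),
    }


if __name__ == "__main__":
    report = assignment_report(DIRECTORY, "grp-app-users")
    print("admitted:          ", report["admitted"])
    print("denied (nested):   ", report["denied_nested_only"])
    # Adding bob individually, as the question describes, admits him but not
    # the other nested members.
    print(assignment_report(DIRECTORY, "grp-app-users", ["bob@contoso.example"]))
```

The `denied_nested_only` list is exactly the set of users to add as direct members of the assigned group (or to cover with a flattened, dynamic group) before enabling group-based assignment; running this kind of comparison before switching is cheaper than discovering the gap from AADSTS50105 entries in the sign-in logs.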
