Reputation: 6796
Microsoft has plenty of documentation on how to handle authentication (authN) with Microsoft identity platform but only little information about proper authorization (authZ). As of right now, I have a single-page application (SPA), that uses MSAL to login users. We also have a backend that validates access tokens sent from the frontend. With this in place, authN works as expected.
For authZ, I have User, Permission and UserPermission tables in the backend which populate users with permissions. I have a custom middleware that queries the database for user and permissions and attaches the permissions as claims to the ClaimsIdentity of the ClaimsPrincipal.
What is the best way to get the Azure AD users into the backend database?
In the frontend I need to display a list of all users which can then be populated with permissions. However, I don't know the best way to "sync" these users such that they can be displayed and populated with data in my backend database.
Current architecture:
Note: I am aware that the Microsoft Identity Platform provides an RBAC mechanism which adds a role claim to the access token. However, my authorization is far more complex such that I cannot use it and secondly authZ claims should not be part of a JWT.
Upvotes: 0
Views: 705
Reputation: 8116
Azure AD supports SCIM 2.0. It provides support to sync users and groups in a standardized way to any backend that implements the required SCIM endpoints.
https://learn.microsoft.com/en-us/azure/databricks/administration-guide/users-groups/scim/aad
There are plenty of paid and open-source packages for .NET implementing the backend part: https://www.nuget.org/packages?q=Scim&frameworks=&tfms=&packagetype=&prerel=true&sortby=relevance
Upvotes: 0
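As an added example (not code from the question, the answer or any of the linked packages): the create and deprovision handling a SCIM 2.0 backend needs for the flow above, written in Python against an in-memory stand-in for the User and UserPermission tables. Handling only path-based Replace operations and the shape of the constructed sample requests are assumptions.

```python
import json

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def _as_bool(value) -> bool:
    # Azure AD has been observed to send booleans as the strings "True"/"False"
    return value if isinstance(value, bool) else str(value).lower() == "true"

class ScimUserStore:
    """In-memory stand-in for the User and UserPermission tables (constructed)."""
    def __init__(self):
        self.users = {}        # local id -> SCIM user resource
        self.permissions = {}  # local id -> set of permission names
        self._next_id = 1

    def create_user(self, raw_body: str) -> dict:
        """POST /Users: externalId is the Azure AD object id and is the stable key."""
        body = json.loads(raw_body)
        if SCIM_USER not in body.get("schemas", []):
            raise ValueError("unsupported schema")
        ext, name = body.get("externalId"), body.get("userName")
        if not ext or not name:
            raise ValueError("externalId and userName are required")
        for user in self.users.values():  # Azure AD retries: same externalId must not duplicate rows
            if user["externalId"] == ext:
                return user
        uid, self._next_id = str(self._next_id), self._next_id + 1
        user = {"schemas": [SCIM_USER], "id": uid, "externalId": ext,
                "userName": name, "active": _as_bool(body.get("active", True))}
        self.users[uid], self.permissions[uid] = user, set()
        return user

    def patch_user(self, uid: str, raw_body: str) -> dict:
        """PATCH /Users/{id}: Azure AD deprovisions by replacing 'active' with false (path-based Replace only, an assumption)."""
        body = json.loads(raw_body)
        if SCIM_PATCH not in body.get("schemas", []):
            raise ValueError("unsupported schema")
        user = self.users[uid]
        for op in body.get("Operations", []):
            if op.get("op", "").lower() != "replace" or "path" not in op:
                raise ValueError("only Replace with a path is supported in this example")
            if op["path"] == "active":
                user["active"] = _as_bool(op["value"])
                if not user["active"]:
                    self.permissions[uid].clear()  # a disabled account keeps no permissions
        return user

    def effective_permissions(self, uid: str) -> set:
        """What the claims middleware would attach as claims: nothing for an inactive user."""
        return set(self.permissions[uid]) if self.users[uid]["active"] else set()
```

The middleware described in the question would read effective_permissions for the authenticated user and turn the result into claims, so a deprovisioned account loses its permissions on the next request without touching the JWT.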