How to determine which group a user is a member of in Azure Active Directory
I'm using Azure Active Directory to control user access to my web app. This all works well, but I can't figure out how to identify which group the currently logged-in user is a member of. In ClaimsIdentity I can see both groups set up in Azure, but I can't determine which one of these groups the user is a member of (they will only belong to 1 of 2 groups). I have this code and also a key in my web.config that matches the key of my admin user, but both of my groups are in the ClaimsIdentity object. So how can I determine if this user is in my admin group?
using System;
using System.Linq;
using System.Security.Claims;

// Returns true when one of the "groups" claims carries the admin group's object ID.
static bool IsAdmin(ClaimsIdentity identity)
{
    var groups = identity.Claims.Where(x => x.Type.Equals("groups")).ToList();
    // This is a GUID that should match the group objectId for AdminUsers in Azure Active Directory.
    string admin = Helpers.Settings.AdminUser;
    // Compare the whole claim value rather than using Contains(): a substring match would
    // also accept a value that merely embeds the GUID, so an exact comparison is the safe test.
    return groups.Any(c => string.Equals(c.Value, admin, StringComparison.OrdinalIgnoreCase));
}
I must be going about this the wrong way; can anyone help me out?
It seems you have enabled Group Claims to check a user's membership in a specific security group (or groups).
The group claims will return a collection of the Groups and DirectoryRoles that the current user is a member of. For example, if a user is a global administrator in your AAD and belongs to one group, with group claims you will get two records (1 group and 1 directory role).
If you want to get all of the groups (no DirectoryRoles) that the user has direct or transitive membership in, you could call the getMemberGroups function using the Azure AD Graph API.
In your scenario, to check whether the user is in your admin group, you can check whether the object ID of the admin group exists in the groups claim. If it exists, the user belongs to the admin group.
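The check the answer describes, as an added, self-contained example (this is not code from the question or the answer): build a ClaimsIdentity with constructed "groups" claims, compare each claim value against the admin group's object ID as a whole string rather than a substring, and detect the group-overage case, where Azure AD leaves "groups" out of the token and emits "_claim_names"/"_claim_sources" instead, so that membership must then be resolved server-side (for instance with getMemberGroups, as the answer notes). The object IDs, user names and the `GroupCheck` class are placeholders assumed for illustration; in a real app the admin group ID would come from web.config as in the question.

```csharp
using System;
using System.Linq;
using System.Security.Claims;

// Added example, not part of the original question or answer.
public static class GroupCheck
{
    // Assumed placeholder object IDs; replace with the objectId values of your own AAD groups.
    private const string AdminGroupObjectId = "11111111-2222-3333-4444-555555555555";
    private const string UsersGroupObjectId = "66666666-7777-8888-9999-000000000000";

    // True when the identity carries a "groups" claim whose value equals groupObjectId.
    // Whole-value comparison: a Contains() substring test could be satisfied by a value
    // that merely embeds the GUID, so it must not be used for an authorization decision.
    public static bool IsMemberOf(ClaimsIdentity identity, string groupObjectId)
    {
        return identity.FindAll("groups")
            .Any(c => string.Equals(c.Value, groupObjectId, StringComparison.OrdinalIgnoreCase));
    }

    // Azure AD omits "groups" and emits "_claim_names"/"_claim_sources" when the user is in
    // more groups than fit in the token. The claim set is then incomplete, and a missing
    // "groups" claim must not be read as "not a member"; resolve membership server-side instead.
    public static bool HasGroupOverage(ClaimsIdentity identity)
    {
        return identity.HasClaim(c => c.Type == "_claim_names");
    }

    public static void Main()
    {
        // Constructed sample: a user who is only in the admin group.
        var admin = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.NameIdentifier, "user-a"),
            new Claim("groups", AdminGroupObjectId),
        }, "Federation");

        // Constructed sample: a user who is only in the regular users group.
        var user = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.NameIdentifier, "user-b"),
            new Claim("groups", UsersGroupObjectId),
        }, "Federation");

        // Constructed sample: an overage token with no "groups" claim at all.
        var overage = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.NameIdentifier, "user-c"),
            new Claim("_claim_names", "{\"groups\":\"src1\"}"),
        }, "Federation");

        Console.WriteLine("user-a is admin: " + IsMemberOf(admin, AdminGroupObjectId));
        Console.WriteLine("user-b is admin: " + IsMemberOf(user, AdminGroupObjectId));
        Console.WriteLine("user-c has overage: " + HasGroupOverage(overage)
            + " (admin check on this token is not trustworthy: "
            + IsMemberOf(overage, AdminGroupObjectId) + ")");
    }
}
```

Run it as a console project; the first two lines print True and False, and the third shows that the overage token reports no admin membership only because the groups claim is absent, which is why the overage check has to run before the membership check.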