如何确定用户是Azure Active Directory中成员的组

Question

I'm using azure active directory to control user access to my web app. This all works well, but I cant figure out how to identify which group the currently logged in user is a member of. In ClaimsIdentity I can see both groups setup in azure, but I cant determine which one of these groups the user is a member of (they will only belong to 1 of 2 groups). I have this code and also a key in my web.config that matches the key of my admin user, but both of my groups are in the claimsidentity object. So how can I determine if this user is in my admin group ?

var groups = identity.Claims.Where(x => x.Type.Equals("groups")).ToList();
        //this is a GUID that should match the group objectID for Adminusers in the azure active directory
        string admin = Helpers.Settings.AdminUser;
        if (groups.Any(c => c.Value.Contains(admin)))
        {
            return true;
        }
        else
        {
            return false;
        }

I must be going about this the wrong way, anyone help me out ?

Answer 1

It seems you have enabled Group Claims to check a user's membership in a specific security group (or groups).

The group claims will return a collection of the Groups and DirectoryRoles that current user is a member of . For example , if user is a global administrator in your AAD , and belongs to one group . With group claims you will get two records(1 groups and 1 directory role) .

If you to want to get all of the groups(no DirectoryRoles) that the user has direct or transitive membership in , we could call the getMemberGroups function using Azure AD Graph API .

In your scenario , to check whether user is in your admin group , you can check whether object ID of admin group exists in groups claim . If exists ,the user belongs to admin group .