Azure Active Directory Group Membership check for Individual User

If one has an Azure App Service, what is the optimal, simplest way to check if a given authenticated User is a member of a given AAD Group?

The MSDN documentation for how to query AAD group membership is nightmarish, bouncing people between Microsoft Graph, Azure Active Directory Graph API, client-side endpoints and server-side code that seems to require an impossible number of IDs -- maintained between portal.azure and one's web.config.

Has anyone found an optimal way, C# .Net side, to simply look at an AAD group and match membership? (I have tried to do Claims using a Registered Azure App with Groups set to All and that path seems way too complex...)

If you have a preferred tutorial to help answer this, would be much appreciated, as MS is deprecating libraries faster than their explanation of how the old ones even worked...

The old way would be to use the Graph API and the isMemberOf function to do a transitive check if a user is in a group. And, you can still do that today if you want.

The new way is to use the Microsoft Graph API. And as you probably know from your research, this is where the engineering teams are investing going forward. So, you should use the checkMemberGroups function in this API going forward.

There is a C# client library for the Microsoft Graph API you can use. I'm assuming you prefer this since you tagged the question with C#. As for a sample, you could look in the GitHub repository here to see how the unit tests are constructed to check a user for group membership, which essentially is a call to CheckMemberGroups, which you can see in this file.
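
The checkMemberGroups call recommended above, written against the Graph REST endpoint with plain HttpClient. This is an added example, not part of the original answer or of Microsoft's sample code. It assumes .NET 6 or later and a caller that already holds a Graph access token; `GroupCheck`, `IsMemberAsync` and `FakeGraph` are hypothetical names, and the IDs and token are constructed values.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;

// Demo against a constructed fake; in production pass a real HttpClient and token.
var admins = Guid.Parse("11111111-1111-1111-1111-111111111111"); // constructed ID
using var http = new HttpClient(new FakeGraph());
Console.WriteLine(await GroupCheck.IsMemberAsync(http, "fake-token", "fake-user", admins));
Console.WriteLine(await GroupCheck.IsMemberAsync(http, "fake-token", "fake-user", Guid.NewGuid()));

public static class GroupCheck
{
    // POST /users/{id}/checkMemberGroups returns the subset of the submitted group
    // IDs the user belongs to; the check is transitive, so nested groups count.
    public static async Task<bool> IsMemberAsync(
        HttpClient http, string accessToken, string userObjectId, Guid groupId)
    {
        var url = "https://graph.microsoft.com/v1.0/users/"
                + Uri.EscapeDataString(userObjectId) + "/checkMemberGroups";
        var body = JsonSerializer.Serialize(new { groupIds = new[] { groupId.ToString() } });
        using var req = new HttpRequestMessage(HttpMethod.Post, url)
        { Content = new StringContent(body, Encoding.UTF8, "application/json") };
        req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);

        using var resp = await http.SendAsync(req);
        // Fail closed: a Graph error must never be read as "is a member".
        if (!resp.IsSuccessStatusCode) return false;
        using var doc = JsonDocument.Parse(await resp.Content.ReadAsStringAsync());
        return doc.RootElement.TryGetProperty("value", out var ids)
            && ids.ValueKind == JsonValueKind.Array
            && ids.EnumerateArray().Any(e => e.ValueKind == JsonValueKind.String
                   && Guid.TryParse(e.GetString(), out var g) && g == groupId);
    }
}

// Constructed stand-in for Graph so the sample runs offline.
sealed class FakeGraph : HttpMessageHandler
{
    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage r, CancellationToken c)
        => Task.FromResult(new HttpResponseMessage(HttpStatusCode.OK) { Content =
            new StringContent("{\"value\":[\"11111111-1111-1111-1111-111111111111\"]}") });
}
```

Passing the user's object ID and the group's object ID, rather than display names, keeps the authorization decision tied to identifiers that cannot be changed by renaming a group.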
