.Net Core Azure AD Cloud how to get logged in user and access their Azure AD Security Groups to determine if they are in a group

Azure AD Cloud how to get logged in user and access their Azure AD Security Groups to determine if they are in a group? I have used WindowsIdentity to get this information in the past when we had AD on premises but it doesn't work for Azure AD cloud. How could I get the logged on user information and all the security groups they are a member of? I am lost on how to do this. I have spent a lot of time trying to find answers but no luck.

There are two possible ways you could do this:

  1. Use relevant Microsoft Graph APIs to query group information

    Here are a couple of APIs that seem relevant (you may find some others too)

    Check member groups - This one will be helpful if you already know a set of groups that you want to check/validate membership against an already known list of groups and take some decisions.

    POST https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/checkMemberGroups

    In the request body, you can provide groupIds, i.e. a collection that contains the object IDs of the groups in which to check membership. Up to 20 groups may be specified.

     { "groupIds": [ "fee2c45b-915a-4a64b130f4eb9e75525e", "4fe90ae065a-478b9400e0a0e1cbd540" ] }

    user: getMemberGroups - This one will be helpful if you want to get all the groups that this user belongs to. Returns all the groups that the user is a member of.

    The check for this one is transitive, so you're assured that all groups will be returned. Up to 2046 are returned as part of 1 request. It also works with O365 groups and you can filter down to SecurityEnabled groups using a parameter.

    POST https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/getMemberGroups
  2. Getting Group Membership Claims as part of Token

    You can enable group claims to come in as part of the access token for your application by editing your application's manifest (this can be done directly in the Azure Portal) and setting the "groupMembershipClaims" property to "All" or "SecurityGroup" as needed.

    Once the application manifest is updated as mentioned above, you can get Group IDs as part of claims. Here's a quick sample for a decoded JWT token:

    (image: sample decoded JWT token)

Comparing approaches, and the limit on the number of groups that can be returned as part of the token

Approach with Microsoft Graph API could have a couple of advantages, so choose appropriately based on your application's requirements/scenarios you want to support.

  • You don't need to worry about the overage scenario with the Microsoft Graph API

    When you enable groupMembershipClaims to come in as part of the token, if a user is part of too many groups, to ensure that the token size doesn't exceed HTTP header size limits, Azure AD limits the number of objectIds that it includes in the groups claim. If a user is a member of more groups than the overage limit (150 for SAML tokens, 200 for JWT tokens), then Azure AD does not emit the groups claim in the token. Instead, it includes an overage claim in the token that indicates to the application to use the Graph API to retrieve the user's group membership.

  • The access token will only include group IDs; if you need any other information like the name of the group or any other property, you need to query using the Microsoft Graph API again.

Consider using Application Roles

Since you mention that you're about to use Group membership information to make some authorization decisions, please do know that Azure AD also provides a feature to define application specific roles that can then be assigned to users and help in making authorization decisions.

You can read more about it here on Microsoft Docs. These can be used alone or even in combination with group claims to take authorization decisions. These links might help as well.

Code Samples
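The claim handling the answer describes, as an added example that is not part of the original answer: parse the groups claim out of an access token, recognise the overage case (Azure AD replaces groups with _claim_names/_claim_sources), and build a checkMemberGroups body that respects the 20-group cap. The tokens and group IDs are constructed fixtures; signature validation is assumed to have been done by the auth middleware before any claim is trusted.

```python
import base64
import json

# Constructed placeholders, not real Azure AD object ids.
ADMINS = "11111111-1111-1111-1111-111111111111"
READERS = "22222222-2222-2222-2222-222222222222"

def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(payload):
    """Test fixture: header.payload.signature with a dummy signature."""
    return ".".join([_b64url({"alg": "RS256", "typ": "JWT"}), _b64url(payload), "sig"])

def decode_payload(token):
    """Parse the payload segment; assumes the middleware already validated the signature."""
    seg = token.split(".")[1]
    seg += "=" * (-len(seg) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))

def groups_from_token(token):
    """Return (group_ids, overage). overage=True means Azure AD dropped the
    'groups' claim and emitted _claim_names/_claim_sources instead, so the
    app must fetch membership from Graph (getMemberGroups/checkMemberGroups)."""
    claims = decode_payload(token)
    if "groups" in claims:
        return set(claims["groups"]), False
    if "groups" in claims.get("_claim_names", {}):
        return set(), True
    return set(), False  # no groups, or groupMembershipClaims not enabled

def is_member(token, group_id):
    ids, overage = groups_from_token(token)
    if overage:
        raise LookupError("groups overage: query Graph getMemberGroups instead")
    return group_id in ids

def check_member_groups_body(group_ids):
    """Body for POST /users/{id}/checkMemberGroups; the API caps it at 20 ids."""
    if len(group_ids) > 20:
        raise ValueError("checkMemberGroups accepts at most 20 group ids")
    return {"groupIds": list(group_ids)}

# Constructed sample tokens: one with a groups claim, one in the overage form.
NORMAL = make_token({"sub": "u1", "groups": [ADMINS, READERS]})
OVERAGE = make_token({"sub": "u2", "_claim_names": {"groups": "src1"},
                      "_claim_sources": {"src1": {"endpoint": "https://graph.microsoft.com/v1.0/users/u2/getMemberGroups"}}})
```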
