
Authentication using Azure Active Directory

I have created a group on the Azure portal for AAD authentication. I want a user that is not in either group (but exists in AAD) to not even be able to log in to the site. I am using ASP.NET Core as the backend.

If you want to configure your application to receive group claims, you need to set the "groupMembershipClaims" value to SecurityGroup in the Manifest file.

  1. In your application settings page on the Application Registration Portal, click on "Manifest" to open the inline manifest editor.

  2. Edit the manifest by locating the "groupMembershipClaims" setting, and setting its value to "SecurityGroup".

  3. Save the manifest.

    {
      ...
      "errorUrl": null,
      "groupMembershipClaims": "SecurityGroup",
      ...
    }

When the groups claim is enabled for an application, Azure AD includes a claim in the JWT and SAML tokens that contains the object identifiers (objectId) of all the groups to which the user belongs, including transitive group membership.

But please note that to ensure that the token size doesn't exceed HTTP header size limits, Azure AD limits the number of objectIds that it includes in the groups claim. If a user is a member of more groups than the overage limit (150 for SAML tokens, 200 for JWT tokens), then Azure AD does not emit the groups claim in the token. Instead, it includes an overage claim in the token that indicates to the application to query the Graph API to retrieve the user's group membership. For more details, please refer to the blog.


So you need to do some processing:

  1. Check for the claim _claim_names with one of the values being groups. This indicates overage.

  2. If found, make a call to the endpoint specified in _claim_sources to fetch the user's groups.

  3. If none is found, look into the groups claim for the user's groups.

Of course, you can directly call the Microsoft Graph API to retrieve the current user's groups without using group claims.

Regarding how to authorize based on those groups, you can implement it with the ASP.NET Core middleware libraries. The ASP.NET middleware supports roles populated from claims by specifying the claim in the RoleClaimType property of TokenValidationParameters. Since the groups claim contains the object IDs of the security groups rather than their actual names, you'd use the group IDs instead of group names. For more details, please refer to the sample.

Startup.cs

    // The following lines of code instruct the ASP.NET Core middleware to use the data in the "groups" claim in the Authorize attribute and User.IsInRole()
    // See https://learn.microsoft.com/en-us/aspnet/core/security/authorization/roles?view=aspnetcore-2.2 for more info.
    services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
    {
        // Use the groups claim for populating roles
        options.TokenValidationParameters.RoleClaimType = "groups";
    });

Then use it:

    [Authorize(Roles = "Group-object-id")] // In controllers
    // or
    User.IsInRole("Group-object-id"); // In methods
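An added example, not taken from any of the answers or from Microsoft's samples, that ties the overage check described above to the question's requirement: a user outside the allowed groups is refused during sign-in, not just at the controller level. It assumes the AzureAD.UI package and the AzureADDefaults.OpenIdScheme used in the Startup.cs snippet above; the GroupGate class and the AllowedGroupIds values are placeholders of my own.

```csharp
using System.Linq;
using System.Security.Claims;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.AzureAD.UI;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;

public static class GroupGate
{
    // Object IDs of the security groups allowed to sign in (constructed placeholder values).
    private static readonly string[] AllowedGroupIds =
    {
        "00000000-0000-0000-0000-000000000001",
        "00000000-0000-0000-0000-000000000002",
    };

    // Returns null when the user may sign in, otherwise the reason sign-in is refused.
    public static string? CheckGroups(ClaimsPrincipal user)
    {
        // Overage case: the groups claim is absent and _claim_names lists "groups".
        var claimNames = user.FindFirst("_claim_names")?.Value;
        if (claimNames != null)
        {
            using var doc = JsonDocument.Parse(claimNames);
            if (doc.RootElement.TryGetProperty("groups", out _))
                return "Group overage: membership must be read from Microsoft Graph.";
        }
        // Normal case: compare every value of the groups claim with the allow-list.
        var isMember = user.FindAll("groups").Any(c => AllowedGroupIds.Contains(c.Value));
        return isMember ? null : "User is not a member of an allowed group.";
    }

    // Call from Startup.ConfigureServices after the AzureAD authentication registration.
    public static IServiceCollection AddGroupGate(this IServiceCollection services)
    {
        services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
        {
            options.TokenValidationParameters.RoleClaimType = "groups";
            options.Events.OnTokenValidated = ctx =>
            {
                var reason = ctx.Principal == null ? "No principal." : CheckGroups(ctx.Principal);
                if (reason != null)
                    ctx.Fail(reason); // sign-in is rejected before any session cookie is issued
                return Task.CompletedTask;
            };
        });
        return services;
    }
}
```

The overage branch refuses sign-in rather than silently granting access; a production version would look the membership up through Microsoft Graph at that point, as the answer's step 2 describes.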

I assume that you want to authenticate into AD using ASP.NET Core on Azure AD.

If you are using ASP.NET Core 2.1 or later, the easiest way is to use OpenID's OAuth2.0/OIDC flow against Azure AD. Azure AD also supports SAML 2.0, not just OAuth2.0/OIDC.

Using OAuth2.0 on Azure AD is recommended by Microsoft, because it's quite a bit easier to learn and to implement than implementing SAML 2.0 on Azure AD.

Microsoft has provided a sample application using ASP.NET Core to demo authentication to Azure AD by using a specific library to help access Azure AD authentication, and it is called Microsoft Identity Platform (previously it was called MSAL 2.0).

The overview of Azure AD identities for software developers is available at: official MS Docs page of Azure AD's Microsoft Identity Platform

A list of sample applications for authenticating users to Azure AD is available at the landing page of various Microsoft Identity Platform code samples

NOTES:

  1. Your web application MUST BE registered first to be able to authenticate to Azure AD.
  2. Your web application cannot use the OAuth2.0 "resource owner" grant model that passes the user ID and password directly to Azure AD, because a web application must show the consent screen to log in to Azure AD.

You can use groups claims in Azure AD; configure your application in the Azure portal to receive group claims by editing the manifest:

{
  ...
  "errorUrl": null,
  "groupMembershipClaims": "SecurityGroup",
  ...
}

The ID token issued by Azure AD will include the current user's group ID list in the groups claim; then, in an ASP.NET Core application (3.0 for example), you can restrict access with:

services.AddControllersWithViews(options =>
    {
        var policy = new AuthorizationPolicyBuilder()
            .RequireAuthenticatedUser().RequireClaim("groups", "YourGroupID")
            .Build();
        options.Filters.Add(new AuthorizeFilter(policy));
    });

Note: From the document:

If a user is a member of more groups than the overage limit (150 for SAML tokens, 200 for JWT tokens), then the Microsoft Identity Platform does not emit the groups claim in the token. Instead, it includes an overage claim in the token that indicates to the application to query the Graph API to retrieve the user's group membership.
