Authorize users with Azure Active Directory in ASP.NET Core

In the previous article we discussed how to integrate Azure AD authentication into an ASP.NET Core web application. Continuing from where we left off, this article shows how to authorize users based on their Azure AD groups.

First of all, you need to create the required groups in Azure AD and then assign one or more groups to a user account. So, open the Azure AD tenant that you used last time and locate the Groups option as shown below:

Then click on New Group to open this page:

Specify a group name (say, TestGroup) and also select which user accounts should be part of the group being created. To do so click on the Members option and search / select user accounts. Click Create to create the group.

You can also add users to a group later, and you can do so from the user account page rather than from the group page.

Once a group is created, go to its page and note down its Object Id:

You will need this Object Id in your ASP.NET Core web application.

Next, go to your registered application and select the Manifest option.

This will open the Manifest editor, where you can modify the application manifest. In the editor, set the groupMembershipClaims property to SecurityGroup. This is needed because your web application reads the user's group membership (the groups claim in the token) to perform authorization.

OK. So, now we have TestGroup ready and user1 account (or whatever user account you created earlier) has been assigned this group.

Open the same web application that you created in the previous article. Then open the appsettings.json file and add the following section to it:

"AzureADGroup": {
    "TestGroupId": "<Object Id of TestGroup, copied from Azure AD>"
}

The AzureADGroup section stores the group's Object Id in a key named TestGroupId (replace the placeholder with the Object Id you noted down earlier).

Next, open the Startup class and add the following code to its ConfigureServices() method (AzureADDefaults comes from the Microsoft.AspNetCore.Authentication.AzureAD.UI namespace used in the previous article):

public void ConfigureServices(IServiceCollection services)
{
    // Azure AD sign-in, configured from the "AzureAD" section added in the previous article
    services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
        .AddAzureAD(options => Configuration.Bind("AzureAD", options));

    // Policy-based authorization: the user must carry a "groups" claim
    // whose value is TestGroup's Object Id, read from the AzureADGroup section
    services.AddAuthorization(options => {
        options.AddPolicy("TestGroupPolicy", policyBuilder =>
            policyBuilder.RequireClaim("groups", Configuration["AzureADGroup:TestGroupId"]));
    });

    // MVC registration from the previous article remains unchanged
}

As you can see, the AddAuthorization() method enables policy-based authorization by defining an authorization policy named TestGroupPolicy. TestGroupPolicy specifies a condition that the user must have a groups claim whose value matches TestGroup's Object Id (picked from appsettings.json).

You can define more than one policy here, but for our purpose TestGroupPolicy is sufficient.

Then go to the Index() action in HomeController and change the [Authorize] attribute like this:

[Authorize(Policy = "TestGroupPolicy")]
public IActionResult Index()
{
    ViewBag.UserName = User.Identity.Name;
    return View();
}

The [Authorize] attribute now sets the Policy property to TestGroupPolicy.

If you sign in with a user account that has been assigned the TestGroup group, you will see the sign-in success message as before. However, if you sign in with a user account that is not a member of TestGroup, you will get an Access denied error.
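As an added example (not code from the original article), the RequireClaim policy above can be replaced by a custom requirement and handler that performs the same membership check but also fails closed when Azure AD has left the groups claim out of the token. Azure AD does this when a user belongs to more groups than fit in a token, and signals it with a hasgroups claim (v1.0 access tokens) or _claim_names / _claim_sources claims (ID tokens and v2.0 tokens); a plain RequireClaim policy simply denies such users without telling you why. The class names, the AddAzureAdGroupPolicy extension method and its parameters are my own choices; the configuration key and policy name are the ones used in this article.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

// Requirement: the signed-in user must be a member of the Azure AD group
// whose Object Id was supplied when the policy was registered.
public class AzureAdGroupRequirement : IAuthorizationRequirement
{
    public string GroupObjectId { get; }

    public AzureAdGroupRequirement(string groupObjectId)
    {
        // Fail at startup rather than silently granting nobody (or everybody) access
        if (string.IsNullOrWhiteSpace(groupObjectId))
            throw new ArgumentException("Group Object Id must be configured.", nameof(groupObjectId));
        GroupObjectId = groupObjectId;
    }
}

// Handler: evaluates the requirement against the claims in the signed-in principal.
public class AzureAdGroupHandler : AuthorizationHandler<AzureAdGroupRequirement>
{
    private readonly ILogger<AzureAdGroupHandler> _logger;

    public AzureAdGroupHandler(ILogger<AzureAdGroupHandler> logger) => _logger = logger;

    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, AzureAdGroupRequirement requirement)
    {
        var user = context.User;

        // Overage: Azure AD omitted the groups claim because the user is in too many
        // groups. Membership is unknown, so deny explicitly and log it for the operator.
        if (user.HasClaim(c => c.Type == "hasgroups") ||
            user.HasClaim(c => c.Type == "_claim_names"))
        {
            _logger.LogWarning(
                "Groups overage for user {User}: group membership is not present in the token.",
                user.Identity?.Name);
            context.Fail();
            return Task.CompletedTask;
        }

        // Normal case: compare every "groups" claim value with the configured Object Id
        var groupIds = user.FindAll("groups").Select(c => c.Value);
        if (groupIds.Contains(requirement.GroupObjectId, StringComparer.OrdinalIgnoreCase))
        {
            context.Succeed(requirement);
        }
        else
        {
            _logger.LogInformation(
                "User {User} is not a member of group {GroupId}.",
                user.Identity?.Name, requirement.GroupObjectId);
            // Not calling Succeed() leaves the requirement unmet, so access is denied
        }
        return Task.CompletedTask;
    }
}

// Registration helper (hypothetical name) for Startup.ConfigureServices:
//   services.AddAzureAdGroupPolicy(Configuration, "TestGroupPolicy", "AzureADGroup:TestGroupId");
public static class AzureAdGroupPolicyExtensions
{
    public static IServiceCollection AddAzureAdGroupPolicy(
        this IServiceCollection services, IConfiguration configuration,
        string policyName, string groupIdConfigKey)
    {
        services.AddSingleton<IAuthorizationHandler, AzureAdGroupHandler>();
        services.AddAuthorization(options =>
            options.AddPolicy(policyName, policyBuilder =>
                policyBuilder.AddRequirements(
                    new AzureAdGroupRequirement(configuration[groupIdConfigKey]))));
        return services;
    }
}
```

The [Authorize(Policy = "TestGroupPolicy")] attribute on the Index() action stays exactly as shown above; only the policy's definition changes. The handler compares group Object Ids rather than group display names, which is what groupMembershipClaims = SecurityGroup puts into the groups claim, and calling context.Fail() on overage guarantees the denial cannot be overridden by another handler registered for the same requirement.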

That's it for now! Keep coding!!

Bipin Joshi is an independent software consultant, trainer, author, and meditation teacher. He has been programming, meditating, and teaching for 25+ years. He conducts instructor-led online training courses in the ASP.NET family of technologies for individuals and small groups. He is a published author and has authored or co-authored books for Apress and Wrox press. Having embraced the Yoga way of life, he also teaches Ajapa Yoga to interested individuals.


Posted On : 19 August 2019

Tags : ASP.NET ASP.NET Core MVC C# Visual Studio