Authorize users with Azure Active Directory in ASP.NET Core

In the previous article
we discussed how to integrate Azure AD authentication in an ASP.NET Core web
application. Continuing from where we left off, this article shows how to
authorize users based on their Azure AD group membership.
First you need to create the required groups in Azure AD and then add one or
more user accounts to each group. So, open the Azure AD tenant that you used
last time and locate the Groups option as shown below:

Then click on New Group to open this page:

Specify a group name (say, TestGroup) and also select which user accounts
should be part of the group being created. To do so click on the Members option
and search / select user accounts. Click Create to create the group.
You can also add users to a group later, either from the group's page or from
the user account's page.
Once a group is created, go to its page and note down its Object Id:

You will need this Object Id in your ASP.NET Core web application. Azure AD
puts group membership into tokens as group object IDs (GUIDs), not display
names, so the Object Id is the value the application will compare against.
Next, go to your registered application and select the Manifest option.

This will open the manifest editor where you can modify the application
manifest. In the editor, set the groupMembershipClaims property to
SecurityGroup (the other common values are None, which is the default and emits
no group information, and All, which also includes distribution lists). You
need to do this because the web application wants to read group information
from the token to perform authorization.
One caveat to keep in mind: Azure AD only emits the groups claim up to a limit
(200 groups for JWT tokens, 150 for SAML). A user who belongs to more groups
than that gets a token without a groups claim; instead it carries _claim_names
and _claim_sources claims that point to Microsoft Graph. A claim check like the
one built below simply fails for such a user, so if your users can be in many
groups, plan for that case (for example by querying Graph, or by restricting
the emitted groups to those assigned to the application).

OK. So, now we have TestGroup ready and the user1 account (or whatever user
account you created earlier) is a member of it.
Open the same web application that you created with the
previous article. Then
open appsettings.json file and add the following section to it:
"AzureADGroup": {
    "TestGroupId": "YOUR_GROUP_OBJECT_ID_HERE"
}
The AzureADGroup section stores the group's Object Id in a key named
TestGroupId.
Next, open the Startup class and add the following code to its
ConfigureServices() method (the using directives go at the top of the file):
using Microsoft.AspNetCore.Authentication.AzureAD.UI;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public void ConfigureServices(IServiceCollection services)
{
    // Authentication (from the previous article): sign in with Azure AD using
    // the settings stored in the "AzureAD" section of appsettings.json.
    services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
        .AddAzureAD(options => Configuration.Bind("AzureAD", options));

    // Authorization: a policy that is satisfied only when the signed-in user's
    // token carries a "groups" claim whose value is TestGroup's Object Id.
    services.AddAuthorization(options =>
    {
        options.AddPolicy("TestGroupPolicy", policyBuilder =>
            policyBuilder.RequireClaim("groups",
                Configuration.GetValue<string>("AzureADGroup:TestGroupId")));
    });

    services.AddControllersWithViews();
    services.AddRazorPages();
}
As you can see, the AddAuthorization() method enables policy-based
authorization by defining an authorization policy named TestGroupPolicy. The
TestGroupPolicy requires the user to have a groups claim whose value matches
TestGroup's Object Id (picked from appsettings.json). RequireClaim() does an
exact match on the claim value, so a user who is authenticated but not a member
of TestGroup does not satisfy the policy, even though sign-in itself succeeded.
You can define more than one policy here, but for our purpose TestGroupPolicy
is sufficient.
Then go to the Index() action in HomeController and change the [Authorize]
attribute like this:
// Only users who satisfy TestGroupPolicy (i.e. members of TestGroup) may reach
// this action; everyone else is sent to the access denied page.
[Authorize(Policy = "TestGroupPolicy")]
public IActionResult Index()
{
    ViewBag.UserName = User.Identity.Name;
    return View();
}
The [Authorize] attribute now sets the Policy property to TestGroupPolicy.
If you sign in with a user account that is a member of TestGroup, you will see
the sign-in success message as before. However, if you sign in with a user
account that is not a member of TestGroup, authentication still succeeds but the
policy check fails and you get an Access denied error (the AccessDenied page of
the Azure AD UI package).
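The RequireClaim() policy above works for one group and assumes the groups claim is present. As an added example (not code from the original article), the following custom requirement and handler generalize it: it accepts any of several allowed group object IDs, and it fails closed when Azure AD has omitted the groups claim because the user is in too many groups (signalled by a _claim_names claim that lists "groups", or by a hasgroups claim in implicit-flow ID tokens). The configuration key "AzureADGroup:AllowedGroupIds" (a JSON array of object IDs), the class names, and the AddGroupPolicy() extension method are this example's own assumptions, not part of the page or of the Azure AD UI package.

```csharp
// Added example: group-based authorization that handles several allowed groups
// and the Azure AD group "overage" case. Assumes appsettings.json contains
//   "AzureADGroup": { "AllowedGroupIds": [ "<object-id-1>", "<object-id-2>" ] }
// (hypothetical key). Class and method names are this example's own.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

public class GroupMembershipRequirement : IAuthorizationRequirement
{
    public IReadOnlyCollection<string> AllowedGroupIds { get; }

    public GroupMembershipRequirement(IEnumerable<string> allowedGroupIds)
    {
        // Group object IDs are GUIDs; silently dropping malformed config values
        // means a typo can never accidentally match anything.
        AllowedGroupIds = allowedGroupIds
            .Where(id => Guid.TryParse(id, out _))
            .ToList();
    }
}

public class GroupMembershipHandler : AuthorizationHandler<GroupMembershipRequirement>
{
    private readonly ILogger<GroupMembershipHandler> _logger;

    public GroupMembershipHandler(ILogger<GroupMembershipHandler> logger)
    {
        _logger = logger;
    }

    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, GroupMembershipRequirement requirement)
    {
        var user = context.User;

        // Overage: Azure AD left the "groups" claim out of the token and instead
        // points to Microsoft Graph via "_claim_names"/"_claim_sources" (or, for
        // implicit-flow ID tokens, emits "hasgroups": true). Without a Graph call
        // the membership is unknown, so deny rather than let an absent claim
        // silently mean "not a member".
        bool overage = user.Claims.Any(c =>
            (c.Type == "_claim_names" && c.Value.Contains("groups", StringComparison.Ordinal))
            || c.Type == "hasgroups");
        if (overage)
        {
            _logger.LogWarning(
                "Group overage for user {User}: groups claim omitted from token; denying access.",
                user.Identity?.Name);
            context.Fail();
            return Task.CompletedTask;
        }

        // Normal case: one "groups" claim per group object ID in the token.
        var tokenGroups = user.FindAll("groups").Select(c => c.Value);
        if (tokenGroups.Any(g =>
                requirement.AllowedGroupIds.Contains(g, StringComparer.OrdinalIgnoreCase)))
        {
            context.Succeed(requirement);
        }
        // Otherwise: neither Succeed nor Fail, so the policy fails unless some
        // other handler succeeds.
        return Task.CompletedTask;
    }
}

public static class GroupPolicyExtensions
{
    // Registers the handler and a policy whose allowed group IDs come from
    // the given configuration section (expected to be a JSON array of strings).
    public static IServiceCollection AddGroupPolicy(this IServiceCollection services,
        IConfiguration configuration, string policyName, string configKey)
    {
        var ids = configuration.GetSection(configKey).Get<string[]>() ?? Array.Empty<string>();
        services.AddSingleton<IAuthorizationHandler, GroupMembershipHandler>();
        services.AddAuthorization(options =>
            options.AddPolicy(policyName, policy =>
                policy.AddRequirements(new GroupMembershipRequirement(ids))));
        return services;
    }
}
```

In ConfigureServices() you would replace the RequireClaim() policy with services.AddGroupPolicy(Configuration, "TestGroupPolicy", "AzureADGroup:AllowedGroupIds"); and keep [Authorize(Policy = "TestGroupPolicy")] on the action unchanged. The deliberate choice here is that an overage token is treated as a hard failure (context.Fail()) and logged, so a user in many groups is denied visibly instead of being quietly treated as a non-member; a production version would resolve the membership through Microsoft Graph in that branch.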

That's it for now! Keep coding!!