I want to restrict access of user to particular objects say specific classrooms say class room A and Class room B. My understanding is that I can have a B2C scope say
AccessClassRoom but not specific Class Rooms. For User Specific data I should not use scopes. Let me know if my understanding is correct
You are correct.
Permissions/roles and scopes provide the two halves for this user access control.
Scopes -- such as AccessClassRoom -- determine whether an authorized application can access data on behalf of an authorizing/consenting user if this user, through their permission/role assignment/s, is permitted to do so.
Azure AD B2C doesn't have any current support for managing permissions/roles and assignments of them to users.
It does, however, have support for managing scopes and assignments of them to applications.
Related
I am designing a REST API in which there are several user types:
disabled user
standard user
support user
admin
root
For each user, there are certain properties assigned to them in a relational database, for example files, messages, payments, ...
Let's say I want users with higher ranks to be able to handle data related to lower ranks (e.g. an admin can modify a standard user's properties)
How can I implement it in a way that makes sure the authorization functionality is separated from the (CRUD) process?
I want something like this:
api.Get("/users/:id", authorization, processHandler)
I am using the echo framework and Golang, but I don't think that really matters. I am looking for a general solution independent of language.
Maybe you have Roles and Permissions problems, that problem has a solution when you control the access level by JWT token (for example).
You have a table with enabled system permissions and your users have associated or assigned permissions, this "association" can be managed through the Roles and Permissions manager (CRUD). So when you need to associate permissions to a user, you have to create a relationship between the permissions and the user. Then, send the new "state" in the token (JWT).
So finally you have a "middleware" on your routes like this
api.Get("/users/:id", authorization, processHandler)
And your authorization role has the responsibility to check if your user has the permissions to use the endpoint.
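One way to write that separate `authorization` step for the rank hierarchy in the question, as an added example (not the asker's or the answerer's code): it uses only `net/http` rather than echo, assumes a preceding authentication middleware has stored the caller as an `Actor` in the request context, and takes the target user's role from a `roleOf` lookup you supply.

```go
package main

import (
	"context"
	"net/http"
	"path"
)

// Rank of each user type listed in the question; a higher rank outranks a lower one.
var roleRank = map[string]int{
	"disabled": 0, "standard": 1, "support": 2, "admin": 3, "root": 4,
}

// Actor is the authenticated caller. An authentication middleware (assumed,
// not shown here) is expected to store it in the request context via WithActor.
type Actor struct{ ID, Role string }
type actorKey struct{}

func WithActor(ctx context.Context, a Actor) context.Context {
	return context.WithValue(ctx, actorKey{}, a)
}

// CanManage: a caller may act on their own record unless disabled, and on
// another user's record only when the caller's rank is strictly higher.
func CanManage(actorRole, targetRole string, self bool) bool {
	a, ok := roleRank[actorRole]
	if !ok || a == 0 {
		return false
	}
	if self {
		return true
	}
	t, ok := roleRank[targetRole]
	return ok && a > t
}

// Authorize is the separate authorization step in front of the CRUD handler: it
// resolves the target user's role through roleOf (a lookup you supply) and
// refuses unknown target ids rather than passing them through.
func Authorize(roleOf func(id string) (string, bool), next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		actor, ok := r.Context().Value(actorKey{}).(Actor)
		if !ok {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		id := path.Base(r.URL.Path) // the :id segment of /users/:id
		target, known := roleOf(id)
		if !known || !CanManage(actor.Role, target, actor.ID == id) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

Wrap each user route as `Authorize(lookup, processHandler)`; the handler then never has to reason about ranks itself.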
We're using Active Directory Groups for different customers and their employees. It's straightforward configuring a group accessToken claim for authenticated users. Now, when an app does not act in behalf of a user but in behalf of itself (client_credentials flow), and the app is member in an AD Group, is it possible to configure an accessToken claim for the application's membership? If so, how?
I have tried to configure it in Azure/Active Directory/Token configuration but it gives only the group of users that are authenticated and not that of the app itself.
Thank you.
I think there is a problem with your description. You said in the question: and the app is member in an AD Group. As far as I know, the members of a group can only be users, organization contacts, service leaders or other groups, and there is no application.
I think what you want to say is that you assigned users or groups to the application (please correct me if my understanding is wrong), like this:
As far as I know, there is no group claim for application tokens (the user token has a group claim, as you said in the question), because an application is not a member of a group.
If you want to get the group assigned to the application, MS graph api is a good choice:
https://graph.microsoft.com/beta/servicePrincipals/{id}/appRoleAssignedTo
You need to replace {id} with Object ID:
I need to create multiple users in the same AD and need to isolate the resources created by one user from another user. Is it really possible? Since I am new to Azure, I am not aware whether this is really possible. It would be great if someone could advise on this.
There is no absolute isolation, there are only certain restrictions.
The users created in the AAD tenant are all the Members by default, they have the default permissions e.g. Read all properties of groups, Read properties of registered and enterprise applications. So if user A created some resources e.g. group, application, the user B will also be able to read the properties of them.
There are some restrictions, like Manage properties, ownership, and membership of groups the user owns, Manage application properties, assignments, and credentials for owned applications. This means some properties of the resources can just be managed by the Owner of them.
For more details about the default user permissions, you could refer to https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions
And if the user is assigned as the admin role in the tenant, he will have more permissions than the default users, see https://learn.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles
I want to use custom attributes in AAD B2C as a shortcut for authorization. I would love to set values on users that I can use in my apis to know what they have access to do.
I see that I can create a User flow for a user to edit their own attributes, but that is the opposite of what I want.
If I don't create a user flow to edit the attribute, can I be confident that the user can't edit it on their own through Microsoft Graph or something like that? I tried doing it through graph but I can't tell if I did something wrong or if the user is not allowed to change it.
It is better not to depend on user attributes for authorization, as user profile information (user attributes) can be managed by the user themselves or at the organization level.
I don't think users can adjust their own attributes if they don't have the Graph permissions in Azure. When signing in your users within your application you can allow them to access certain scopes. As long as they can't access these scopes they cannot perform any actions on the Graph API. Updating user details would in this case require the 'User.ReadWrite' scope to be assigned.
I can Authenticate user in Active directory but I need to know can we authenticate a specific user in group if we have multiple groups.
Basically I am redirecting to http://[mydirectory].onmicrosoft.com and validating the user but I need to know do we have mechanism to validate a user from specific group so that I can give access according to that.
Assuming this is Azure AD (and not on-premises Windows Server AD), then you have three options to restrict access to an application via groups.
Option 1: Require user/group assignment to application
This is the only option that does not require adding authorization logic in your application.
When configuring your application in the classic Azure portal, you can set the application to require user assignment:
Then, under "Users and Groups" for that application, you can choose which individual users or groups should have access to the application.
The most important thing to consider here is that this will only apply to direct members of the group, not to nested members.
Option 2: Request group claims
This option will allow you to request that the token returned to the application after a user has signed in contain the list of groups that the user is a member of. This includes groups that they are transitive members of (i.e. nested groups).
From your application's configuration page in the classic Azure portal, you can download and upload the app's manifest JSON file. In the manifest, locate the "groupMembershipClaims" attribute, and set it to "All" or "SecurityGroup" (the latter will exclude distribution lists).
Once this is set, after the user signs in, the resulting token will have a groups claim that contains a list of group object IDs that the user is a member of. Your application can then use these claims to decide whether or not the user should have access.
Dushyant Gill goes into group claims in detail in his blog post: http://www.dushyantgill.com/blog/2014/12/10/authorization-cloud-applications-using-ad-groups/ (archive.org link)
The important consideration here is that there is a limit to the number of groups that can be returned. If the user is a member of more groups than this limit, then an "overage" claim is issued, and your application will need to make an Azure AD Graph API call to get the full list. (This is also described in Dushyant's blog post.)
Option 3: Use the Microsoft Graph API or the Azure AD Graph API directly
The final option is to simply call the Microsoft Graph API (or the Azure AD Graph API, they both act almost identically for this) to establish if the signed in user is a member of a given group. Your application can then make the authorization decision.
There are several approaches you can take (these are all transitive checks, so nested groups are supported):
isMemberOf to check whether the user is a member of a specified (single) group. This is the simplest if a single group should grant access to your app.
checkMemberGroups to check if the user is a member of any groups in a list of groups. This is useful if different groups grant different roles or permissions in your application.
getMemberGroups to return the full list of groups the user is a member of. This is generally not particularly useful for doing authorization checks.
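How an API might consume the groups claim from Option 2 and recognise the overage case that sends it to Option 3, as an added example (not the answerer's code): it assumes the token's signature has already been verified by your OIDC library, that `allowed` is your own mapping from group object IDs to application roles, and relies on the `_claim_names` marker Azure AD places in a token whose `groups` claim was omitted for overage.

```go
package main

import "encoding/json"

// Decision is what the API should do after inspecting the token's group claims.
type Decision int

const (
	Deny         Decision = iota // no authorized group in the token
	Allow                        // at least one authorized group object ID is present
	NeedsOverage                 // groups omitted for overage; call Graph (checkMemberGroups)
)

// ClaimsFromJSON decodes a JWT payload that has ALREADY been signature-verified
// by your OIDC library (assumed, not shown); never trust an unverified payload.
func ClaimsFromJSON(payload []byte) (map[string]any, error) {
	var claims map[string]any
	err := json.Unmarshal(payload, &claims)
	return claims, err
}

// DecideFromGroups maps the "groups" claim (group object IDs) onto application
// roles; allowed maps each authorized group object ID to the role it grants.
// When Azure AD omits "groups" and instead lists it under "_claim_names", the
// token is in the overage case and the caller must ask Graph for membership.
func DecideFromGroups(claims map[string]any, allowed map[string]string) (Decision, []string) {
	if raw, ok := claims["groups"].([]any); ok {
		var roles []string
		for _, g := range raw {
			if id, ok := g.(string); ok {
				if role, hit := allowed[id]; hit {
					roles = append(roles, role)
				}
			}
		}
		if len(roles) > 0 {
			return Allow, roles
		}
		return Deny, nil
	}
	if names, ok := claims["_claim_names"].(map[string]any); ok {
		if _, ok := names["groups"]; ok {
			return NeedsOverage, nil
		}
	}
	return Deny, nil
}
```

On NeedsOverage, resolve membership with checkMemberGroups against the same list of authorized group IDs instead of trusting any client-supplied group list.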