implementing azure group based access in an MVC5 app - azure

I'm new to Azure Active Directory and I'm trying to implement a group-based access mechanism in my MVC5 (C#) app. I have the Azure side sorted, my users are assigned to groups, but I want to be able to determine which group they are in to control access to areas within the web app (similar to role-based access).
So I need something like this:
if (User.IsInGroup("Admin") || User.IsInGroup("Creator"))
{
//do something here
}
There are only 2 groups so I don't really need roles. I've looked at a few options using the Graph API and they seem like massive overkill for what I'm trying to achieve. What's the best way to implement this? Do I need to implement the Graph API? I'd appreciate any advice.

You could enable group claims in the Azure AD app, which will make it simple to enable access management using AD groups. To enable your application to receive group claims:
1. In your application page, click on "Manifest" to open the inline manifest editor.
2. Edit the manifest by locating the "groupMembershipClaims" setting, and setting its value to "All" (or to "SecurityGroup" if you are not interested in Distribution Lists).
3. Save the manifest.
Then, when a user logs in, you will get the group information in the token, but it will return the object ID of the group (that is the unique identity; the group name could be changed). Please click here and here for more details; also see the new groups claim sample published in the Azure AD samples GitHub repo: https://github.com/AzureADSamples/WebApp-GroupClaims-DotNet
Please let me know if it helps.
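An added example (not part of the original answer or the linked sample): one way to get the User.IsInGroup(...) call from the question once group claims are enabled, by mapping local names to group object IDs. The GUIDs are placeholders, and the GroupClaimExtensions class and the "groups" claim type as surfaced by the sign-in middleware are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Security.Principal;

public static class GroupClaimExtensions
{
    // Assumption: placeholder object IDs. Replace with the object IDs of
    // your own groups; names here are local labels, never read from the token.
    private static readonly Dictionary<string, string> GroupIds =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "Admin",   "00000000-0000-0000-0000-000000000001" },
            { "Creator", "00000000-0000-0000-0000-000000000002" },
        };

    // Extends IPrincipal so it can be called as User.IsInGroup("Admin")
    // from an MVC controller or view.
    public static bool IsInGroup(this IPrincipal user, string groupName)
    {
        var principal = user as ClaimsPrincipal;
        if (principal == null || principal.Identity == null
            || !principal.Identity.IsAuthenticated)
            return false;                       // anonymous: deny

        string objectId;
        if (groupName == null || !GroupIds.TryGetValue(groupName, out objectId))
            return false;                       // unmapped name: deny

        // Assumption: the middleware surfaces each group as a "groups" claim.
        return principal.FindAll("groups").Any(c =>
            string.Equals(c.Value, objectId, StringComparison.OrdinalIgnoreCase));
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed principal standing in for a signed-in user.
        var identity = new ClaimsIdentity(
            new[] { new Claim("groups", "00000000-0000-0000-0000-000000000002") },
            "constructed-auth");
        IPrincipal user = new ClaimsPrincipal(identity);
        Console.WriteLine(user.IsInGroup("Admin") || user.IsInGroup("Creator"));
        Console.WriteLine(user.IsInGroup("Admin"));
    }
}
```

A token with no matching "groups" claim, including one where the groups were left out of the token, makes IsInGroup return false, so the check denies by default.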

Related

How can i add Custom Attributes to my Azure AD tenant members (Not B2C users)

I have an Azure AD tenant and I am looking for a way to include extra attributes while creating members within my organization. I have poked around the interface and can't find a way to achieve this on the Azure portal. From my findings, I can see tons of documentation and blog posts on how to achieve this using the B2C feature and Graph API for external customers. However, this does not meet my requirements.
I believe this is a basic requirement that should be possible on Azure AD. Can someone please point me to the right documentation to achieve this?
The Azure portal doesn't provide such a feature, but we can achieve this using the Microsoft Graph API: Create extensionProperty.
You need to specify the targetObjects as "User".
An example (you can use any of your app registrations for {object id of the app registration}):
POST https://graph.microsoft.com/v1.0/applications/{object id of the app registration}/extensionProperties
{"name":"customAttribute","dataType":"string","targetObjects":["User"]}
It will generate an extension property named extension_{client id of the app registration without "-"}_customAttribute.
Then you can update the extension property for a user:
PATCH https://graph.microsoft.com/v1.0/users/{user id}
{"extension_{client id of the Azure AD application without "-"}_customAttribute":"value"}

Azure group claim returns Object ID - Need group name

Have been using Azure for Single Sign On.
For group claims, during the assertion we see only the security group object ID during the response.
e4feedb1-df0e-46ff-8a02-e63474015610
Is it possible to get the group name here in the response instead of the group's Object ID?
If (and only if) the groups in question are groups which have been synced from on-premises AD, you can configure the groups claim to include the on-premises sAMAccountName or the on-premises SID.
Note: Including the display name is not supported. (Display names are not unique, and in most organizations, any user is able to create and manage their own groups, making any sort of authorization decision based on group display names a very risky proposition.)
To issue group can be done both for gallery or non-gallery (i.e. custom) SAML apps (i.e. under Enterprise apps), through the app registration in the Azure portal (App registrations > Token configuration), or directly on the app registration's Application object by updating the optionalClaims property (e.g. via the manifest editor or through Microsoft Graph).
https://learn.microsoft.com/azure/active-directory/hybrid/how-to-connect-fed-group-claims
I'm afraid that it's only supported to get the object ids currently.
You need to call Microsoft Graph to get the Group name.
If you do need this feature, upvote this post on UserVoice and it may be implemented in the future.
A similar question which is answered by Microsoft Engineer here.

Microsoft GraphAPI: How do I retrieve the assigned groups of an azure user?

As you can see from my question above, I was wondering if it is possible to retrieve the assigned groups of an Azure Active Directory (AAD) based user via Microsoft Graph API.
My situation is that I have an ASP.NET MVC project with Microsoft Azure enabled. My goal is that an Azure user can log in on my website with their Azure account.
The idea is that an Azure user is an admin or a user (depending on the Azure groups) and, depending on this role group, the user can view more or less of my webpage.
For example:
When Peter logs in with his azure account on my webpage, he should only be able to see:
Add new Document
Edit Document
Remove Document
because he is only assigned as "User" in Azure Active Directory.
But when Sabrina logs in with her azure account on my webpage, then she should be able to do the same as Peter, but she also can see:
Manage Products
Add new customer
etc.
because she has been assigned as an admin in Azure Active Directory.
My problem is that I did not find out how to retrieve the assigned group of a user with Microsoft Graph API. The part about what the user can see or not after I get the roles is not a big deal.
I already tried this API call:
https://graph.microsoft.com/v1.0/me/
But it seems that the response of this call does not include the actual assigned group of that user.
Do you think it is possible to retrieve the assigned group of an Azure user? Is this even possible? Or do I have to do something else to retrieve this information?
I hope you understand my point and I am also looking forward to any response. Thanks in advance!
Add /memberOf to the URL to receive the groups a user is a member of.
https://graph.microsoft.com/v1.0/me/memberOf
Here's a link to the specific graph api - https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_getmembergroups
Take a look at this sample application on Github. It does something very similar with a task tracker application, where different users are able to perform different actions based on the group they belong to -
https://github.com/Azure-Samples/active-directory-dotnet-webapp-groupclaims/blob/master/README.md
Also, in cases where a user is a member of too many groups, you get back an overage indicator and have to make a separate call to get all groups. Read about “hasgroups” and “groups:src1” claims here - https://learn.microsoft.com/en-us/azure/active-directory/develop/v1-id-and-access-tokens
According to your system architecture, if some user has joined too many groups, the API https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_getmembergroups will return too many groups.
But if the groups with permissions in your system are not too many, you can use this API: https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_checkmembergroups to check if the current user is a member of the specified groups.
It is not a good idea to use this API: https://graph.microsoft.com/v1.0/me/memberOf, because it returns only the groups that the user is a direct member of, but a security group can be a member of another security group.
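An added example, not from any of the answers above: detecting the overage case and falling back to checkMemberGroups for the few groups the app authorizes on. The "_claim_names" claim name, the GroupOverage class and its method names, and Newtonsoft.Json as the JSON library are assumptions; the sample token and Graph response are constructed, and obtaining the access token is left out.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;

public static class GroupOverage
{
    // Overage: the token carries no "groups" values, only a pointer to Graph.
    // Assumption: the pointer appears as "hasgroups" or as a "_claim_names"
    // claim whose JSON value has a "groups" entry (the "groups:src1" case).
    public static bool HasOverage(ClaimsPrincipal user)
    {
        if (user.HasClaim(c => c.Type == "hasgroups")) return true;
        var names = user.FindFirst("_claim_names");
        return names != null && JObject.Parse(names.Value)["groups"] != null;
    }

    // POST /me/checkMemberGroups: returns the subset of groupIds the user is in.
    public static async Task<string[]> CheckMemberGroupsAsync(
        HttpClient http, string accessToken, string[] groupIds)
    {
        var body = new JObject(new JProperty("groupIds", JArray.FromObject(groupIds)));
        var req = new HttpRequestMessage(HttpMethod.Post,
            "https://graph.microsoft.com/v1.0/me/checkMemberGroups");
        req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        req.Content = new StringContent(body.ToString(), Encoding.UTF8, "application/json");
        using (var resp = await http.SendAsync(req))
        {
            resp.EnsureSuccessStatusCode();     // any Graph error: no groups granted
            return ParseGroupIds(await resp.Content.ReadAsStringAsync());
        }
    }
    public static string[] ParseGroupIds(string json) =>
        JObject.Parse(json)["value"].Select(t => (string)t).ToArray();

    public static void Main()
    {
        // Constructed overage token and constructed Graph response.
        var user = new ClaimsPrincipal(new ClaimsIdentity(
            new[] { new Claim("_claim_names", "{\"groups\":\"src1\"}") }, "constructed"));
        Console.WriteLine(HasOverage(user));
        Console.WriteLine(string.Join(",", ParseGroupIds(
            "{\"value\":[\"00000000-0000-0000-0000-000000000001\"]}")));
    }
}
```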

Azure AD B2C Custom Edit profile page

I'm working with Azure B2C from an MVC (4.6) WebApp. I've followed this guide to make it work and it's all good:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-web-dotnet
However, regarding the Edit Profile Policy, I need custom values coming from another system for a specific User profile property (i.e: Favorite Categories, coming from a custom Categories table). I don't want to add all the possible categories to the User profile property settings in the Azure portal, cos values can change frequently. So, couple of questions:
1- Is there a way to tell Azure AD B2C Edit profile policy, what are the values to use for a specific user profile property? (I don't think so)
2- Can I call the Edit Profile policy Endpoint to update the user profile? that way, I'd have a custom page with the user profile properties, and I will update the user from code. I've "fiddled" the MS page, and it's doing a post to a specific endpoint, but I'm not able to make it work from code. I've also tried a bunch of different things.
The only approach that seems will work is to call the Graph API from code, following this article (but it requires to register another App from PowerShell, and also, execute the action with an App Token, instead of the current logged user):
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet
Any help would be much appreciated.
Thanks a lot.
1- Is there a way to tell Azure AD B2C Edit profile policy, what are the values to use for a specific user profile property? (I don't think so)
No. All the users use the policy you configure on the portal. We can create multiple profile edit policies and choose the right policy based on your business with custom code.
2- Can I call the Edit Profile policy Endpoint to update the user profile? that way, I'd have a custom page with the user profile properties, and I will update the user from code. I've "fiddled" the MS page, and it's doing a post to a specific endpoint, but I'm not able to make it work from code. I've also tried a bunch of different things.
No. It is impossible. As you mentioned, if you want to update the user's profile programmatically, the Azure AD Graph is recommended.
You are not able to use JS, but you are able to customize with CSS
(enable CORS to the MS login domain on your web app, etc.).
See the MSDN docs; it is all described there.
You are able to add custom properties in AD B2C to user sign-up, so editing the profile should be possible too:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-ui-customization

Azure Active Directory Object Permissions

I have an Azure Active Directory Application (and associated Service Principal). That Service Principal needs to be able to add and remove members from an Azure Active Directory Group...so I have added Read and write directory data under Application Permissions:
And I have code that uses the Client ID and Client Secret to get an Authentication Token and perform these operations using the Azure Graph API.
However, this permission is far too broad. I need the Application/Service Principal to only have the ability to add and remove members from specific groups (not all)...and not the ability to perform other types of operations.
Is there a way to do this?
Thank you.
There is a preview feature that partly fits your requirement: "Group.ReadWrite.All". It lets your principal create and update groups and their navigation properties (incl. members). It does not however reduce the permissions to modify only certain groups.
AAD permission scopes are described here: https://msdn.microsoft.com/Library/Azure/Ad/Graph/howto/azure-ad-graph-api-permission-scopes
Preview features may be subject to change and you'll have to agree to reduced service terms etc.: https://azure.microsoft.com/en-us/services/preview/
