Azure AD and Group-based authorization


In my previous post I talked about how to use Azure AD to secure an ASP.NET Core web API project. If we want to go further than just protecting our web API, we can use groups to customize access. A typical example is restricting access to users belonging to a specific group.
Each directory user can be a member of one or more groups, so we can use that membership to allow or deny access to our API based on the calling user's attributes.
This is quite easy to implement, as ASP.NET Core uses the same authorization attribute we are used to:

// Only users satisfying the "Admins" policy may call this action
[Authorize(Policy = "Admins")]
public IActionResult Get(int id)
{
    return Json(id);
}

As you can see, we use the Policy property to specify the rules that apply to the decorated member. This obviously requires defining our access policies (the rules) during the startup phase:

services.AddAuthorization(options =>
{
    // "Admins" is satisfied when the "groups" claim contains this group's object ID
    options.AddPolicy("Admins",
        policyBuilder => policyBuilder.RequireClaim("groups",
            "f761047b-2f49-4d8e-903c-1234567890cc"));
});

We simply check for the presence of a specific group in the claims set of the calling user. In other words, the user must belong to this particular group in order to be granted access. Note that we need to use the GUID (object ID) of the group and not the group name, as the access_token we receive from Azure AD describes the user's membership as a list of GUIDs.
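The following is an added example, not code from the original post: it builds on the policy above by reading the group object IDs from configuration instead of hard-coding them, defines a second policy that accepts membership in any of several groups, and applies both to a controller. The configuration section name "AuthorizationGroups", the controller, and the all-zero GUIDs are placeholders I chose for the example, not real values.

```csharp
// Added example (not from the original post): group-based policies whose group
// object IDs come from configuration. GUIDs and config keys are placeholders.
using System;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    private readonly IConfiguration _configuration;

    public Startup(IConfiguration configuration)
    {
        _configuration = configuration;
    }

    public void ConfigureServices(IServiceCollection services)
    {
        // Assumed appsettings.json layout (placeholder object IDs):
        // "AuthorizationGroups": {
        //   "Admins": "00000000-0000-0000-0000-000000000001",
        //   "Readers": [ "00000000-0000-0000-0000-000000000002",
        //                "00000000-0000-0000-0000-000000000003" ]
        // }
        string adminsGroupId = _configuration["AuthorizationGroups:Admins"];
        string[] readerGroupIds = _configuration
            .GetSection("AuthorizationGroups:Readers")
            .Get<string[]>() ?? Array.Empty<string>();

        // Fail closed at startup: RequireClaim with no allowed values only checks
        // that a "groups" claim exists, so an empty list from a missing setting
        // would silently grant access to any user who belongs to any group.
        if (string.IsNullOrWhiteSpace(adminsGroupId) || readerGroupIds.Length == 0)
        {
            throw new InvalidOperationException(
                "AuthorizationGroups configuration is missing or incomplete.");
        }

        services.AddAuthorization(options =>
        {
            // Single group: the "groups" claim must contain exactly this object ID.
            options.AddPolicy("Admins", policy =>
                policy.RequireClaim("groups", adminsGroupId));

            // Any of several groups: RequireClaim takes a list of allowed values,
            // so membership in at least one of them satisfies the policy.
            options.AddPolicy("Readers", policy =>
                policy.RequireClaim("groups", readerGroupIds));
        });

        services.AddMvc();
    }
}

// Placeholder controller: the class-level policy applies to every action, and the
// stricter "Admins" policy on Delete is evaluated in addition to it.
[Authorize(Policy = "Readers")]
[Route("api/reports")]
public class ReportsController : Controller
{
    [HttpGet("{id}")]
    public IActionResult Get(int id)
    {
        return Json(id);
    }

    [Authorize(Policy = "Admins")]
    [HttpDelete("{id}")]
    public IActionResult Delete(int id)
    {
        return Ok();
    }
}
```

Keeping the group IDs in configuration means the same build can target different directories (development and production tenants have different group object IDs), and the startup check makes a missing or mistyped setting a visible failure rather than an over-permissive policy.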

Because by default the list of groups the user belongs to is not included in the token issued by Azure AD, we need to manually edit the application manifest:

"groupMembershipClaims": "SecurityGroup"