Azure App Service Authentication–AAD Groups

  • Article

Overview

I wanted an easy way to leverage Azure AD Groups in my application.  Thanks to Dushyant and my previous post on App Roles, I was able to throw together a sample.  references: Authorization in Cloud Applications using AD Groups , Azure App Service Authentication – App Roles 

NOTE: If your user/org uses many groups, it is possible that the groups claim will not be returned due to size of the claims.  In that case you would need to give your application rights to read the directory and get the groups information by using the Graph APIs.

Configure Web App for Azure Active Directory Authentication

Configure Azure Active Directory for your application using the Express Settings:

capture20170313090646159

This will create a new application in Azure Active Directory for you with the name of the App as default.  Make sure you save your changes by hitting OK in this screen and then Save in the next:

capture20170313090837766

Configure Manifest to include Group Claims in Auth Token

Go to Azure Active Directory to configure the Manifest.  Click on Azure Active Directory, and go to App registrations to find your application:

snip_20170313091310

Click on your application (or search for it if you have a lot of apps) and edit the Manifest by clicking on it:

snip_20170313091523

Locate the “groupMembershipClaims” setting. Set its value to either “SecurityGroup” or “All”.  To help you decide which:

    “SecurityGroup” - groups claim will contain the identifiers of all security groups of which the user is a member.

    “All” - groups claim will contain the identifiers of all security groups and all distribution lists of which the user is a member

Here I set it to “SecurityGroup” for my application (NOTE: this could be a HUGE list if you choose “All” and the individual is member of lots of DLs so use judiciously for performance reasons).  Now hit ‘Save’:

snip_20170313092821

Now your application will include group claims in your manifest and you can use this fact in your Code!

Code to easily use Groups

You could test the OID of the groups you assign to users directly in code.  For example if the groups claim contains the OID 3298384-3aaafe0-3343… But that is hard to read and implement everywhere you want to use it.  Also you cannot take advantage of the classes that use the Roles type.  For instance, you can deny access to a page based on the Role by specifying it in the Web.Config.  Read my previous blog on this:  Azure App Service Authentication – App Roles

I chose to implement the same strategy as the above referenced post.  I read the groups and assign it to Roles in the authentication pipeline!  Rather than use the ugly OID Guid, I will use a friendly name and I can easily add this to the Web.Config and/or App Settings in the portal as needed.

How to get OID

Simply look up the Group OIDs in your portal!  Here is the ‘Worker’ group OID:

snip_20170313122047

I did the same for the ‘Worker’ group and then added these as app settings to the Web.Config (you can also just add them to the portal).

The Key will be the OID and the Value is the friendly value:”"

 <configuration>
  <appSettings>
        <add key="7d04bcd3-3c48-49ab-a064-c0b7d69896da" value="Managers" />
        <add key="9c9489dd-84a5-4fd3-8fb0-b84594262d42" value="Worker" /> 
    </appSettings>

Now I will edit the previous code from the reference blog to fix up the Roles based on the user Groups membership:

                 foreach (Claim claim in ClaimsPrincipal.Current.FindAll("groups"))
                {
                    // use the OID and get a friendly name to use as the role (if it exists)
                    var groupStringValue = System.Configuration.ConfigurationManager.AppSettings[claim.Value];
                    if (groupStringValue != null)
                    {
                        // build the list
                        appRoles.Add(new Claim(claimsIdentity.RoleClaimType, groupStringValue));
                    }
                }

Finally add some access rules based on these assigned roles just like before!

         
    [Authorize(Roles = "Managers")]
    public class TestAdminAccessController : ApiController
    {

Summary

This is just one way to use Azure Active Director (AAD) Groups in your Azure App Service and configure it quickly and easily.

Note: Azure AD caps at 200 the number of groups that can be sent via JWT format. If the user  belongs to more than 200 groups, Azure AD does not pass any group claims; rather, it sends an overage claim that provides the app with the URI to use for retrieving the user’s groups information via the Graph API.  You should change the appRoles.Add section to accommodate this (subject of a later post or better yet read: Modern Authentication with Azure Active Directory for Web Applications)

If you found this helpful, please drop me a note!