
I am trying to get the context for my Azure website to get user details. My code fails at this point when trying to get the context with the server name, the second parameter. Where can I pull the server name from Azure in this case? I found some info from here.

using (PrincipalContext context = new PrincipalContext(ContextType.Domain, "mysitename.azurewebsites.net"))

Full code example

using System.DirectoryServices.AccountManagement;
using System.Linq;

static GroupPrincipal[] GetUserAuthorisationGroups(string userPrincipalName)
{
    // For ContextType.Domain the second argument is the name of a Windows Server AD
    // domain or domain controller that this host can reach over LDAP/Kerberos.
    using (PrincipalContext context = new PrincipalContext(ContextType.Domain, "mysitename.azurewebsites.net"))
    using (UserPrincipal user = UserPrincipal.FindByIdentity(context, IdentityType.UserPrincipalName, userPrincipalName))
    {
        if (user == null)
        {
            return new GroupPrincipal[0]; // no user with that UPN in the directory
        }
        return user.GetAuthorizationGroups().OfType<GroupPrincipal>().ToArray();
    }
}
Luiso
Kurkula

1 Answer


I'll answer generically and then more specifically with what it appears you're trying to accomplish.

First - Azure AD and Windows Server AD are not the same thing. They both aim to solve the same problems but go about it in radically different ways (as is to be expected - an untrusted, non-domain environment like a cloud has significantly different infrastructure available).

Muddying that a bit further, Windows Server AD can be synchronized to Azure AD, but only object information - like users, groups, etc. - so that information is available in Azure AD. But protocol-level stuff, like Kerberos, is not available via Azure AD (well, except through stuff like Azure AD Domain Services, but that's more for legacy scenarios and wouldn't be applicable to Azure App Service, where you're hosting your web app).

Anyway - so rather than having a trusted domain-joined server that can use Kerberos to talk to Windows Server AD, Azure AD relies on OAuth and more modern protocols that work over the web and without requiring a trusted server. An OAuth-protected web app or mobile app can work regardless of the hosting server. You can read more about AAD here: https://msdn.microsoft.com/en-us/library/azure/jj573650.aspx

It appears you're trying to get a user's groups for authorization decisions and you're working in Azure App Service. You'll need to do two things:

  • Authenticate to Azure AD, and
  • Get additional authorization information from Azure AD

Authentication is fairly straightforward. Since you're in C#, most of this can be done via the ADAL library, which abstracts most of the complexity away for you. You can find samples in the Azure GitHub samples here:

The net for these steps is to:

  • Add an application registration to Azure AD - this will give you a Client ID (and optionally a secret, which you'll need later) that identifies your application uniquely in Azure AD
  • Add the ADAL NuGet package to your app
  • Let ADAL redirect users to Azure AD to sign in
  • Consume the tokens after login and log the users into your app

You can find a complete sample here: https://github.com/Azure-Samples/active-directory-dotnet-webapp-openidconnect

This sample will get you through app registration and configuring ADAL to log users into your app. This will at least get you authenticated, so you'll know who your users are.

The next thing you'll want to do is either:

  • Include Azure AD Application Roles, which will be included in the claim set. You can use these to make authorization decisions (like [Authorize(Role=SomeRoleName)], similar to how you would with on-prem AD groups), OR
  • Query the Azure AD or Microsoft Graph API to get additional user information, like group membership or other user properties.

All user information is stored in the Graph, so you'd query that for user info rather than on-prem AD via the PrincipalSearcher.

Here is a sample that uses Azure AD Application Roles: https://github.com/Azure-Samples/active-directory-dotnet-webapp-roleclaims

And another that uses group claims (e.g., includes the group GUID in the returned claim set): https://github.com/Azure-Samples/active-directory-dotnet-webapp-groupclaims

Lastly, here is another sample that queries the AAD Graph to resolve the group GUIDs to group names, useful for migrating existing Windows AD code that checks authorization via groups: https://github.com/jpda/azure-ad-netcore-sample

Hope that helps.

jpda
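The answer above replaces on-prem group lookups with authorization decisions made on the claims Azure AD puts in the token. The following is an added example, not code from the answer or from the linked samples: it builds a constructed ClaimsPrincipal shaped like the one the OpenID Connect middleware produces after validating an Azure AD token (app roles in a "roles" claim, group object IDs in "groups" claims) and makes the same role and group checks the original PrincipalContext code was trying to make. The group IDs and the ID-to-name table are constructed; in a real app the names would be resolved through the Graph API as the last link describes. The claim type names follow the short JWT names; check which type names your middleware exposes before relying on them.

```csharp
// Added example (not from the original answer). Authorization on Azure AD
// token claims in place of on-prem AD group lookups.
// Assumes any .NET target with System.Security.Claims available.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

static class AzureAdAuthorization
{
    // Claim types as they appear in Azure AD JWTs ("roles" for app roles,
    // "groups" for group object IDs). Middleware may map these to long URIs.
    const string RolesClaim = "roles";
    const string GroupsClaim = "groups";
    // Azure AD emits this instead of "groups" when the user is in too many
    // groups to fit in the token (group overage); the app must then query Graph.
    const string ClaimNamesClaim = "_claim_names";

    // Constructed sample mapping of group object IDs to display names.
    // A real app would resolve these via the Graph API.
    static readonly IReadOnlyDictionary<string, string> GroupNames =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["0f4ad3a5-2c7e-4c9d-9d0b-000000000001"] = "Finance Readers",
            ["0f4ad3a5-2c7e-4c9d-9d0b-000000000002"] = "Finance Approvers",
        };

    // App-role check; this is what [Authorize(Roles = "...")] does for you
    // once the middleware maps "roles" to the role claim type.
    public static bool IsInAppRole(ClaimsPrincipal user, string role) =>
        user.HasClaim(c => c.Type == RolesClaim &&
                           string.Equals(c.Value, role, StringComparison.Ordinal));

    // Resolves group IDs from the token to names; unknown IDs are returned as-is
    // rather than silently dropped, so a missing mapping is visible.
    public static IReadOnlyList<string> GetGroupNames(ClaimsPrincipal user)
    {
        if (user.HasClaim(c => c.Type == ClaimNamesClaim))
        {
            throw new InvalidOperationException(
                "Group overage: token carries no group IDs; query the Graph API for memberships.");
        }
        return user.FindAll(GroupsClaim)
                   .Select(c => GroupNames.TryGetValue(c.Value, out var name) ? name : c.Value)
                   .ToList();
    }

    public static bool IsInGroup(ClaimsPrincipal user, string groupName) =>
        GetGroupNames(user).Contains(groupName, StringComparer.OrdinalIgnoreCase);

    // Constructed identity: the shape the OIDC middleware builds after it has
    // validated the token's signature, issuer, audience and expiry.
    static ClaimsPrincipal BuildSamplePrincipal()
    {
        var identity = new ClaimsIdentity(new[]
        {
            new Claim("name", "alice@contoso.onmicrosoft.com"),
            new Claim(RolesClaim, "Approver"),
            new Claim(GroupsClaim, "0f4ad3a5-2c7e-4c9d-9d0b-000000000001"),
            new Claim(GroupsClaim, "0f4ad3a5-2c7e-4c9d-9d0b-000000000002"),
        }, "AzureAD");
        return new ClaimsPrincipal(identity);
    }

    static void Main()
    {
        var user = BuildSamplePrincipal();
        Console.WriteLine($"Approver role: {IsInAppRole(user, "Approver")}");
        Console.WriteLine($"Admin role: {IsInAppRole(user, "Admin")}");
        Console.WriteLine($"Groups: {string.Join(", ", GetGroupNames(user))}");
        Console.WriteLine($"In Finance Approvers: {IsInGroup(user, "Finance Approvers")}");
    }
}
```

Two points worth keeping in mind when moving from PrincipalContext to claims: the checks above are only as trustworthy as the token validation the middleware performed before the principal was built, so never construct a principal from unvalidated claims; and the group overage case is a real failure mode, so code that reads "groups" directly must handle the "_claim_names" marker rather than treating an absent claim as "no groups".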