
I am trying to set up role-based access via groups for my application on Azure. I've followed the following articles (sorry for posting the links as code; I wasn't allowed to post more than one link). However, my app doesn't receive any group claims.

https://www.simple-talk.com/cloud/security-and-compliance/azure-active-directory-part-4-group-claims/

http://www.dushyantgill.com/blog/2014/12/10/roles-based-access-control-in-cloud-applications-using-azure-ad/

What I've done so far

Manifest file

    "appId": "d754a979-689d-45f8-8c63-983de55840da",
    "appRoles": [
      {
        "allowedMemberTypes": [
          "User"
        ],
        "displayName": "Manager",
        "id": "1e06dae5-467a-40cf-a9a6-14baf3969472",
        "isEnabled": true,
        "description": "Manages",
        "value": "Manager"
      },
      {
        "allowedMemberTypes": [
          "User"
        ],
        "displayName": "Issuer",
        "id": "da85f458-720d-4c09-861f-92f5c465ee3e",
        "isEnabled": true,
        "description": "Issues",
        "value": "Issuer"
      },
      {
        "allowedMemberTypes": [
          "User"
        ],
        "displayName": "Supervisor",
        "id": "d64807d4-6e12-4637-a049-2a61b250507b",
        "isEnabled": true,
        "description": "Can perform any function",
        "value": "Supervisor"
      }
    ],
    "availableToOtherTenants": false,
    "displayName": "traffic",
    "errorUrl": null,
    "groupMembershipClaims": "SecurityGroup",
    "homepage": "https://myapp.ca",
    "identifierUris": [
      "https://myapp.azurewebsites.net/"
    ],

Also added the relevant groups to the app on Azure (assume that the group contains at least one user). [screenshot: Groups Assignment on Azure]

But I don't get any group claims in my app. The following code results in a count of zero, always. Any ideas? Thanks in advance.

    using System.Diagnostics;
    using System.Linq;
    using System.Security.Claims;

    // Inside the controller action: pick out only the "groups" claims.
    var claims = ClaimsPrincipal.Current.Claims.Where(c => c.Type == "groups");

    Debug.Print("Total Group Claims in HomeController #### " + claims.Count());

    foreach (Claim c in claims)
    {
        Debug.Print("%%%%%%%% " + c.Value + " %%% TYPE %%% " + c.Type);
    }
Madcap

5 Answers


Problem solved. I was barking up the wrong app profile. There are numerous apps registered with my AD (sandbox, testing etc.). Turns out that I was editing the wrong profile. The steps I mentioned in my problem do work. Thanks @Fei Xue - MSFT for your time and help.

Madcap

Another issue I encountered here is the good old: patience!

After you have changed the groupMembershipClaims in the Manifest from null to SecurityGroup, you need to wait for it... sometimes up to an hour. I thought I was missing permissions and whatnot, but no extra permissions are required as long as the user logging in has access to read groups from AD (which they usually do).

So to get group authorization to work with Azure AD:

  1. Open visual studio
  2. Create a new Web app
  3. Choose authentication - choose Work or School account (leave Read directory blank)
  4. Go to the new app in Azure AD -> App registration and change groupMembershipClaims to SecurityGroup in the Manifest file and save it.
  5. Wait for at least an hour.
  6. Test that you are getting group claims by putting this in the index file:

    <table class="table">
        @foreach (var claim in User.Claims)
        {
            <tr>
                <td>@claim.Type</td>
                <td>@claim.Value</td>
            </tr>
        }
    </table>
Morten_564834

I had a similar issue of groups not being returned as claims.

To fix it, I did two things:

  • Under Azure AD, App Registrations, [the app reg used to access the AD], Token Configuration, there is a button: "Add groups claim". I ticked all the boxes. I can confirm that this step was necessary.

  • In the same screen, the left menu also features "API permissions". Initially I had only "User.Read". I had "User.ReadAll", "Directory.Read", and "Directory.ReadAll". I had done this before the other step, so I am not sure if it was necessary.

Timo

Since you specify SecurityGroup in the application's manifest, Azure AD only issues that type of group claim. You can change SecurityGroup to All to make Azure AD issue all kinds of group claims.

Also ensure that the user is a member of fewer than about 150 groups, because there is a limit on the number of groups (refer here).

And make sure that the user signing in to the web app has been assigned to the group. You can refer to the code sample active-directory-dotnet-webapp-groupclaims to see how to show the group claims.

Fei Xue
  • Thanks Fei Xue. Tried and verified all those steps already. Doesn't work :( Not sure if I am missing something... if there are any additional steps involved since I am deploying my app to Azure. – Madcap Mar 15 '17 at 16:46
  • Deploying to Azure will not affect this behavior. And there is no other additional step to issue the group claims in the id_token. I suggest that you follow the [active-directory-dotnet-webapp-groupclaims](https://github.com/Azure-Samples/active-directory-dotnet-webapp-groupclaims) sample to test it from scratch, which should work well. – Fei Xue Mar 17 '17 at 07:27
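As an added example (not code from any answer on this page, and not from the Microsoft sample Fei Xue links), the following C# console program does what the question's HomeController snippet and Morten's step 6 do by hand, and adds the check that explains one way a "count of zero" can happen: it inspects a ClaimsPrincipal for `groups` and `roles` claims (the latter come from the manifest's appRoles), reports whether Azure AD replaced `groups` with the `_claim_names`/`_claim_sources` overage marker it emits when a user is in more groups than the limit Fei Xue mentions, and makes an authorization decision from either source. The ClaimsPrincipal, the group object ids and the group-to-role map are constructed placeholders for this example.

```csharp
// Added example, not part of the original post or the linked sample.
// Diagnoses the claims a signed-in principal carries and makes a role decision
// from app roles ("roles" claims) or from security-group membership ("groups").
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

public static class GroupClaimDiagnostics
{
    public sealed class Report
    {
        public IReadOnlyList<string> GroupIds { get; set; }
        public IReadOnlyList<string> Roles { get; set; }
        // True when the token carried "_claim_names" naming "groups", i.e. the
        // directory omitted the groups claim because the user has too many groups.
        public bool GroupsOverage { get; set; }
    }

    public static Report Inspect(ClaimsPrincipal principal)
    {
        var groups = principal.FindAll("groups").Select(c => c.Value).ToList();
        var roles = principal.FindAll("roles").Select(c => c.Value).ToList();
        bool overage = principal.FindAll("_claim_names")
                                .Any(c => c.Value.Contains("\"groups\""));
        return new Report { GroupIds = groups, Roles = roles, GroupsOverage = overage };
    }

    // A user holds a role if the appRoles assignment produced that "roles" claim,
    // or if one of the user's security groups is mapped to the role. The
    // group-to-role map is an assumption of this example, not Azure AD behaviour.
    public static bool IsInRole(ClaimsPrincipal principal, string role,
                                IDictionary<string, string> groupToRole)
    {
        var report = Inspect(principal);
        if (report.Roles.Contains(role, StringComparer.Ordinal))
            return true;
        foreach (var groupId in report.GroupIds)
        {
            string mapped;
            if (groupToRole.TryGetValue(groupId, out mapped) && mapped == role)
                return true;
        }
        return false;
    }

    public static void Main()
    {
        // Constructed principal standing in for ClaimsPrincipal.Current after sign-in.
        // The group id is a placeholder, not a real directory object id.
        const string placeholderGroupId = "00000000-0000-0000-0000-000000000001";
        var identity = new ClaimsIdentity(new[]
        {
            new Claim("name", "sample user"),
            new Claim("groups", placeholderGroupId),
            new Claim("roles", "Issuer"),
        }, "AzureAD");
        var principal = new ClaimsPrincipal(identity);

        // Hypothetical mapping: members of the placeholder group act as Supervisor.
        var groupToRole = new Dictionary<string, string>
        {
            { placeholderGroupId, "Supervisor" },
        };

        var report = Inspect(principal);
        Console.WriteLine("group claims: " + report.GroupIds.Count
                          + ", roles: " + string.Join(",", report.Roles)
                          + ", overage: " + report.GroupsOverage);
        Console.WriteLine("Supervisor? " + IsInRole(principal, "Supervisor", groupToRole)); // True via group map
        Console.WriteLine("Issuer? " + IsInRole(principal, "Issuer", groupToRole));         // True via roles claim
        Console.WriteLine("Manager? " + IsInRole(principal, "Manager", groupToRole));       // False

        if (report.GroupsOverage)
            Console.WriteLine("groups omitted from the token: resolve the user's groups from the directory instead");
    }
}
```

In a real controller, replace the constructed principal with `ClaimsPrincipal.Current` (or `User` in ASP.NET Core) and keep the overage check: a zero count with the overage marker present is a group-limit problem, whereas a zero count without it points at the manifest, the app registration being edited, or propagation delay, which are the causes the answers above describe.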

If you configured group filtering in the associated Enterprise Application in the Single Sign On page, make sure that the filter matches the Group your user is a member of.

Very bizarrely, the group filtering feature is described in this topic. https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-group-claims#group-filtering

JJS