8

I would like to add Authorization to a web API written in ASP.NET Core using Azure AD B2C. I already have the Authentication part working, and now I would like to add "Roles" to my application, like "Administrators", and probably in the future more specific roles.

I've seen samples with Azure AD adding "Application roles", but can't find anything for AD B2C. There doesn't seem to be anything in the Azure Portal, nor anything in the documentation.

Is it possible to add custom application roles to Azure AD B2C?

Ogglas
Gimly
  • FYI: [Azure B2C: How do I get “group” claim in JWT token](https://stackoverflow.com/questions/41438417/azure-b2c-how-do-i-get-group-claim-in-jwt-token) – spottedmahn Oct 23 '17 at 14:02
  • And this one too: [Is it possible to add custom attributes to a group in Azure AD B2C](https://stackoverflow.com/questions/44947258/is-it-possible-to-add-custom-attributes-to-a-group-in-azure-ad-b2c) – spottedmahn Oct 23 '17 at 14:07
  • @spottedmahn I've seen that, but group isn't the same as application roles as far as I understand. Groups are global to the Azure AD B2C Tenant, so they're the same for all applications. – Gimly Oct 23 '17 at 14:08
  • Ah, I see. Yes, groups are at the tenant level not app level. – spottedmahn Oct 23 '17 at 14:10
  • We will have a few applications using Azure AD B2C and each will have their own set of roles, and even if they all have "admin" role, a user who is admin of an app might not be admin of another. – Gimly Oct 23 '17 at 14:12
  • Does this answer your question? [Authorize By Group in Azure Active Directory B2C](https://stackoverflow.com/questions/40302231/authorize-by-group-in-azure-active-directory-b2c) – Ogglas Jan 31 '22 at 10:36

2 Answers

4

Application roles are not currently supported in Azure AD B2C. You may want to use the Azure feedback portal to add this request or vote for an existing one.

Omer Iqbal
  • Thanks for the answer, marking as answered even if it doesn't really help my use case. I've added the suggestion here: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/31997947-support-application-specific-roles-in-b2c – Gimly Oct 24 '17 at 06:30
  • Yes, unfortunately, it is the correct answer for now. :-) Hopefully, it will save others time when they search about this feature. – Omer Iqbal Oct 24 '17 at 06:47
0

Create AD groups that you want to function as roles (for instance AppAdministrator) and then override the RolePrincipal.IsInRole method to check to see whether the user is in that AD group. It provides the same functionality you're looking for. Here's a good rundown explaining how this works: Authorize By Group in Azure Active Directory B2C

codeMonkey
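
An added example, not part of the answer above or of any Microsoft sample: one way to apply the group-as-role idea in ASP.NET Core is a claims transformation that turns group memberships into role claims scoped to a single application, which addresses the concern in the comments that groups are tenant-wide. `IGroupLookup`, the `OrdersApi-` group prefix and the `roles_resolved` marker claim are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;

// Hypothetical abstraction: returns the display names of the tenant groups the
// user belongs to (for example by querying the directory with the API's own
// credentials). It is not an Azure AD B2C or ASP.NET Core API.
public interface IGroupLookup
{
    Task<IReadOnlyCollection<string>> GetGroupNamesAsync(string userObjectId);
}

public sealed class GroupToRoleTransformation : IClaimsTransformation
{
    // Assumed naming convention: groups for this API are named "OrdersApi-<Role>".
    private const string AppPrefix = "OrdersApi-";
    private const string OidClaim = "http://schemas.microsoft.com/identity/claims/objectidentifier";
    private readonly IGroupLookup _groups;

    public GroupToRoleTransformation(IGroupLookup groups) => _groups = groups;

    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        // Only authenticated principals, and only once per principal
        // (TransformAsync can run more than once for the same request).
        if (principal.Identity?.IsAuthenticated != true || principal.HasClaim(c => c.Type == "roles_resolved"))
            return principal;

        var oid = principal.FindFirst(OidClaim)?.Value ?? principal.FindFirst("oid")?.Value;
        var identity = new ClaimsIdentity(); // extra identity that carries only derived roles
        identity.AddClaim(new Claim("roles_resolved", "true"));

        if (!string.IsNullOrEmpty(oid))
        {
            // Groups without this application's prefix are ignored, so an
            // administrator of another application gets no role here.
            // A failed lookup throws and the request fails instead of granting roles.
            foreach (var name in await _groups.GetGroupNamesAsync(oid))
                if (name.StartsWith(AppPrefix, StringComparison.Ordinal) && name.Length > AppPrefix.Length)
                    identity.AddClaim(new Claim(ClaimTypes.Role, name.Substring(AppPrefix.Length)));
        }
        principal.AddIdentity(identity);
        return principal;
    }
}
```

Registered with `services.AddScoped<IClaimsTransformation, GroupToRoleTransformation>()`, this lets `[Authorize(Roles = "Administrators")]` and `User.IsInRole("Administrators")` succeed only for members of the `OrdersApi-Administrators` group.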