Update 23.2.2015: Group memberships are now included in the access token and you might want to consider using the new Application Roles functionality instead. Check the new blog post for info.
I’ve been working with Azure Active Directory and claims-based authentication on several occasions lately. I like the model and where it’s all going but the fast development pace of Azure AD combined with the ever-changing ASP.net authentication introduces some new problems from time to time.
One such problem, for which I didn't find good documentation or a blog post, was how to do group-based authorization with Azure AD. Azure AD has had the concept of groups for a while now, and especially in an enterprise scenario they're a common way to restrict access to resources.
In my case I was using ASP.NET MVC 5 and the OWIN middleware, whose authentication setup is different from, albeit simpler than, the previous configuration-based approach. After a while of searching it became apparent that I can still use the ASP.NET MVC
[Authorize(Roles = "Admin")] attribute for authorization; I just needed to inject the roles as claims myself. Most of the idea has already been documented in this blog post.
That post, however, doesn't use OWIN but the old approach, and the claims transformation phase is different in OWIN as there's no ClaimsAuthenticationManager hook (I think), or at least I didn't see configuration for one anywhere, so changing it might be problematic. Then I ended up reading Tero's blog post about claims transformation in OWIN and the picture started to become complete.
So in the end I've added a callback on
CookieAuthenticationProvider.OnResponseSignIn and read the user's roles from Azure AD at that point. I'm only checking membership of a single predefined group, so I can use the isMemberOf Graph API method. After adding the ADAL and Graph API client library NuGet packages and a bit of coding, the final solution looks like this:
Now in the controller it's possible to restrict access using the same approach as with normal ASP.NET roles or on-premises AD groups:
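As an added example (not the post's original code, which isn't reproduced here), this is the shape of the OnResponseSignIn callback described above together with the controller usage it enables. It assumes an MVC 5 application already set up for Azure AD sign-in through the OWIN OpenID Connect middleware, ADAL 3.x (Microsoft.IdentityModel.Clients.ActiveDirectory) and Json.NET; it calls the Graph API's isMemberOf action directly over HTTP rather than through the Graph client library, and the appSettings keys and the "Admin" group-to-role mapping are placeholders.

```csharp
// Added example, not the post's original code. Assumes an ASP.NET MVC 5 / OWIN app that already
// signs users in with Azure AD (UseOpenIdConnectAuthentication), ADAL 3.x and Json.NET.
// The Azure AD Graph REST "isMemberOf" action is called directly over HTTP here instead of
// through the Graph client library. The appSettings keys and the "Admin" mapping are placeholders.
using System.Configuration;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;
using System.Web.Mvc;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using Microsoft.Owin.Security.Cookies;
using Newtonsoft.Json.Linq;

public static class AzureAdGroupRoles
{
    // Hypothetical mapping: members of this Azure AD security group (identified by object id,
    // which unlike the display name never changes) get the ASP.NET role "Admin".
    const string AdminRole = "Admin";
    static readonly string AdminGroupObjectId = ConfigurationManager.AppSettings["ida:AdminGroupObjectId"];
    static readonly string Tenant       = ConfigurationManager.AppSettings["ida:Tenant"];
    static readonly string ClientId     = ConfigurationManager.AppSettings["ida:ClientId"];
    static readonly string ClientSecret = ConfigurationManager.AppSettings["ida:ClientSecret"];

    const string Authority     = "https://login.microsoftonline.com/";
    const string GraphResource = "https://graph.windows.net";
    // The OpenID Connect middleware maps the user's Azure AD "oid" to this claim type.
    const string ObjectIdClaim = "http://schemas.microsoft.com/identity/claims/objectidentifier";

    // Register in Startup.ConfigureAuth: app.UseCookieAuthentication(AzureAdGroupRoles.CookieOptions());
    public static CookieAuthenticationOptions CookieOptions()
    {
        return new CookieAuthenticationOptions
        {
            Provider = new CookieAuthenticationProvider
            {
                // Runs once per sign-in, server side, just before the auth cookie is issued,
                // so the added role claim travels inside the protected cookie from then on.
                OnResponseSignIn = ctx => AddGroupRoles(ctx.Identity)
            }
        };
    }

    static void AddGroupRoles(ClaimsIdentity identity)
    {
        Claim oid = identity.FindFirst(ObjectIdClaim);
        if (oid == null) return; // not an Azure AD user: grant nothing

        // OnResponseSignIn is synchronous; run the async Graph call on the thread pool so the
        // ASP.NET SynchronizationContext cannot deadlock while we block on the result.
        bool isAdmin = Task.Run(() => IsMemberOfAsync(AdminGroupObjectId, oid.Value))
                           .GetAwaiter().GetResult();

        if (isAdmin)
        {
            // Use the identity's own RoleClaimType so IPrincipal.IsInRole, and therefore
            // [Authorize(Roles = ...)], sees the claim whatever the middleware was configured with.
            identity.AddClaim(new Claim(identity.RoleClaimType, AdminRole));
        }
    }

    // POST /{tenant}/isMemberOf on the Azure AD Graph API with an app-only (client credential)
    // token; the app registration needs the "Read directory data" application permission.
    static async Task<bool> IsMemberOfAsync(string groupId, string memberId)
    {
        var authContext = new AuthenticationContext(Authority + Tenant);
        AuthenticationResult token = await authContext
            .AcquireTokenAsync(GraphResource, new ClientCredential(ClientId, ClientSecret))
            .ConfigureAwait(false);

        using (var http = new HttpClient())
        {
            http.DefaultRequestHeaders.Authorization =
                new AuthenticationHeaderValue("Bearer", token.AccessToken);

            var body = new JObject(new JProperty("groupId", groupId),
                                   new JProperty("memberId", memberId));
            var content = new StringContent(body.ToString(), Encoding.UTF8, "application/json");
            string url = GraphResource + "/" + Tenant + "/isMemberOf?api-version=1.6";

            HttpResponseMessage response = await http.PostAsync(url, content).ConfigureAwait(false);
            // Fail closed: a Graph error aborts the sign-in instead of silently dropping the role.
            response.EnsureSuccessStatusCode();

            string json = await response.Content.ReadAsStringAsync().ConfigureAwait(false);
            return JObject.Parse(json).Value<bool>("value");
        }
    }
}

// Controller side: nothing Azure AD specific, the standard roles check just works.
public class AdminController : Controller
{
    [Authorize(Roles = "Admin")]
    public ActionResult Index()
    {
        return View();
    }
}
```

Two points worth keeping in mind with this shape: the role claim is computed on the server before the cookie is written, so the browser never gets to assert it, but it is also frozen for the cookie's lifetime, so removing a user from the group only takes effect at the next sign-in. And because the lookup uses an app-only token, the web app itself can read the whole directory; if you only need the membership check, that is still the least-privilege option the Graph API offers for an unattended query.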
This is especially nice from the controller's point of view, as no code changes were needed to read the roles from Azure AD.
Disclaimer: This code is for demonstrating the idea only. It has several points for improvement: the standard ADAL in-memory token cache is used, role membership is only checked when logging in, etc. YMMV.