In October I blogged about using Azure AD groups for access control in an ASP.NET application. While that post is still valid, using groups just got easier: the Azure team announced that a user’s group membership information is now returned in the access token itself. OK, it seems to have been announced already in December, but I just learned about it a week ago.
Even better, they’ve added support for application roles too. Essentially, with roles the application doesn’t have to care about groups, and the authorization is done on the AAD side by assigning users to roles. It’s all covered in that same blog post, so head over there for details.