分享程序员开发的那些事...
更新时间:2023-02-21 10:11:03
当用户登录应用程序时,来自 Azure AD 的传入令牌将包含 组声明,一旦你适当地修改了应用程序的清单 (有关步骤,请参阅下面的示例应用程序链接).然后,您的应用程序代码可以读取这些声明并根据它们做出授权决策.
这是一个基于组声明进行授权的示例应用程序 -
您已经特别询问了有关组的问题,但您还应该考虑使用应用程序角色,它可以帮助您实现基于角色的授权逻辑.查看 Microsoft 文档链接
I am looking help for ASP.NET MVC application. Which authenticate single tenant azure active directory users and can authorize users using active directory security group. i.e. if user is part of that security group then only allow access to website otherwise access denied.
Active directory authentication can be done by visual studio itself using wizard but not sure how to perform authorization through AAD security group.
P.S. I am new to ASP.NET security
When a user signs into the application, incoming token from Azure AD will contain group claims, once you modify the application's manifest appropriately (see the sample application link below for steps). Your application code can then read these claims and make authorization decisions based on them.
Here is a sample application that does authorization based on group claims -
Authorization in a web app using Azure AD groups & group claims
You have specifically asked about Groups, but you should also consider using Application Roles, which can help you implement a Role based authorization logic. Look at Microsoft documentation link Application Roles. Here is a link to another similar question where I have provided a little more detailed information on both Application Roles and Groups and links to sample code for both. Azure Active Directory Integration with Custom RBAC
Once you understand the usage/purpose of application roles and groups, it's completely possible for you to decide that you want to base your authorization logic on a combination of Roles and Groups information for the signed in user instead of just one.
In case when a user is part of many groups (6 or more AFAIK), Azure AD token doesn't send across the "groups" directly as part of token, instead it sends an overage indicator and then you can query the groups in a separate call. Take a look at the token related documentation here - Claims in id_tokens