0

I can Authenticate user in Active directory but I need to know can we authenticate a specific user in group if we have multiple groups. Basically I am redirecting to http://[mydirectory].onmicrosoft.com and validating the user but I need to know do we have mechanism to validate a user from specific group so that I can give access according to that.

Bhanu Reddy
  • 205
  • 3
  • 12
  • I think you're mixing authentication and authorization. Once a user is authenticated successfully (i.e. they are able to login properly), you can define authorization rules in your application based on the user's group to allow/deny access to certain parts of the application. – Gaurav Mantri Jun 08 '16 at 05:40
  • are you using graph api ? if so you can use the checkMemberGroups method. https://msdn.microsoft.com/library/azure/ad/graph/api/functions-and-actions#checkMemberGroups As mentioned in the previous comment what you are trying to achieve is role based "Authorization" – Aravind Jun 08 '16 at 07:40
  • Do you have any sample to authorize group based on user credential. Currently I am redirecting to http://[mydirectory].onmicrosoft.com and authenticating. After authenticating I am not getting any token so that I can validate with Active directory group. – Bhanu Reddy Jun 08 '16 at 07:45

1 Answers1

4

Assuming this is Azure AD (and not on-premises Windows Server AD), then you have three options to restrict access to an application via groups.

Option 1: Require user/group assignment to application

This is the only option that does not require adding authorization logic in your application.

When configuring your application in the classic Azure portal, you can set the application to require user assignment:

Toggle for 'User assignment to app required'

Then, under "Users and Groups" for that application, you can choose which individual users or groups should have access to the application.

The most important thing to consider here is that this will only apply to direct members of the group, not to nested members.

Option 2: Request group claims

This option will allow you to request that the token returned to the application after a user has signed in contain the list of groups that the user is a member of. This includes groups that they are transitive members of (i.e. nested groups).

From your application's configuration page in the classic Azure portal, you can download and upload the app's manifest JSON file. In the manifest, locate the "groupMembershipClaims" attribute, and set it to "All" or "SecurityGroup" (the latter will exclude distribution lists).

Once this is set, after the user signs in, the resulting token will have a groups claim that contains a list of group object IDs that the user is a member of. Your application can then use these claims to decide whether or not the user should have access.

Dushyant Gill goes into group claims in detail in his blog post: http://www.dushyantgill.com/blog/2014/12/10/authorization-cloud-applications-using-ad-groups/ (archive.org link)

The important consideration here is that there is a limit to the number of groups that can be returned. If the user is a member of more groups that this limit, then an "overage" claim is issued, and your application will need to make an Azure AD Graph API call to get the full list. (This is also described in Dushyant's blog post.)

Option 3: Use the the Microsoft Graph API or the Azure AD Graph API directly

The final option is to simply call the Microsoft Graph API (or the Azure AD Graph API, they both act almost identically for this) to establish if the signed in user is a member of a given group. Your application can then make the authorization decision.

There are several approaches you can take (these are all transitive checks, so nested groups are supported):

  • isMemberOf to check whether a the user is a member of a specified (single) group. This is the simplest if a single group should grant access to your app.
  • checkMemberGroups to check if the user is a member of any groups in a list of groups. This is useful if different groups grant different roles or permissions in your application.
  • getMemberGroups to return the full list of groups the user is a member of. This is generally not particularly useful for doing authorization checks.
Zacharious
  • 515
  • 4
  • 13
Philippe Signoret
  • 13,299
  • 1
  • 40
  • 58
  • what about Windows Server AD then ? where should I start :) – martis martis May 22 '20 at 11:55
  • @martismartis Start with a web search, and if you don't find the answer, your best option is to ask a new question (which it appears [you did](https://stackoverflow.com/questions/61938105/windows-server-2016-identity-group)). – Philippe Signoret May 25 '20 at 11:52