
Background

I have a .NET Core 3.1 web site deployed in a Docker container via Azure Web Apps for Containers.

The app is registered with my organization's Azure AD for only our organization, and users must be added to be granted access.

The site has been working correctly for some time now with individual-based access. The app uses default access: if someone has access to the site at all, they have access to everything within the site.

Our Azure AD tenant is a Premium P2 Tenant.

Goal

I want to use a security group for access to the application rather than adding individuals to the app in Azure AD.

The problem

  • I head to the app registration within my organization's Azure AD
  • I select the Users and Groups menu
  • I add the group that contains the individuals I wish to authorize, with the Default Access role (the only role available)
  • I remove the individuals (all are members of the group, which is our preferred access management)

Expected behavior

The users are still allowed access to the site, as the group is authorized and they are members of the group.

Actual behavior

The users are denied access unless I also add them as individuals.

In the logs, I see the following:

Message contains error: 'access_denied', error_description: 'AADSTS50105: The signed in user '{EmailHidden}' is not assigned to a role for the application '{Redacted GUID}'(Redacted App Name).

However, in this case, all the individuals are a part of the group that is registered, and the group has the same Default Access role that the individuals had been granted.

Things I have tried:

Question

How can I move from individual user access in an Azure AD enterprise application to Group-based access?

Update: Auth code

Per request, providing the code I use to set up authentication.

IIRC, this is just the out-of-the-box .NET Core setup for Azure. In Startup.cs:

// Requires: using Microsoft.AspNetCore.Authentication.AzureAD.UI;
// (from the Microsoft.AspNetCore.Authentication.AzureAD.UI package)
services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
    .AddAzureAD(options =>
    {
        // Binds Instance, Domain, TenantId, ClientId and CallbackPath from appsettings
        Configuration.Bind("AzureAd", options);
    });

The AzureAd config section looks like:

  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "(Redacted)",
    "TenantId": "(Redacted Guid)",
    "ClientId": "(Redacted Guid)",
    "CallbackPath": "/signin-oidc"
  }
SeanKilleen

1 Answer

Are users direct members of the group that is assigned to the app?

They need to be, as AAD apps don't support nested groups, as per https://learn.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-saasapps

Important

You can use this feature only after you start an Azure AD Premium trial or purchase Azure AD Premium license plan. Group-based assignment is supported only for security groups. Nested group memberships are not supported for group-based assignment to applications at this time.

Mickaël Derriey
  • Thanks for responding! Yes, I did see that guidance. Currently, the Azure AD security group I'm trying to authorize holds 6 users directly, and this is the group I'm trying to give access to. When I authorize the group in the app registration, access fails for all the users. When I add access for individuals, it works as expected. – SeanKilleen Sep 02 '20 at 15:04
  • Is the group a security group? And does your Azure AD tenant have Premium licenses? – Mickaël Derriey Sep 03 '20 at 01:40
  • Yes and yes -- the group is a security group and we have an Azure AD Premium P2 license. – SeanKilleen Sep 03 '20 at 13:18
  • Hey! I'm curious to know whether you found an answer/solution to this? We're using group-based assignments for all our apps and never faced such an issue. Maybe try to create a new group? Or remove / add again the group to the enterprise app? – Mickaël Derriey Sep 07 '20 at 22:52
  • Still no solution; been waiting for a few more options here. Already removed & re-added the group. It does seem like a glitch. I may burn a support ticket on it to see if I'm doing something wrong somehow because I feel like I've ruled out everything else at this point. Will look into it tomorrow. – SeanKilleen Sep 08 '20 at 02:18
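The checks the answer and the follow-up comments go back and forth on (is the group actually assigned to the enterprise application, is it a security group, are the users direct rather than nested members) can be run from a shell instead of clicking through the portal. The script below is an added diagnostic and is not part of the original question or answer. It uses the AzureAD PowerShell module cmdlets (Get-AzureADServicePrincipal, Get-AzureADServiceAppRoleAssignment, Get-AzureADGroup, Get-AzureADGroupMember) after Connect-AzureAD; $AppClientId is a placeholder for the app registration's Application (client) ID, and the optional $UserPrincipalName is a user to look for among the direct members.

```powershell
# Added diagnostic, not code from the original question or answer.
# Assumes the AzureAD PowerShell module is installed and Connect-AzureAD has been run
# with an account that can read service principals, groups and group members.
param(
    # Placeholder: the Application (client) ID from the app registration
    [Parameter(Mandatory = $true)][string]$AppClientId,
    # Optional: a user to look for among the group's direct members
    [string]$UserPrincipalName
)

# The enterprise application (service principal) is what holds the user/group assignments,
# not the app registration itself
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$AppClientId'"
if (-not $sp) { throw "No enterprise application found for appId $AppClientId" }
Write-Host "Enterprise app '$($sp.DisplayName)': AppRoleAssignmentRequired = $($sp.AppRoleAssignmentRequired)"

# Everything listed under Enterprise applications > Users and groups
$assignments = Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -All $true
foreach ($a in $assignments) {
    Write-Host "  assigned $($a.PrincipalType): $($a.PrincipalDisplayName)"
}

$groupAssignments = @($assignments | Where-Object { $_.PrincipalType -eq 'Group' })
if ($groupAssignments.Count -eq 0) {
    Write-Warning "No group is assigned to this application; only the listed users will pass the assignment check."
}

foreach ($ga in $groupAssignments) {
    $group = Get-AzureADGroup -ObjectId $ga.PrincipalId

    # Group-based assignment is only supported for security groups
    if (-not $group.SecurityEnabled) {
        Write-Warning "'$($group.DisplayName)' is not a security group; its assignment will not grant access."
    }

    # Get-AzureADGroupMember returns DIRECT members only, which is what assignment evaluates
    $members = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true
    $directUsers = @()
    foreach ($m in $members) {
        if ($m.ObjectType -eq 'Group') {
            # Nested group: its members are not treated as assigned, so they would get AADSTS50105
            Write-Warning "  nested group '$($m.DisplayName)' inside '$($group.DisplayName)': its members are NOT covered by this assignment."
        }
        elseif ($m.ObjectType -eq 'User') {
            $directUsers += $m
            Write-Host "  direct member of '$($group.DisplayName)': $($m.UserPrincipalName)"
        }
    }

    if ($UserPrincipalName) {
        if ($directUsers.UserPrincipalName -contains $UserPrincipalName) {
            Write-Host "  $UserPrincipalName is a direct member of '$($group.DisplayName)'"
        }
        else {
            Write-Warning "  $UserPrincipalName is NOT a direct member of '$($group.DisplayName)'; expect AADSTS50105 unless assigned individually."
        }
    }
}
```

Run it as `.\Check-AppAssignment.ps1 -AppClientId <client id> -UserPrincipalName someone@tenant.example` after Connect-AzureAD. If the user shows up as a direct member of a security group that is listed among the assignments and sign-in still fails with AADSTS50105, the configuration matches what the documentation requires and the remaining suspects are the sign-in flow itself or a directory-side issue worth a support ticket, which is where the comment thread above ends up.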