
I need a starting point to solve the following problem:

Assume there is a model with different entities (e.g. school classes) and different roles that are connected to entities.

Now I want to check in my Azure Function if Bob has a role on this entity which entitles him to rate a student from the school class.

I think of a claim of the form:

    TEACHER : [
        "class 2b"
    ]

before.

Which Azure Resources do I need to map such a thing?

I already use Azure AD for the ID token and my API is implemented in an Azure Function.

I would like to call Azure AD to get an access token which contains those roles and resources of my domain.

barracuda317

1 Answer


I'm afraid that this form is not supported by Azure AD.

The supported form should be "{claim name}": "{claim value}".

If you accept this form, you can refer to my previous answer.

What you need to modify is:

When you create the extensionProperty, you should name the extensionProperty as "TEACHER".

    POST https://graph.microsoft.com/v1.0/applications/{object id of the Azure AD application}/extensionProperties

    {"name":"TEACHER","dataType":"string","targetObjects":["User"]}

And update the extension property for your account:

    PATCH https://graph.microsoft.com/v1.0/me

    {"extension_6d8190fbf1fe4bc38a5a145520221989_TEACHER":"class 2b"}

Then you can get the custom claim as "TEACHER": "class 2b".

Allen Wu
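To show how the two Graph requests from the answer and the authorization check from the question fit together, here is an added example in Python; it is not code from the original post or from Microsoft. The application object id, the user id and the dashless application id inside the `extension_<appId>_<name>` attribute name are placeholders, and the sample token payload is constructed. The check function assumes the Function has already validated the token's signature, issuer, audience and expiry, and that the claim arrives under the name the answer shows (`TEACHER`); the claim name is a parameter so it can be switched to the full `extension_..._TEACHER` form if the tenant emits that instead. The check fails closed: a missing claim, or a list value (the form the answer says Azure AD does not support), never grants access.

```python
# Added example (not from the original post). Builds the Graph requests
# described in the answer and performs the per-entity role check in the
# Azure Function. All ids below are placeholders.

EXTENSION_NAME = "TEACHER"
# Placeholder: the application (client) id with dashes removed, as Graph
# uses it to prefix directory extension attributes.
APP_ID_NO_DASHES = "00000000000000000000000000000000"
EXTENSION_ATTRIBUTE = f"extension_{APP_ID_NO_DASHES}_{EXTENSION_NAME}"


def create_extension_property_request(app_object_id):
    """Graph request that registers the 'TEACHER' string extension on the app."""
    url = (
        "https://graph.microsoft.com/v1.0/applications/"
        f"{app_object_id}/extensionProperties"
    )
    body = {"name": EXTENSION_NAME, "dataType": "string", "targetObjects": ["User"]}
    return "POST", url, body


def set_user_extension_request(user_id, school_class):
    """Graph request that writes the class the user teaches into the extension.
    Azure AD accepts a single string value here, not a list."""
    if not isinstance(school_class, str) or not school_class:
        raise ValueError("extension value must be a non-empty string")
    url = f"https://graph.microsoft.com/v1.0/users/{user_id}"
    return "PATCH", url, {EXTENSION_ATTRIBUTE: school_class}


def may_rate_class(claims, school_class, claim_name=EXTENSION_NAME):
    """Authorization check inside the Function.

    `claims` is the payload of a token whose signature, issuer, audience and
    expiry were already validated. Returns True only when the claim is a
    string that exactly matches the requested class; anything else (missing
    claim, list value, wrong class) is denied.
    """
    value = claims.get(claim_name)
    if not isinstance(value, str):
        return False
    return value == school_class


if __name__ == "__main__":
    # Constructed sample payload, shaped like the claim the answer describes.
    sample_claims = {"sub": "bob", "TEACHER": "class 2b"}
    print(create_extension_property_request("app-object-id-placeholder"))
    print(set_user_extension_request("user-id-placeholder", "class 2b"))
    print(may_rate_class(sample_claims, "class 2b"))   # True
    print(may_rate_class(sample_claims, "class 3a"))   # False
```

The check uses exact string equality on purpose: normalising case or whitespace would widen what the single claim value authorizes, and the one-role-one-string shape from the answer gives no room for a second class without a second extension property.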