Recall the options in the image below. There you need to tick "Read directory data" if the application is to read users' directory information (profile, roles, group membership and so on) from Azure AD.
Updating the Application Manifest File with the Azure AD tenant
If you want the user's groups included in the token, you must edit the app's manifest in Azure AD. Select Azure Active Directory > App registrations > find and select your app (say, HR.AzureAuthentication.HelloWorld) > click Manifest in the top action bar, and change "groupMembershipClaims": null to "groupMembershipClaims": "SecurityGroup".
With "SecurityGroup" the token's groups claim lists the security groups (and directory roles) the user is a member of; with "All" it also includes distribution lists. Whichever you choose, click Save. Two things to keep in mind: the claim carries group object IDs (GUIDs), not display names, and Azure AD stops emitting it once a user belongs to more than 200 groups (150 for SAML tokens) and sends a group-overage claim instead, so such a user would be denied by the policies below even though the membership is real.
Getting the Object ID of the Group from Azure AD and Updating the Appsettings File
To implement group-based authorization you need the object ID of each group from Azure AD, which you add to the appsettings file. Keeping all of these values in appsettings makes them easy to change per environment without touching code. To get a group's Object ID, select Azure Active Directory > Groups > search for the required group > Properties.
Now copy the Object ID from the General Settings page and paste it into the appsettings.json file of your project.
Setting up Azure AD Authorization in Startup
Add the code below to the ConfigureServices method of the Startup class. In this project, say, we have two kinds of users (admins and ordinary users), so we add an Admins policy and a Users policy, each tied to one Azure AD group. Both policies go in a single AddAuthorization call.
services.AddAuthorization(options =>
{
    // The "groups" claim values are the object IDs of the user's Azure AD groups,
    // so each policy compares them with the ID stored in appsettings.json.
    options.AddPolicy("Admins", policyBuilder =>
        policyBuilder.RequireClaim("groups", Configuration.GetValue<string>("AzureSecurityGroup:AdminObjectId")));
    options.AddPolicy("Users", policyBuilder =>
        policyBuilder.RequireClaim("groups", Configuration.GetValue<string>("AzureSecurityGroup:UserObjectId")));
});
Applying Policy on the Controllers or Actions
Add the [Authorize(Policy = "Users")] or [Authorize(Policy = "Admins")] attribute on top of the controllers or actions as your requirements dictate. The attributes are only enforced if the authentication middleware (app.UseAuthentication(), and on ASP.NET Core 3.0 or later app.UseAuthorization() as well) runs before MVC in the Configure method, so check that first if a protected action is reachable without signing in.
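As an added, complete example (not the post's own code) of the whole procedure from the appsettings keys to the protected controller: it assumes the appsettings.json section and placeholder GUIDs shown in the leading comment, the namespace GroupAuthorizationExample, and that the Azure AD authentication itself is registered earlier in ConfigureServices as in the rest of this post. The AccountController.Groups action also shows what the token-testing step below looks at: the raw groups claims, plus the overage markers Azure AD emits in place of groups when a user is in more than 200 groups.

```csharp
// Added example, not the original post's code.
// Assumed appsettings.json section (the GUIDs are placeholders; paste the
// Object IDs copied from Azure Active Directory > Groups > Properties):
//
//   "AzureSecurityGroup": {
//     "AdminObjectId": "00000000-0000-0000-0000-000000000001",
//     "UserObjectId":  "00000000-0000-0000-0000-000000000002"
//   }
//
// The colon in "AzureSecurityGroup:AdminObjectId" is how IConfiguration
// addresses a nested key, so the section above must be an object, not a flat key.
using System;
using System.Linq;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

namespace GroupAuthorizationExample
{
    public static class GroupPolicies
    {
        // Azure AD puts group membership in a claim literally named "groups";
        // the values are group object IDs, never display names.
        public const string GroupsClaim = "groups";

        // Call this from Startup.ConfigureServices after the AddAuthentication call.
        public static IServiceCollection AddGroupPolicies(this IServiceCollection services, IConfiguration configuration)
        {
            string adminGroup = RequireSetting(configuration, "AzureSecurityGroup:AdminObjectId");
            string userGroup  = RequireSetting(configuration, "AzureSecurityGroup:UserObjectId");

            // One AddAuthorization call registers both policies. RequireClaim compares
            // the claim value with an ordinal string comparison, so the setting must be
            // exactly the GUID string Azure AD emits.
            return services.AddAuthorization(options =>
            {
                options.AddPolicy("Admins", policy => policy.RequireClaim(GroupsClaim, adminGroup));
                options.AddPolicy("Users", policy => policy.RequireClaim(GroupsClaim, userGroup));
            });
        }

        // Fail at startup rather than at the first request: with a missing value
        // RequireClaim would still register and simply deny every user (fail closed,
        // but with no hint about why).
        private static string RequireSetting(IConfiguration configuration, string key)
        {
            string value = configuration[key];
            if (string.IsNullOrWhiteSpace(value) || !Guid.TryParse(value, out _))
                throw new InvalidOperationException($"'{key}' must be set to a group object ID (GUID).");
            return value;
        }
    }

    // Only members of the Admins group reach anything in this controller.
    [Authorize(Policy = "Admins")]
    public class AdminController : Controller
    {
        public IActionResult Index() => Content("admin area");
    }

    // Any signed-in user may call this; it exposes the claims the policies above test.
    [Authorize]
    public class AccountController : Controller
    {
        public IActionResult Groups()
        {
            var groups = User.FindAll(GroupPolicies.GroupsClaim).Select(c => c.Value).ToList();

            // If the user is in more than 200 groups (150 for SAML) Azure AD omits "groups"
            // and emits an overage marker instead; the policies then deny the user even
            // though the membership is real, and the app must look the groups up in Graph.
            bool overage = User.HasClaim(c => c.Type == "hasgroups" || c.Type == "_claim_names");

            return Json(new { count = groups.Count, groups, overage });
        }
    }
}
```

The two policies are independent: an admin who is not also in the Users group is refused by [Authorize(Policy = "Users")]. RequireClaim accepts several allowed values, so pass both object IDs to the Users policy if admins should pass as well.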
Testing Claims for Role-based Authorization
You can list the group claims that Azure AD returned in the token after a successful login. Use the code below to do that.