This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(131.20000000000002, 90%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJJ%3C/text%3E%3C/svg%3E)
We are building an ASP.NET Core MVC web application for an organization. This organization has their users in Azure Office 365. We are planning to create a new ASP.NET Core MVC web application and define the authentication to use the Microsoft Identity Platform. Finally for the authorization, we are going to build Azure security groups and reference them inside our application.
We have this AD security group:
[
](https://i.stack.imgur.com/oSUJX.png)
and we reference it inside the program.cs as follows:
builder.Services.AddAuthorization(options =>
{
options.AddPolicy("admin-only", p =>
{ p.RequireClaim("groups", "4876872c-918e-4405-80b3-6fef38bbaa69"); });
options.FallbackPolicy = options.DefaultPolicy;
});
Inside the controller, we use this as follows:
[Authorize("admin-only")]
public IActionResult Privacy()
{
return View();
}
Is my approach valid?
Hi @john john just circling back to see if the provided post helped resolve your issue. Let us know if you have any further questions on this topic so we can better assist you.
To benefit the broader community, please feel free to mark as answered.
Yes @john john , this is a valid approach to enabling policies. I came across this Nick Chapsas youtube video that does great job outlining how to implement authorization claims policies in a ASP.NET app.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 97%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJD%3C/text%3E%3C/svg%3E)
Hi Ryan,
I am trying to implement Authorization using Windows Authentication and Active Directory as well. How would I authorize a group in Active Directory without the SID? I would like to authorize the user using:
[Authorize(Roles = @"DOMAIN\Group_Name")]
Is this at all possible with out of the box functionality?
I would try using the IdentityRole service. For Azure AD, these should be correlated to App Role Assignments; e.g. running https://graph.microsoft.com/v1.0/{user-id}/appRoleAssignments/ in Graph Explorer. You "should" be able to use the resourceDisplayName as the role, but I haven't tested that.
To keep things nice and tidy, I would definitely use a policy of roles and then decorate the method with [Authorize(Policy = "mypolicy")].