4,815 questions
Yes @john john , this is a valid approach to enabling policies. I came across this Nick Chapsas youtube video that does great job outlining how to implement authorization claims policies in a ASP.NET app.
ASP.NET Core 6.0 which uses Microsoft Identity Platform for authentication and Active Directory groups for authorization
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(131.20000000000002, 90%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJJ%3C/text%3E%3C/svg%3E)
john john
1,021
Reputation points
We are building an ASP.NET Core MVC web application for an organization. This organization has their users in Azure Office 365. We are planning to create a new ASP.NET Core MVC web application and define the authentication to use the Microsoft Identity Platform. Finally for the authorization, we are going to build Azure security groups and reference them inside our application.
We have this AD security group:
[
](https://i.stack.imgur.com/oSUJX.png)
and we reference it inside the program.cs as follows:
builder.Services.AddAuthorization(options =>
{
options.AddPolicy("admin-only", p =>
{ p.RequireClaim("groups", "4876872c-918e-4405-80b3-6fef38bbaa69"); });
options.FallbackPolicy = options.DefaultPolicy;
});
Inside the controller, we use this as follows:
[Authorize("admin-only")]
public IActionResult Privacy()
{
return View();
}
Is my approach valid?
Developer technologies ASP.NET ASP.NET Core
Microsoft Security Microsoft Entra Microsoft Entra ID
25,081 questions
Developer technologies ASP.NET Other
3,597 questions
{count} votes
-
Ryan Hill 30,281 Reputation points Microsoft Employee Moderator2023-05-03T14:34:44.05+00:00 Hi @john john just circling back to see if the provided post helped resolve your issue. Let us know if you have any further questions on this topic so we can better assist you.
To benefit the broader community, please feel free to mark as answered.
Sign in to comment
1 answer
Sort by: Most helpful
-
Ryan Hill 30,281 Reputation points Microsoft Employee Moderator
2023-04-26T16:33:03.72+00:00 -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 97%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJD%3C/text%3E%3C/svg%3E)
Jose Delgado 0 Reputation points2023-05-05T19:54:11.63+00:00 Hi Ryan,
I am trying to implement Authorization using Windows Authentication and Active Directory as well. How would I authorize a group in Active Directory without the SID? I would like to authorize the user using:
[Authorize(Roles = @"DOMAIN\Group_Name")]Is this at all possible with out of the box functionality?
-
Ryan Hill 30,281 Reputation points Microsoft Employee Moderator
2023-05-11T17:38:17.8233333+00:00 I would try using the
IdentityRoleservice. For Azure AD, these should be correlated to App Role Assignments; e.g. running https://graph.microsoft.com/v1.0/{user-id}/appRoleAssignments/ in Graph Explorer. You "should" be able to use theresourceDisplayNameas the role, but I haven't tested that.To keep things nice and tidy, I would definitely use a policy of roles and then decorate the method with
[Authorize(Policy = "mypolicy")].
Sign in to comment -