Query Azure AD for searching users of security group from ASP.NET Classic Web Forms application

Sanjay Nipane 1 Reputation point


We have ASP.NET 4.7 Web Forms application in which we are implementing Azure AD authentication.

We have Search user feature also in the application, which actually queries the AD, searches for users from specific group and adds users to our application and then grants different roles.

Our organization's Cloud manager has advised that they will not give Directory.ReadAll permission to Application whereas it is ok to grant Directory.ReadAll permission in Delegated manner.

Please advise what shall be the best .NET library/Protocol which we can use for implementing Azure AD authentication and search user feature in our application.

Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
12,633 questions
No comments
{count} votes

1 answer

Sort by: Most helpful
  1. soumi-MSFT 11,601 Reputation points Microsoft Employee

    @Sanjay Nipane , In any case (application/delegated permission), when you give Directory.ReadAll permission it does require Admin consent for it to work. In case you are just trying to list users or list users from groups and want the users to consent while performing this activity then you would need to provide delegated permissions and you can refer to the following docs for the permissions:

    In all the three urls listed above you would find that the least permission required is either User.ReadBasic.All and for groups its Group.ReadAll. But here also, Group.ReadAll needs admin consent and only User.ReadBasic.All would work with user consent.

    Hence it all depends how your app performs the tasks and what type of OAuth flow you have chosen in your code and based on that you can apply the permissions.
    For eg: if the application is going to make the graph calls and fetch the user details, then it has to make a Client Credential Flow and use the Application Permissions [most Application Permissions require Admin Consent] and if the user would go ahead and make graph api call then you would need to choose Authorization Code Grant Flow and use the Delegated permissions.

    Hope this helps.

    Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer; if the above response helped in answering your query.

    No comments