Role-based access control (RBAC) allows users or groups to have specific permissions to access and manage resources. Typically, implementing RBAC to protect a resource includes protecting either a web application, a single-page application (SPA), or an API. This protection could be for the entire application or API, specific areas and features, or API methods. For more information about the basics of authorization, see Authorization basics.
Groups – use the group assignments carried by the incoming identity, with logic within the application to interpret those group assignments.
Custom Data Store – retrieve role assignments from a store the application owns and interpret them using logic within the application.
The preferred approach is to use App Roles as it is the easiest to implement. This approach is supported directly by the SDKs that are used in building apps utilizing the Microsoft identity platform. For more information on how to choose an approach, see Choose an approach.
Define app roles
The first step for implementing RBAC for an application is to define the app roles for it and assign users or groups to it. This process is outlined in How to: Add app roles to your application and receive them in the token. After defining the app roles and assigning users or groups to them, access the role assignments in the tokens coming into the application and act on them accordingly.
Implement RBAC in ASP.NET Core
ASP.NET Core supports adding RBAC to an ASP.NET Core web application or web API. Adding RBAC allows for easy implementation by using role checks with the ASP.NET Core Authorize attribute. It's also possible to use ASP.NET Core’s support for policy-based role checks.
ASP.NET Core MVC web application
Implementing RBAC in an ASP.NET Core MVC web application is straightforward. It mainly involves using the Authorize attribute to specify which roles should be allowed to access specific controllers or actions in the controllers. Follow these steps to implement RBAC in an ASP.NET Core MVC application:
Create an application registration with app roles and assignments as outlined in Define app roles above.
Do one of the following steps:
Create a new ASP.NET Core MVC web application project using the dotnet CLI. Specify the --auth flag with either SingleOrg for single-tenant authentication or MultiOrg for multi-tenant authentication, the --client-id flag with the client ID from the application registration, and the --tenant-id flag with the tenant ID from the Microsoft Entra tenant:
Bash
dotnet new mvc --auth SingleOrg --client-id <YOUR-APPLICATION-CLIENT-ID> --tenant-id <TENANT-ID>
Add the Microsoft.Identity.Web and Microsoft.Identity.Web.UI libraries to an existing ASP.NET Core MVC project:
Add role checks on the controller actions as outlined in Adding role checks.
Test the application by trying to access one of the protected MVC routes.
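As an added example (not code from the original page or from Microsoft's own samples), this is what the wiring from the steps above looks like once role checks are in place: the `Program.cs` registration of Microsoft.Identity.Web plus a role-based authorization policy, and a controller that uses both the attribute-style and the policy-style check described earlier. The role names `TaskAdmin` and `TaskReader`, the `AzureAd` configuration section name and the `TasksController` itself are assumptions; the role names must match the app roles defined on the application registration.

```csharp
// Program.cs and a controller shown in one listing (assumed layout; the role names
// TaskAdmin / TaskReader and the AzureAd section name are placeholders for this example).
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;

var builder = WebApplication.CreateBuilder(args);

// Sign-in through Microsoft Entra ID. Microsoft.Identity.Web reads ClientId/TenantId from
// the "AzureAd" section and maps the token's "roles" claim so that role checks see app roles.
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));

builder.Services.AddAuthorization(options =>
{
    // Policy-based role check: satisfied by either of the two app roles.
    options.AddPolicy("CanReadTasks", policy => policy.RequireRole("TaskAdmin", "TaskReader"));

    // Fail closed: an endpoint that forgets its own [Authorize] or [AllowAnonymous]
    // still requires an authenticated user instead of being silently public.
    options.FallbackPolicy = options.DefaultPolicy;
});

builder.Services.AddControllersWithViews()
    .AddMicrosoftIdentityUI(); // sign-in / sign-out pages from Microsoft.Identity.Web.UI

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllerRoute("default", "{controller=Home}/{action=Index}/{id?}");
app.Run();

// Hypothetical controller demonstrating both styles of role check.
[Authorize(Policy = "CanReadTasks")]   // controller-wide: TaskAdmin or TaskReader may enter
public class TasksController : Controller
{
    public IActionResult Index() => View();

    [Authorize(Roles = "TaskAdmin")]    // action-level: only TaskAdmin may delete
    public IActionResult Delete(int id) => RedirectToAction(nameof(Index));
}
```

A user whose token carries only the `TaskReader` role can reach `Index` but receives a 403 on `Delete`; a user with no matching role is refused at the controller, and an unauthenticated request is redirected to sign-in by the fallback policy.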
ASP.NET Core web API
Implementing RBAC in an ASP.NET Core web API mainly involves using the Authorize attribute to specify which roles should be allowed to access specific controllers or actions in the controllers. Follow these steps to implement RBAC in an ASP.NET Core web API:
Create an application registration with app roles and assignments as outlined in Define app roles above.
Do one of the following steps:
Create a new ASP.NET Core web API project using the dotnet CLI. Specify the --auth flag with either SingleOrg for single-tenant authentication or MultiOrg for multi-tenant authentication, the --client-id flag with the client ID from the application registration, and the --tenant-id flag with the tenant ID from the Microsoft Entra tenant:
Bash
dotnet new webapi --auth SingleOrg --client-id <YOUR-APPLICATION-CLIENT-ID> --tenant-id <TENANT-ID>
Add the Microsoft.Identity.Web and Swashbuckle.AspNetCore libraries to an existing ASP.NET Core web API project: