Provide role for user in Azure Active Directory


I am new to Azure integration with a web app. Can I know whether there is any tutorial available on assigning a role to a user who logs in with Azure AD? Something like UserManager.AddToRole(userId, "Admin") for a standard login. I need a full guide on how to assign a role to a user who logs in with Azure AD. Thanks!

PS: I'm using ASP.NET with Web Forms, not MVC.


First off, you need to figure out how you implement authorization in your application. Azure AD has 3 primary mechanisms. From: https://azure.microsoft.com/en-us/documentation/articles/guidance-multitenant-identity-app-roles/

Roles using Azure AD App Roles: The SaaS provider defines the application roles by adding them to the application manifest. After a customer signs up, an admin for the customer's AD directory assigns users to the roles. When a user signs in, the user's assigned roles are sent as claims.

If you pick this approach, you can POST to the Azure AD Graph's /appRoleAssignments to assign a group or user to an application role like so:

POST https://graph.windows.net/myorganization/servicePrincipals/{service_principal_object_id}/appRoleAssignedTo?api-version=1.6
Body
Content-Type: application/json
{
  "id":"{role_object_id}",
  "principalId":"{user/group_object_id}",
  "resourceId":"{service_principal_object_id}"
}

See this link for more info: https://msdn.microsoft.com/library/azure/ad/graph/api/entity-and-complex-type-reference#AppRoleAssignmentEntity

Roles using Azure AD security groups: In this approach, roles are represented as AD security groups. The application assigns permissions to users based on their security group memberships.

If you pick this approach, you can POST to the Azure AD Graph's /groups to assign a user to a group like so:

POST https://graph.windows.net/myorganization/groups/{group_object_id}/$links/members?api-version=1.6
Body
Content-Type: application/json
{
  "url": "https://graph.windows.net/myorganization/directoryObjects/{user_object_id}"
}

See this link for more info: https://msdn.microsoft.com/library/azure/ad/graph/api/groups-operations#AddGroupMembers

Roles using an application role manager: With this approach, application roles are not stored in Azure AD at all. Instead, the application stores the role assignments for each user in its own DB — for example, using the RoleManager class in ASP.NET Identity.

If you pick this approach, then you'd basically continue to use AddToRole.

Be sure to check out the first link I referenced for details on how to implement the first two approaches.
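For the two Graph calls shown in this answer (the app role assignment and the group membership add), here is an added C# example, not the answer's own code, that issues them with HttpClient from an ASP.NET app. It assumes you already hold a bearer token for graph.windows.net obtained for an account with directory write rights (token acquisition is not shown), and every object id is a placeholder.

```csharp
// Added example: issue the Azure AD Graph POSTs from C#. Assumes a valid bearer token
// for https://graph.windows.net is already available; all ids below are placeholders.
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading.Tasks;

public static class AadRoleAssigner
{
    private const string GraphBase = "https://graph.windows.net";
    private const string ApiVersion = "1.6"; // Azure AD Graph rejects calls without api-version

    // Approach 1: assign a user or group to an app role declared in the app manifest.
    public static Task AssignAppRoleAsync(HttpClient client, string tenant,
        string servicePrincipalObjectId, string roleId, string principalObjectId)
    {
        string url = $"{GraphBase}/{tenant}/servicePrincipals/{servicePrincipalObjectId}"
                   + $"/appRoleAssignedTo?api-version={ApiVersion}";
        string body = $"{{\"id\":\"{roleId}\",\"principalId\":\"{principalObjectId}\","
                    + $"\"resourceId\":\"{servicePrincipalObjectId}\"}}";
        return PostJsonAsync(client, url, body);
    }

    // Approach 2: add a user to a security group; the app later authorizes on group claims.
    public static Task AddGroupMemberAsync(HttpClient client, string tenant,
        string groupObjectId, string userObjectId)
    {
        string url = $"{GraphBase}/{tenant}/groups/{groupObjectId}/$links/members?api-version={ApiVersion}";
        string body = $"{{\"url\":\"{GraphBase}/{tenant}/directoryObjects/{userObjectId}\"}}";
        return PostJsonAsync(client, url, body);
    }

    private static async Task PostJsonAsync(HttpClient client, string url, string json)
    {
        using (var content = new StringContent(json, Encoding.UTF8, "application/json"))
        using (HttpResponseMessage response = await client.PostAsync(url, content))
        {
            // Fail loudly: a 403 usually means the token lacks directory write permission,
            // a 400 usually means one of the object ids is wrong.
            if (response.IsSuccessStatusCode) return;
            string detail = await response.Content.ReadAsStringAsync();
            throw new InvalidOperationException($"Graph call failed ({(int)response.StatusCode}): {detail}");
        }
    }

    // Usage (placeholders): set the bearer token once, then call either method.
    //   var client = new HttpClient();
    //   client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", "<graph token>");
    //   await AssignAppRoleAsync(client, "myorganization", "<sp object id>", "<role id>", "<user object id>");
}
```

After the assignment succeeds, the user must sign in again before the new role or group appears in the claims the application receives.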