Use group claims for easy authorization in Azure Active Directory

By default, the Azure Active Directory application manifest does not populate claims about the user's group membership, to save network traffic and avoid possible token bloat in group-heavy tenants. In a lot of cases this is not a major concern for a well-managed Azure Active Directory environment.

Enabling group claims alongside the other claims greatly simplifies authorization, which would otherwise require calling Microsoft Graph to look up the user's groups.

The example below shows how to enable group claims for an Azure Active Directory enabled application, using an Azure Function as the example, but the same steps apply to any other type of application.

To start, create an Azure Function app.


Navigate to the newly created function and choose the “Authentication/Authorization” link.


Enable App Service Authentication and choose Azure AD as the provider, then apply the Azure AD settings.


Add a new function by pressing the + sign and choose the “Custom Function” link.


Choose the “HTTP Trigger – C#” type, name your function and set the Authorization level to “Function”.


Paste the following code into the function.

Click “Get Function URL” and paste the resulting URL into a new browser window that has no cookies or cached session (Incognito mode in Chrome).


Log in with your AD account. The resulting page will contain no group information, since the default claim set does not include group memberships.

Navigate to the Azure Active Directory / App registrations pane and choose your application.


Click “Manifest” at the top and verify that groupMembershipClaims is set to its default value of null.


Click “Edit” and change it to one of two values: SecurityGroup or All.

The first returns only security groups, while All returns both security groups and distribution lists. (http://www.dushyantgill.com/blog/2014/12/10/authorization-cloud-applications-using-ad-groups/)

Save the file, open the function URL in a new incognito window and authenticate again. This time you should see the GroupSIDs populated.


You can find the SID-to-group mapping inside your Azure Active Directory.


This setup lets you perform role-based authorization without the complicated extra steps of calling the Graph API.
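The authorization the post describes can be done entirely from the claims that App Service Authentication hands to the function. The added example below is not the post's own C# function; it is written in Python and uses the X-MS-CLIENT-PRINCIPAL request header, which App Service Authentication populates with a base64-encoded JSON document of the signed-in user's claims (the header name and JSON shape are assumptions about that feature, not something shown on the page). Once groupMembershipClaims is set in the manifest, the user's groups appear there as repeated "groups" claims. The two principals, the group identifiers and the "admins" group are all constructed sample data; the second principal models what the function sees before the manifest change.

```python
import base64
import json
from typing import Dict, List, Optional, Set, Tuple

# Claim type under which Azure AD emits group membership once
# groupMembershipClaims is set in the application manifest.
GROUPS_CLAIM = "groups"

# Constructed sample input: the JSON that App Service Authentication places,
# base64-encoded, in the X-MS-CLIENT-PRINCIPAL request header (assumed format).
# The group values are made-up GUIDs, not identifiers from any real tenant.
SAMPLE_PRINCIPAL_WITH_GROUPS = {
    "auth_typ": "aad",
    "name_typ": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "role_typ": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
    "claims": [
        {"typ": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
         "val": "alice@example.com"},
        {"typ": GROUPS_CLAIM, "val": "11111111-1111-1111-1111-111111111111"},
        {"typ": GROUPS_CLAIM, "val": "22222222-2222-2222-2222-222222222222"},
    ],
}

# The same user as seen with the default manifest (groupMembershipClaims: null):
# the claim set contains no "groups" entries at all.
SAMPLE_PRINCIPAL_NO_GROUPS = {
    "auth_typ": "aad",
    "name_typ": SAMPLE_PRINCIPAL_WITH_GROUPS["name_typ"],
    "role_typ": SAMPLE_PRINCIPAL_WITH_GROUPS["role_typ"],
    "claims": [c for c in SAMPLE_PRINCIPAL_WITH_GROUPS["claims"]
               if c["typ"] != GROUPS_CLAIM],
}

# Hypothetical group whose members are allowed to call this function (constructed GUID).
ADMINS_GROUP_ID = "22222222-2222-2222-2222-222222222222"


def encode_principal(principal: dict) -> str:
    """Build the header value the way the platform does: base64 of the JSON document."""
    return base64.b64encode(json.dumps(principal).encode("utf-8")).decode("ascii")


def parse_principal(header_value: str) -> List[Tuple[str, str]]:
    """Decode an X-MS-CLIENT-PRINCIPAL value into (claim type, claim value) pairs."""
    doc = json.loads(base64.b64decode(header_value))
    return [(c["typ"], c["val"]) for c in doc.get("claims", [])]


def group_ids(claims: List[Tuple[str, str]]) -> Set[str]:
    """Collect the values of every "groups" claim."""
    return {val for typ, val in claims if typ == GROUPS_CLAIM}


def is_authorized(header_value: Optional[str], required_group: str) -> bool:
    """True only when the caller's groups claim contains required_group.

    Fails closed: a missing header (no App Service login), a malformed header,
    or an absent groups claim all yield False. The groups claim is also absent
    when a user belongs to more groups than Azure AD will place in a token, so
    its absence must never be read as "member of no groups".
    """
    if not header_value:
        return False
    try:
        claims = parse_principal(header_value)
    except (ValueError, KeyError, TypeError, AttributeError):
        return False
    return required_group in group_ids(claims)


def run_demo() -> Dict[str, bool]:
    """Evaluate the allowed-group check against both constructed principals and no header."""
    return {
        "with_groups": is_authorized(encode_principal(SAMPLE_PRINCIPAL_WITH_GROUPS), ADMINS_GROUP_ID),
        "no_groups": is_authorized(encode_principal(SAMPLE_PRINCIPAL_NO_GROUPS), ADMINS_GROUP_ID),
        "no_header": is_authorized(None, ADMINS_GROUP_ID),
    }


if __name__ == "__main__":
    for case, allowed in run_demo().items():
        print(f"{case}: {'allow' if allowed else 'deny'}")
```

The check compares group identifiers, not display names, so the SID-to-group mapping from the directory is only needed once, when deciding which identifier to put in the allow list. Because the header is only trustworthy when App Service Authentication is enabled and sits in front of the function, the function should keep denying anonymous calls; the group check adds the role decision on top of that, which is the point of the manifest change.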
