I have created a test application in WPF (native client). This client authenticates with Azure through the ADAL library, and I am successful in acquiring a token after login. What I would like to do is get a list of the groups that the user is a member of, so that I can use these groups as an access control for accessing data.

So far:

- Successfully set up my native client with Azure, and set its "Windows Azure Active Directory" delegated permissions to "Read directory data" and "Enable sign-on and read users' profiles".
- Acquired a token after login.

When I try to query the Azure Graph with the following setup:
```csharp
// resource, clientID, redirectUri, tenantID and authContext are fields initialised
// elsewhere in the window class; the token must have been issued for the Graph
// resource that is called below.
private async void ReadUserRoles(object sender, RoutedEventArgs e)
{
    // Interactive ADAL sign-in (ADAL 2.x, synchronous AcquireToken).
    var result = authContext.AcquireToken(resource, clientID, redirectUri);

    var httpClient = new HttpClient();
    httpClient.DefaultRequestHeaders.Authorization =
        new AuthenticationHeaderValue("Bearer", result.AccessToken);

    // Object ID of the signed-in user, taken from the token.
    var userID = result.UserInfo.UniqueId;
    var url = string.Format("{0}{1}/users/{2}/memberOf?api-version=2013-04-05",
        "https://graph.windows.net/", tenantID, userID);

    var msg = await httpClient.GetAsync(url);
    var userRoles = await msg.Content.ReadAsStringAsync();
    MessageBox.Show(userRoles);
}
```
The Graph query is taken from: http://msdn.microsoft.com/en-us/library/azure/jj126255.aspx

But then I get an unauthorized error. The user I am logged in with is "Global Administrator" in Azure. The complete error message is:

```json
{"odata.error":{"code":"Authentication_MissingOrMalformed",
"message":{"lang":"en","value":"Access Token missing or malformed."},"values":null}}
```

My main goal is to set up an application where data is accessed based on the user's membership in AD with a WPF client.
You no longer need to query the Graph for getting group info; we have a new feature that will deliver those in the token. See http://www.dushyantgill.com/blog/2014/12/10/authorization-cloud-applications-using-ad-groups/
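As an added example (not code from the question or the linked post), here is how a C# consumer can read the group object IDs the answer refers to, assuming the group claim has been enabled for the application as the linked post describes so that Azure AD emits a `groups` claim, and handling the overage case where the list is too long and Azure AD emits `_claim_names` instead. The sample tokens, the `GroupClaims` class and the group ID are constructed placeholders; signature validation is omitted, so whichever server consumes the token must validate it before acting on the claim.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Text.Json;

public static class GroupClaims
{
    // JWT segments are base64url without padding: restore '+', '/' and '='.
    static byte[] FromBase64Url(string s)
    {
        string b64 = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '='));
    }
    static string ToBase64Url(string json) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(json)).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    // Group object IDs from the token's "groups" claim. Returns null on an overage
    // ("_claim_names" lists "groups"): the list was too long to embed, so the caller
    // must fall back to the memberOf query against the Graph.
    public static IList<string> ReadGroups(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3) throw new ArgumentException("not a compact JWS token");
        using JsonDocument doc = JsonDocument.Parse(FromBase64Url(parts[1]));
        JsonElement root = doc.RootElement;
        if (root.TryGetProperty("_claim_names", out JsonElement names) && names.TryGetProperty("groups", out _))
            return null;
        if (!root.TryGetProperty("groups", out JsonElement groups))
            return Array.Empty<string>();
        return groups.EnumerateArray().Select(g => g.GetString()).ToList();
    }
    // Access check: allowed only when the required group's object ID is in the claim.
    public static bool IsMember(string jwt, string requiredGroupId)
    {
        IList<string> groups = ReadGroups(jwt);
        return groups != null && groups.Contains(requiredGroupId, StringComparer.OrdinalIgnoreCase);
    }
    public static void Main()
    {
        // Constructed, unsigned sample tokens; the group ID is a placeholder, not a real object.
        const string readers = "00000000-0000-0000-0000-00000000aaaa";
        string jwt = ToBase64Url("{\"alg\":\"none\"}") + "." +
                     ToBase64Url("{\"aud\":\"client-id-placeholder\",\"groups\":[\"" + readers + "\"]}") + ".";
        Console.WriteLine(IsMember(jwt, readers) + " " + IsMember(jwt, "not-a-member"));
        string overage = ToBase64Url("{\"alg\":\"none\"}") + "." +
                         ToBase64Url("{\"_claim_names\":{\"groups\":\"src1\"}}") + ".";
        Console.WriteLine(ReadGroups(overage) == null);
    }
}
```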
Link no longer works; however, this link might help