We are migrating an application which consists of an Angular frontend and an ASP.NET Core 2.1 Web API backend running on .NET Framework 4.6.2 from on-premises to Azure.
The application uses Active Directory Groups for authorization purposes.
To facilitate the migration process we would like to use the same groups which are synchronized to Azure Active Directory.
Authentication works fine, but when I inspect the claims in the User object within a Web API controller I can't find any group claims in it.
The only group-related claim I see in the User object is one named "hasGroups" with the value true, but I need to know which groups the user is part of.
I know I can query AD via the Graph API, but I would prefer a seamless way if the service can provide this info directly.
Update: I use MSAL 1.0 and implicit flow in my Angular Frontend to authenticate the user and gain an access token to authenticate the calls to the Web Api.
Update 2: This is the configuration of the backend API:
I created a client secret in the "Certificates & secrets" page
I created a scope in the "Expose an API" tab and added the client application to it.
In the frontend app I activated the options for "access tokens" and "ID tokens" on the Authentication page, and I configured the redirect URL on the same page.
Update 3: I upgraded the backend to .NET 5 and can still reproduce the problem (no roles in the claims collection).
It seems to me that the main problem was that the user I tried to log in is part of more than 5 groups. In this case the groups are not added to the claims; instead I only get the mentioned "hasGroups" entry. This limitation applies only when implicit flow is used.
This StackOverflow issue pointed me in this direction.
So for cases where your users could have more than 5 AD groups, you will have to query the groups manually using MS Graph or find another place to store your groups.
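The following is an added example, not code from the question or the answer above, showing how a Web API controller can handle the two situations the answer describes: the token carries `groups` claims directly, or it carries only the overage marker (`hasgroups` for implicit flow, or `_claim_names` listing `groups` for other flows) and membership has to be resolved through Microsoft Graph. The `IGraphTokenProvider` interface, the `ReportsController` and the group object id are assumptions made for the example; Microsoft Graph's `POST /me/getMemberGroups` endpoint and the claim names are real.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;

// Added example: reads group membership from the validated token when present and
// detects the "overage" case, where Azure AD omits the "groups" claim and emits a marker instead.
public static class GroupClaims
{
    // Returns true with the group object ids when the token carries them directly.
    // Returns false when the token only signals that groups exist (overage); the caller
    // must then look them up via Microsoft Graph instead of treating the user as groupless.
    public static bool TryGetGroups(ClaimsPrincipal user, out IReadOnlyList<string> groups)
    {
        // Implicit-flow tokens signal overage with "hasgroups": true.
        bool overage = user.HasClaim(c => c.Type == "hasgroups"
            && c.Value.Equals("true", StringComparison.OrdinalIgnoreCase));

        // Other flows signal it with "_claim_names" naming "groups" (plus "_claim_sources").
        string claimNames = user.FindFirst("_claim_names")?.Value;
        if (claimNames != null && claimNames.Contains("\"groups\""))
            overage = true;

        groups = overage
            ? Array.Empty<string>()
            : user.FindAll("groups").Select(c => c.Value).ToList();
        return !overage;
    }
}

// Assumption: something in your app acquires a Graph access token for the signed-in user
// (for a Web API that is the on-behalf-of flow); this interface just abstracts that step.
public interface IGraphTokenProvider
{
    Task<string> GetAccessTokenForUserAsync();
}

public static class GraphGroupLookup
{
    private static readonly HttpClient Http = new HttpClient();

    // Calls Microsoft Graph "getMemberGroups" for the current user. The response is
    // {"value": ["<group object id>", ...]}, including transitive memberships.
    public static async Task<IReadOnlyList<string>> GetGroupIdsAsync(string graphAccessToken)
    {
        using var request = new HttpRequestMessage(HttpMethod.Post,
            "https://graph.microsoft.com/v1.0/me/getMemberGroups");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", graphAccessToken);
        // securityEnabledOnly=true restricts the result to security groups, which is what
        // on-premises AD authorization groups synchronized to Azure AD are.
        request.Content = new StringContent("{\"securityEnabledOnly\": true}",
            Encoding.UTF8, "application/json");

        using HttpResponseMessage response = await Http.SendAsync(request);
        response.EnsureSuccessStatusCode();
        using JsonDocument doc = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
        return doc.RootElement.GetProperty("value")
            .EnumerateArray().Select(e => e.GetString()).ToList();
    }
}

[ApiController]
[Route("api/[controller]")]
public class ReportsController : ControllerBase
{
    // Placeholder object id of the AD group allowed to read reports (not from the question).
    private const string ReportReadersGroupId = "00000000-0000-0000-0000-000000000000";

    private readonly IGraphTokenProvider _tokens;
    public ReportsController(IGraphTokenProvider tokens) => _tokens = tokens;

    [HttpGet]
    public async Task<IActionResult> Get()
    {
        if (!GroupClaims.TryGetGroups(User, out IReadOnlyList<string> groups))
        {
            // Overage: the token has no "groups" claims, so resolve membership server-side.
            string graphToken = await _tokens.GetAccessTokenForUserAsync();
            groups = await GraphGroupLookup.GetGroupIdsAsync(graphToken);
        }

        // Authorize on group object ids, never on anything the frontend sends.
        if (!groups.Contains(ReportReadersGroupId, StringComparer.OrdinalIgnoreCase))
            return Forbid();

        return Ok(new { groups });
    }
}
```

Two points worth keeping in mind when adapting this: the `groups` claim contains group object ids (GUIDs) unless the app registration's token configuration is changed to emit another attribute, so store and compare ids rather than display names; and an overage token must be treated as "membership unknown", not "no groups", otherwise the authorization check silently denies exactly the users who belong to the most groups.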