I have an Azure Web App on which I've set up App Service authentication (current tenant access). I'd like to dynamically display different portions of the application based on the user's assigned groups.
My intention is to grab either the object ID or UID of the authenticated user, check their groups via MSGraph, and do different things based on their groups. I know theoretically how to accomplish all of this minus the first step: is it possible to pass data from Azure's built-in web app authentication methods to my application?
The alternative I am thinking of is to deactivate App Service authentication and leverage MSGraph within the application itself to authenticate users, which would then allow me to grab the user's groups. I don't want to do that unless I have to.
I think this document contains what you want.
Just a brief explanation. We need to integrate the Microsoft.Identity.Web.MicrosoftGraph and Microsoft.Identity.Web packages into the application. Then add authentication scheme code like this to Program.cs.
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Web;

// In ConfigureServices (with .NET 6 minimal hosting: builder.Services / builder.Configuration).
// OIDC sign-in from the "AzureAd" section, token acquisition for downstream APIs, and a
// GraphServiceClient built from the "Graph" section (BaseUrl, Scopes); in-memory token cache.
services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"))
    .EnableTokenAcquisitionToCallDownstreamApi()
    .AddMicrosoftGraph(Configuration.GetSection("Graph"))
    .AddInMemoryTokenCaches();
Then we can use the Graph SDK to call the Microsoft Graph API to query the information. The authentication is done by App Service itself, so we need to configure it to pass the authentication information to the Azure AD app. This requires using Azure Resource Explorer and following these steps.
If the application and the App Service are fully managed by yourself, I think it's also a good option to put the authentication module inside the application and use RBAC.
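Added example (editor's code, not from the answer above or the tutorial it links): the group lookup and UI gating that the question asks for, built on the Microsoft.Identity.Web setup shown in the answer. It assumes the Microsoft.Graph SDK v4 surface (Request().GetAsync(), NextPageRequest), that the registered GraphServiceClient is injected by DI, that the "Graph:Scopes" config value includes a delegated permission that covers the user's memberOf (GroupMember.Read.All is assumed here; check the Graph permission reference), and that the two group object IDs are placeholders you replace with your own. The service class name, the Razor page, and KnownGroups are all hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Graph;
using Microsoft.Identity.Web;

namespace GroupGateDemo
{
    // Authorize on group object IDs, never on display names: names are not unique
    // and anyone allowed to create groups in the tenant can create one with the same name.
    // Placeholder GUIDs (assumed); replace with the object IDs of your own groups.
    public static class KnownGroups
    {
        public const string Admins = "00000000-0000-0000-0000-000000000001";
        public const string Auditors = "00000000-0000-0000-0000-000000000002";
    }

    // Register with services.AddScoped<GroupMembershipService>() next to the
    // AddMicrosoftGraph call from the answer.
    public class GroupMembershipService
    {
        private readonly GraphServiceClient _graph;

        public GroupMembershipService(GraphServiceClient graph) => _graph = graph;

        // Object IDs of every group the signed-in user belongs to, nested membership
        // included (transitiveMemberOf rather than memberOf). The result is paged, so
        // follow NextPageRequest until it is null instead of trusting the first page.
        public async Task<HashSet<string>> GetGroupIdsAsync()
        {
            var ids = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
            var page = await _graph.Me.TransitiveMemberOf.Request().GetAsync();
            while (page != null)
            {
                foreach (var obj in page.CurrentPage)
                {
                    // The collection also contains directory roles and administrative
                    // units; only Group entries are relevant for feature gating.
                    if (obj is Group g && !string.IsNullOrEmpty(g.Id))
                        ids.Add(g.Id);
                }
                page = page.NextPageRequest == null
                    ? null
                    : await page.NextPageRequest.GetAsync();
            }
            return ids;
        }

        public async Task<bool> IsMemberAsync(string groupObjectId)
            => (await GetGroupIdsAsync()).Contains(groupObjectId);
    }

    // Razor page that decides what to render. Default deny: flags stay false unless the
    // Graph call succeeds and the matching group ID is present; a failed call throws and
    // ends in the error page rather than silently showing everything.
    [Authorize]
    [AuthorizeForScopes(ScopeKeySection = "Graph:Scopes")]
    public class IndexModel : PageModel
    {
        private readonly GroupMembershipService _groups;

        public IndexModel(GroupMembershipService groups) => _groups = groups;

        public bool ShowAdminPanel { get; private set; }
        public bool ShowAuditReports { get; private set; }

        public async Task OnGetAsync()
        {
            var ids = await _groups.GetGroupIdsAsync();
            ShowAdminPanel = ids.Contains(KnownGroups.Admins);
            ShowAuditReports = ids.Contains(KnownGroups.Auditors);
        }
    }
}
```

Hiding a panel in the Razor view (`@if (Model.ShowAdminPanel) { ... }`) only controls what is rendered; every handler or API endpoint behind that panel still has to call IsMemberAsync (or an equivalent policy) itself, otherwise a user can request the URL directly. The lookup costs one or more Graph round trips per request, so in practice you would cache the ID set per session for a short time; keep the cache keyed on the user's object ID, not the display name.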