Tags: azure, .net-core, blazor-webassembly, microsoft-entra-id

Limit users allowed with Entra and Accounts in any organizational account and personal Microsoft accounts


I have a web app where I want to allow members of my club to access the site but I don't want to be handling passwords / authorization, so I want to use Entra for auth.

I've registered the app in my directory and configured it to accept Accounts in any organizational account and personal accounts. I've also added a role to the app and assigned that role to my personal account so that I am the only admin user.

The problem I've got is that it currently allows ANY user to access the site. Is there a way to limit the users who can access the site without having to invite every user to join my directory so that I can then add a role to them? I just want to be able to have the users make a request to me (could be going to a particular web page or WhatsApp me their e-mail address) and then I can give them access without going back and forth.

The only way I can think to do this would be to manually maintain a list of e-mail addresses in my app's database and on every page / resource request, check if the user's e-mail is in the list.

Is there a better way to achieve this?

My app is .NET 8 running on Blazor (pure WebAssembly) and has a separate Web API that has access to a database that provides all the data.


Solution

  • Note that to add a role to a user, the user must be added to the directory.

    • You can create a group and add the users to it, but even for that the users must be added to the directory.
    • You can configure your app to only allow access to users assigned to the application/role.
    • Set "User assignment required" to "Yes" and select the group/users that should have access to the app.

    But for all of the above, you need to add the users to the directory.

    Hence there is no way to add a role to users without adding them to the directory.

    Created an Azure AD security group and added a guest user as a member.

    Assigned the role to the group.

    As a sample, I generated an access token with the following authorization-code request:

    POST https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

    client_id:     ClientID
    scope:         api://xxx/.default
    grant_type:    authorization_code
    code:          code
    redirect_uri:  https://jwt.ms
    client_secret: ClientSecret

    When I decoded the token, the role is present for the user.
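As an added illustration (not code from the question or the answer above), the following ASP.NET Core minimal Web API shows the defender's half of the arrangement: "User assignment required" stops Entra from issuing tokens to unassigned users, and the API still checks the `roles` claim on every request so that an unassigned or mis-scoped token cannot reach club data. It also shows the asker's fallback idea, an e-mail allowlist, as a second policy. The role name `ClubMember`, the `AzureAd` configuration section name, the `ClubAllowlist` configuration key and the `preferred_username` claim carrying the signed-in user's e-mail are assumptions for this example; Microsoft.Identity.Web is the NuGet package that supplies `AddMicrosoftIdentityWebApi`.

```csharp
// Program.cs for the separate Web API (added example; assumes the
// Microsoft.Identity.Web package and an "AzureAd" section in appsettings.json
// holding TenantId, ClientId and Audience for the registered app).
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

// Validate bearer tokens issued by Entra for this API registration.
// AddMicrosoftIdentityWebApi maps the token's "roles" claim to the
// role claim type, so RequireRole below works against app roles.
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));

// Assumed: a comma-separated list of allowed e-mails in configuration,
// e.g. "ClubAllowlist": "alice@example.com,bob@example.com".
var allowlist = (builder.Configuration["ClubAllowlist"] ?? string.Empty)
    .Split(',', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries)
    .ToHashSet(StringComparer.OrdinalIgnoreCase);

builder.Services.AddAuthorization(options =>
{
    // Policy 1: the app role assigned in the Entra portal must be in the token.
    options.AddPolicy("ClubMember", policy =>
        policy.RequireAuthenticatedUser()
              .RequireRole("ClubMember"));

    // Policy 2: the asker's allowlist approach. The e-mail is read from the
    // preferred_username claim (assumed to carry the user's sign-in e-mail).
    options.AddPolicy("OnAllowlist", policy =>
        policy.RequireAuthenticatedUser()
              .RequireAssertion(ctx =>
              {
                  var email = ctx.User.FindFirst("preferred_username")?.Value;
                  return email is not null && allowlist.Contains(email);
              }));

    // Deny by default: any endpoint without an explicit policy still
    // requires an authenticated user, so nothing is exposed by accident.
    options.FallbackPolicy = options.DefaultPolicy;
});

var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();

// Club data: only callers whose token carries the ClubMember app role.
app.MapGet("/api/events", () => Results.Ok(new[] { "Spring meet", "Summer BBQ" }))
   .RequireAuthorization("ClubMember");

// Same data guarded by the e-mail allowlist instead of an app role.
app.MapGet("/api/events-by-email", () => Results.Ok(new[] { "Spring meet", "Summer BBQ" }))
   .RequireAuthorization("OnAllowlist");

// A health probe that is deliberately open, overriding the fallback policy.
app.MapGet("/health", () => Results.Ok("ok")).AllowAnonymous();

app.Run();
```

The role-based policy is the one that matches the answer: once the group (or user) is assigned the app role and "User assignment required" is on, unassigned accounts never receive a token, and assigned accounts carry `"roles": ["ClubMember"]`, which is what `RequireRole` checks. The allowlist policy needs no directory changes, but it makes the API, not Entra, the place where membership is decided, so the list has to be maintained and audited in the application instead.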