We have an ASP.NET Core MVC application and want to migrate from on-premises Active Directory to Microsoft Entra ID. Authentication works without any issues, but authorization does not.
Currently, we use [Authorize(Roles = "GroupX")] or HttpContext.User.IsInRole("GroupX") to check if a user is in a certain group. These groups are security groups in Entra ID.
I replaced
builder.Services
.AddAuthentication(IISDefaults.AuthenticationScheme)
with
builder.Services
.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApp(builder.Configuration)
But the user gets redirected to /Account/AccessDenied even when they are assigned to the group.
I also noticed that HttpContext.User.Claims is missing all the roles/groups.
I discovered these examples, which helped a lot.
We solved our issue by using App Roles and combining them with security groups in Microsoft Entra.
Then, in our Program.cs, we replaced
builder.Services
.AddAuthentication(IISDefaults.AuthenticationScheme)
with
JwtSecurityTokenHandler.DefaultMapInboundClaims = false;
builder.Services
.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApp(builder.Configuration);
builder.Services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
options.TokenValidationParameters.RoleClaimType = "roles";
});
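As an added example (not the answerer's code), here is a complete Program.cs that applies the same two settings from the answer (DefaultMapInboundClaims = false and RoleClaimType = "roles") and shows the role check in both forms the question mentions, plus a claims listing action that is the first place to look when a user is unexpectedly sent to AccessDenied. It assumes the NuGet packages Microsoft.Identity.Web and Microsoft.Identity.Web.UI, an "AzureAd" section in appsettings.json (Instance, TenantId, ClientId, client credentials, CallbackPath), and App Roles named "Admin" and "Reader" assigned to security groups in Entra; those role names are placeholders.

```csharp
// Added example, not the original poster's code.
// Assumes Microsoft.Identity.Web + Microsoft.Identity.Web.UI packages and an
// "AzureAd" configuration section; "Admin" and "Reader" are placeholder App Roles.
using System.IdentityModel.Tokens.Jwt;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;

var builder = WebApplication.CreateBuilder(args);

// Keep the short JWT claim names ("roles", "name", ...) instead of the legacy
// URI-style claim types that the default inbound mapping would substitute.
JwtSecurityTokenHandler.DefaultMapInboundClaims = false;

builder.Services
    .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration); // reads the "AzureAd" section

// Point the OIDC handler at the claim that carries App Roles. Entra ID issues the
// roles assigned to the user (directly or through a security group) in "roles".
builder.Services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
    options.TokenValidationParameters.RoleClaimType = "roles";
    options.TokenValidationParameters.NameClaimType = "name";
});

// Deny by default: every endpoint requires a signed-in user unless it opts out
// with [AllowAnonymous]; role requirements then narrow access further.
builder.Services.AddAuthorization(options =>
{
    options.FallbackPolicy = options.DefaultPolicy;
    // Named policy equivalent to [Authorize(Roles = "Admin")].
    options.AddPolicy("AdminsOnly", policy => policy.RequireRole("Admin"));
});

builder.Services.AddControllersWithViews()
    .AddMicrosoftIdentityUI(); // supplies the /MicrosoftIdentity/Account/* endpoints

var app = builder.Build();
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication(); // must precede UseAuthorization
app.UseAuthorization();
app.MapControllerRoute("default", "{controller=Home}/{action=Index}/{id?}");
app.Run();

// Role checks in both forms from the question, plus a diagnostics action.
[Authorize]
public class ReportsController : Controller
{
    // Attribute form: evaluated against the "roles" claim configured above.
    [Authorize(Roles = "Admin")]
    public IActionResult Admin() => Content("Admin report");

    // Imperative form: same claim type, checked inside the action.
    public IActionResult Index()
    {
        if (!User.IsInRole("Reader")) return Forbid();
        return Content("Reader report");
    }

    // Lists the claims actually received so you can confirm "roles" is present
    // and spelled as expected. Keep this out of production builds.
    public IActionResult Claims() =>
        Json(User.Claims.Select(c => new { c.Type, c.Value }));
}
```

If /Reports/Claims shows no "roles" entry after sign-in, the App Role has not reached the token: check that the App Role is assigned to the group (or user) on the enterprise application and that the group is one Entra actually evaluates for that assignment, rather than adjusting the authorization code.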