发表新帖
发表新帖

How to check if a user is in an AD group via Azure AD?

前端 未结
关注
1 1391
你的背包
你的背包 2020-12-11 11:05

Setup Specifications

  • .NET 4.5.1 MVC Project
  • Project contains .aspx files (legacy)
  • Currently user Azure AD for authentication
相关标签:
1条回答
  • 野的像风
    2020-12-11 11:10

    1. Getting Group Membership Claims as part of Token

    You can enable group claims to come in as part of the access token for your application by editing your application's manifest (this can be done directly in Azure Portal) and setting "groupMembershipClaims" property to "All" or "SecurityGroup" as needed.

    2. Group Ids are returned as part of Claims

    Once application manifest is updated as mentioned above, you can get Group Id's as part of claims. Here's a quick sample for a decoded JWT token

    3. Limit on the number of groups that can be returned as part of token

    To ensure that the token size doesn't exceed HTTP header size limits, Azure AD limits the number of objectIds that it includes in the groups claim. If a user is member of more groups than the overage limit (150 for SAML tokens, 200 for JWT tokens), then Azure AD does not emit the groups claim in the token. Instead, it includes an overage claim in the token that indicates to the application to query the Graph API to retrieve the user's group membership.

    4. Relevant Microsoft Graph APIs

    NOTE: Working with Microsoft Graph APIs can be pretty powerful, since you can get around overage scenarios as well as get all other kinds of information about groups if needed (like name). In this particular case, since intent is to validate group membership, group Id is the best field as it will not change while others like name can.

    Check member groups

    This one will be helpful if you already know the groups that you want to check/validate membership in.

     POST https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/checkMemberGroups

    In request body, you can provide groupdIds, i.e. a collection that contains the object IDs of the groups in which to check membership. Up to 20 groups may be specified.

         {
      "groupIds": [
           "fee2c45b-915a-4a64b130f4eb9e75525e",
           "4fe90ae065a-478b9400e0a0e1cbd540"
       ]
     }

    user: getMemberGroups

    This one will be helpful if you don't already know the group and want to get all the groups that this user belongs to.

    POST https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/getMemberGroups

    Here is another related SO Post

    0 讨论(0)
 看不清?
提交回复
热议问题