Get a list of groups that Azure AD user belongs to in claims

Submitted by 孤者浪人 on 2019-11-27 06:09:36

Question


I am authenticating users of my web API against Azure Active Directory. Now I want to get a list of the groups that this user belongs to.

I changed application manifest to include

"groupMembershipClaims": "All",

but all this does is add the claim hasGroups, with no group names.

I granted all (8) Delegated Permissions to Windows Azure Active Directory for my app in the portal.


Answer 1:


I've done exactly this.

Let's call my Azure AD application "AD-App".

AD-App

Permissions to other applications are set to:

Windows Azure Active Directory.

Application Permissions: 0.

Delegated Permissions: 2 ("Read directory data", "Sign in and read user profile").

Manifest has the following setting:

"groupMembershipClaims": "SecurityGroup"

Backend API

The following is my method to return the user's groups. Either you pass in the user's id, or, if not, it uses the id from the claims. Id meaning "objectIdentifier".

using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using Microsoft.Azure.ActiveDirectory.GraphClient;

// Returns the display names of the groups the user is a direct member of.
// Falls back to the caller's own object id (the "oid" claim) when no id is given.
public static IEnumerable<string> GetGroupMembershipsByObjectId(string id = null)
{
    if (string.IsNullOrEmpty(id))
        id = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;

    IList<string> groupMembership = new List<string>();
    try
    {
        // ActiveDirectoryClient is a property elsewhere in the class that builds the
        // Azure AD Graph client with an access token for the directory.
        ActiveDirectoryClient activeDirectoryClient = ActiveDirectoryClient;
        IUser user = activeDirectoryClient.Users.Where(u => u.ObjectId == id).ExecuteSingleAsync().Result;
        var userFetcher = (IUserFetcher)user;

        // MemberOf is paged; walk every page until GetNextPageAsync returns null.
        IPagedCollection<IDirectoryObject> pagedCollection = userFetcher.MemberOf.ExecuteAsync().Result;
        do
        {
            foreach (IDirectoryObject directoryObject in pagedCollection.CurrentPage)
            {
                // MemberOf also returns directory roles; keep only groups.
                if (directoryObject is Group)
                {
                    var group = directoryObject as Group;
                    groupMembership.Add(group.DisplayName);
                }
            }
            pagedCollection = pagedCollection.GetNextPageAsync().Result;
        } while (pagedCollection != null);
    }
    catch (Exception e)
    {
        ExceptionHandler.HandleException(e);
        throw; // rethrow as-is; "throw e;" would reset the stack trace
    }

    return groupMembership;
}

I can't tell you whether this is done by best practice or not, but it works for me.




Answer 2:


If a user has more than 150 groups, only the link to the Graph API in a claim like "graph:link" is returned, and not the groups. It is done for performance reasons. You then need to call the Graph API (MS Graph API - newest, or AD Graph API - older) to iterate through all groups.




Answer 3:


Here is what we did in a project:

Sign in to https://portal.azure.com and click on Azure Active Directory -> App registrations -> <YOUR_APP> -> Manifest and set groupMembershipClaims to 7. You can read more about this here:

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-application-manifest

You can then access the user groups like this:

using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Security.Claims;
using Microsoft.AspNetCore.Mvc;

[Route("api/[controller]")]
[ApiController]
public class CurrentUserController : ControllerBase
{
    // Returns every "groups" claim carried by the caller's token. The values are
    // group object IDs, not display names. The caller must be authenticated
    // (e.g. [Authorize] on the controller or a global policy); otherwise
    // User.Claims is empty and the result is an empty list.
    [HttpGet("groups")]
    [ProducesResponseType(typeof(IEnumerable<ClaimsViewModel>), (int)HttpStatusCode.OK)]
    public IActionResult Groups()
    {
        var groups = User.Claims
            .Where(claim => claim.Type == "groups")
            .Select(c => new ClaimsViewModel { Type = c.Type, Value = c.Value });
        return Ok(groups);
    }
}

public class ClaimsViewModel
{
    public string Type { get; set; }
    public string Value { get; set; }
}

Sample response with fake Object IDs:

[
  {"type":"groups","value":"12fef9e0-4b73-425d-91b7-30c027aa4945"},
  {"type":"groups","value":"12fef9e0-4b73-425d-91b7-30c027aa4946"},
  {"type":"groups","value":"12fef9e0-4b73-425d-91b7-30c027aa4947"},
  {"type":"groups","value":"12fef9e0-4b73-425d-91b7-30c027aa4948"},
  {"type":"groups","value":"12fef9e0-4b73-425d-91b7-30c027aa4949"}
]

Given these IDs you can then identify the groups in AD.
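Answer 1 and Answer 2 describe walking the paged Graph result when the groups are not in the token, and Answer 3 reads the "groups" claim straight from the token. The following is an added example, not code from any of the answers, that puts the two paths together in one place: read the group object IDs from the (already validated) token claims, detect the overage marker Azure AD emits when the user is in too many groups, fall back to a paged Microsoft Graph call in that case, and authorize on group object IDs rather than display names. It is written in Python rather than C# so it runs stand-alone. Assumed names: `claims` is the JWT payload after your middleware has validated signature, issuer, audience and expiry; `graph_get` is any callable that performs an authenticated GET against Microsoft Graph and returns the decoded JSON body; the tokens and Graph pages below are constructed for the demo and belong to no real tenant.

```python
"""Resolve an Azure AD user's group object IDs from token claims, falling back
to Microsoft Graph when the token carries an overage marker instead of groups.

Added example, not from the original post. Assumptions: `claims` is the
payload of a JWT whose signature, issuer, audience and expiry have ALREADY been
validated; `graph_get(url)` performs an authenticated GET against Microsoft
Graph and returns the decoded JSON body. Sample data below is constructed.
"""
from typing import Callable, Iterable, List, Set

GraphGet = Callable[[str], dict]

# memberOf for the signed-in user; mirrors the MemberOf call in Answer 1.
GRAPH_MEMBEROF = "https://graph.microsoft.com/v1.0/me/memberOf"


def has_group_overage(claims: dict) -> bool:
    """True when Azure AD omitted the groups because the user exceeds the
    per-token group limit and instead pointed at Graph (Answer 2)."""
    names = claims.get("_claim_names") or {}
    return "groups" in names or claims.get("hasgroups") in (True, "true")


def groups_from_token(claims: dict) -> List[str]:
    """Group object IDs carried directly in the token (may be empty)."""
    groups = claims.get("groups", [])
    # A single membership may be serialized as a bare string, not a list.
    return [groups] if isinstance(groups, str) else list(groups)


def fetch_all_pages(graph_get: GraphGet, url: str) -> Iterable[dict]:
    """Walk a paged Graph collection by following @odata.nextLink."""
    while url:
        page = graph_get(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def groups_from_graph(graph_get: GraphGet) -> List[str]:
    """Group IDs via memberOf; directory roles in the same result are skipped."""
    return [obj["id"] for obj in fetch_all_pages(graph_get, GRAPH_MEMBEROF)
            if obj.get("@odata.type") == "#microsoft.graph.group"]


def resolve_group_ids(claims: dict, graph_get: GraphGet) -> List[str]:
    """Token claims first; Graph only when the token says it overflowed."""
    if has_group_overage(claims):
        return groups_from_graph(graph_get)
    return groups_from_token(claims)


def is_authorized(claims: dict, graph_get: GraphGet, allowed_group_ids: Set[str]) -> bool:
    """Authorize on group object IDs, never display names: names are not unique
    and anyone who can edit a group can rename it."""
    return not allowed_group_ids.isdisjoint(resolve_group_ids(claims, graph_get))


# --- Constructed sample data (no real tenant) -------------------------------
ADMINS = "12fef9e0-4b73-425d-91b7-30c027aa4945"  # fake ID, as in Answer 3
SMALL_TOKEN = {"oid": "u1", "groups": [ADMINS, "12fef9e0-4b73-425d-91b7-30c027aa4946"]}
# Overage token: no "groups", only a pointer to Graph via _claim_names/_claim_sources.
OVERAGE_TOKEN = {
    "oid": "u2",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "https://graph.windows.net/contoso.onmicrosoft.com/users/u2/getMemberObjects"}},
}
# Two-page memberOf response including a directory role that must be ignored.
FAKE_GRAPH = {
    GRAPH_MEMBEROF: {
        "value": [{"@odata.type": "#microsoft.graph.directoryRole", "id": "role-1"},
                  {"@odata.type": "#microsoft.graph.group", "id": "g-a"}],
        "@odata.nextLink": GRAPH_MEMBEROF + "?$skiptoken=page2",
    },
    GRAPH_MEMBEROF + "?$skiptoken=page2": {
        "value": [{"@odata.type": "#microsoft.graph.group", "id": ADMINS}],
    },
}


def fake_graph_get(url: str) -> dict:
    """Stand-in for an authenticated HTTP GET; serves the constructed pages."""
    return FAKE_GRAPH[url]


if __name__ == "__main__":
    print(resolve_group_ids(SMALL_TOKEN, fake_graph_get))
    print(resolve_group_ids(OVERAGE_TOKEN, fake_graph_get))
    print(is_authorized(OVERAGE_TOKEN, fake_graph_get, {ADMINS}))
```

Two points worth keeping in mind when adapting this: the `_claim_sources` endpoint in a v1 token points at the older Azure AD Graph (`graph.windows.net`), which is why the example ignores it and queries Microsoft Graph directly; and nothing here checks the token, so the groups decision is only as trustworthy as the signature and audience validation that ran before `claims` reached this code.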




Answer 4:


What permissions did you grant to your app? You need to explicitly request the ability to read groups (see group.read.all in https://msdn.microsoft.com/en-us/library/azure/ad/graph/howto/azure-ad-graph-api-permission-scopes). As of today, those permissions can only be consented to by an administrator.



Source: https://stackoverflow.com/questions/35343369/get-a-list-of-groups-that-azure-ad-user-belongs-to-in-claims
