Question
I have created a new ASP.NET Core MVC web application and I set it to use Work or School Accounts with multiple organizations, as follows:
Now if I add the [Authorize] attribute to an action method, the user will be asked to log in first. But my question is: how can I allow only certain users to access the action method?
Second question: how can I prevent users from logging in to the application unless they are inside a predefined list?
Answer 1:
You have to add the Roles in the Authorize attribute. For example, you can define roles like Admin, User, Guest in your application, and add the Authorize attribute like this: [Authorize(Roles = "Admin")].
Now only Admin will be able to access this resource after authentication, and User or Guest will not be able to get past this step.
You can follow this link for more guidance. You can also use claims and policies for authorization.
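The answer above names the attribute but not the wiring around it. The following is an added example (not code from the question or either answer) showing how the role check in Answer 1 fits into an Azure AD "Work or School Accounts" app: Azure AD app roles arrive in a claim literally named "roles", while ASP.NET Core's role checks look at ClaimTypes.Role unless the token validator is told otherwise. The scheme name OpenIdConnectDefaults.AuthenticationScheme, the policy name "AdminOnly", the role name "Admin" and the ReportsController are all assumptions for illustration.

```csharp
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public static class RoleAuthorizationSetup
{
    // Call this from Startup.ConfigureServices after the OpenID Connect /
    // Azure AD authentication handler has been registered.
    public static void Configure(IServiceCollection services)
    {
        // Assumption: the OpenID Connect scheme is the default one. If you used
        // AddAzureAD(), pass its scheme name (AzureADDefaults.OpenIdScheme) instead.
        services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
        {
            // Azure AD puts app roles in the "roles" claim. Without this mapping,
            // [Authorize(Roles = "Admin")] and RequireRole("Admin") never match.
            options.TokenValidationParameters.RoleClaimType = "roles";
        });

        services.AddAuthorization(options =>
        {
            // A named policy is easier to audit than role strings scattered over actions.
            options.AddPolicy("AdminOnly", policy =>
                policy.RequireAuthenticatedUser().RequireRole("Admin"));
        });
    }
}

[Authorize] // any signed-in user may reach actions that carry no stricter attribute
public class ReportsController : Controller
{
    public IActionResult Index() => View();

    // Only users holding the "Admin" app role (assigned in the Azure portal) get here;
    // everyone else receives 403 Forbidden rather than a redirect to sign-in.
    [Authorize(Policy = "AdminOnly")]
    public IActionResult Delete(int id) => RedirectToAction(nameof(Index));
}
```

The policy form and the `Roles = "Admin"` form in the answer are equivalent once the role claim type is mapped; the policy form is simply the one you can reuse and unit-test from one place.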
Answer 2:
To restrict which users/groups can access your application, you can try the solutions below:
Restrict users/groups using Azure AD:
As in my previous reply, you can always find the service principal by client ID after consenting to/registering the application in the tenant. You can use the users/groups assignment feature:
- Sign in to the Azure portal with an administrator account or as an owner of the application.
- Select Azure Active Directory. In the left navigation menu, select Enterprise applications.
- Select the application from the list. If you don't see the application, start typing its name in the search box, or use the filter controls to select the application type, status, or visibility, and then select Apply.
- In the left navigation menu, select Properties.
- Make sure the "User assignment required?" toggle is set to Yes.
Then only assigned users/groups can access the application. You can assign users or groups to an app via the Azure portal or PowerShell.
Restrict users/groups within the application:
Method 1: Group claims
You can use group claims in Azure AD. Configure your application in the Azure portal to receive group claims by editing the manifest:
```json
{
  ...
  "errorUrl": null,
  "groupMembershipClaims": "SecurityGroup",
  ...
}
```
The ID token issued by Azure AD will then include the current user's group IDs in the groups claim. In the ASP.NET Core application, you can restrict access with:
```csharp
// In Startup.ConfigureServices. Requires:
// using Microsoft.AspNetCore.Authorization;
// using Microsoft.AspNetCore.Mvc.Authorization;
services.AddControllersWithViews(options =>
{
    // Global filter: every controller action requires a signed-in user whose
    // token carries a "groups" claim equal to the given group object ID.
    var policy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .RequireClaim("groups", "YourGroupID")
        .Build();
    options.Filters.Add(new AuthorizeFilter(policy));
});
```
Note, from the documentation:
If a user is member of more groups than the overage limit (150 for SAML tokens, 200 for JWT tokens), then the Microsoft Identity Platform does not emit the groups claim in the token. Instead, it includes an overage claim in the token that indicates to the application to query the Graph API to retrieve the user’s group membership.
Method 2: Application roles
You can add app roles in your application and assign roles to users/groups, so that the roles will be included in the token after the user logs in and consents. Your application can then use a policy to restrict access based on the roles claim.
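The RequireClaim("groups", ...) filter in Method 1 silently denies everyone when the overage limit quoted in the note is hit, because the groups claim is then absent, and it also cannot express "member of any one of these groups". The following is an added example, not code from the answer, of a custom authorization requirement that covers both: it accepts any of a list of allowed group IDs and detects the overage marker claims (hasgroups, and _claim_names with a groups entry) so that the overage case is handled deliberately rather than by accident. GroupMembershipRequirement, GroupMembershipHandler, the policy name "FinanceTeamOnly" and the all-zero group ID are assumptions for illustration; the group ID would be replaced by the object ID of a real group from the Azure portal.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

// Requirement: the signed-in user must belong to at least one of the listed Azure AD groups.
public class GroupMembershipRequirement : IAuthorizationRequirement
{
    public IReadOnlyCollection<string> AllowedGroupIds { get; }

    public GroupMembershipRequirement(params string[] allowedGroupIds) =>
        AllowedGroupIds = allowedGroupIds;
}

public class GroupMembershipHandler : AuthorizationHandler<GroupMembershipRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, GroupMembershipRequirement requirement)
    {
        var user = context.User;

        // Overage: Azure AD left the groups claim out and signalled that the app must
        // query Microsoft Graph instead. The marker is "hasgroups" in ID tokens from
        // the implicit flow and a "_claim_names" claim naming "groups" in other JWTs.
        // This example fails closed; a production handler would resolve membership
        // through Graph (the user's memberOf) before deciding.
        bool overage = user.HasClaim(c => c.Type == "hasgroups")
            || user.FindAll("_claim_names").Any(c => c.Value.Contains("\"groups\""));
        if (overage)
        {
            context.Fail();
            return Task.CompletedTask;
        }

        // Normal case: one "groups" claim per group object ID the user belongs to.
        var userGroups = user.FindAll("groups").Select(c => c.Value);
        if (userGroups.Intersect(requirement.AllowedGroupIds, StringComparer.OrdinalIgnoreCase).Any())
        {
            context.Succeed(requirement);
        }
        return Task.CompletedTask;
    }
}

public static class GroupAuthorizationSetup
{
    // Call from Startup.ConfigureServices; then mark controllers or actions with
    // [Authorize(Policy = "FinanceTeamOnly")].
    public static void Configure(IServiceCollection services)
    {
        services.AddSingleton<IAuthorizationHandler, GroupMembershipHandler>();
        services.AddAuthorization(options =>
        {
            options.AddPolicy("FinanceTeamOnly", policy =>
                policy.RequireAuthenticatedUser()
                      .AddRequirements(new GroupMembershipRequirement(
                          "00000000-0000-0000-0000-000000000001"))); // placeholder group object ID
        });
    }
}
```

Because the handler never calls Succeed in the overage case, a user in more than 200 groups gets 403 until Graph-based resolution is added, which is the visible, reviewable behaviour you want instead of a filter that matches nothing. Method 2 (app roles) avoids the overage problem entirely, since only the roles assigned to the application are emitted, so it is the simpler choice when the set of privileged users is small.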
Source: https://stackoverflow.com/questions/61646582/how-i-can-restrict-the-authorize-attribute-to-certain-users-only-inside-my-asp