Authorize by Group in Azure Active Directory B2C

Authorize By Group in Azure Active Directory B2C

This will work, however you have to write a couple of lines of code in your authentication logic in order to achieve what you're looking for.

First of all, you have to distinguish between Roles and Groups in Azure AD (B2C).

User Role is very specific and only valid within Azure AD (B2C) itself. The Role defines what permissions a user has inside Azure AD.

Group (or Security Group) defines user group membership, which can be exposed to the external applications. The external applications can model Role based access control on top of Security Groups. Yes, I know it may sound a bit confusing, but that's what it is.

So, your first step is to model your Groups in Azure AD B2C - you have to create the groups and manually assign users to those groups. You can do that in the Azure Portal (https://portal.azure.com/):

(Illustration of the Azure portal)

Then, back in your application, you will have to code a bit and ask the Azure AD B2C Graph API for the user's group memberships once the user is successfully authenticated. You can use this sample to get inspired on how to get a user's group memberships. It is best to execute this code in one of the OpenID notifications (i.e. SecurityTokenValidated) and add the user's roles to the ClaimsPrincipal.

Once you change the ClaimsPrincipal to have Azure AD Security Groups and "Role Claim" values, you will be able to use the Authorize attribute with the Roles feature. This is really 5-6 lines of code.

Finally, you can give your vote for the feature here in order to get group membership claim without having to query Graph API for that.
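The handler described in the answer above, written out as an added example (this is not the answer's sample code and not a Microsoft sample): an ASP.NET Core OpenID Connect OnTokenValidated handler that reads the signed-in user's object id from the token, calls Microsoft Graph GET /users/{oid}/memberOf with an application token, and adds a role claim for every security group that is mapped to an application role. It assumes the app registration has been granted an application permission that can read group membership (GroupMember.Read.All or Directory.Read.All) with admin consent, that the environment variables B2C_CLIENT_ID, B2C_CLIENT_SECRET and B2C_TENANT_ID hold the registration's values, and that the group object ids in the map are placeholders you replace with your own. Groups are matched on object id rather than display name, because display names are not unique and can be changed.

```csharp
// Added example, not code from the original answer. Maps Azure AD B2C security groups
// to application roles in the OpenID Connect OnTokenValidated event.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Client;

public static class GroupRoleClaims
{
    // Map group OBJECT IDs (not display names, which are not unique) to application roles.
    // The GUIDs below are placeholders; take the real ones from the Groups blade in the portal.
    private static readonly IReadOnlyDictionary<string, string> GroupToRole =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["00000000-0000-0000-0000-000000000001"] = "Admin",
            ["00000000-0000-0000-0000-000000000002"] = "Editor",
        };

    private static readonly HttpClient Http = new HttpClient();

    // Wire up with: options.Events.OnTokenValidated = GroupRoleClaims.OnTokenValidated;
    public static async Task OnTokenValidated(TokenValidatedContext ctx)
    {
        var identity = (ClaimsIdentity)ctx.Principal!.Identity!;
        // B2C puts the user's object id in the "oid" claim; ASP.NET Core maps it to the
        // objectidentifier claim type, so check both.
        var oid = identity.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier")?.Value
                  ?? identity.FindFirst("oid")?.Value;
        if (string.IsNullOrEmpty(oid)) return; // cannot look up groups without an object id

        var token = await AcquireGraphTokenAsync();
        foreach (var role in await GetRolesForUserAsync(Http, token, oid))
            identity.AddClaim(new Claim(identity.RoleClaimType, role));
    }

    // Client-credentials token for Graph: the application, not the user, reads group membership.
    private static async Task<string> AcquireGraphTokenAsync()
    {
        var app = ConfidentialClientApplicationBuilder
            .Create(Environment.GetEnvironmentVariable("B2C_CLIENT_ID"))
            .WithClientSecret(Environment.GetEnvironmentVariable("B2C_CLIENT_SECRET"))
            .WithAuthority(new Uri($"https://login.microsoftonline.com/{Environment.GetEnvironmentVariable("B2C_TENANT_ID")}"))
            .Build();
        var result = await app.AcquireTokenForClient(new[] { "https://graph.microsoft.com/.default" }).ExecuteAsync();
        return result.AccessToken;
    }

    // GET /users/{oid}/memberOf, following @odata.nextLink so membership in many groups
    // is not silently truncated. Non-group directory objects (e.g. directoryRole) are skipped.
    public static async Task<List<string>> GetRolesForUserAsync(HttpClient http, string accessToken, string oid)
    {
        var roles = new List<string>();
        string? url = $"https://graph.microsoft.com/v1.0/users/{Uri.EscapeDataString(oid)}/memberOf?$select=id,displayName";
        while (url != null)
        {
            using var req = new HttpRequestMessage(HttpMethod.Get, url);
            req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
            using var resp = await http.SendAsync(req);
            resp.EnsureSuccessStatusCode();
            using var doc = JsonDocument.Parse(await resp.Content.ReadAsStringAsync());
            foreach (var item in doc.RootElement.GetProperty("value").EnumerateArray())
            {
                if (!item.TryGetProperty("@odata.type", out var type) || type.GetString() != "#microsoft.graph.group")
                    continue;
                if (GroupToRole.TryGetValue(item.GetProperty("id").GetString()!, out var role))
                    roles.Add(role);
            }
            url = doc.RootElement.TryGetProperty("@odata.nextLink", out var next) ? next.GetString() : null;
        }
        return roles;
    }
}
```

Because the roles are added to the ClaimsIdentity under its RoleClaimType, [Authorize(Roles = "Admin")] works on controllers without further configuration. Keep the group-to-role map out of user-controlled data: only the group object ids you configure grant a role, and any group the user belongs to that is not in the map is ignored.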

Grouping and searching the users in Azure B2C

Even though out-of-the-box AAD B2C does not expose functionality related to managing Security Groups, the following approach could be considered:

  1. use regular AAD portal blade to create groups

  2. assign users to groups via Azure AD B2C

Another option would be to introduce department as custom attribute of User entity:

  1. via Azure AD B2C create a custom attribute, or via API: create an extensionProperty endpoint
  2. update user to save a department claim:

Example:

PATCH https://graph.microsoft.com/v1.0/users/{id-or-upn}
Content-type: application/json

{
"extension_{b2c-extensions-app-id}_Department": "--department name goes here--"
}

where extension_{b2c-extensions-app-id}_Department corresponds to the department custom attribute, named by using the convention: application (client) ID of the b2c-extensions-app without the dashes.

  3. and finally retrieve user properties along with department: GET https://graph.microsoft.com/v1.0/users?$select=extension_{b2c-extensions-app-id}_Department
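The naming convention and the two Graph calls from the steps above, as an added example (not code from the answer): a helper that builds the extension attribute name from the b2c-extensions-app client id, a PATCH that writes the department on one user, and a paged GET that lists users with that attribute. It assumes the caller already holds a Graph access token with User.ReadWrite.All; the client id, user id and department value passed in are placeholders.

```csharp
// Added example, not code from the original answer. Read and write a B2C custom
// attribute ("extension property") through Microsoft Graph.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

public static class B2CCustomAttributes
{
    // Graph exposes a B2C custom attribute as
    // extension_<client id of the b2c-extensions-app, dashes removed>_<AttributeName>.
    public static string ExtensionAttributeName(string b2cExtensionsAppClientId, string attributeName)
    {
        var appId = b2cExtensionsAppClientId.Replace("-", "");
        if (appId.Length != 32)
            throw new ArgumentException("expected a client id GUID", nameof(b2cExtensionsAppClientId));
        return $"extension_{appId}_{attributeName}";
    }

    // PATCH /users/{id-or-upn} with a body of {"<attribute>": "<value>"}; Graph answers 204 on success.
    public static async Task SetDepartmentAsync(HttpClient http, string accessToken,
        string userIdOrUpn, string attributeName, string department)
    {
        var body = JsonSerializer.Serialize(new Dictionary<string, string> { [attributeName] = department });
        using var req = new HttpRequestMessage(HttpMethod.Patch,
            $"https://graph.microsoft.com/v1.0/users/{Uri.EscapeDataString(userIdOrUpn)}")
        {
            Content = new StringContent(body, Encoding.UTF8, "application/json"),
        };
        req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        using var resp = await http.SendAsync(req);
        resp.EnsureSuccessStatusCode();
    }

    // GET /users?$select=id,<attribute>, following paging. Users without the attribute set
    // come back with a null value.
    public static async Task<List<(string Id, string? Department)>> ListDepartmentsAsync(
        HttpClient http, string accessToken, string attributeName)
    {
        var users = new List<(string, string?)>();
        string? url = $"https://graph.microsoft.com/v1.0/users?$select=id,{attributeName}";
        while (url != null)
        {
            using var req = new HttpRequestMessage(HttpMethod.Get, url);
            req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
            using var resp = await http.SendAsync(req);
            resp.EnsureSuccessStatusCode();
            using var doc = JsonDocument.Parse(await resp.Content.ReadAsStringAsync());
            foreach (var u in doc.RootElement.GetProperty("value").EnumerateArray())
            {
                string? dept = u.TryGetProperty(attributeName, out var d) && d.ValueKind == JsonValueKind.String
                    ? d.GetString() : null;
                users.Add((u.GetProperty("id").GetString()!, dept));
            }
            url = doc.RootElement.TryGetProperty("@odata.nextLink", out var next) ? next.GetString() : null;
        }
        return users;
    }
}
```

Usage: `var name = B2CCustomAttributes.ExtensionAttributeName("<b2c-extensions-app client id>", "Department");` then `await B2CCustomAttributes.SetDepartmentAsync(http, token, "<user object id>", name, "Finance");`. Because the attribute value is written by your application with an application token, it is trustworthy in a way a value the user self-selected at sign-up is not; only trust the claim for authorization if your own code controls who can set it.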

Azure B2C Authentication & Authorization for Multiple Web Apps

Under Features not applicable in Azure AD B2C tenants Application roles are Not currently available for Azure AD B2C.

As B2C is used for consumer accounts or identities, the users sign up to create the accounts, and an Administrator should not be able to add their accounts to the app by assigning roles to their identities. In such cases you can make use of standard Azure AD.

However we can make use of custom claims in B2C where the consumer selects required role while sign up.

So that required role has to go through the authorization process. For that, the app must be configured with roles.

For example, in .NET you can configure the extension role for particular controller actions for the users. For example, create a custom attribute named AADRole. Assign a value (which means its role access to certain apps) to different users and then get the claim from the id token after B2C users sign in.

services.AddAuthorization(options =>
{
    // Policy that succeeds only when the id token carries the custom attribute claim
    // with the value "Admin". B2C emits a custom attribute as a claim named
    // "extension_<AttributeName>", so the claim type here must match the attribute
    // name exactly as it appears in the token.
    options.AddPolicy("Admin", policy =>
        policy.RequireClaim("extension_Role", "Admin"));
});

and apply it by using the Authorize attribute:

[Authorize(Policy = "Admin")]

References :

  1. using-custom-claims-for-azure-ad-b2c-roles
  2. SO reference

How can I use Custom Roles on Azure Ad B2C?

I am working toward the same goal, so here is what I have found so far:

  • Use Custom Policies with the Identity Experience Framework (IEF). Here is an example of custom policies on an RBAC example:
  • Manually call the Graph API (using the MSAL library) with the objectId of the connected user and an access token in order to get the groups to which the user belongs. In this case you will create a group for each role and assign the users to the right groups based on their role; by finding the user's groups, you know what their role is. Here is an example of implementing this kind of authorization on a .NET 5 web API and web app.

I didn't find anything related to managing user access with roles, so if you find any, do not hesitate to share. Thanks
