Authorize By Group in Azure Active Directory B2C
This will work, however you have to write a couple of lines of code in your authentication logic in order to achieve what you're looking for.
First of all, you have to distinguish between Roles
and Groups
in Azure AD (B2C).
User Role
is very specific and only valid within Azure AD (B2C) itself. The Role defines what permissions a user does have inside Azure AD .
Group
(or Security Group
) defines user group membership, which can be exposed to the external applications. The external applications can model Role based access control on top of Security Groups. Yes, I know it may sound a bit confusing, but that's what it is.
So, your first step is to model your Groups
in Azure AD B2C - you have to create the groups and manually assign users to those groups. You can do that in the Azure Portal (https://portal.azure.com/):
Then, back to your application, you will have to code a bit and ask the Azure AD B2C Graph API for users memberships once the user is successfully authenticated. You can use this sample to get inspired on how to get users group memberships. It is best to execute this code in one of the OpenID Notifications (i.e. SecurityTokenValidated) and add users role to the ClaimsPrincipal.
Once you change the ClaimsPrincipal to have Azure AD Security Groups and "Role Claim" values, you will be able to use the Authrize attribute with Roles feature. This is really 5-6 lines of code.
Finally, you can give your vote for the feature here in order to get group membership claim without having to query Graph API for that.
Grouping and searching the users in Azure B2C
Even though out-of-the-box AAD B2C does not expose functionality related to managing Security Groups, the following approach could be considered:
use regular AAD portal blade to create groups
assign users to groups via Azure AD B2C
Another option would be to introduce department
as custom attribute of User entity:
- via Azure AD B2C create a custom attribute or via API: create a
extensionProperty
endpoint - update user to save a department claim:
Example:
PATCH https://graph.microsoft.com/v1.0/users/{id-or-upn}
Content-type: application/json
{
"extension_{b2c-extensions-app-id}_Department": "--department name goes here--"
}
where extension_{b2c-extensions-app-id}_Department
corresponds to department custom attribute named by using the convention application (client) ID of the b2c-extensions-app
without the dashes
- and finally retrieve user properties along with department:
GET https://graph.microsoft.com/v1.0/users?$select=extension_{b2c-extensions-app-id}_Department
Azure B2C Authentication & Authorization for Multiple Web Apps
Under Features not applicable in Azure AD B2C tenants Application roles are Not currently available for Azure AD B2C.
As B2C is used for consumer accounts or identities, they sign-up to create the accounts,and Administrator should not be able to add their accounts to the app assigning the roles to their identities.in such cases you can make use of standard Azure AD .
However we can make use of custom claims in B2C where the consumer selects required role while sign up.
So that required role has to go through authorization process.For that app must be configured with roles.
For example in .net, you can configure extension role for particular controller actions for the users.For example, create a custom attribute named AADRole. Assign a value(which means its role access to certain apps)to different users and then get the claim from id token after B2C users sign in.
services.AddAuthorization(options =>
{
options.AddPolicy("Admin", policy =>
policy.RequireClaim("extension_Role", "Admin"));
});
by using authorize attribute
[Authorize(Policy = "Admin")]
References :
- using-custom-claims-for-azure-ad-b2c-roles
- SO reference
How can I use Custom Roles on Azure Ad B2C?
Am working toward the same goal , so here is what I found until this moment:
- Use Custom Policies with Identity Esperience Framework (IEF) : Here is an example of custom policies on RBAC example :
- Manually call the Graph API ( using msal library ) with the objectId of the connected user and an access token in order to get the groups to which the user belong : In this case you will create a group for each role , affect the users to the right groups based on their role, by finding the users group , u know what's his role , here is an example of implementing this kind of authorization on .Net5 web api and web App.
Didn' find anything related to managing users access with roles , so if you found any , do not hesitate to share . Thanks
Related Topics
Token Based Authentication in ASP.NET Core
How to Edit CSS Style of a Div Using C# in .Net
Cancellation Token in Task Constructor: Why
Casting a Result to Float in Method Returning Float Changes Result
Xdocument Containing Namespaces
Ignore Mapping One Property with Automapper
How to Sort Strings Alphabetically While Accounting for Value When a String Is Numeric
Has Foreach's Use of Variables Been Changed in C# 5
When Is It Appropriate to Use C# Partial Classes
Does Xaml Have a Conditional Compiler Directive for Debug Mode
Benchmarking Small Code Samples in C#, Can This Implementation Be Improved
Adding Stylesheets Programmatically in ASP.NET
Authorize by Group in Azure Active Directory B2C
Deserializing Dates with Dd/Mm/Yyyy Format Using JSON.Net
Comparing Two Strings, Ignoring Case in C#
C# Export Private/Public Rsa Key from Rsacryptoserviceprovider to Pem String