How to check if a user belongs to an AD group?
Since you're on .NET 3.5 and up, you should check out the System.DirectoryServices.AccountManagement
(S.DS.AM) namespace. Read all about it here:
- Managing Directory Security Principals in the .NET Framework 3.5
- MSDN docs on System.DirectoryServices.AccountManagement
Basically, you can define a domain context and easily find users and/or groups in AD:
using System.DirectoryServices.AccountManagement;

// set up domain context
PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "DOMAINNAME");

// find a user
UserPrincipal user = UserPrincipal.FindByIdentity(ctx, "SomeUserName");

// find the group in question
GroupPrincipal group = GroupPrincipal.FindByIdentity(ctx, "YourGroupNameHere");

// both lookups return null when nothing matches; IsMemberOf(null) would throw
if (user != null && group != null)
{
    // check if user is member of that group
    if (user.IsMemberOf(group))
    {
        // do something.....
    }
}
The new S.DS.AM makes it really easy to play around with users and groups in AD!
Active Directory: check if user belongs to a group
You can get the list of groups a user is a member of by querying the memberOf navigation property on the user object. Read about it here.
https://graph.windows.net/myorganization/users/{user_id}/$links/memberOf?api-version
Note that you can remove the $links part of the query to return the whole group object, rather than the link to the object. However, for simply validating that a user is a member of a certain group, you can use the links and compare the object id of the groups that are returned to the one you are looking for.
How to check if a user is in an AD group via Azure AD?
1. Getting Group Membership Claims as part of Token
You can enable group claims to come in as part of the access token for your application by editing your application's manifest (this can be done directly in the Azure Portal) and setting the "groupMembershipClaims" property to "All" or "SecurityGroup" as needed.
2. Group Ids are returned as part of Claims
Once the application manifest is updated as mentioned above, you can get Group Ids as part of the claims. Here's a quick sample for a decoded JWT token
3. Limit on the number of groups that can be returned as part of token
To ensure that the token size doesn't exceed HTTP header size limits, Azure AD limits the number of objectIds that it includes in the groups claim. If a user is a member of more groups than the overage limit (150 for SAML tokens, 200 for JWT tokens), then Azure AD does not emit the groups claim in the token. Instead, it includes an overage claim in the token that indicates to the application to query the Graph API to retrieve the user's group membership.
4. Relevant Microsoft Graph APIs
NOTE: Working with Microsoft Graph APIs can be pretty powerful, since you can get around overage scenarios as well as get all other kinds of information about groups if needed (like name). In this particular case, since the intent is to validate group membership, the group Id is the best field, as it will not change while others like name can.
Check member groups
This one will be helpful if you already know the groups that you want to check/validate membership in.
POST https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/checkMemberGroups
In the request body, you provide groupIds, i.e. a collection that contains the object IDs of the groups in which to check membership. Up to 20 groups may be specified.
{
    "groupIds": [
        "fee2c45b-915a-4a64b130f4eb9e75525e",
        "4fe90ae065a-478b9400e0a0e1cbd540"
    ]
}
user: getMemberGroups
This one will be helpful if you don't already know the group and want to get all the groups that this user belongs to.
POST https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/getMemberGroups
Here is another related SO Post
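Putting points 2 to 4 of this answer together, as an added example (not code from any of the answers above): a Python sketch that reads the groups claim from the token, treats a missing claim as the overage case, and falls back to the checkMemberGroups call, batching ids 20 at a time. It assumes the token signature was already validated by the app's middleware, that the Graph call is injected as a callable (so the logic runs offline), and that checkMemberGroups returns the matched ids in a "value" array; make_unsigned_token is a constructed fixture only.

```python
import base64
import json

GRAPH_CHECK_URL = "https://graph.microsoft.com/v1.0/users/{user}/checkMemberGroups"

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_claims(token: str) -> dict:
    """Parse the payload of a compact JWT. Parsing only: the signature is assumed
    to have been validated already by the app's token-validation middleware."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def membership_from_claims(claims: dict, group_id: str):
    """True/False when the token carries a groups claim, None when it does not.
    Above the overage limit (150 SAML / 200 JWT) Azure AD omits 'groups' and emits
    _claim_names/_claim_sources instead, so None means: ask Graph."""
    groups = claims.get("groups")
    if groups is None:
        return None
    return group_id in groups  # compare object ids, never display names

def check_member_groups_batches(user: str, group_ids: list) -> list:
    """Request bodies for checkMemberGroups, split at the 20-id maximum per call."""
    return [{"url": GRAPH_CHECK_URL.format(user=user),
             "body": {"groupIds": group_ids[i:i + 20]}}
            for i in range(0, len(group_ids), 20)]

def is_member(token: str, user: str, group_id: str, graph_post) -> bool:
    """Answer from the token if possible, otherwise via checkMemberGroups.
    graph_post(url, body) -> decoded JSON; injected so the logic runs offline."""
    verdict = membership_from_claims(jwt_claims(token), group_id)
    if verdict is not None:
        return verdict
    for req in check_member_groups_batches(user, [group_id]):
        # Graph replies {"value": [...]} listing the ids the user is a member of
        if group_id in graph_post(req["url"], req["body"]).get("value", []):
            return True
    return False

def make_unsigned_token(claims: dict) -> str:
    """Constructed test fixture only: an unsigned (alg=none) token with these claims."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f'{enc({"alg": "none", "typ": "JWT"})}.{enc(claims)}.'
```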