How to Check If a User Belongs to an Ad Group

How to check if a user belongs to an AD group?

Since you're on .NET 3.5 and up, you should check out the System.DirectoryServices.AccountManagement (S.DS.AM) namespace. Read all about it here:

• Managing Directory Security Principals in the .NET Framework 3.5
• MSDN docs on System.DirectoryServices.AccountManagement

Basically, you can define a domain context and easily find users and/or groups in AD:

// set up domain context
PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "DOMAINNAME");

// find a user
UserPrincipal user = UserPrincipal.FindByIdentity(ctx, "SomeUserName");

// find the group in question
GroupPrincipal group = GroupPrincipal.FindByIdentity(ctx, "YourGroupNameHere");

if(user != null)
{
   // check if user is member of that group
   if (user.IsMemberOf(group))
   {
     // do something.....
   } 
}

The new S.DS.AM makes it really easy to play around with users and groups in AD!

Active directory check if user belongs to a group

You can get the list of groups a user is a member of by querying the memberOf navigation property on the user object.

Read about it here.

https://graph.windows.net/myorganization/users/{user_id}/$links/memberOf?api-version

Note that you can remove the $links part of the query to return the whole group object, rather than the link to the object. However, for simply validating a user is a member of a certain group, you can use the links, and compare the object id of the groups that are returned to the one you are looking for.

How to check if a user is in an AD group via Azure AD?

1. Getting Group Membership Claims as part of Token

You can enable group claims to come in as part of the access token for your application by editing your application's manifest (this can be done directly in Azure Portal) and setting "groupMembershipClaims" property to "All" or "SecurityGroup" as needed.

2. Group Ids are returned as part of Claims

Once application manifest is updated as mentioned above, you can get Group Id's as part of claims. Here's a quick sample for a decoded JWT token

3. Limit on the number of groups that can be returned as part of token

To ensure that the token size doesn't exceed HTTP header size limits, Azure AD limits the number of objectIds that it includes in the groups claim. If a user is member of more groups than the overage limit (150 for SAML tokens, 200 for JWT tokens), then Azure AD does not emit the groups claim in the token. Instead, it includes an overage claim in the token that indicates to the application to query the Graph API to retrieve the user's group membership.

4. Relevant Microsoft Graph APIs

NOTE: Working with Microsoft Graph APIs can be pretty powerful, since you can get around overage scenarios as well as get all other kinds of information about groups if needed (like name). In this particular case, since intent is to validate group membership, group Id is the best field as it will not change while others like name can.

Check member groups

This one will be helpful if you already know the groups that you want to check/validate membership in.

 POST https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/checkMemberGroups 

In request body, you can provide groupdIds, i.e. a collection that contains the object IDs of the groups in which to check membership. Up to 20 groups may be specified.

     {
      "groupIds": [
           "fee2c45b-915a-4a64b130f4eb9e75525e",
           "4fe90ae065a-478b9400e0a0e1cbd540"
       ]
     }

user: getMemberGroups

This one will be helpful if you don't already know the group and want to get all the groups that this user belongs to.

POST https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/getMemberGroups

Here is another related SO Post

---

Related Topics