How can I get roles from AD with MVC Azure AD Authentication?

时光取名叫无心 2021-02-06 06:53

I set up an MVC 4 application and added authentication against our Azure AD server as outlined here: http://msdn.microsoft.com/en-us/library/windowsazure/dn151790.aspx

A

2 answers
  •  长情又很酷
    2021-02-06 07:39

    Sean's answer is a bit outdated. You can now configure Azure AD so that it includes groups or roles inside the JWT token; they then show up in ClaimsPrincipal.Current.Claims, so the standard [Authorize(Roles = "yourRoleName")] attribute will work.

    Here is the introduction post, which basically says you have two options:

    1. Use the groups claim - you need to change the groupMembershipClaims value in the app manifest, and later in the application you can check ClaimsPrincipal.Current.FindFirst("groups").Value to see which group the user is in (you only get the group id). You can write your own Authorize attribute that uses this. more info

    2. Define roles for your application and then use the normal code for testing whether the user is in a role:

      [PrincipalPermission(SecurityAction.Demand, Role = "yourRoleName")]

      [Authorize(Roles = "yourRoleName")]

      if (ClaimsPrincipal.Current.IsInRole("yourRoleName")) { /* do something */ }

      You need to edit the roles in your app's manifest. More info here and here. The values that need to be set in the manifest are described here.

    What is really strange is that you can't assign more than one role to a group from the Azure web page. You need to use the Azure Graph API for this.

    If you can't see the Users and Groups tab in the Azure portal you probably need the Azure AD Basic or Premium edition. If you are working on a free Azure subscription you can use the free Azure AD Premium trial to test stuff.
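The answer above says you can "write your own Authorize attribute" over the groups claim and use IsInRole for app roles. The following is an added example (not code from the answer, the question, or Microsoft's sample) of what such an attribute looks like in ASP.NET MVC: it reads the "groups" claims Azure AD puts in the token, compares them against a list of allowed group object IDs, and fails closed when the token carries the "_claim_names" overage marker instead of a group list. The group GUID and the "Admin" role name are constructed placeholders; the class and controller names are the example's own.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;

// Added example: authorize on Azure AD group object IDs carried in the "groups" claim.
// The allowed IDs passed to the attribute are placeholders; use your directory's real group IDs.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true)]
public sealed class AuthorizeGroupAttribute : AuthorizeAttribute
{
    // Azure AD emits one "groups" claim per group; each value is the group's object ID (a GUID).
    private const string GroupsClaimType = "groups";

    // When the user belongs to more groups than fit in the token, Azure AD omits "groups"
    // and emits "_claim_names"/"_claim_sources" instead (the group overage case).
    private const string ClaimNamesClaimType = "_claim_names";

    private readonly string[] _allowedGroupIds;

    public AuthorizeGroupAttribute(params string[] allowedGroupIds)
    {
        _allowedGroupIds = allowedGroupIds ?? new string[0];
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Keep the base checks (authenticated user, any Users/Roles filters) as the first gate.
        if (!base.AuthorizeCore(httpContext))
            return false;

        var principal = httpContext.User as ClaimsPrincipal;
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            return false;

        // Fail closed on overage: the token has no group list, so a membership check here
        // cannot be trusted. Resolve the user's groups through the Graph API in that case.
        if (principal.HasClaim(c => c.Type == ClaimNamesClaimType))
            return false;

        // Every "groups" claim value the token carries for this user.
        var userGroupIds = principal.FindAll(GroupsClaimType).Select(c => c.Value);

        // GUID strings: compare case-insensitively with an ordinal comparer (no culture rules).
        return userGroupIds.Any(g => _allowedGroupIds.Contains(g, StringComparer.OrdinalIgnoreCase));
    }
}

// Usage on a controller. The GUID below is a constructed placeholder, not a real group.
public class ReportsController : Controller
{
    [AuthorizeGroup("00000000-0000-0000-0000-000000000001")]
    public ActionResult Index()
    {
        // Option 2 from the answer: app roles arrive as "roles" claims. IsInRole checks the
        // identity's RoleClaimType, so the sign-in middleware must map "roles" to it
        // (with the OWIN OpenID Connect middleware: TokenValidationParameters.RoleClaimType = "roles").
        // "Admin" is a placeholder role name defined in the app manifest.
        ViewBag.IsAdmin = ClaimsPrincipal.Current.IsInRole("Admin");
        return View();
    }
}
```

Two design points worth keeping: the attribute only ever widens access when a group ID from the token matches an allowed ID, so an empty or missing "groups" claim denies by default, and the explicit "_claim_names" check makes the overage case an explicit deny rather than a silent one you only discover when a large-group user reports being locked out.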
