如何确定用户是天蓝色活动目录中成员的组 [英] how to determine which group a user is a member of in azure active directory
问题描述
我正在使用azure活动目录来控制用户对我的Web应用程序的访问.这一切都很好,但是我无法弄清楚如何识别当前登录用户所属的组.在ClaimsIdentity中,我可以看到天蓝色的两个组的设置,但是我无法确定用户是其中一个组的成员(它们将仅属于2个组中的1个).我有此代码,并且在我的web.config中还有一个密钥与我的管理员用户的密钥相匹配,但是我的两个组都在Claimsidentity对象中.那么如何确定该用户是否在我的管理员组中?
I'm using azure active directory to control user access to my web app. This all works well, but I cant figure out how to identify which group the currently logged in user is a member of. In ClaimsIdentity I can see both groups setup in azure, but I cant determine which one of these groups the user is a member of (they will only belong to 1 of 2 groups). I have this code and also a key in my web.config that matches the key of my admin user, but both of my groups are in the claimsidentity object. So how can I determine if this user is in my admin group ?
var groups = identity.Claims.Where(x => x.Type.Equals("groups")).ToList();
//this is a GUID that should match the group objectID for Adminusers in the azure active directory
string admin = Helpers.Settings.AdminUser;
if (groups.Any(c => c.Value.Contains(admin)))
{
return true;
}
else
{
return false;
}
我一定是走错路了,有人帮我吗?
I must be going about this the wrong way, anyone help me out ?
推荐答案
It seems you have enabled Group Claims to check a user’s membership in a specific security group (or groups).
网上论坛声明将返回当前用户所属的网上论坛和DirectoryRoles的集合.例如,如果用户是您AAD中的全局管理员,并且属于一个组.使用组声明,您将获得两个记录(1个组和1个目录角色).
The group claims will return a collection of the Groups and DirectoryRoles that current user is a member of . For example , if user is a global administrator in your AAD , and belongs to one group . With group claims you will get two records(1 groups and 1 directory role) .
如果要获取用户具有直接或传递成员资格的所有组(没有DirectoryRoles),我们可以致电
If you to want to get all of the groups(no DirectoryRoles) that the user has direct or transitive membership in , we could call the getMemberGroups function using Azure AD Graph API .
在您的情况下,要检查用户是否在管理员组中,可以检查groups Claim中是否存在管理员组的对象ID.如果存在,则该用户属于管理员组.
In your scenario , to check whether user is in your admin group , you can check whether object ID of admin group exists in groups claim . If exists ,the user belongs to admin group .
这篇关于如何确定用户是天蓝色活动目录中成员的组的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
