How to check if a user is in an AD group via Azure AD?


Question

Setup specifics

  • .NET 4.5.1 MVC project
  • The project contains .aspx files (legacy)
  • Currently authenticates users with an Azure cookie (cookie authentication)
  • Azure portal (via App Registration) configured for "Implicit grant - ID tokens" and "Accounts in this organizational directory only"
  • On-premises AD groups are pushed up to Azure AD

Startup.cs configuration

// Startup.cs (OWIN). The using directives are added for completeness; the
// statements below are the body of the Configuration(IAppBuilder app) method.
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Owin.Host.SystemWeb;        // SystemWebCookieManager
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.Notifications; // AuthorizationCodeReceivedNotification
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

// COOKIES: Tells it to use cookies for authentication.
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions()
{
    CookieManager = new SystemWebCookieManager()
});

// OPENID CONNECT: Azure AD sign-in; the resulting identity is persisted in the cookie above.
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions()
{
    ClientId = ClientID,
    Authority = Authority,
    PostLogoutRedirectUri = PostLogoutRedirectUri,
    Notifications = new OpenIdConnectAuthenticationNotifications()
    {
        AuthenticationFailed = PrincipalService.OnAzureAuthenticationFailure,
        AuthorizationCodeReceived = (AuthorizationCodeReceivedNotification notification) =>
        {
            // Name arrives as "live.com#user@domain" style; keep the part after '#'.
            var username = notification.AuthenticationTicket.Identity.Name.Split('#').LastOrDefault();
            var emailAddress = notification.AuthenticationTicket.Identity.Claims.FirstOrDefault(x => x.Type.Contains("emailaddress"))?.Value;
            Logger.Log(Level.Auth, $"Azure login success! Username: '{username}' Email: '{emailAddress}'.");
            return Task.FromResult(0);
        }
    }
});

Question

How can I, given this setup, check if the currently logged in user is in a particular AD group?

What I've tried

All the guides on using the Microsoft Graph API always run into a problem that I don't know how to get past (e.g. GetAccountsAsync returning empty, etc.).

I added the following to our app registration manifest:

"optionalClaims": {
    "idToken": [
        {
            "name": "email",
            "source": null,
            "essential": true,
            "additionalProperties": []
        },
        {
            "name": "groups",
            "source": null,
            "essential": true,
            "additionalProperties": []
        }
    ],
    "accessToken": [],
    "saml2Token": []
}

email works fine, but obviously groups doesn't as it was a shot in the dark.

Answer

1. Get group membership claims as part of the token

You can enable group claims to come in as part of the access token for your application by editing your application's manifest (this can be done directly in Azure Portal) and setting "groupMembershipClaims" property to "All" or "SecurityGroup" as needed.

2. Group IDs are returned as part of the claims

Once application manifest is updated as mentioned above, you can get Group Id's as part of claims. Here's a quick sample for a decoded JWT token

3. Limit on the number of groups that can be returned as part of the token

To ensure that the token size doesn't exceed HTTP header size limits, Azure AD limits the number of objectIds that it includes in the groups claim. If a user is member of more groups than the overage limit (150 for SAML tokens, 200 for JWT tokens), then Azure AD does not emit the groups claim in the token. Instead, it includes an overage claim in the token that indicates to the application to query the Graph API to retrieve the user's group membership.

4. Relevant Microsoft Graph APIs

NOTE: Working with Microsoft Graph APIs can be pretty powerful, since you can get around overage scenarios as well as get all other kinds of information about groups if needed (like name). In this particular case, since intent is to validate group membership, group Id is the best field as it will not change while others like name can.

Check member groups

This one will be helpful if you already know the groups that you want to check/validate membership in.

POST https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/checkMemberGroups

In the request body, you provide groupIds, i.e. a collection that contains the object IDs of the groups in which to check membership. Up to 20 groups may be specified.

{
  "groupIds": [
    "fee2c45b-915a-4a64-b130-f4eb9e75525e",
    "4fe90ae065a-478b9400e0a0e1cbd540"
  ]
}

user: getMemberGroups


This one will be helpful if you don't already know the group and want to get all the groups that this user belongs to.

POST https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/getMemberGroups

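The following C# is an added example, not code from the question or the answer above. It puts the answer's steps together for an OWIN/MVC app: read the group object IDs from the "groups" claim of the signed-in ClaimsPrincipal, detect the overage case (Azure AD emits a "_claim_names"/"_claim_sources" pair in v1 tokens, or "hasgroups" in v2 implicit-flow id_tokens, instead of the group list), and in that case fall back to Graph's checkMemberGroups with the user's object ID. It assumes the app manifest has been changed to "groupMembershipClaims": "SecurityGroup" as the answer describes, that Newtonsoft.Json is referenced (it ships with the MVC templates), and that the caller can supply a Microsoft Graph access token via the hypothetical getGraphToken delegate; acquiring that token is outside the scope of the page. The group IDs and object ID in Demo() are constructed placeholders.

```csharp
// Added example (not from the original question or answer). Assumptions are noted inline.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;
using Newtonsoft.Json;       // assumed available (ships with the MVC templates)
using Newtonsoft.Json.Linq;

public static class GroupMembershipCheck
{
    // Claim type Azure AD uses for group object IDs once "groupMembershipClaims" is set.
    private const string GroupsClaim = "groups";

    // Stable user identifier to use with Graph; the OWIN middleware maps "oid" to this URI type.
    private const string ObjectIdClaim = "http://schemas.microsoft.com/identity/claims/objectidentifier";

    // True when the token carries an overage marker instead of the group list, i.e. the
    // token alone cannot answer "is this user in group X?" and Graph must be queried.
    public static bool HasGroupsOverage(ClaimsPrincipal user)
    {
        return user.Claims.Any(c =>
            c.Type == "hasgroups" ||
            (c.Type == "_claim_names" && c.Value.Contains("\"groups\"")));
    }

    // Membership decision from the token only. Returns null on overage.
    // Compare object IDs, never display names: IDs are stable, names can be changed.
    public static bool? IsMemberFromToken(ClaimsPrincipal user, string groupObjectId)
    {
        if (HasGroupsOverage(user))
            return null;

        return user.FindAll(GroupsClaim)
                   .Any(c => string.Equals(c.Value, groupObjectId, StringComparison.OrdinalIgnoreCase));
    }

    // Overage path: POST /users/{id}/checkMemberGroups with 1..20 group IDs.
    // Graph returns in "value" the subset of the requested IDs the user is a member of.
    public static async Task<ISet<string>> CheckMemberGroupsAsync(
        HttpClient http, string graphAccessToken, string userIdOrUpn, IEnumerable<string> groupObjectIds)
    {
        var ids = groupObjectIds.Distinct(StringComparer.OrdinalIgnoreCase).ToList();
        if (ids.Count == 0 || ids.Count > 20)
            throw new ArgumentOutOfRangeException(nameof(groupObjectIds), "checkMemberGroups accepts 1 to 20 group IDs per call.");

        var url = "https://graph.microsoft.com/v1.0/users/" + Uri.EscapeDataString(userIdOrUpn) + "/checkMemberGroups";
        using (var request = new HttpRequestMessage(HttpMethod.Post, url))
        {
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", graphAccessToken);
            request.Content = new StringContent(
                JsonConvert.SerializeObject(new { groupIds = ids }), Encoding.UTF8, "application/json");

            using (var response = await http.SendAsync(request).ConfigureAwait(false))
            {
                response.EnsureSuccessStatusCode();
                var body = JObject.Parse(await response.Content.ReadAsStringAsync().ConfigureAwait(false));
                var members = body["value"]?.ToObject<List<string>>() ?? new List<string>();
                return new HashSet<string>(members, StringComparer.OrdinalIgnoreCase);
            }
        }
    }

    // Combined check: trust the token when it has the groups claim, fall back to Graph on overage.
    // getGraphToken is a hypothetical delegate supplied by the caller (token acquisition not shown).
    public static async Task<bool> IsMemberAsync(
        ClaimsPrincipal user, string groupObjectId, HttpClient http, Func<Task<string>> getGraphToken)
    {
        var fromToken = IsMemberFromToken(user, groupObjectId);
        if (fromToken.HasValue)
            return fromToken.Value;

        var oid = user.FindFirst(ObjectIdClaim)?.Value ?? user.FindFirst("oid")?.Value;
        if (oid == null)
            throw new InvalidOperationException("Token has no object identifier claim.");

        var groups = await CheckMemberGroupsAsync(http, await getGraphToken(), oid, new[] { groupObjectId });
        return groups.Contains(groupObjectId);
    }

    // Constructed sample principal (placeholder IDs, not a real token): user is in one group.
    public static bool Demo()
    {
        const string target = "fee2c45b-915a-4a64-b130-f4eb9e75525e";
        var identity = new ClaimsIdentity(new[]
        {
            new Claim(GroupsClaim, target),
            new Claim(ObjectIdClaim, "00000000-0000-0000-0000-000000000001"),
        }, "Cookies");
        return IsMemberFromToken(new ClaimsPrincipal(identity), target) == true;
    }
}
```

In a controller the check is `await GroupMembershipCheck.IsMemberAsync(User as ClaimsPrincipal, groupId, httpClient, getGraphToken)`; keep the Graph fallback because a user in more than 200 groups will otherwise be denied silently, since the "groups" claim is simply absent from their token.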