How to check if a user is in an AD group via Azure AD?


Problem description

Setup specifics

  • .NET 4.5.1 MVC project
  • Project contains .aspx files (legacy)
  • Currently authenticates via cookies using Azure AD.
  • Azure Portal configured (via App Registration) with "Implicit grant - ID tokens" and "Accounts in this organizational directory only"
  • On-premises AD groups are pushed up to Azure AD.

Startup.cs configuration

// COOKIES: Tells it to use cookies for authentication.
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions()
{
    CookieManager = new SystemWebCookieManager()
});

app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions()
{
    ClientId = ClientID,
    Authority = Authority,
    PostLogoutRedirectUri = PostLogoutRedirectUri,
    Notifications = new OpenIdConnectAuthenticationNotifications()
    {
        AuthenticationFailed = PrincipalService.OnAzureAuthenticationFailure,
        AuthorizationCodeReceived = (AuthorizationCodeReceivedNotification notification) =>
        {
            var username = notification.AuthenticationTicket.Identity.Name.Split('#').LastOrDefault();
            var emailAddress = notification.AuthenticationTicket.Identity.Claims.FirstOrDefault(x => x.Type.Contains("emailaddress"))?.Value;
            Logger.Log(Level.Auth, $"Azure login success! Username: '{username}' Email: '{emailAddress}'.");
            return Task.FromResult(0);
        }
    }
});

Question

How can I, given this setup, check if the currently logged in user is in a particular AD Group?

What I've tried

All the guides on doing Microsoft Graph API always come up with a problem that I don't know how to get past (e.g. GetAccountsAsync returning empty, etc).

I added the following to our app registration manifest:

"optionalClaims": {
    "idToken": [
        {
            "name": "email",
            "source": null,
            "essential": true,
            "additionalProperties": []
        },
        {
            "name": "groups",
            "source": null,
            "essential": true,
            "additionalProperties": []
        }
    ],
    "accessToken": [],
    "saml2Token": []
}

email works fine, but obviously groups doesn't, as it was a shot in the dark.

Answer

1. Get group membership claims as part of the token

You can enable group claims to come in as part of the access token for your application by editing your application's manifest (this can be done directly in Azure Portal) and setting the "groupMembershipClaims" property to "All" or "SecurityGroup" as needed.

2. Group IDs returned as part of claims

Once the application manifest is updated as mentioned above, you can get Group IDs as part of claims. Here's a quick sample for a decoded JWT token

3. Limit on the number of groups that can be returned as part of the token

To ensure that the token size doesn't exceed HTTP header size limits, Azure AD limits the number of objectIds that it includes in the groups claim. If a user is a member of more groups than the overage limit (150 for SAML tokens, 200 for JWT tokens), then Azure AD does not emit the groups claim in the token. Instead, it includes an overage claim in the token that indicates to the application to query the Graph API to retrieve the user's group membership.

4. Relevant Microsoft Graph APIs

NOTE: Working with Microsoft Graph APIs can be pretty powerful, since you can get around overage scenarios as well as get all other kinds of information about groups if needed (like name). In this particular case, since the intent is to validate group membership, group ID is the best field, as it will not change while others like name can.

user: checkMemberGroups

This one will be helpful if you already know the groups that you want to check/validate membership in.

POST https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/checkMemberGroups

In the request body, you can provide groupIds, i.e. a collection that contains the object IDs of the groups in which to check membership. Up to 20 groups may be specified.

{
    "groupIds": [
        "fee2c45b-915a-4a64b130f4eb9e75525e",
        "4fe90ae065a-478b9400e0a0e1cbd540"
    ]
}

user: getMemberGroups

This one will be helpful if you don't already know the group and want to get all the groups that this user belongs to.

POST https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/getMemberGroups

Here is another related SO post.
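As an added example (not part of the original answer or the asker's project), here is how the steps above fit together in the asker's ASP.NET/OWIN setup: read the group object IDs from the signature-validated "groups" claims, detect the overage marker, and only then fall back to checkMemberGroups, batched at the 20-ID limit. It assumes a Graph-scoped access token is obtained elsewhere (the asker's open problem), that Newtonsoft.Json is referenced, and that the overage marker appears as `_claim_names` (v1 tokens) or `hasgroups` (v2 ID tokens).

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;
using Newtonsoft.Json;

public static class GroupMembership
{
    // Azure AD signals a groups overage by omitting "groups" and emitting
    // "_claim_names"/"_claim_sources" (v1 tokens) or "hasgroups" (v2 ID tokens) [assumed markers].
    public static bool HasGroupsOverage(ClaimsPrincipal user) =>
        user.HasClaim(c => c.Type == "_claim_names" || c.Type == "hasgroups");
    // Fast path: match the group object ID (never the display name); the middleware emits one "groups" claim per group.
    public static bool IsInGroupFromToken(ClaimsPrincipal user, Guid groupId) =>
        user.FindAll("groups").Any(c => string.Equals(c.Value, groupId.ToString("D"), StringComparison.OrdinalIgnoreCase));
    // Slow path: POST /users/{upn}/checkMemberGroups, at most 20 IDs per request.
    public static async Task<HashSet<Guid>> CheckMemberGroupsAsync(HttpClient graph,
        string graphAccessToken, string userPrincipalName, IEnumerable<Guid> groupIds)
    {
        var found = new HashSet<Guid>();
        var url = "https://graph.microsoft.com/v1.0/users/" + Uri.EscapeDataString(userPrincipalName) + "/checkMemberGroups";
        foreach (var batch in groupIds.Select((id, i) => new { id, i }).GroupBy(x => x.i / 20, x => x.id))
        {
            var body = JsonConvert.SerializeObject(new { groupIds = batch.Select(g => g.ToString("D")) });
            var req = new HttpRequestMessage(HttpMethod.Post, url)
                { Content = new StringContent(body, Encoding.UTF8, "application/json") };
            req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", graphAccessToken);
            var resp = await graph.SendAsync(req);
            resp.EnsureSuccessStatusCode();
            // Response shape is { "value": [ "<matching group id>", ... ] }
            var parsed = JsonConvert.DeserializeAnonymousType(
                await resp.Content.ReadAsStringAsync(), new { value = new List<string>() });
            foreach (var v in parsed.value) found.Add(Guid.Parse(v));
        }
        return found;
    }
    // Entry point for a controller or action filter: token claims first, Graph only on overage.
    public static async Task<bool> IsInGroupAsync(ClaimsPrincipal user, Guid groupId,
        HttpClient graph, string graphAccessToken)
    {
        if (!HasGroupsOverage(user)) return IsInGroupFromToken(user, groupId);
        var upn = user.FindFirst(ClaimTypes.Upn)?.Value ?? user.FindFirst("preferred_username")?.Value;
        var hits = await CheckMemberGroupsAsync(graph, graphAccessToken, upn, new[] { groupId });
        return hits.Contains(groupId);
    }
}
```

The fast path is safe to trust only because the OpenID Connect middleware has already validated the token signature, issuer and audience before populating the ClaimsPrincipal; the Graph fallback costs one round trip per 20 group IDs.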
