Restricting access to an Azure AD protected API using Azure AD Groups

This post shows how to restrict access to an ASP.NET Core API to only allow users from a defined Azure AD group to use a protected API. The API uses an Azure App registration for authorization. The user signs in with an ASP.NET Core Razor page application or an Angular App and can access the API if the user is authorized, ie a member of the group which is required for access.

Code: https://github.com/damienbod/AzureAD-Auth-MyUI-with-MyAPI

Posts in this Series

In the Azure Active directory tenant, create new users or add existing users to the tenant. In this demo, an admin user which will be added to the AAD group was added. The access will be enabled for the group. We also add a second user which will not be a member of the group to test.

Create a new group in the Azure Active directory. Click the All Groups button, and then New Group.

Add the group name, and fill out the fields. We use a group type Security.

Add the members to the group as required.

Select Enterprise applications in the Azure AD and select the API to restrict the access. Select the api, which was created in the first blog post in this serious.

In the Properties, set the User assignment required? to yes. Now only users which are added in the app registration, can access the API.

Now click the Users and Groups. We will add a new user. This is used to add a new group as well as a new user.

You should be able to add a new group now. If you cannot add a new group, it is because you don’t have the correct Azure AD license.

Select the group you created above.

Now the applications can be used. Only users which are members of the admin group can request the scope to access the API.

Using the admin user, everything works as expected.

Using a user which is not in this group, the sign in fails and the identity cannot login to access the API.

Next step would be to script this using Azure CLI or Azure Arm templates.

Links:

https://github.com/AzureAD/microsoft-identity-web

https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2

https://jwt.io/

https://www.npmjs.com/package/angular-auth-oidc-client

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: