This post shows how to restrict access to an ASP.NET Core API to only allow users from a defined Azure AD group to use a protected API. The API uses an Azure App registration for authorization. The user signs in with an ASP.NET Core Razor page application or an Angular App and can access the API if the user is authorized, ie a member of the group which is required for access.
Posts in this Series
- Login and use an ASP.NET Core API with Azure AD Auth and user access tokens
- Angular SPA with an ASP.NET Core API using Azure AD Auth and user access tokens
- Restricting access to an Azure AD protected API using Azure AD Groups
- Using Azure CLI to create Azure App Registrations
In the Azure Active directory tenant, create new users or add existing users to the tenant. In this demo, an admin user which will be added to the AAD group was added. The access will be enabled for the group. We also add a second user which will not be a member of the group to test.
Create a new group in the Azure Active directory. Click the All Groups button, and then New Group.
Add the group name, and fill out the fields. We use a group type Security.
Add the members to the group as required.
Select Enterprise applications in the Azure AD and select the API to restrict the access. Select the api, which was created in the first blog post in this serious.
In the Properties, set the User assignment required? to yes. Now only users which are added in the app registration, can access the API.
Now click the Users and Groups. We will add a new user. This is used to add a new group as well as a new user.
You should be able to add a new group now. If you cannot add a new group, it is because you don’t have the correct Azure AD license.
Select the group you created above.
Now the applications can be used. Only users which are members of the admin group can request the scope to access the API.
Using the admin user, everything works as expected.
Using a user which is not in this group, the sign in fails and the identity cannot login to access the API.
Next step would be to script this using Azure CLI or Azure Arm templates.