Question: How to perform permission-based authorization with Roles? about active-directory-dotnet-webapp-roleclaims HOT 5 CLOSED

The Admin Role Permissions page appears to be outlined in this fashion. For example, a user performing the action (permission) of microsoft.aad.directory/applications/audience/update would be granted access having either of the Application Administrator or Cloud Application Administrator roles.

Is it a correct assumption that these actions are managed internally by azure ad and not using a feature of azure ad itself exposed to Application Registrations or Enterprise Applications?

from active-directory-dotnet-webapp-roleclaims.

@tiny-dancer , the page you have provided is used by the Azure Service Management to implement Azure RBAC. Azure AD provides options to provide permissions using Scopes, that travel in the 'scp' claim. Currently we have an open ask to allow users to provide deeper permissions , like one or more security groups instead of "Groups.Read.All" or name of the actual Sharepoint sites over "Sites.ReadWrite.All". Its something we are considering, but we do not have an ETA for this.

from active-directory-dotnet-webapp-roleclaims.

If are building your own API, @tiny-dancer : I suggest you have a look at this sample:https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore (it explains how to define scopes)

from active-directory-dotnet-webapp-roleclaims.

@jmprieur @kalyankrishna1 thank you for your responses and thanks in advance for helping clarify Azure AD's current capabilities.

This is indeed related to using Azure AD for authorization of our own APIs.
Based on your responses, Azure AD does not support permission-based authorization and uses Scopes (application) and Roles (users) for authorization.

Extending the example provided, https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore by adding the requirement to limit those (applications and users) who can create tasks. Is the below an accurate implementation of adding this requirement? Am I missing Azure AD features?

Scopes

We start by adding the below scope:

TodoListService

• Tasks.Create

And updating the code to add Authorize, similar to:

// POST api/values
[Authorize(Policy = "Tasks.Create")]
[HttpPost]
public void Post([FromBody]TodoItem Todo)
{
      string owner = (User.FindFirst(ClaimTypes.NameIdentifier))?.Value;
      todoStore.Add(new TodoItem { Owner = owner, Title = Todo.Title });
}

• Applications: 👍 We successfully now have a way to limit which applications have access to create tasks. A consuming application will need to explicity request the Tasks.Create scope, such as TodoListClient.
• Users: 👎 We are not able to limit which users have access to create tasks, every user that logs into the TodoListClient application will have access to create tasks, as every user inherits that application's Task.Create access.

Roles

To limit which users have task create access our only other Azure AD options would be roles with allowedMemberTypes of User.

We update the code similar to (psuedo):

// POST api/values
[Authorize(Policy = "Tasks.Create")] or [Authorize(Roles = "TaskMaster")]
[HttpPost]
public void Post([FromBody]TodoItem Todo)
{
      string owner = (User.FindFirst(ClaimTypes.NameIdentifier))?.Value;
      todoStore.Add(new TodoItem { Owner = owner, Title = Todo.Title });
}

• Users: 👍 By explicity assigning users or groups to the defined TaskMaster role we can limit which users can create tasks.

Summary

👎 Using Roles leads us back to the OP and the downsides of implementing Role based authorization in code. This downside is further cemented by the fact that Azure Service Management's RBAC itself does not follow this implementation, instead authorizing against Actions and not directly against the Roles. Additionally it means the code will need different authorization logic between Applications and Users.

Thanks again!

from active-directory-dotnet-webapp-roleclaims.

I have exactly the same question. I would like to implement permission based authorization in my Applications and API's and be able to assign these permissions to roles that can be created dynamically.

Looks like competitors have had these features for some time. For example:
https://auth0.com/docs/authorization/concepts/rbac
https://auth0.com/docs/dashboard/guides/users/assign-permissions-users

I am also interested of the second issue you describe. Be able to assign permission to specific resources. For now it looks like I need to implement this in my own service instead of using AAD.

Are there any news regarding these features?

@tiny-dancer Did you find any good workarounds?

from active-directory-dotnet-webapp-roleclaims.