So I've successfully integrated Azure AD authentication in my angular site as per the instructions in msal-angular and now I'm at the point where I'm looking to define and leverage roles and permissions to provide more granular control of what a user can and can't do.
From what I've been able to determine I can define roles by following this set of instructions (https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles) but msal-angular doesn't seem to expose this upon logging in - or at least I haven't found instructions on how to do this just yet.
Perhaps I'm missing something. Any suggestions would be appreciated
Protecting the Profile route means that even if a user does not sign in using the Login button, if they try to access the Profile route or click the Profile button, the MsalGuard will prompt the user to authenticate via popup or redirect before showing the Profile page.
Search for and select Azure Active Directory. Under Manage, select App registrations, and then select the application you want to define app roles in. Select App roles, and then select Create app role. In the Create app role pane, enter the settings for the role.
MSAL Angular provides an Interceptor class that automatically acquires tokens for outgoing requests that use the Angular http client to known protected resources. This doc provides more information about the configuring and using the MsalInterceptor .
To get the groups a user belongs to, you will need to add directory.read.all
to your scope in your Angular app and also in the API permissions in the Azure app settings.
let graphUser = await graphClient.api('/me').get();
let graphUserGroups = await graphClient.api(`/users/${graphUser.id}/memberOf`).get();
let user = new User();
user.id = graphUser.id;
user.displayName = graphUser.displayName;
// Prefer the mail property, but fall back to userPrincipalName
user.email = graphUser.mail || graphUser.userPrincipalName;
graphUserGroups.value.forEach(group => {
user.groups.push({
group_id: group.id,
group_name: group.displayName
});
});
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With