I want the login system for an ASP.NET MVC 5 website to be backed by Azure Active Directory.
Specifically, I want to find out whether the user is a member of a specific group and give access based on that.
I have code to query users/groups in AD, and only users from the AD get authenticated by Microsoft and redirected to the website.
But it seems that I need the user's principal name (UPN, ClaimTypes.Upn) to query the Azure AD graph API, while the OpenID Connect Provider just gives me some version of the user's e-mail address:
From OpenID Connect:
User.Identity.Name = live.com#[email protected]
From AD Graph API:
user.UserPrincipalName = timm_domain#[email protected]
Is there any possibility to get the internal user GUID or get from one ID to the other in order to be able to query the AD graph API for the current user?
Indeed. Get the ObjectId of the user from the objectidentifier claim, using:
ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value
The UPN property is set by default for regular organizational accounts, whereas you are signing in as an MSA (Microsoft Account) external user. MSA external users do not have the UPN property set by default. That said, you do not need the user's UPN to query their group membership using the Graph API; ObjectId is recommended. Further, we recommend that for authorization purposes you use the getMemberGroup API, which returns the transitive group membership of the user.
Hope this helps.
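As an added illustration of the advice above (this is example code, not from the question or the answers), the following MVC 5 authorization filter reads the objectidentifier claim instead of the UPN or e-mail, checks that the token came from the expected tenant, and then calls the Azure AD Graph getMemberGroups endpoint so that nested group membership is honoured. The tenant id and the allowed group's object id are placeholders, and GetGraphAccessTokenAsync() is a hypothetical stand-in for however the application acquires a Graph token for the signed-in user (for example with ADAL and the authorization code from the OpenID Connect sign-in).

```csharp
// Added example, not code from the original page.
// Authorizes the current user by Azure AD group membership using the
// immutable oid claim; UPN is not set for MSA external users, and
// unique_name/e-mail can change, so neither is a safe authorization key.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Newtonsoft.Json;

public class AadGroupAuthorizeAttribute : AuthorizeAttribute
{
    private const string ObjectIdClaim = "http://schemas.microsoft.com/identity/claims/objectidentifier";
    private const string TenantIdClaim = "http://schemas.microsoft.com/identity/claims/tenantid";

    // Placeholders (not values from the page): the tenant this app trusts and
    // the object id of the group whose members may use the protected action.
    private const string ExpectedTenantId = "<TENANT-ID-PLACEHOLDER>";
    private const string AllowedGroupObjectId = "<GROUP-OBJECT-ID-PLACEHOLDER>";

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (!base.AuthorizeCore(httpContext)) return false;
        var principal = httpContext.User as ClaimsPrincipal;
        if (principal == null) return false;

        // Reject tokens issued by any tenant other than the one this app expects.
        var tid = principal.FindFirst(TenantIdClaim)?.Value;
        if (!string.Equals(tid, ExpectedTenantId, StringComparison.OrdinalIgnoreCase)) return false;

        // oid is present for both organizational and MSA external users.
        var oid = principal.FindFirst(ObjectIdClaim)?.Value;
        if (string.IsNullOrEmpty(oid)) return false;

        var groupIds = GetTransitiveGroupIdsAsync(tid, oid).GetAwaiter().GetResult();
        return groupIds.Contains(AllowedGroupObjectId, StringComparer.OrdinalIgnoreCase);
    }

    // POST /{tenant}/users/{oid}/getMemberGroups returns the object ids of all
    // groups the user belongs to, directly or through nested groups.
    private static async Task<IList<string>> GetTransitiveGroupIdsAsync(string tenantId, string userObjectId)
    {
        var token = await GetGraphAccessTokenAsync(); // hypothetical helper, see below
        var url = "https://graph.windows.net/" + tenantId + "/users/" + userObjectId
                  + "/getMemberGroups?api-version=1.6";
        using (var http = new HttpClient())
        {
            http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
            var body = new StringContent("{\"securityEnabledOnly\": true}", Encoding.UTF8, "application/json");
            var response = await http.PostAsync(url, body);
            response.EnsureSuccessStatusCode();
            var json = await response.Content.ReadAsStringAsync();
            var result = JsonConvert.DeserializeObject<GetMemberGroupsResponse>(json);
            return result?.Value ?? new List<string>();
        }
    }

    // Graph returns {"value": ["<group-oid>", ...]} plus OData metadata we ignore.
    private class GetMemberGroupsResponse
    {
        public List<string> Value { get; set; }
    }

    // Hypothetical stand-in: the real application must acquire a token for the
    // https://graph.windows.net resource on behalf of the signed-in user.
    private static Task<string> GetGraphAccessTokenAsync()
    {
        throw new NotImplementedException("acquire a Graph access token (e.g. via ADAL) for the signed-in user");
    }
}
```

Apply it as [AadGroupAuthorize] on a controller or action. Because this calls Graph on every request, a production version would run the lookup once at sign-in (in the OpenID Connect notifications) and add the returned group ids as role claims to the identity, then authorize from the claims; doing the check from the oid rather than from unique_name also avoids matching on an identifier that a user can change.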
For reference on other claim types: the raw JWT access token issued by Azure AD for an MSA external user looks like this:
{
  "family_name": "Guest",
  "unique_name": "Live.com#[email protected]",
  "altsecid": "1:Live.com:00034001C80D80E9",
  "ver": "1.0",
  "aud": "https://graph.windows.net",
  "acr": "1",
  "iss": "https://sts.windows.net/62e173e9-301e-423e-bcd4-29121ec1aa24/",
  "oid": "fa6fa59a-5f2b-4069-a8e4-c76e52179f64",
  "scp": "Directory.Read UserProfile.Read",
  "idp": "Live.com",
  "email": "[email protected]",
  "appidacr": "1",
  "given_name": "AAD",
  "exp": 1403260411,
  "appid": "29181964-d91b-4331-859d-d815863848d6",
  "tid": "62e173e9-301e-423e-bcd4-29121ec1aa24",
  "iat": 1403256511,
  "amr": [
    "pwd"
  ],
  "nbf": 1403256511,
  "sub": "Wi6CVQ6FVj_aj3na076wm-C6eJy6CK6YhB3PR9Jpty0"
}