Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others
0 votes
252 views
in Technique by (71.8m points)

Asp .net core app authorization against Azure AD groups

I have a .NET Core 2.0 service in which I'm trying to implement authorization by reading groups from AAD.

What was done:

  1. In the Azure portal, in the app registration, modified the manifest - added "groupMembershipClaims": "SecurityGroup"
  2. In the app registration -> API permissions -> gave permission (screenshot: Permissions)

In the code:

using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

// Policy helper. Azure AD emits group object IDs under the claim type "groups",
// so that is the claim type the policy has to require.
public static class AuthorizationPolicy
{
    public static string Name => "GroupName";

    public static void Build(AuthorizationPolicyBuilder builder) =>
        builder.RequireClaim("groups", "06edc7ed-b0da-425f-b4a3-f501904e6c6f");
}

// In Startup.ConfigureServices(IServiceCollection services):
services.AddAuthorization(options =>
{
    options.AddPolicy("GroupName", policy =>
        policy.AddRequirements(
            new IsMemberOfGroupRequirement("GroupName", "06edc7ed-b0da-425f-b4a3-f501904e6c6f")));
});

Added AuthorizationHandler class

using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;

// Requirement type used above (not shown in the question; minimal version matching the (name, groupId) constructor call).
public class IsMemberOfGroupRequirement : IAuthorizationRequirement
{
    public IsMemberOfGroupRequirement(string name, string groupId) { Name = name; GroupId = groupId; }
    public string Name { get; }
    public string GroupId { get; }
}

public class IsMemberOfGroupHandler : AuthorizationHandler<IsMemberOfGroupRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, IsMemberOfGroupRequirement requirement)
    {
        // Azure AD emits one "groups" claim per group, valued with the group's object ID.
        var groupClaim = context.User.Claims
            .FirstOrDefault(claim => claim.Type == "groups" &&
                                     claim.Value.Equals(requirement.GroupId, StringComparison.InvariantCultureIgnoreCase));

        if (groupClaim != null)
            context.Succeed(requirement);

        return Task.CompletedTask;
    }
}
// The handler must also be registered, or the policy can never succeed:
// services.AddSingleton<IAuthorizationHandler, IsMemberOfGroupHandler>();

But the groups don't exist in the user's claims.

Please assist; what am I missing?


Fight with dragons too long and you become a dragon yourself; gaze into the abyss too long and the abyss gazes back into you...

1 Answer

0 votes
by (71.8m points)

It seems your registered app is used to request the Graph API, so the groups claim doesn't exist in the access token.

Here is what we need to know about the groups claim:

If we register an app in AD as clientApp and register another app (a web app or API app) in AD as backendApp, then add the permissions of backendApp to clientApp and request an access token for clientApp, the access token will contain the groups claim if you add "groupMembershipClaims": "SecurityGroup" to the manifest of backendApp. We can limit what the user can or can't do in backendApp according to his group (because backendApp, the web app or API app, belongs to us).

But if you register an app in AD as clientApp to request a token for the Graph API, the Graph API backendApp does not belong to us; it only exists as an enterprise app for the Graph API in AD. So we can't modify its manifest, and so the access token doesn't contain the groups claim. Actually, as the Graph API does not belong to us, it is meaningless to limit what the user can or can't do according to his group.

So the problem is by design. If you still want to get the groups claim, you can get it in the "id_token". Add openid to the "scope", and the response will contain an "id_token". Decode the "id_token" on this page and you can find the groups claim.


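The audience check that the answer above describes, as an added example that is not part of the original post and not code from the poster's service. The tokens are constructed and HS256-signed with a made-up key so the example runs offline; `OUR_API_CLIENT_ID`, the user names and `SHARED_KEY` are assumptions, the group ID is the one from the question, and the Graph application ID is Microsoft Graph's well-known one. Real Azure AD tokens are RS256-signed and must be validated against the tenant's published signing keys (the ASP.NET Core JWT bearer middleware does that); what the example shows is the decision logic: only a token whose `aud` is our own API can carry a `groups` claim we may act on, and the overage case, where Azure AD omits `groups` and emits `_claim_names`/`_claim_sources` instead, must fail closed rather than read as "not a member".

```python
"""
Added example: why a token minted for the Graph API carries no usable "groups"
claim for our API, and how the API should check audience before trusting groups.
Tokens are CONSTRUCTED and HS256-signed with a demo key (an assumption; Azure AD
uses RS256 and its keys are validated via the tenant's JWKS).
"""
import base64
import hashlib
import hmac
import json

# Assumed identifiers (hypothetical, shaped like the poster's setup).
OUR_API_CLIENT_ID = "11111111-2222-3333-4444-555555555555"
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph's well-known app ID
ALLOWED_GROUP = "06edc7ed-b0da-425f-b4a3-f501904e6c6f"   # group ID from the question
SHARED_KEY = b"constructed-demo-key-not-a-real-secret"  # demo only


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict) -> str:
    """Mint a constructed HS256 JWT (stand-in for the Azure AD issuer)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_token(token: str) -> dict:
    """Verify the signature and return the claims; reject tampered tokens."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SHARED_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


def forge_groups(token: str, group_id: str) -> str:
    """Attacker attempt: splice a groups claim into the payload without re-signing."""
    header, payload, sig = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    claims["groups"] = [group_id]
    return f"{header}.{_b64url(json.dumps(claims).encode())}.{sig}"


def is_member_of_group(token: str, group_id: str = ALLOWED_GROUP) -> bool:
    """
    The check the poster's IsMemberOfGroupHandler is meant to perform, plus the
    two things a resource server must do first: confirm the token was issued
    for *this* API (aud), and handle the groups overage case explicitly.
    """
    claims = decode_token(token)
    # A token minted for Graph (aud = Graph app ID) was never ours to authorize
    # against: Graph's manifest is Microsoft's, so no groups claim is emitted for us.
    if claims.get("aud") != OUR_API_CLIENT_ID:
        return False
    # Overage: Azure AD drops "groups" and points to Graph instead. Fail closed;
    # a missing claim here does NOT mean "not a member".
    if "groups" not in claims and ("_claim_names" in claims or claims.get("hasgroups")):
        raise LookupError("groups overage: query Graph for the user's memberships")
    groups = claims.get("groups", [])
    return any(g.lower() == group_id.lower() for g in groups)


# Constructed sample tokens (not real Azure AD output).
GRAPH_ACCESS_TOKEN = make_token({"aud": GRAPH_APP_ID, "scp": "User.Read",
                                 "upn": "alice@contoso.example"})
OUR_API_TOKEN = make_token({"aud": OUR_API_CLIENT_ID, "groups": [ALLOWED_GROUP.upper()],
                            "upn": "alice@contoso.example"})
OUR_API_TOKEN_OTHER_GROUP = make_token({"aud": OUR_API_CLIENT_ID,
                                        "groups": ["aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"]})
OVERAGE_TOKEN = make_token({"aud": OUR_API_CLIENT_ID,
                            "_claim_names": {"groups": "src1"},
                            "_claim_sources": {"src1": {"endpoint": "https://graph.example/me/getMemberObjects"}}})

if __name__ == "__main__":
    print("graph token member:", is_member_of_group(GRAPH_ACCESS_TOKEN))
    print("own API token member:", is_member_of_group(OUR_API_TOKEN))
```

The same `aud` discipline is what `ValidAudience` in the ASP.NET Core JWT bearer options enforces: a caller presenting a Graph access token to your API is rejected at authentication, before any group policy runs, instead of silently failing the `groups` lookup.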