Question

It's my first post here so please be gentle with me! :)

I'm trying to develop an application using Azure ACS (i.e. Office 365) as the authentication system. The authentication side of things seems to work nicely: I'm redirected to the Office 365 login page and can successfully log in. My code then uses the Graph API to get additional information on that user.

What I am struggling with is to get a list of the AD groups that the logged on person is a member of. When I request a list of groups I only get back the Office 365 security roles.

Here's what I've done (I hope I've included everything relevant)

From within Azure;

  • Gone in to active directory
  • Selected my domain (which DirSyncs from on-prem AD)
  • Created a new application
  • Allowed Read directory data and Enable sign-on and read users' profiles
  • Created a new key

From within my test app;

  • Created a new web application (standard web forms)
  • Used the Identity and Access setup to specify 'use a business identity provider'
  • Added a clientID and password to the app.settings file
  • Added the Windows Azure Active Directory Graph Helper project

Here's my relevant code

        IPrincipal myPrincipal = this.User;

        //get the tenantName
        string tenantName = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value;

        // retrieve the clientId and password values from the Web.config file
        string clientId = Properties.Settings.Default.ClientID;
        string password = Properties.Settings.Default.Password;

        // get a token using the helper
        AADJWTToken token = DirectoryDataServiceAuthorizationHelper.GetAuthorizationToken(tenantName, clientId, password);

        // initialize a graphService instance using the token acquired from previous step
        DirectoryDataService graphService = new DirectoryDataService(tenantName, token);

        User myUser = graphService.users.Where(it => (it.userPrincipalName == myPrincipal.Identity.Name)).SingleOrDefault();
        graphService.LoadProperty(myUser, "memberOf");
        List<Role> currentRoles = myUser.memberOf.OfType<Role>().ToList();

When I run my code currentRoles only contains 'Company Administrator' not other groups that I am member of.

I've read many articles about how to add rules via namespaces but that seems to be related to using Windows ACS.

I'm probably missing a really basic step and would be eternally grateful for a nudge in the right direction :)

Thanks, Darren


Solution

Assuming your code is good (it's hard to tell with just the snippet), your main issue is that you're using Role instead of Group. Roles and groups are different concepts in the Graph. A Role returned by the Graph is not intended for role-based access control (RBAC), whereas a Group can (and should) be used for that purpose. See my other answer here for more information.

Also, without knowing the needs of your application, you should only be using ACS if you need to authenticate with multiple identity providers. It looks like you're just using Azure AD as your IdP, so you can authenticate directly to the service instead of using ACS as a middleman.

This topic about authorization and RBAC in Azure AD and the accompanying code sample should help you understand more about how roles and groups are used in Azure AD and the Graph.
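An added example (not the poster's code and not the Graph Helper project's own) of the fix the answer describes: load memberOf, filter on Group rather than Role, and make the authorization decision on the group's objectId. It assumes the helper types from the question (DirectoryDataService, User, Group, with lowercase objectId and displayName properties, as in the question's userPrincipalName) and a hypothetical allowedGroupObjectId setting.

```csharp
// Added example, not the original poster's code nor the Graph Helper's own.
// Assumed: the helper's DirectoryDataService/User/Group types from the question.
using System;
using System.Collections.Generic;
using System.Linq;

public static class GroupAuthorization
{
    // Returns the directory groups (not roles) the user is a direct member of.
    // memberOf is only populated after LoadProperty, and it mixes Group and
    // Role objects, so the type filter is what separates "groups" from the
    // Office 365 roles the question was seeing.
    public static List<Group> GetDirectGroups(DirectoryDataService graphService, User user)
    {
        if (user == null)
        {
            // SingleOrDefault in the question can return null; fail closed.
            return new List<Group>();
        }

        graphService.LoadProperty(user, "memberOf");
        return user.memberOf.OfType<Group>().ToList();
    }

    // Authorization check against an application setting (hypothetical name
    // allowedGroupObjectId). Compare objectIds, not displayNames: display
    // names are not unique and can be renamed by a directory admin.
    // Note: memberOf lists direct memberships only; nested group membership
    // is not expanded here, so a user in a child group is denied.
    public static bool IsMemberOfGroup(IEnumerable<Group> groups, string allowedGroupObjectId)
    {
        if (string.IsNullOrEmpty(allowedGroupObjectId))
        {
            return false; // misconfiguration must not grant access
        }

        return groups.Any(g =>
            string.Equals(g.objectId, allowedGroupObjectId, StringComparison.OrdinalIgnoreCase));
    }
}

// Usage in the page handler, after myUser and graphService are set up as in
// the question:
//   var groups = GroupAuthorization.GetDirectGroups(graphService, myUser);
//   if (!GroupAuthorization.IsMemberOfGroup(groups, allowedGroupObjectId))
//       Response.StatusCode = 403;
```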

Licensed under: CC-BY-SA with attribution