Authentication using Azure Active Directory

I have created a group on the Azure portal for AAD authentication. I want a user that is not in either group (but exists in AAD) to not even be able to log in to the site. I am using ASP.NET Core as the backend.

If you want to configure your application to receive group claims, you need to set the "groupMembershipClaims" value to SecurityGroup in the manifest file.

  1. In your application settings page on the Application Registration Portal, click on "Manifest" to open the inline manifest editor.

  2. Edit the manifest by locating the "groupMembershipClaims" setting, and setting its value to "SecurityGroup".

  3. Save the manifest.

      "errorUrl": null,
      "groupMembershipClaims": "SecurityGroup",

When the groups claim is enabled for an application, Azure AD includes a claim in the JWT and SAML tokens that contains the object identifiers (objectId) of all the groups to which the user belongs, including transitive group membership.

But please note that, to ensure that the token size doesn't exceed HTTP header size limits, Azure AD limits the number of objectIds that it includes in the groups claim. If a user is a member of more groups than the overage limit (150 for SAML tokens, 200 for JWT tokens), then Azure AD does not emit the groups claim in the token. Instead, it includes an overage claim in the token that indicates to the application that it should query the Graph API to retrieve the user's group membership. For more details, please refer to the blog.

So you need to do some processing:

  1. Check for the claim _claim_names with one of the values being groups. This indicates overage.

  2. If found, make a call to the endpoint specified in _claim_sources to fetch user’s groups.

  3. If none found, look into the groups claim for user’s groups.

Of course, you can directly call the Microsoft Graph API to retrieve the current user's groups without using group claims.

Regarding how to authorize based on those groups, you can implement it with the ASP.NET Core middleware libraries. The middleware supports roles populated from claims by specifying the claim in the RoleClaimType property of TokenValidationParameters. Since the groups claim contains the object ids of the security groups rather than their actual names, you'd use the group ids instead of group names. For more details, please refer to the sample.


    // The following lines of code instruct the ASP.NET Core middleware to use the data in the
    // "groups" claim in the Authorize attribute and User.IsInRole()
    // See for more info.
    services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
    {
        // Use the groups claim for populating roles
        options.TokenValidationParameters.RoleClaimType = "groups";
    });

Then, using it:

    [Authorize(Roles = "Group-object-id")] // In controllers
    // or
    User.IsInRole("Group-object-id"); // In methods

I assume that you want to authenticate against Azure AD using ASP.NET Core.

If you are using ASP.NET Core 2.1 or later, the easiest way is to use OpenID's OAuth2.0/OIDC flow against Azure AD. Azure AD also supports SAML 2.0, not just OAuth2.0/OIDC.

Using OAuth2.0 on Azure AD is recommended by Microsoft, because it's much easier to learn and to implement than implementing SAML 2.0 on Azure AD.

Microsoft has provided a sample application using ASP.NET Core to demo authentication to Azure AD by using a specific library to help access Azure AD authentication, and it is called Microsoft Identity Platform (previously it was called MSAL 2.0).

The overview of Azure AD identities for software developers is available at: official MS Docs page of Azure AD's Microsoft Identity Platform

A list of sample applications for authenticating users to Azure AD is available at the landing page of the various Microsoft Identity Platform code samples.


  1. Your web application MUST BE registered first to be able to authenticate to Azure AD.
  2. Your web application cannot use the OAuth2.0 "resource owner" grant model that passes the user id and password directly to Azure AD, because a web application must show the consent screen to log in to Azure AD.

You can use group claims in Azure AD; configure your application in the Azure portal to receive group claims by editing the manifest:

  "errorUrl": null,
  "groupMembershipClaims": "SecurityGroup",

The ID token issued by Azure AD will include the current user's group id list in the groups claim; then, in an ASP.NET Core application (3.0 for example), you can restrict access by:

    services.AddControllersWithViews(options =>
    {
        // Every controller requires an authenticated user carrying the chosen group id
        var policy = new AuthorizationPolicyBuilder()
            .RequireAuthenticatedUser()
            .RequireClaim("groups", "YourGroupID")
            .Build();
        options.Filters.Add(new AuthorizeFilter(policy));
    });

Note: from the documentation:

If a user is a member of more groups than the overage limit (150 for SAML tokens, 200 for JWT tokens), then the Microsoft Identity Platform does not emit the groups claim in the token. Instead, it includes an overage claim in the token that indicates to the application that it should query the Graph API to retrieve the user's group membership.
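Putting the two answers together, as an added example that is not code from any of the answers or from Microsoft's samples: a C# authorization requirement for ASP.NET Core 3.x that implements the three overage steps from the first answer (inspect `_claim_names`, resolve the endpoint in `_claim_sources`, otherwise read `groups`) and replaces the `RequireClaim("groups", ...)` policy shown above with a handler that fails closed when the groups claim was omitted because of overage. The class names, the `AddGroupPolicy` helper and the group object ids are all assumptions; the Graph call itself is not shown.

```csharp
// Added example (not from the answers above): group-based authorization for
// ASP.NET Core 3.x that handles the Azure AD "groups overage" claims.
// Group object ids are placeholders; the HTTP call to Graph is left out.
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

public static class GroupClaimsExtensions
{
    // Step 1: "_claim_names" is JSON such as {"groups":"src1"}; a "groups" entry
    // means the user exceeded the overage limit and the token carries no group list.
    public static bool HasGroupsOverage(this ClaimsPrincipal user)
    {
        var names = user.FindFirst("_claim_names")?.Value;
        if (string.IsNullOrEmpty(names)) return false;
        using var doc = JsonDocument.Parse(names);
        return doc.RootElement.TryGetProperty("groups", out _);
    }

    // Step 2: "_claim_sources" is JSON such as {"src1":{"endpoint":"https://..."}};
    // return the endpoint the application should query for the user's groups.
    public static string GroupsOverageEndpoint(this ClaimsPrincipal user)
    {
        var names = user.FindFirst("_claim_names")?.Value;
        var sources = user.FindFirst("_claim_sources")?.Value;
        if (string.IsNullOrEmpty(names) || string.IsNullOrEmpty(sources)) return null;
        using var namesDoc = JsonDocument.Parse(names);
        if (!namesDoc.RootElement.TryGetProperty("groups", out var key)) return null;
        using var sourcesDoc = JsonDocument.Parse(sources);
        if (!sourcesDoc.RootElement.TryGetProperty(key.GetString(), out var src)) return null;
        return src.TryGetProperty("endpoint", out var endpoint) ? endpoint.GetString() : null;
    }

    // Step 3: no overage, so the object ids are in the "groups" claim(s). The token
    // handler may emit one claim per group or a single claim holding a JSON array.
    public static HashSet<string> GroupObjectIds(this ClaimsPrincipal user)
    {
        var ids = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        foreach (var claim in user.FindAll("groups"))
        {
            var value = claim.Value.Trim();
            if (value.StartsWith("["))
            {
                using var doc = JsonDocument.Parse(value);
                foreach (var element in doc.RootElement.EnumerateArray())
                    ids.Add(element.GetString());
            }
            else ids.Add(value);
        }
        return ids;
    }
}

public sealed class GroupMembershipRequirement : IAuthorizationRequirement
{
    public HashSet<string> AllowedGroupIds { get; }
    public GroupMembershipRequirement(params string[] allowedGroupIds) =>
        AllowedGroupIds = new HashSet<string>(allowedGroupIds, StringComparer.OrdinalIgnoreCase);
}

public sealed class GroupMembershipHandler : AuthorizationHandler<GroupMembershipRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, GroupMembershipRequirement requirement)
    {
        var user = context.User;
        // Overage: the token proves nothing about membership, so fail closed rather than
        // reading a missing "groups" claim as "not in any group". A production app would
        // query user.GroupsOverageEndpoint() (or Microsoft Graph) here and cache the result.
        if (user.HasGroupsOverage()) return Task.CompletedTask;

        if (user.GroupObjectIds().Overlaps(requirement.AllowedGroupIds))
            context.Succeed(requirement);
        return Task.CompletedTask;
    }
}

public static class GroupPolicyStartup
{
    // Call from Startup.ConfigureServices after AddAuthentication(...). As the fallback
    // policy it covers every endpoint without its own [Authorize]/[AllowAnonymous], so an
    // AAD user outside both groups is refused everywhere, as the question requires.
    public static IServiceCollection AddGroupPolicy(this IServiceCollection services)
    {
        services.AddSingleton<IAuthorizationHandler, GroupMembershipHandler>();
        services.AddAuthorization(options =>
        {
            var policy = new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .AddRequirements(new GroupMembershipRequirement(
                    "11111111-1111-1111-1111-111111111111",   // placeholder: first group objectId
                    "22222222-2222-2222-2222-222222222222"))  // placeholder: second group objectId
                .Build();
            options.DefaultPolicy = policy;   // used by a bare [Authorize]
            options.FallbackPolicy = policy;  // used by endpoints with no attribute at all
        });
        return services;
    }
}
```

The difference from a plain `RequireClaim("groups", id)` is that the handler distinguishes "user is not in the group" from "the token omitted the groups claim because of overage"; both deny access, but only the second case should trigger the Graph lookup from step 2, and treating it as an ordinary denial makes large-tenant users fail in a way that is hard to diagnose. `FallbackPolicy` achieves the same global effect as the `AuthorizeFilter` in the answer above but also applies to Razor Pages and endpoint-routed handlers that are not MVC controllers.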
