Authorization with Roles

[mschuepbach]

I previously asked this on Stack Overflow.

We have an ASP.NET Core MVC application and want to migrate from on-premise Active Directory to Microsoft Entra ID. Authentication works without any issues, but authorization does not.

Currently, we use [Authorize(Roles = "GroupX")] or HttpContext.User.IsInRole("GroupX") to check if a user is in a certain group. These groups are security groups in Entra ID.

I replaced

builder.Services 
       .AddAuthentication(IISDefaults.AuthenticationScheme)

with

builder.Services
       .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
       .AddMicrosoftIdentityWebApp(builder.Configuration)

But the user gets redirected to /Account/AccessDenied even when they are assigned to the group.

After setting GroupMembershipClaims in the manifest to SecurityGroup, I see my groups in HttpContext.User.Claims. But IsInRole returns still false.

I was under the impression that this would automatically work with Microsoft.Identity.Web. Is this not supported? What is the recommended way to do authorization in ASP.NET Core applications with Microsoft Entra ID?

[mschuepbach]

I discovered these Examples which helped a lot.

We solved our issue by using App Roles and combining them with security groups in Microsoft Entra.

Then, in our Program.cs we replaced

builder.Services 
       .AddAuthentication(IISDefaults.AuthenticationScheme)

with

JwtSecurityTokenHandler.DefaultMapInboundClaims = false;

builder.Services
    .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration);

builder.Services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
    options.TokenValidationParameters.RoleClaimType = "roles";
});