Get a list of groups that Azure AD user belongs to in claims

.net azure-active-directory adal azure-ad-graph-api
jlp picture jlp · Feb 11, 2016 · Viewed 16.3k times · Source

I am authenticating users of my web api against Azure Active Directory. Now I want to get a list of groups that this user belongs.

I changed application manifest to include 

"groupMembershipClaims": "All",

but all this does is to add claim hasGroups but no group names.

I granted all (8) Delegated Permissions to Windows Azure Active Directory for my app in the portal.

Answer

Jonas picture Jonas · Feb 22, 2016

I've done exactly this.

Let's call my Azure AD appication "AD-App".

AD-App

Permissions to other applications is set to;

Windows Azure Active Directory.

Application Permissions: 0.

Delegated Permissions 2 ("Read directory data", "Sign in and read user profile".

Manifest has the following setting:

"groupMembershipClaims": "SecurityGroup"

Backend API

The following is my method to return the users groups. Either you send in the users id, if not it uses the id from claims. Id meaning "objectIdentifier".

        public static IEnumerable<string> GetGroupMembershipsByObjectId(string id = null)
    {
        if (string.IsNullOrEmpty(id))
            id = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;

        IList<string> groupMembership = new List<string>();
        try
        {
            ActiveDirectoryClient activeDirectoryClient = ActiveDirectoryClient;
            IUser user = activeDirectoryClient.Users.Where(u => u.ObjectId == id).ExecuteSingleAsync().Result;
            var userFetcher = (IUserFetcher)user;

            IPagedCollection<IDirectoryObject> pagedCollection = userFetcher.MemberOf.ExecuteAsync().Result;
            do
            {
                List<IDirectoryObject> directoryObjects = pagedCollection.CurrentPage.ToList();
                foreach (IDirectoryObject directoryObject in directoryObjects)
                {
                    if (directoryObject is Group)
                    {
                        var group = directoryObject as Group;
                        groupMembership.Add(group.DisplayName);
                    }
                }
                pagedCollection = pagedCollection.GetNextPageAsync().Result;
            } while (pagedCollection != null);

        }
        catch (Exception e)
        {
            ExceptionHandler.HandleException(e);
            throw e;
        }

        return groupMembership;
    }

I can't tell you wether this is done by best practice or not, but it works for me.

Related questions

Get profile picture from Azure Active Directory

We have set the Azure AD as a identity provider in our application. We want to display profile picture that should come from Azure AD, in the application. In order to test, I have added one Windows Live Id account (…

Read More
Windows Azure Active Directory - expiration of refreshtoken

I am experimenting with Windows Azure Active Directory. In a client (desktop) application the user enter his credentials and authenticate to access a REST service. I'm using latest version of Active Directory Authentication Library. In my scenario I want that …

Read More
Azure AD API request 401 Unauthorized

I have a standard Web API running on an Azure website with Azure AD authentication enabled, when browsing to the API in a browser I am able to login via the browser and gain access to the API. The WPF …

Read More