Azure AD not emitting group claims

    Question

  • I need to set up Role Based Access Control (RBAC) for my app https://myapp.azurewebsites.net/. Below is the relevant configuration and code information.

    Configuration:

    Manifest file:

    "appId": "eaae4936-3587-4bb8-a290-4503f94352f9",
      "appRoles": [
        {
          "allowedMemberTypes": [
            "User"
          ],
          "displayName": "Supervisor",
          "id": "91029f7a-52a1-40e0-90ff-b5c1a0daef93",
          "isEnabled": true,
          "description": "supervises",
          "value": "Supervisor"
        },
        {
          "allowedMemberTypes": [
            "User"
          ],
          "displayName": "clerk",
          "id": "4ae6f467-6dcf-4d7e-8b1f-f59aa77a6327",
          "isEnabled": true,
          "description": "Receives and processes invoices",
          "value": "clerk"
        },
        {
          "allowedMemberTypes": [
            "User"
          ],
          "displayName": "Issuer",
          "id": "71a90073-42b1-481b-b17f-b7c7f0ad4805",
          "isEnabled": true,
          "description": "Issues",
          "value": "Issuer"
        }
      ],
      "availableToOtherTenants": false,
      "displayName": "myapp",
      "errorUrl": null,
      "groupMembershipClaims": "All",
      "homepage": "https://myapp.azurewebsites.net"

    Groups assigned to Application:


    Each group has at least one user assigned (the system doesn't allow me to post a screenshot of the group assignment).

    Startup.Auth.cs

    Finally, I am trying to fetch groups in my app as follows:

     using System.Diagnostics;
     using System.Linq;
     using System.Security.Claims;

     // Select only the "groups" claims carried by the signed-in user's principal.
     var claims = ClaimsPrincipal.Current.Claims.Where(c => c.Type == "groups");

     Debug.Print("Total Group Claims in HomeController #### " + claims.Count());

     foreach (Claim c in claims)
     {
         Debug.Print("%%%%%%%% " + c.Value + " %%% VALUETYPE %%% " + c.Type);
     }


    The count in the above code is always 0.

    Note: The same setup works when I run the app locally on my machine using Visual Studio. The relevant manifest file is as follows:

    "appId": "92897ab8-ce99-4c0b-82cb-467e6b3e3da3",
      "appRoles": [
        {
          "allowedMemberTypes": [
            "User"
          ],
          "displayName": "Supervisor",
          "id": "1b4f816e-5eaf-a8b5-8613-8f23830595ad",
          "isEnabled": true,
          "description": "supervises",
          "value": "Supervisor"
        },
        {
          "allowedMemberTypes": [
            "User"
          ],
          "displayName": "clerk",
          "id": "1b4f816e-5eaf-a8b5-8613-7923830595ad",
          "isEnabled": true,
          "description": "Receives and processes invoices",
          "value": "clerk"
        },
        {
          "allowedMemberTypes": [
            "User"
          ],
          "displayName": "Issuer",
          "id": "1b4f816e-5eaf-48b9-8613-7923830595ad",
          "isEnabled": true,
          "description": "Issues",
          "value": "Issuer"
        }
      ],
      "availableToOtherTenants": false,
      "displayName": "myapp",
      "errorUrl": null,
      "groupMembershipClaims": "SecurityGroup",
      "homepage": "https://localhost:44356/"

    Any help is appreciated.

    Thanks

    • Edited by dev-ncw Friday, March 17, 2017 1:19 PM Obfuscated some business related details
    Thursday, March 16, 2017 6:48 PM

Answers

  • Problem solved. I was barking up the wrong app profile. There are numerous apps registered with my AD (sandbox, testing etc.). Turns out that I was editing the wrong profile.
    • Marked as answer by dev-ncw Friday, March 17, 2017 4:03 PM
    Friday, March 17, 2017 4:03 PM
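An added diagnostic, not code from the original post, that reads the same "groups" claims but first compares the token's "aud" claim with the appId of the registration whose manifest was edited, which is the mismatch behind the accepted answer; it also flags the group-overage case, which goes beyond the question. The two appIds come from the manifests above; the group object id, class and method names are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Hypothetical helper: not part of the original post or of any Microsoft library.
public static class GroupClaimDiagnostics
{
    public sealed class Report
    {
        public bool AudienceMatches;           // token issued for the registration we edited?
        public List<string> GroupIds = new List<string>();
        public bool HasGroupOverage;           // Azure AD replaced "groups" with "_claim_names"
    }

    public static Report Inspect(ClaimsPrincipal principal, string editedAppId)
    {
        var report = new Report();
        // OWIN/JwtSecurityTokenHandler copies the JWT "aud" claim into the identity.
        var aud = principal.FindFirst("aud")?.Value;
        report.AudienceMatches = string.Equals(aud, editedAppId, StringComparison.OrdinalIgnoreCase);
        report.GroupIds = principal.Claims.Where(c => c.Type == "groups").Select(c => c.Value).ToList();
        // Documented Azure AD behaviour: for users in too many groups the "groups" claim is
        // omitted and "_claim_names"/"_claim_sources" point to Graph instead.
        report.HasGroupOverage = principal.HasClaim(c => c.Type == "_claim_names");
        return report;
    }

    // Constructed sample: a token issued for the *localhost* registration from the question.
    public static ClaimsPrincipal SampleFromOtherRegistration()
    {
        var identity = new ClaimsIdentity(new[]
        {
            new Claim("aud", "92897ab8-ce99-4c0b-82cb-467e6b3e3da3"),
            new Claim("groups", "00000000-0000-0000-0000-000000000001") // constructed group object id
        }, "sample");
        return new ClaimsPrincipal(identity);
    }

    public static void Main()
    {
        const string editedAppId = "eaae4936-3587-4bb8-a290-4503f94352f9"; // first manifest in the question
        var r = Inspect(SampleFromOtherRegistration(), editedAppId);
        Console.WriteLine(r.AudienceMatches
            ? "Token belongs to the edited registration."
            : "Token came from a different registration: its manifest is the one that applies.");
        Console.WriteLine("groups claims: " + r.GroupIds.Count + (r.HasGroupOverage ? " (overage, query Graph)" : ""));
    }
}
```

In the real app replace SampleFromOtherRegistration() with ClaimsPrincipal.Current and paste the appId from the manifest you actually changed.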