Permission Based instead of Role Based - azure-active-directory

In my application, a User is assigned multiple Roles, and a Role is assigned(granted) multiple Permissions.
So in my code, I never check against a Role, but always against a fine grained Permission.
Here is described why I think Permissions based access is better than Role based:
https://softwareengineering.stackexchange.com/a/299732
Within Azure AD, I can assign roles to a user.
But I see no way of creating Permissions and associate them to Roles, so I guess this part must stay in my app ?
Then how should I link the Azure Application Roles to my app's Permissions ?
My assumption is I need to build an UI for doing this, using the Graph API to retrieve the list of roles defined in Azure for the application.
If that is the case, then I don't see much benefits using the built-in roles function in Azure vs keeping the role definition in my app...
Am I missing something ?

The key point of using Azure AD claims is to keep users information in the Active Directory rather than in the application.
In you case, you need to create permissions mapped to roles in your application.
Then theses roles can be mapped to Azure AD AppRoles or Groups.
I suggest you not to map directly users to roles.
If you deals with Group, you don't need to add/remove users to/from applications: Roles and permissions are inherited from groups users belong to.
Mapping directly to Groups
For the moment, it would be my preferred scenario. Users are assigned to groups and your customs roles are mapped to these groups.
When you create a new user, you just need to add it in some groups and there is no action required in your application (same things when you delete the user).
If you are not afraid of preview (and have an Azure AD Premium license), Azure Ad provides a way to dynamically assign users to group.
Just keep in mind that for the moment nested group memberships aren't currently supported.
So if a Group A is in Group B and Group B has some permissions in your application, Users from Group A will not have permission inherited from Group B.
Mapping Groups to application roles
This option seems to be an overkill because it requires one more step: Map Azure Ad Group to Azure Application Roles and Map theses roles to your custom roles.
You need to implement all this logic using the AAD Graph API and your UI will be more complex.
Only reason to use this option in your scenario is if you have a large directory with lots of groups and applications : If a user is in more than 200 groups so the Jwt token returned by the Azure AD will not contain the groups and you will have to query one more time the Azure AD to get the user groups (see).
In this scenario, it could make sense to map groups to application roles because when a user authenticates to an application, Azure Ad will always provides you the roles of the users (or the roles of the group that the user belong to)
you can find interesting code sample here:
active-directory-dotnet-graphapi-console.

At this point in time, Azure Active Directory application roles are meant primarily for the scenario where each user can only have one role and thise roles are mapped to a simple authorization model.
While it is technically possible to support multiple roles per user, that can only be managed via the Graph API and would require you to build a UI for your user admin / users to manage.
As you've noted, your scenario is more complex than this with multiple roles per user and multiple (potentially customizeable and overlapping) set of permissions.
Given these two points, your approach of implementing all of the authorization yourself is a sound one.
Check out this article which outlines in more details the authorization scenarios Azure AD is best suited for:
https://azure.microsoft.com/en-us/documentation/articles/guidance-multitenant-identity-app-roles/

Related

Azure Ad/Microsoft Graph get all users with specific approle

I have an application that uses Azure Ad Groups to manage authorization of certain actions.
In certain places in the app we want to show the users that are authorized to perform a certain action. (for example approving the publishing of an article)
We use the MS Graph api to retrieve all users in a certain Azure Ad Group.
Now we want to use approles in a serviceprincipal/appregistration, where multiple groups can be added to a specific approle.
Now I want to retrieve a list of users that has a specific approle assigned, either directly or through a ad group added to the approle.
Is there some api to retrieve the users in this way?
In terms of graph, what I believe you are looking for is this: https://learn.microsoft.com/en-us/graph/api/serviceprincipal-list-approleassignedto?view=graph-rest-1.0&tabs=http
This is the graph endpoint that gets all app role assignments for a given application

Include Roles from external database in the Access Token

I am doing login from Azure AD.Client is SPA(angular using MSAL). If user is not Authenticated, it redirect to Microsoft Login Screen (using MSAL). On successful login, it return an access token.
My roles will be stored in a database. I need to add the roles of that user as part of claim in access token. I am not finding the way to do it.
I do not want to make another call from SPA to API to get the DB roles.
Please suggest some good approach.
Any links explaining the approach will also be very helpful.
I am still in design phase but not able to find the best approach.
In one microsoft site, i found that we can fetch the roles from DB but details were not there.
most of the places, it is written that we need to provide roles in Azure AD users menifest file.
In regular Azure AD, the "roles" claim is exclusively sourced from app role assignments for the signed-in user (or groups the user is a member of), to the app roles for the app the user is signing in to.
There's no feature currently in Azure AD which will connect to an arbitrary database, make a database query in the appropriate form, and include the results in the roles claim in the resulting ID Token.
I can think of three options to achieve your scenario:
After sign-in, call an API to retrieve the roles. Though you mention this is not desirable, it's probably the simplest approach, so it's worth listing. As a result of the user's sign-to you app, you app will usually obtain an access token to an API. If you set up your API to be secured with Azure AD (directly, or through Azure API Management), your SPA could simply get the necessary access token as part of sign-in, and at that point it's trivial to make a REST call to retrieve the role details for the user (and possibly other information useful to rendering your app).
Synchronize (or copy) your role information from your database to Azure AD. For each role, create an app role in the Azure AD app registration. For each user-role association, either create an app role assignment to directly assign the user (user -> app role), or assign a group to the app role and add the user to the group (user -> group -> app role. Keeping this in sync is probably not trivial, so if your scenario allow to move the role information to Azure AD app role assignment, you can forget the database entirely (making Azure AD the authoritative location). Of course, this might not work for your specific case.
Use Azure AD B2C and a custom sign-in policy. You could create an Azure AD B2C tenant, set up a custom sign-in policy to use your (regular) Azure AD tenant as the identity provider, and configure the policy to enhance the claims by calling a REST API to retrieve your roles. In this approach, you still need to have a REST API which can provide the role information, so rather than doing the setup and migrating your app, you may prefer simply calling the API from your SPA (option 1, in this list).

Can I manage users for all B2C tenant

My requirement is to have Multi-tenant application. I am trying to select the correct AD directory structure. I am under the understanding that a tenant is an AD directory. I need to be able to have group, role, and policy security options as well as user self sign-up. I have started on the journey of using Azure B2C directories but this does not seem to be the correct solution because roles do not seem available. Lastly, I also need the ability to manage authorizations to all tenants which I would like to build an Admin app to do so; I plan to use Microsoft Graph API for that but I am not sure if that will work either. Can someone help me to answer these questions. I have been searching as well as testing many scenarios.
You can assign user roles and group roles through AAD. https://learn.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles
You can also manage permissions through roles based access control. You do not need to use b2c to manage user permissions unless you are connecting your outside company to Microsoft AAD, rather than building a custom app within Azure. https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal
The tenant includes your resources that you want managed under that tenant. It is not exactly synonymous with an AAD because it can include more than just your AAD. You can use it solely to manage your AAD if you wish, though (and even include subscriptions in other tenants that are linked to your AAD tenant).
Graph API is useful for managing more complex user data. Whether you need this depends on what you are aiming to accomplish.

Microsoft Graph list RBACRoleAssignments by resourceScope

I would like list roleAssignments of a group with GraphAPI.
But I only see an API to list whole roleAssignments.
I tried to filter by resourceScopes/scopeMembers using $filter clause but it's not working.
Should I filter this whole list myself or is there any other way to do it?
It seems like you are looking for Azure RBAC role assignments.
These are different from what you've linked to, which are Intune device management role assignments (which are specific to Intune RBAC roles). They are also different from Azure AD app role assignments (which are for assigning an app or a user/group to another app's role), and Azure AD directory role membership (which is for assigning users to directory roles).
You can list all Azure RBAC role assignments using the Azure Management API. You can also filter this request by scope and/or by which user, group or app the role assignment is for.
For example, to list all the scopes a group {group-id} has been assigned to for a subscription {sub-id}:
GET https://management.azure.com/subscriptions/{sub-id}/providers/Microsoft.Authorization/roleAssignments?api-version=2015-07-01&$filter=principalId%20eq%20'{group-id}'
For more details, you can read Manage Role-Based Access Control with the REST API.

Sitecore Active Directory

We are going to use the Active Directory module to sync our users. We are still debating on whether to maintain roles within Sitecore or AD. We have had performance issues in a previous implementation of Sitecore when syncing with AD, so that makes us a little hesitant to have roles in AD. We will be creating an OU for users who need to be in Sitecore.
What is the recommendation from Sitecore regarding users and roles and AD?
Would keeping roles within Sitecore make sense and users in AD to see if that would make a difference in performance?
If we decided to have roles within Sitecore now and then move to AD later, would that be possible? How would security on existing items be affected?
Thanks
In my implementations of the AD module, using indirect membership (role in role in role in role) has performance implications. If you have a direct membership (User A is in Role B) model, I have not seen many performance issues unless, as #Patrck Perrone mentioned, you are using filters that pull back a massive number of users.
My typical recommendation for folks who are not sure which direction to go with their security is to use AD groups to manage your users belonging to specific roles, and then map those AD groups as members of the Sitecore roles. In that way, you can secure all your content to Sitecore roles, and your users will automatically gain access via their AD group.
Example:
In Active Directory: User Jay => Member of AD Group 'nonlinear\Sitecore Authors'
In Sitecore Roles: 'nonlinear\Sitecore' is member of 'sitecore\Author'
In Sitecore content: 'Home' item workflow secured to 'sitecore\Author'
In the above example, all users who are sitecore\Author members will be able to work on the Home page. User Jay, when added to the AD Group 'nonlinear\Sitecore Authors', will gain this access due to the relationship defined between the roles.
The benefit here is that if AD goes down, or you decide to stop using the AD roles, you don't have to re-apply security to your content. You would just start adding your AD users directly to sitecore\Author.
This is also helpful for local developers or offline developers working locally on their laptop who do cannot connect to the active directory repository. They can still setup all the content security and test with local Sitecore domain users while disconnected from AD.
The performance issues I have seen in the past with AD syncs were due to the query against AD returning vast amounts of data. I recommend you create a dedicated OU for security groups (and users if you are lucky enough that your organization can support this) related to Sitecore. Think of these security groups as Sitecore roles and assign AD users as members to these security groups accordingly.
On the Sitecore side, you should still use roles. Only, instead of assigned users from AD you will assign security groups to those roles.
This will allow you to continue to authorize groups of people in Sitecore per role, while delegating the task of maintaining individual membership to roles in AD where it typically should remain.

Resources