2
votes

I'm looking to develop an application using Azure Active Directory, primarily because of the built-in support for easy authentication in Web API and across various Azure tools.

My application will consist of a number of projects that each contain a number of sub-projects. With authentication covered, I'm trying to work out how I can handle authorization with Azure AD now. I envision that there would be different roles associated with each of the sub-projects (5-10), with people getting assigned to them on a per-sub-project basis.

Now, I know that AD supports roles and groups. Roles are sets of permissions and groups are sets of users. While I could create a group for each of the sub-projects, I expect that some of the roles could vary based on each of the larger projects, so I can't just check to see if a given user is assigned to X group and Y role. Not to mention, because a user could be assigned to more than one group and role, I don't see a way to specify that the role is applicable to just a single group (since the user may not be intended to have that role in all groups).

So, the only way I see right now to move forward would be to create new roles each time I create a new project and sub-project that are specific to each. However, as these projects and sub-projects are created and deleted over time, I expect we'll start hitting the upper caps of how many roles AD supports altogether (especially on a per-user basis).

In traditional Active Directory, I expect this would be handled via Organizational Units that could represent each of the projects and each of the sub-projects, each with assigned roles and groups. However, according to https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-admin-guide-create-ou there isn't support for Organizational Units in Azure AD, and they can't be assigned via the AD Graph API.

Using Azure AD, is there a better approach to take here apart from unique roles for each sub-project at this point?

Thanks!

Edit for more information:

Right now Azure AD supports groups and roles. Let's say I have two projects, A and B and each of those has two inner sub-projects, A1 and A2, and B1 and B2. Additionally, I have a user that I want assigned to an Admin role on A1, a Power User role on B2, and no access to B2 or A1.

It seems that I could make a group for A1, A2, B1 and B2 and simply assign the user to group A1 and B2. On the backend, I can just specify that the user should be in those groups and deny access for anyone that's not.

Ok, so that handles group access, but then I want to assign the roles. I can grant them Admin and Power User, but then they'll have both of those roles on both of the groups they're in because I can't assign the roles in the context of a group.

The only other approach I can see is to create distinct roles for each of the groups, so now I have "Admin-A1", "Power User-A1", "Admin-A2", "Power User-A2", "Admin-B1", "Power User-B1", "Admin-B2", and "Power User-B2", but this is going to greatly inflate my object count over time (50 projects with 10 sub-projects apiece with 8 roles will start working up there, though 500k is quite the high threshold).

I foresee a maintainability problem with having so many roles. Since I can't correlate a role with a group and can only specify the display name and description for it (both would be useful for a project owner to see when assigning them), how might you suggest that I identify on the backend which roles are associated with which project (without having to keep my own list of GUIDs to store the extra attributes)? Is there a way to submit custom attributes with the roles/groups?


1 Answers

0
votes

What kind of roles are you developing with? Did you mean the application role?

Based on my understanding, we can register a separate app for every sub-project on the Azure portal, customize the roles for every app we register, and assign the roles to the users/groups we want. This role should then only work for the corresponding project of the app.

For more detail about managing applications based on roles, you can refer to the code sample here.

"...I expect we'll start hitting the upper caps of how many roles AD supports altogether (especially on a per-user basis)."

There is no such limitation on the roles for one single user. But if you are using the free edition of Azure AD, it supports 500,000 objects. An object is an entry in the directory service, represented by its unique distinguished name. Here are two helpful links for your reference:

Azure AD service limits and restrictions

Azure Active Directory editions
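As an added illustration of the per-app approach described in this answer (example code, not from the original post or from Microsoft), the following Python model gives each sub-project its own app registration with its own app roles, so a token issued for A1 only ever carries roles assigned in A1. The app IDs, the user, and the simplified token issuer are constructed placeholders.

```python
"""Model of per-app app roles in Azure AD (added example, not from the post).

Each sub-project gets its own app registration with its own appRoles. App role
assignments are scoped to one app, so the roles claim in a token for A1's app
never contains roles the same user holds in B2's app. All IDs below are
constructed placeholders; issue_token() stands in for the Azure AD token
endpoint and returns only the claims this example needs."""

# One app registration per sub-project; its app ID becomes the token's aud.
SUB_PROJECT_APPS = {
    "A1": "00000000-0000-0000-0000-0000000000a1",  # constructed placeholder
    "A2": "00000000-0000-0000-0000-0000000000a2",
    "B1": "00000000-0000-0000-0000-0000000000b1",
    "B2": "00000000-0000-0000-0000-0000000000b2",
}

# Every sub-project app declares the same two appRoles. The "value" field of
# the manifest's appRoles entry is what appears in the token's roles claim.
APP_ROLE_VALUES = ("Admin", "PowerUser")

# Assignments are stored per (user, app): the same user is Admin in A1 and
# PowerUser in B2, and has no assignment at all in A2 or B1 (constructed data).
ASSIGNMENTS = {
    ("alice@example.com", SUB_PROJECT_APPS["A1"]): {"Admin"},
    ("alice@example.com", SUB_PROJECT_APPS["B2"]): {"PowerUser"},
}


def issue_token(user: str, sub_project: str) -> dict:
    """Simplified issuance: claims for exactly one audience (one sub-project app)."""
    app_id = SUB_PROJECT_APPS[sub_project]
    assigned = ASSIGNMENTS.get((user, app_id), set())
    roles = sorted(r for r in assigned if r in APP_ROLE_VALUES)
    return {"aud": app_id, "upn": user, "roles": roles}


def authorize(claims: dict, sub_project: str, required_role: str) -> bool:
    """Web API side: only trust the roles claim after the audience matches.

    Checking aud first is what stops a token minted for A1's app from being
    presented to B2's API, even though both apps declare an "Admin" role."""
    if claims.get("aud") != SUB_PROJECT_APPS.get(sub_project):
        return False  # token was issued for a different sub-project's app
    return required_role in claims.get("roles", [])
```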