0
votes

I'm using azure active directory to control access to my web app using group membership. I have 2 groups (user & admin). In my app I've setup application permissions for Microsoft graph to read users profiles and read all groups.

I'm then using the graph api in my app to get a list of all groups available. This works ok in my local dev environment, and when I deploy to the app up in azure, the process works ok there too. The problem arises when I upload and test in my 2 'slots' in the app service environment. I have two that I'm using, a dev version and a QA version. As soon as I try to access the graph api from either of those I get this error:

Code: Authorization_RequestDenied Message: Insufficient privileges to complete the operation.

I was getting this when I initially started developing, but setting up and granting app permissions solved it. So why am I getting this in my other 2 'apps'? I need these to test (me as the developer and our testing team in QA). Are there any other steps I need to take for my dev & qa slots to work in the same way?

** This is how I access the graph api; it works ok in my main app, but not in the slots

// AzureAuthenticationProvider is the app's own IAuthenticationProvider implementation
GraphServiceClient graphClient = new GraphServiceClient(new AzureAuthenticationProvider());
// 'admin' is assumed to hold the object ID of the admin group (the Groups indexer takes a group ID)
Group group = await graphClient.Groups[admin].Request().GetAsync();

**Update

The issue is with the apps running in my slots. Both my Dev & QA slots don't have any group information in the ClaimsIdentity object after a user logs in. I've checked this by logging the info in the ClaimsIdentity object: when I run it locally and in the main app up in Azure, the group info is present; when I run it in the azure qa & dev environments, the groups aren't present in the ClaimsIdentity object. Why would this be? Do the slots inherit the active directory settings or should they be set up separately? I'm pretty new to azure and the security model so any help would be greatly appreciated.

I have redirect urls setup in azure and also in my web.config, I use different transforms for each environment using the appropriate redirect for each environment.

I'm using OpenID

**update 2

When I created the slots, I based them (copied) on my main app. Should each slot have its own ClientID and secret in its web.config file? Also, do I need to register each slot as an application in active directory? At the moment just my main app is registered.

Here are the claims from each of my apps; you can see the QA app has no groups

my QA slot in azure

Claim type - ver
Claim type - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Claim type - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
Claim type - http://schemas.microsoft.com/identity/claims/tenantid
Claim type - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Claim type - onprem_sid
Claim type - nonce
Claim type - http://schemas.microsoft.com/identity/claims/objectidentifier
Claim type - name
Claim type - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
Claim type - ipaddr
Claim type - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
Claim type - http://schemas.microsoft.com/claims/authnmethodsreferences
Claim type - c_hash
Claim type - aio
Claim type - exp
Claim type - nbf
Claim type - iss
Claim type - iat
Claim type - aud

authentication type ; Cookies

My Main App in Azure

Claim type - ver
Claim type - http://schemas.microsoft.com/identity/claims/tenantid
Claim type - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Claim type - http://schemas.microsoft.com/identity/claims/objectidentifier
Claim type - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Claim type - nonce
Claim type - name
Claim type - ipaddr
Claim type - http://schemas.microsoft.com/identity/claims/identityprovider
Claim type - groups
Claim type - groups
Claim type - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
Claim type - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
Claim type - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Claim type - c_hash
Claim type - http://schemas.microsoft.com/claims/authnmethodsreferences
Claim type - exp
Claim type - aio
Claim type - nbf
Claim type - iss
Claim type - iat
Claim type - aud

authentication type ; Cookies

** OK, I've tried adding the QA app to azure active directory as a registered app. I've got a clientID and a secret, and I've given it the same permissions for azure active directory and Microsoft graph as my main app. I've included the clientid & secret in my web.config transform, so basically it's set up in the same way as my main app, and STILL no group info in the ClaimsIdentity. How on earth is this meant to work?

***Another update

Permissions granted:

windows azure active directory - delegated permissions : read all groups, read all users full profiles

Microsoft Graph - application permissions : read all users full profiles, read all groups - delegated permissions : read all groups, read all users full profiles, sign in and read user profile

Just as a test, I've also granted every permission for active directory and Microsoft graph and it made no difference.

This is becoming a serious problem for me now. I can't see that there's anything else I can do; it works perfectly well in my main app, but not in the 'slots'. Is there a major flaw/bug with Azure, or am I doing something fundamentally wrong here?

Can anyone help me out ?

1
anyone? this is a massive problem, I can't test any functionality around security for my dev & qa version in azure :-( - proteus

1 Answer

0
votes

To read groups via Microsoft Graph, one of Group.Read.All, Group.ReadWrite.All, Directory.Read.All or Directory.ReadWrite.All is required.

What permission have you granted to the app that has this issue? Also, please check the scp claim in the token to ensure that the correct permission has already been granted. You can decode the access token from this link.

For more detail about Microsoft Graph REST permissions, please refer to the link below:

Microsoft Graph permissions reference
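The answer's advice is to inspect the token itself. The following added diagnostic (example code, not from the question or the answer) decodes a JWT's payload without verifying it, reports which of the group-reading permissions appear in its scp (delegated) or roles (application) claim, and classifies whether a groups claim is present, missing (the question's QA slot), or withheld because of the groups overage limit. The two tokens at the bottom are constructed samples; the client IDs and group IDs in them are placeholders.

```python
import base64
import json

# Permissions the answer names as sufficient to read groups via Microsoft Graph.
GROUP_READ_PERMISSIONS = {"Group.Read.All", "Group.ReadWrite.All",
                          "Directory.Read.All", "Directory.ReadWrite.All"}

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt_claims(token: str) -> dict:
    """Claims of a compact JWT, read WITHOUT verifying the signature: good for
    seeing what Azure AD issued, never a substitute for the middleware's validation."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def granted_group_permissions(claims: dict) -> set:
    """Delegated permissions arrive in 'scp' (space separated), application
    permissions in 'roles' (a list); return those that allow reading groups."""
    delegated = set(claims.get("scp", "").split())
    application = set(claims.get("roles", []))
    return (delegated | application) & GROUP_READ_PERMISSIONS

def group_claim_status(claims: dict) -> str:
    """'present' if 'groups' is in the token; 'overage' if Azure AD omitted it
    because the user is in too many groups (signalled by _claim_names or
    'hasgroups'); otherwise 'missing', as in the question's QA slot."""
    if "groups" in claims:
        return "present"
    if "groups" in claims.get("_claim_names", {}) or "hasgroups" in claims:
        return "overage"
    return "missing"

def make_sample_token(payload: dict) -> str:
    # Constructed sample: properly encoded header and payload, dummy signature.
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(payload).encode())}.{_b64url_encode(b'dummy')}"

# Constructed tokens mirroring the question: the main app has groups, the QA slot does not.
MAIN_APP_TOKEN = make_sample_token({"aud": "main-app-client-id", "scp": "Group.Read.All User.Read",
                                    "groups": ["admin-group-object-id", "user-group-object-id"]})
QA_SLOT_TOKEN = make_sample_token({"aud": "qa-slot-client-id", "scp": "User.Read"})
```

Run `group_claim_status(decode_jwt_claims(token))` and `granted_group_permissions(...)` against a real token captured from each slot to see at a glance whether the slot's app registration is the one actually issuing groups and the Graph permission.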