I have created Azure Web App with AAD authentication.

But I am unable to read the signed-in user's group details.

I have created the web app/app registration like this: https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad.

Once the web app has authenticated, the application redirects to https://contoso.azurewebsites.net/.auth/login/done

Once the AAD user is authorized, we need to pull the group details (I need MailNickName).

    using System.Collections.Generic;
    using System.Linq;
    using System.Net.Http;
    using System.Net.Http.Headers;
    using System.Threading.Tasks;
    using Newtonsoft.Json.Linq;

    // Calls Microsoft Graph with the access token that App Service authentication
    // exposes in the X-MS-TOKEN-AAD-ACCESS-TOKEN request header and collects the
    // mailNickname of every group the signed-in user belongs to.
    public async Task<List<string>> GetGroupMailNicknamesAsync()
    {
        var accessToken = Request.Headers["X-MS-TOKEN-AAD-ACCESS-TOKEN"];
        var nicknames = new List<string>();

        using (var httpClient = new HttpClient())
        {
            httpClient.DefaultRequestHeaders.Authorization =
                new AuthenticationHeaderValue("Bearer", accessToken);

            // /me/memberOf is paged: follow @odata.nextLink until it is absent.
            string url = "https://graph.microsoft.com/v1.0/me/memberOf";
            while (url != null)
            {
                // Await rather than .Result so the request thread is not blocked.
                var httpResponse = await httpClient.GetAsync(url);
                // Throws on 401, which Graph returns when the token was not
                // issued for https://graph.microsoft.com.
                httpResponse.EnsureSuccessStatusCode();
                var page = JObject.Parse(await httpResponse.Content.ReadAsStringAsync());

                foreach (var item in page["value"])
                {
                    // memberOf also returns directory roles; keep only groups.
                    if ((string)item["@odata.type"] == "#microsoft.graph.group")
                    {
                        var nick = (string)item["mailNickname"];
                        if (nick != null)
                        {
                            nicknames.Add(nick);
                        }
                    }
                }
                url = (string)page["@odata.nextLink"];
            }
        }

        return nicknames.Where(x => x.Length <= 8).ToList();
    }

Note : We are not using OpenID Connect.

I need the list of (g.MailNickname) for the signed-in user. I got an unauthorized error.

Thanks in Advance.

Without OIDC, what protocol do you want to use to sign in the user? SAML or WS-Fed? For claims-based authentication, it seems only SAML could be your choice. But I have no idea why not OIDC. And you're trying to call the MS Graph API; it seems that's not possible without using OIDC in this scenario. BTW, I downvoted this question as it's not very clear. - Wayne Yang

1 Answer

You need to grant the application the Directory.Read.All delegated permission and grant admin consent.

Find the application you registered in the Azure portal -> click API permissions -> choose Microsoft Graph -> Delegated permissions -> check Directory.Read.All


Remember to click 'Grant admin consent' button.

Then change the additionalLoginParams; the resource should be https://graph.microsoft.com. Refer to this article for more details (you can focus on the "Configuring Web App to Ask for Access to Correct Resource" part).
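As an added example (this is not code from the question or the answer), here are the two checks a practitioner would want after applying the answer above: first, decode the access token that App Service places in X-MS-TOKEN-AAD-ACCESS-TOKEN and confirm its aud is Microsoft Graph, since a token issued for the app registration's own client ID (what you get when no resource is requested) is rejected by Graph and produces the unauthorized error the question describes; second, page through /me/memberOf following @odata.nextLink and keep only group objects, which is what the commented-out C# in the question was trying to do. The tokens and Graph responses below are constructed inline so the script runs offline; the client ID, tenant ID and object IDs in them are made-up placeholders. The graph_fetcher helper uses urllib against the real API and is only needed when you pass it a genuine token.

```python
import base64
import json
import urllib.request

# Either form of the Graph audience can appear in the token's aud claim.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}
MEMBER_OF_URL = "https://graph.microsoft.com/v1.0/me/memberOf"


def decode_jwt_payload(token):
    """Return the claims of a compact JWT WITHOUT verifying the signature.
    Good enough for local diagnosis of a token you already trust; never use
    this to make an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_is_for_graph(token):
    """True when the access token was issued for Microsoft Graph."""
    return decode_jwt_payload(token).get("aud") in GRAPH_AUDIENCES


def group_mail_nicknames(fetch_json, url=MEMBER_OF_URL, max_len=8):
    """Walk every page of /me/memberOf and return the mailNickname of each
    group (directory roles are skipped), applying the same length filter as
    the question's code. fetch_json(url) must return the parsed JSON page."""
    names = []
    while url:
        page = fetch_json(url)
        for obj in page.get("value", []):
            if obj.get("@odata.type") != "#microsoft.graph.group":
                continue
            nick = obj.get("mailNickname")
            if nick and len(nick) <= max_len:
                names.append(nick)
        url = page.get("@odata.nextLink")  # absent on the last page
    return names


def graph_fetcher(access_token):
    """Real fetcher for use with a genuine token from X-MS-TOKEN-AAD-ACCESS-TOKEN."""
    def fetch(url):
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
        with urllib.request.urlopen(req) as resp:  # raises HTTPError on 401
            return json.load(resp)
    return fetch


# ---- constructed sample data (not real tokens or tenant data) ----
def _unsigned_token(claims):
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."  # empty signature


APP_CLIENT_ID = "11111111-2222-3333-4444-555555555555"  # placeholder client ID
GRAPH_TOKEN = _unsigned_token({"aud": "https://graph.microsoft.com", "tid": "t-placeholder",
                               "oid": "u-placeholder", "scp": "Directory.Read.All User.Read"})
APP_TOKEN = _unsigned_token({"aud": APP_CLIENT_ID, "tid": "t-placeholder", "oid": "u-placeholder"})

SAMPLE_PAGES = {
    MEMBER_OF_URL: {
        "value": [
            {"@odata.type": "#microsoft.graph.group", "mailNickname": "sales"},
            {"@odata.type": "#microsoft.graph.directoryRole", "displayName": "Global Reader"},
            {"@odata.type": "#microsoft.graph.group", "mailNickname": "engineering-platform"},
        ],
        "@odata.nextLink": MEMBER_OF_URL + "?$skiptoken=page2",
    },
    MEMBER_OF_URL + "?$skiptoken=page2": {
        "value": [{"@odata.type": "#microsoft.graph.group", "mailNickname": "finance"}],
    },
}


def sample_fetch(url):
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    for label, tok in (("graph", GRAPH_TOKEN), ("app", APP_TOKEN)):
        print(label, "aud =", decode_jwt_payload(tok)["aud"], "ok for Graph:", token_is_for_graph(tok))
    print(group_mail_nicknames(sample_fetch))
```

In a deployed app, replace sample_fetch with graph_fetcher(token) where token comes from the request header; if token_is_for_graph returns False, the additionalLoginParams resource setting from the answer has not taken effect yet (the user has to sign in again to get a new token).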