0
votes

I have added an Azure Active Directory Identity Provider to my APIM (from an AAD in a different tenant).

I have used that to successful add an Azure Active Directory Group to my APIM.

I now want to check if the user is part of that group.

When I use APIM Users/Groups I can do that check with this policy, but when I use Active Directory this policy always fails with a 401.

<policies>
    <inbound>
        <choose>
            <when condition="@(context.User.Groups.Select(g => g.Name).Contains("org1"))">
                <set-backend-service base-url="https://abc-apim.azure-api.net/org1app" />
            </when>
            <when condition="@(context.User.Groups.Select(g => g.Name).Contains("org2"))">
                <set-backend-service base-url="https://abc-apim.azure-api.net/org2app" />
            </when>
            <otherwise>
                <return-response>
                    <set-status code="401" reason="Unauthorized" />
                    <set-header name="WWW-Authenticate" exists-action="override">
                        <value>Bearer error="Invalid user group"</value>
                    </set-header>
                </return-response>
            </otherwise>
        </choose>
        <base />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>

What should the policy look like to check if the user belongs to a group in Active Directory?

1

1 Answers

0
votes

APIM will not pull in all AAD groups by default. The only way to have access to AAD group membership in APIM is to add AAD group to APIM: https://docs.microsoft.com/bs-cyrl-ba/azure/api-management/api-management-howto-aad#add-an-external-azure-ad-group That way you'll create mapping between APIM group and AAD group.