0
votes

I'd developed an Azure WebApp with AAD authentication. Anyone who has valid AD credentials can access this web site, at least the home page. Some other pages have security check based on the user groups that this log on user has. So here is what happen right now:

  • Browser go to https://xxx.azurewebsite.net/home.html
  • immediately redirect to AD login page
  • after password checking browser back to home page. JWT tokens contains first name, last name, email, as well as a list of User Groups this user has
  • click to different page (e.g. edit a form data) will check user group first, and kick you back to home page if requirement not met.
    • So anyone who has a valid AD account (i.e. all corporate employees) can see the home page.
    • The administration of User Group assignment is by corporate AD. So we has something like IT_GROUP, FINANCE_GROUP, WAREHOUSE_GROUP, etc.

Okay. In reality only small group of our staff need to use this web app, mostly only the manager of each group can have access.

So I add an Application Role, called "XXXUSER", in the manifest, and then assign each manager to this Application Role.

Next, I want to use this Application Role to stop people from access this webapp who don't have this role.

In this scenario, is it possible to stop people who don't have this application role from seeing the home page ?

I'd seem some site can give "AADSTS50105: The signed in user is not assigned to a role for the application" error after AD login. It's something I want to implement but not sure how it works.

1
you need to query Azure AD and get user roles during the login process.Thiago Custodio

1 Answers

0
votes

Please follow the steps below.

Navigate to the Azure Active Directory in the portal -> Enterprise applications -> search for the name of your AD App(select Application Type with All Applications ) -> click your App -> Properties -> set User assignment required to Yes.

After the setting, the user who log in your App need the Application role that you assigned, otherwise, he will get the error like you mentioned.