0
votes

We have built a front-facing single page application for SharePoint Online. Security is synced to SharePoint with AAD security groups. But at the moment we are facing a lot of issues, because we have too many Azure AD security groups created for it.

The app is a web portal that has two kinds of users:

  • Customers (guest users in AAD)
  • Employees (our AAD employees)

Each customer has its own SharePoint Online site with security groups synced from AAD.

We defined some customer roles (Finance Director, HR Director, IT, ...) and some employee roles for each customer (CUST_000000_AccountManager, CUST_000000_Invoicing, CUST_000000_Employee). 000000 stands for the customer ID. So our employees have a lot of security groups defined in Azure AD.

In summary, it means that for each customer there are 20 security groups in AAD. These security groups are synchronized to our 200+ employees and 8000 customers. 28 000 000+ groups in total...

Due to the large number of groups per employee, we are now experiencing many problems.

What is best practice for handling this kind of specific security? Handling the security in a separate DB, or using multi-tenancy as a solution for this...

Thanks in advance.

1
Hi, did you check my answer? Is it helpful? - Allen Wu

1 Answer

0
votes

What you are looking for is Group-based Authentication.

You can configure the Azure AD application registration for group attributes. You just need to modify the "groupMembershipClaims" field in the application manifest:

"groupMembershipClaims": "SecurityGroup"

Then the token will contain the IDs of the groups that the user belongs to, like below:

{
  "groups": ["group id"]
}

This method has a limitation:

To ensure that the token size doesn't exceed HTTP header size limits, Azure AD limits the number of objectIds that it includes in the groups claim. If a user is member of more groups than the overage limit (150 for SAML tokens, 200 for JWT tokens), then Azure AD does not emit the groups claim in the token. Instead, it includes an overage claim in the token that indicates to the application to query the Graph API to retrieve the user's group membership. In this case, you only get back an overage indicator claim like hasGroups telling you that user is part of many groups and you should call graph api to get the list of all groups.

Use Microsoft Graph user: getMemberGroups to check the groups the user is a member of.

And if you are using the implicit grant flow for your SPA, you have to check the hasGroups claim, because the groups claim isn't returned in this case.

For other details you can check these two SO posts:

How to check if a user is in an AD group via Azure AD?

How to validate if user is part of group in Azure AD?
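The answer above describes three shapes a token can take once groupMembershipClaims is set: a plain groups claim, the overage claim (_claim_names / _claim_sources) when the user is in more than 150/200 groups, and the bare hasgroups marker in the implicit flow. The following is an added example, written for this page and not code from the answer or from Microsoft, showing how an SPA should branch on those three cases and fall back to Microsoft Graph user: getMemberGroups. The tokens and group object IDs are constructed for the demonstration, the Graph call is injected as a callback so the code runs offline, and the token is only decoded, not verified: signature, issuer, audience and expiry checks are assumed to be done by MSAL.js (or the resource server) before any of these claims are used for an authorization decision.

```javascript
// Added example (not from the original post): consuming the Azure AD "groups"
// claim in an SPA, including the overage and implicit-flow cases.

function base64UrlDecode(segment) {
  const padded = segment.replace(/-/g, '+').replace(/_/g, '/')
    .padEnd(Math.ceil(segment.length / 4) * 4, '=');
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Decode only. The signature is NOT verified here; a SPA must rely on MSAL.js
// (and the backend on its own validation) before trusting any claim.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Classify how group membership has to be obtained from a decoded payload:
//   groups    - claim present: array of group object IDs (never display names)
//   overage   - too many groups: _claim_names/_claim_sources point at a Graph endpoint
//   hasgroups - implicit-flow overage marker, no endpoint in the token
//   none      - no group information at all; the user is treated as in no groups
function classifyGroupsClaim(payload) {
  if (Array.isArray(payload.groups)) {
    return { mode: 'groups', groups: payload.groups };
  }
  const src = payload._claim_names && payload._claim_names.groups;
  if (src && payload._claim_sources && payload._claim_sources[src]) {
    return { mode: 'overage', endpoint: payload._claim_sources[src].endpoint };
  }
  if (payload.hasgroups === true || payload.hasgroups === 'true') {
    return { mode: 'hasgroups' };
  }
  return { mode: 'none' };
}

// Request used in both overage cases. The endpoint inside _claim_sources points
// at the legacy Azure AD Graph, so we ignore it and call Microsoft Graph
// user: getMemberGroups (transitive, security groups only) instead.
function buildGetMemberGroupsRequest() {
  return {
    method: 'POST',
    url: 'https://graph.microsoft.com/v1.0/me/getMemberGroups',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ securityEnabledOnly: true }),
  };
}

// Resolve the user's group object IDs. `callGraph` is injected (assumed to be
// fetch() with a Graph bearer token in the real app) and is assumed to return
// the parsed response body, i.e. { value: [ ...group IDs ] }.
async function resolveGroupIds(payload, callGraph) {
  const c = classifyGroupsClaim(payload);
  switch (c.mode) {
    case 'groups':
      return c.groups;
    case 'overage':
    case 'hasgroups': {
      const res = await callGraph(buildGetMemberGroupsRequest());
      return Array.isArray(res.value) ? res.value : [];
    }
    default:
      return []; // fail closed: no claim and no overage marker means no groups
  }
}

// Authorization check: compare object IDs configured in the app, never names.
function isMemberOfAny(groupIds, requiredGroupIds) {
  const have = new Set(groupIds);
  return requiredGroupIds.some((g) => have.has(g));
}

// ---- constructed sample data (made-up IDs, placeholder signature) ----------
function makeSampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  // "c2ln" is a dummy signature; a token like this must never be accepted.
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.c2ln`;
}

const INVOICING_GROUP = '11111111-2222-3333-4444-555555555555'; // e.g. CUST_000000_Invoicing
const OTHER_GROUP = '66666666-7777-8888-9999-000000000000';

const TOKEN_WITH_GROUPS = makeSampleToken({ aud: 'api://portal', groups: [OTHER_GROUP, INVOICING_GROUP] });
const TOKEN_OVERAGE = makeSampleToken({
  aud: 'api://portal',
  _claim_names: { groups: 'src1' },
  _claim_sources: { src1: { endpoint: 'https://graph.windows.net/tenant/users/user-id/getMemberObjects' } },
});
const TOKEN_IMPLICIT_OVERAGE = makeSampleToken({ aud: 'api://portal', hasgroups: true });

// Stand-alone demo with a fake Graph that "returns" the invoicing group.
const fakeGraph = async () => ({ value: [INVOICING_GROUP] });
for (const t of [TOKEN_WITH_GROUPS, TOKEN_OVERAGE, TOKEN_IMPLICIT_OVERAGE]) {
  const payload = decodeJwtPayload(t);
  resolveGroupIds(payload, fakeGraph).then((ids) =>
    console.log(classifyGroupsClaim(payload).mode, '->', isMemberOfAny(ids, [INVOICING_GROUP])));
}
```

The point of the three-way branch is that an app which only reads `groups` silently grants nothing to exactly the users the question is about (employees in hundreds of groups), because Azure AD drops the claim rather than truncating it. Also note that a membership check done in the SPA only gates the UI; the SharePoint site or API behind it must enforce the same group check on its own validated token.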