Check User是Azure AD Group的成员

时间:2014-11-07 16:59:58

标签: azure active-directory asp.net-mvc-5

我是Azure新手。我已将我的MVC 5网站发布到Azure。我有一个组名列表和他们在c#字典中的objectid。 AD组在Azure AD目录中创建。我试图找到登录用户是否是Azure AD组的成员。出于某种原因,我没有成功。当我使用GraphConnection.IsMemberOf()函数时,我收到NUllreferenceException。如果你们有人能帮我解决这个问题会很棒。

这是我的代码

try
            {
                var userObjectId = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;
                var authContext = new AuthenticationContext(String.Format(CultureInfo.InvariantCulture, loginUrl, tenant));
                var credential = new ClientCredential(clientId, appKey);
                var result = authContext.AcquireToken(graphResourceId, credential);

                var clientRequestId = Guid.NewGuid();
                var graphSettings = new GraphSettings
                {
                    ApiVersion = GraphConfiguration.GraphApiVersion
                };
                var graphConnection = new GraphConnection(result.AccessToken, clientRequestId, graphSettings);

                if (string.IsNullOrEmpty(this.adGroupObjectId))
                {
                    var groups = graphConnection.List<Group>(null, null);

                    if (groups != null && groups.Results != null)
                    {
                        var group = groups.Results.SingleOrDefault(r => r.DisplayName == adGroup);
                        if (group != null)
                            adGroupObjectId = group.ObjectId;
                    }
                }
                if (adGroupObjectId != null)
                    inGroup = graphConnection.IsMemberOf(adGroupObjectId, userObjectId);

                return inGroup;
            }
            catch(Exception ex)
            {
                var message = string.Format("Unable to authorize AD user: {0} against group: {1}", ClaimsPrincipal.Current.Identity.Name, adGroup);
                throw new Exception(message, ex);                
            }

1 个答案:

答案 0 :(得分:1)

Akhil,我们最近在Azure AD中启用了应用程序角色和组声明功能。根据您的情况,其中一个应该是合适的。

在此处快速浏览:http://blogs.technet.com/b/ad/archive/2014/12/18/azure-active-directory-now-with-group-claims-and-application-roles.aspx

深度帖子和应用角色视频功能在这里:http://www.dushyantgill.com/blog/2014/12/10/roles-based-access-control-in-cloud-applications-using-azure-ad/

群组声明功能的深潜帖子和视频位于:http://www.dushyantgill.com/blog/2014/12/10/authorization-cloud-applications-using-ad-groups/

希望有所帮助。