Note: This question is part of a series of questions that present the same scenario.
Each question in the series contains a unique solution that might meet the stated goals.
Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it.
As a result, these questions will not appear in the review screen.
You are developing a website that will run as an Azure Web App.
Users will authenticate by using their Azure Active Directory (Azure AD) credentials.
You plan to assign users one of the following permission levels for the website: admin, normal, and reader.
A user's Azure AD group membership must be used to determine the permission level.
You need to configure authorization.
Solution:
-> Create a new Azure AD application. In the application's manifest, set the value of the groupMembershipClaims option to All.
-> In the website, use the value of the groups claim from the user's JWT to determine permissions.
Does the solution meet the goal?
Answer: A
To configure the manifest to include group claims in the auth token:

1. Go to Azure Active Directory to configure the manifest. Click on Azure Active Directory, and go to App registrations to find your application.
2. Click on your application (or search for it if you have a lot of apps) and edit the manifest by clicking on it.
3. Locate the groupMembershipClaims setting and set its value to either SecurityGroup or All. To help you decide which:
-> SecurityGroup - the groups claim will contain the identifiers of all security groups of which the user is a member.
-> All - the groups claim will contain the identifiers of all security groups and all distribution lists of which the user is a member.

The tokens issued to your application will now include group claims, and you can use this fact in your code.

Reference: https://blogs.msdn.microsoft.com/waws/2017/03/13/azure-app-service-authentication-aad-groups/

Yes, the solution meets the goal.
The solution configures authorization for a website that runs as an Azure Web App and authenticates users with their Azure AD credentials. The goal is to assign each user one of the permission levels (admin, normal, or reader) based on Azure AD group membership.
To achieve this, the solution creates a new Azure AD application and sets the groupMembershipClaims option to All in the application's manifest. With this setting, Azure AD includes a groups claim in the JWT issued when a user authenticates. The groups claim lists the object identifiers of the groups the user is a member of.
The second step is to use the value of the groups claim from the JWT to determine the user's permissions in the website. The website checks the group identifiers in the claim against a predefined mapping of groups to permission levels and assigns the matching level.
Overall, this is a valid approach to configuring authorization for a website that uses Azure AD for authentication and needs different permission levels per group membership. Setting groupMembershipClaims to All ensures the website receives the information it needs to make authorization decisions, and reading the groups claim from the JWT avoids a separate directory lookup for each request.
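As an added example (not part of the question, its answer, or any Microsoft sample), here is how the second step, mapping the groups claim of an already-validated token to one of the three permission levels, can be implemented in Python. The group object IDs and the sample claim sets are constructed placeholders, and the code assumes the web app's authentication layer has already validated the token's signature, issuer, audience and expiry. It also handles the case the answer does not mention: when a user belongs to more groups than fit in a JWT, Azure AD omits the groups claim and sets an overage indicator instead, so the code refuses to decide rather than treating the user as having no groups.

```python
"""Map the Azure AD groups claim of a validated token to an application role."""
from typing import Mapping, Optional

# Constructed placeholder object IDs; substitute the real group IDs from your tenant.
GROUP_ROLES = {
    "11111111-1111-1111-1111-111111111111": "admin",
    "22222222-2222-2222-2222-222222222222": "normal",
    "33333333-3333-3333-3333-333333333333": "reader",
}

# Highest level wins when the user belongs to more than one mapped group.
ROLE_RANK = {"admin": 3, "normal": 2, "reader": 1}


class GroupsOverageError(Exception):
    """The token omitted the groups claim because the user is in too many groups."""


def has_groups_overage(claims: Mapping) -> bool:
    # Azure AD drops 'groups' and signals overage when the user is in more groups
    # than fit in a JWT: v1.0 tokens carry "hasgroups": true, v2.0 tokens list
    # "groups" under "_claim_names" with a Graph source in "_claim_sources".
    return bool(claims.get("hasgroups")) or "groups" in (claims.get("_claim_names") or {})


def role_from_claims(claims: Mapping) -> Optional[str]:
    """Return 'admin', 'normal' or 'reader', or None when no mapped group is present.

    `claims` must come from a token whose signature, issuer, audience and expiry
    were already validated by the app's authentication layer (assumed here).
    """
    if has_groups_overage(claims):
        # Treating overage as "no groups" would silently deny (or, with a
        # permissive default, grant) access; membership must be resolved via Graph.
        raise GroupsOverageError("groups claim omitted; resolve membership via Microsoft Graph")

    groups = claims.get("groups", [])
    if isinstance(groups, str):  # a single group may be emitted as a bare string
        groups = [groups]
    roles = [GROUP_ROLES[g] for g in groups if g in GROUP_ROLES]
    if not roles:
        return None  # deny by default: unmapped groups grant nothing
    return max(roles, key=ROLE_RANK.__getitem__)


def is_authorized(claims: Mapping, required: str) -> bool:
    """True when the user's level is at least `required`."""
    role = role_from_claims(claims)
    return role is not None and ROLE_RANK[role] >= ROLE_RANK[required]


# Constructed sample claim sets (only the fields relevant here).
SAMPLE_ADMIN = {"oid": "user-a", "groups": ["33333333-3333-3333-3333-333333333333",
                                            "11111111-1111-1111-1111-111111111111"]}
SAMPLE_READER = {"oid": "user-b", "groups": ["33333333-3333-3333-3333-333333333333"]}
SAMPLE_UNMAPPED = {"oid": "user-c", "groups": ["44444444-4444-4444-4444-444444444444"]}
SAMPLE_OVERAGE = {"oid": "user-d", "_claim_names": {"groups": "src1"}}

if __name__ == "__main__":
    for name, c in [("admin", SAMPLE_ADMIN), ("reader", SAMPLE_READER), ("unmapped", SAMPLE_UNMAPPED)]:
        print(name, role_from_claims(c), "may edit:", is_authorized(c, "normal"))
    print("overage:", has_groups_overage(SAMPLE_OVERAGE))
```

The mapping is keyed on group object IDs rather than display names because names can be changed or reused, and the default outcome for any token without a mapped group is no access.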