Configuring Authorization for Azure Web App with Azure AD Authentication

Using Azure AD Groups to Assign Permission Levels for Website

Question

Note: This question is part of a series of questions that present the same scenario.

Each question in the series contains a unique solution that might meet the stated goals.

Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it.

As a result, these questions will not appear in the review screen.

You are developing a website that will run as an Azure Web App.

Users will authenticate by using their Azure Active Directory (Azure AD) credentials.

You plan to assign users one of the following permission levels for the website: admin, normal, and reader.

A user's Azure AD group membership must be used to determine the permission level.

You need to configure authorization.

Solution:

-> Create a new Azure AD application. In the application's manifest, define application roles that match the required permission levels for the application.

-> Assign the appropriate Azure AD group to each role.

-> In the website, use the value of the roles claim from the JWT for the user to determine permissions.

Does the solution meet the goal?

Answers

Explanations


A. B.

B.

To configure the manifest to include group claims in the auth token:

1. Go to Azure Active Directory to configure the manifest. Click on Azure Active Directory, and go to App registrations to find your application.

2. Click on your application (or search for it if you have a lot of apps) and edit the manifest by clicking on it.

3. Locate the groupMembershipClaims setting. Set its value to either SecurityGroup or All. To help you decide which:

-> SecurityGroup - the groups claim will contain the identifiers of all security groups of which the user is a member.

-> All - the groups claim will contain the identifiers of all security groups and all distribution lists of which the user is a member.

Now your application will include group claims in your manifest and you can use this fact in your code.

https://blogs.msdn.microsoft.com/waws/2017/03/13/azure-app-service-authentication-aad-groups/
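The claim handling behind both the roles-based solution in the question and the groups-claim approach in the explanation above, as an added Python example (not code from the question, the linked Microsoft post, or any Azure SDK). It assumes the JWT has already been validated by App Service authentication or your own middleware (signature, issuer, audience, expiry) and takes the decoded claims as a dict; the manifest fragment, the group object IDs and the claim sets are constructed placeholders. Both mappings fail closed: a missing, malformed or unrecognised claim yields no permission level rather than a default one, and the groups variant refuses to decide when Azure AD has replaced the groups claim with an overage marker.

```python
"""Permission level from Azure AD token claims (added example, not page code).

Assumes the JWT has already been validated (signature, issuer, audience,
expiry) by App Service authentication or your middleware, and that the decoded
claims are handed in as a dict. The manifest fragment, group object IDs and
claim sets below are constructed placeholders, not real values.
"""
import json
from typing import Dict, List, Optional, Set

# Constructed fragment of the app registration manifest's "appRoles" array:
# one role per permission level named in the question. The "id" GUIDs are
# placeholders; Azure AD assigns real ones.
APP_ROLES_MANIFEST = """
[
  {"allowedMemberTypes": ["User"], "displayName": "Admin",
   "description": "Full control of the website",
   "id": "00000000-0000-0000-0000-00000000000a", "isEnabled": true, "value": "admin"},
  {"allowedMemberTypes": ["User"], "displayName": "Normal",
   "description": "Standard user access",
   "id": "00000000-0000-0000-0000-00000000000b", "isEnabled": true, "value": "normal"},
  {"allowedMemberTypes": ["User"], "displayName": "Reader",
   "description": "Read-only access",
   "id": "00000000-0000-0000-0000-00000000000c", "isEnabled": true, "value": "reader"}
]
"""

# Ranking used to pick the highest level when a user holds several.
LEVEL_RANK: Dict[str, int] = {"reader": 1, "normal": 2, "admin": 3}


def load_role_values(manifest_json: str) -> Set[str]:
    """Return the enabled, user-assignable role values declared in the manifest."""
    roles = json.loads(manifest_json)
    return {
        r["value"] for r in roles
        if r.get("isEnabled") and "User" in r.get("allowedMemberTypes", [])
    }


def highest_level(levels: List[str]) -> Optional[str]:
    """Highest known level in the list; None (deny) if nothing is recognised."""
    known = [lv for lv in levels if lv in LEVEL_RANK]
    return max(known, key=LEVEL_RANK.__getitem__) if known else None


def level_from_roles_claim(claims: dict, declared_roles: Set[str]) -> Optional[str]:
    """The question's solution: read the 'roles' claim of a validated JWT.

    Azure AD emits 'roles' only for app roles that the user, or a group the
    user belongs to, has been assigned. A missing or empty claim means no
    assignment, so the result is None (deny), never a default level.
    """
    roles = claims.get("roles")
    if not isinstance(roles, list):
        return None
    return highest_level([r for r in roles if r in declared_roles])


# Constructed group object IDs -> level, for the groups-claim variant
# (groupMembershipClaims set to SecurityGroup or All). Real IDs come from
# the directory; these are placeholders.
GROUP_LEVELS: Dict[str, str] = {
    "11111111-1111-1111-1111-111111111111": "admin",
    "22222222-2222-2222-2222-222222222222": "normal",
    "33333333-3333-3333-3333-333333333333": "reader",
}


def level_from_groups_claim(claims: dict, group_levels: Dict[str, str]) -> Optional[str]:
    """The explanation's variant: map group object IDs in 'groups' to a level.

    When a user belongs to more groups than fit in the token, Azure AD omits
    'groups' and emits an overage marker ('_claim_names'/'_claim_sources', or
    'hasgroups' in the implicit flow). A check that treats the missing claim
    as "reader" or "no special groups" would misclassify exactly those users,
    so fail closed and let the caller resolve membership via Microsoft Graph.
    """
    if "_claim_names" in claims or claims.get("hasgroups"):
        return None
    groups = claims.get("groups")
    if not isinstance(groups, list):
        return None
    return highest_level([group_levels[g] for g in groups if g in group_levels])


def is_allowed(level: Optional[str], required: str) -> bool:
    """True if 'level' is at least 'required' in the ranking (None never passes)."""
    return level is not None and LEVEL_RANK[level] >= LEVEL_RANK[required]


if __name__ == "__main__":
    declared = load_role_values(APP_ROLES_MANIFEST)
    # Constructed claim sets, as they would appear after token validation.
    for claims in ({"roles": ["reader", "admin"]}, {"roles": []}, {}):
        print("roles claim", claims, "->", level_from_roles_claim(claims, declared))
    for claims in ({"groups": ["22222222-2222-2222-2222-222222222222"]},
                   {"_claim_names": {"groups": "src1"}}):
        print("groups claim", claims, "->", level_from_groups_claim(claims, GROUP_LEVELS))
```

The roles-claim path is the one the question describes: assigning a group to an app role makes Azure AD put that role's `value` into the user's `roles` claim, so the website never has to know group IDs at all. The groups-claim path instead ties the website to directory object IDs and must handle the overage case, which is why it is the less tidy of the two.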

The proposed solution meets the goal of configuring authorization for a website that will run as an Azure Web App and allow users to authenticate using their Azure AD credentials, with different permission levels based on their Azure AD group membership.

The solution involves creating a new Azure AD application and defining application roles that match the required permission levels for the website. The appropriate Azure AD group is then assigned to each role. Finally, the website uses the value of the roles claim from the JSON Web Token (JWT) for the user to determine their permissions.

By creating an Azure AD application and defining application roles, the solution provides a way to manage permissions at a higher level, rather than having to define permissions for each user individually. This makes it easier to maintain and update the authorization settings for the website.

Assigning Azure AD groups to each role provides a way to automatically grant permissions to all members of a particular group. This helps ensure consistency and reduces the risk of errors that can occur when manually assigning permissions to individual users.

Using the value of the roles claim from the JWT for the user allows the website to determine the user's permission level based on their group membership, as defined in the Azure AD application. This provides a secure and efficient way to authorize users, without requiring them to provide additional credentials or perform additional steps to authenticate.

Therefore, the proposed solution is a valid approach for configuring authorization for a website that will run as an Azure Web App, allowing users to authenticate using their Azure AD credentials and providing different permission levels based on their Azure AD group membership. Therefore, the answer is A. Yes.