I'm trying to get Microsoft.Graph working within AspNetZero. I have OpenIdConnect authenticating against ADD and that is working well. A further enhancement is some more integration with ADD for controlling access.
The requirement I have is to use a group in ADD that can allow or grant access to the application. So if a user wants to access the application, the requirement is that they are part of a group in ADD. The reason for this is that our application will be in a corporate environment and the administration of users will be left to tenant administrators who are most likely system administrators within their organisation. For on-boarding new users, a preferred workflow would be for a system administrator to assign a user to a group in ADD and instruct the new user that they can self-register for access. In the opposite manner, a user leaving the company could just be removed from the ADD group and then their access to the application will be removed.
The solution I am trying to implement is using Microsoft.Graph. I'm new to using Microsoft.Graph but I have followed through instructions from Microsoft and everything seems in order except that I am getting messages about not having permissions. I have all the API permissions set up in Azure that I should require but still cannot seem to find a simple way to connect.
I've got two questions regarding what I am trying to do.
- Is there a better way of accomplishing access being controlled through ADD groups?
- Is there any information in the solution about how to integrate with Microsoft.Graph? The ADD group stuff aside, I could see being able to integrate with this service being of high value and I wonder if there is a way to create some more support within the application itself to set up.
Any advice is appreciated.
Instead of making this restriction via Microsoft Graph, you can try to restrict it on the Azure AD side, see https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-restrict-your-app-to-a-set-of-users#assign-users-and-groups-to-the-app. Would that work for you?
If that doesn't work for you, could you share the error message you are getting?