Riad Riad - 2 days ago
ASP.NET (C#) Question

How to check if a user that is in Azure Active Directory belongs to a specific group membership?

I was able to query the active directory on Azure and bring back the user information such as name, country, department, etc.

However, I would like to know the group that the user who logged in belongs to. The function that I am using to bring a user's info is like the following:

using System;
using System.Linq;
using System.Security.Claims;
using Microsoft.Azure.ActiveDirectory.GraphClient;

public IUser GetUserData()
{
    // tenant and user object IDs come from the signed-in user's token claims
    string tenantID = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value;
    string userObjectID = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;

    // graphResourceId is the Azure AD Graph endpoint (see the config fields below);
    // the service root is <endpoint>/<tenantId>
    Uri servicePointUri = new Uri(graphResourceId);
    Uri serviceRoot = new Uri(servicePointUri, tenantID);
    ActiveDirectoryClient activeDirectoryClient = new ActiveDirectoryClient(serviceRoot,
        async () => await GetTokenForApplication());

    // use the token for querying the graph to get the user details
    // (.Result blocks the request thread on an async call; awaiting is the safer form in ASP.NET)
    IUser user = activeDirectoryClient.Users
        .Where(u => u.ObjectId.Equals(userObjectID))
        .ExecuteAsync().Result.CurrentPage.ToList().First();

    return user;
}


I tried to use 'activeDirectoryClient' variable that is inside GetUserData method to check if a user is a member of a group like the following:

// IsMemberOfAsync(groupId, memberId) expects object IDs for both arguments, not a display name
bool d = activeDirectoryClient.IsMemberOfAsync("group1", userObjectID).Result.Value;


However, it did not work!!

I also found this solution here, took it, and customized it like the following:

public async Task<IList<String>> GetGroups(IUser user)
{
    IList<String> groupMembership = new List<String>();

    // IUser also implements IUserFetcher, which exposes the memberOf navigation
    var userFetcher = (IUserFetcher)user;

    // memberOf returns the user's direct memberships (groups and directory roles), one page at a time
    IPagedCollection<IDirectoryObject> pagedCollection = await userFetcher.MemberOf.ExecuteAsync();
    do
    {
        List<IDirectoryObject> directoryObjects = pagedCollection.CurrentPage.ToList();
        foreach (IDirectoryObject directoryObject in directoryObjects)
        {
            if (directoryObject is Group)
            {
                var group = directoryObject as Group;
                groupMembership.Add(group.DisplayName);
                test.Text += group.DisplayName; // 'test' is a page control used here for debugging output
            }
        }
        // GetNextPageAsync returns null once the last page has been read
        pagedCollection = await pagedCollection.GetNextPageAsync();
    } while (pagedCollection != null);

    return groupMembership;
}


I am using global variables that are stored in my web.config file:

private static string clientId = ConfigurationManager.AppSettings["ida:ClientID"];
private static string appKey = ConfigurationManager.AppSettings["ida:ClientSecret"]; // client secret; keep web.config out of source control
private static string aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
private static string graphResourceId = "https://graph.windows.net"; // Azure AD Graph resource/endpoint


How can I check if 'user' has a group called 'group1'?

Thanks!

Answer

Try using IUserFetcher.MemberOf.

ActiveDirectoryClient activeDirectoryClient = new ActiveDirectoryClient(serviceRoot,
    async () => await GetTokenForApplication());

IList<string> groupMembership = new List<string>();
IUser user = activeDirectoryClient.Users.Where(u => u.ObjectId.Equals(userObjectID)).ExecuteAsync().Result.CurrentPage.ToList().First();
// IUser implements IUserFetcher, which exposes the memberOf navigation
var userFetcher = (IUserFetcher)user;

// memberOf returns the user's direct memberships (groups and directory roles), so filter on Group
IPagedCollection<IDirectoryObject> pagedCollection = userFetcher.MemberOf.ExecuteAsync().Result;
do
{
    List<IDirectoryObject> directoryObjects = pagedCollection.CurrentPage.ToList();
    foreach (IDirectoryObject directoryObject in directoryObjects)
    {
        if (directoryObject is Group)
        {
            var group = directoryObject as Group;
            groupMembership.Add(group.DisplayName);
        }
    }
    // GetNextPageAsync returns null once the last page has been read
    pagedCollection = pagedCollection.GetNextPageAsync().Result;
} while (pagedCollection != null);
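The answer's list of display names answers the question with `groupMembership.Contains("group1")`, but a display name is neither unique in a tenant nor stable, so an authorization decision should be keyed on the group's object ID. The following is an added example (not the asker's or the answerer's code) that resolves "group1" to an object ID once, then checks membership two ways: server-side with `IsMemberOfAsync`, which the question tried but which takes object IDs rather than names, and client-side by walking `MemberOf` as the answer does, comparing `ObjectId` instead of `DisplayName`. It assumes the same `Microsoft.Azure.ActiveDirectory.GraphClient` library and uses its `client.Groups.Where(...)` and `client.Users.GetByObjectId(...)` queries; the method names and the `GroupMembershipCheck` class are mine, and the `client` is constructed exactly as on the page. Azure AD Graph (graph.windows.net) has since been retired in favour of Microsoft Graph, but the example stays on the library the page uses so it matches the code above.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Azure.ActiveDirectory.GraphClient;

// Added example: membership check keyed on the group's object ID (not the page's own code).
public static class GroupMembershipCheck
{
    // Resolve a display name to an object ID. Returns null unless exactly one group matches:
    // display names are not unique, so an ambiguous name must fail closed rather than pick one.
    public static async Task<string> ResolveGroupObjectIdAsync(ActiveDirectoryClient client, string displayName)
    {
        IPagedCollection<IGroup> page = await client.Groups
            .Where(g => g.DisplayName.Equals(displayName))
            .ExecuteAsync();
        var matches = page.CurrentPage.ToList();
        return matches.Count == 1 ? matches[0].ObjectId : null;
    }

    // Server-side check. isMemberOf takes the group's and the member's object IDs,
    // which is why the question's call with the literal "group1" did not work.
    public static async Task<bool> IsMemberAsync(ActiveDirectoryClient client, string groupObjectId, string userObjectId)
    {
        bool? result = await client.IsMemberOfAsync(groupObjectId, userObjectId);
        return result == true; // null (no answer) is treated as "not a member"
    }

    // Client-side check over the user's direct memberOf pages, comparing object IDs.
    // memberOf lists direct memberships only; nested group membership is not expanded here.
    public static async Task<bool> IsDirectMemberAsync(ActiveDirectoryClient client, string groupObjectId, string userObjectId)
    {
        IUser user = await client.Users.GetByObjectId(userObjectId).ExecuteAsync();
        IPagedCollection<IDirectoryObject> page = await ((IUserFetcher)user).MemberOf.ExecuteAsync();
        while (page != null)
        {
            foreach (IDirectoryObject obj in page.CurrentPage)
            {
                var group = obj as Group; // memberOf also returns directory roles; skip those
                if (group != null && string.Equals(group.ObjectId, groupObjectId, StringComparison.OrdinalIgnoreCase))
                {
                    return true;
                }
            }
            page = await page.GetNextPageAsync(); // null after the last page, as on the page above
        }
        return false;
    }

    // Entry point for an ASP.NET request: resolve the signed-in user from the token claims,
    // then authorize on object IDs. Everything is awaited; no .Result on the request thread.
    public static async Task<bool> CurrentUserIsInGroupAsync(ActiveDirectoryClient client, string groupDisplayName)
    {
        string userObjectId = ClaimsPrincipal.Current
            .FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;

        string groupObjectId = await ResolveGroupObjectIdAsync(client, groupDisplayName);
        if (groupObjectId == null)
        {
            return false; // unknown or ambiguous group: deny
        }
        return await IsMemberAsync(client, groupObjectId, userObjectId);
    }
}

// Usage from a controller action, with the client built as in the question:
//   bool allowed = await GroupMembershipCheck.CurrentUserIsInGroupAsync(activeDirectoryClient, "group1");
```

In production the resolved group object ID belongs in configuration next to `ida:ClientID`, so the name lookup runs once at deployment rather than on every request and a renamed or duplicated group cannot change who is authorized.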