
I'm trying to figure out the best way to accomplish using Azure Active Directory Security groups to manage role assignments for an API. I'm trying to evaluate a few different options as well as poll to see what others were doing as solutions.

Option 1 - Include roles in the token claims

  • As far as I can see this would give the best performance.
  • Azure App registrations can accomplish this, but it doesn't apply to nested groups, so you'd have to flatten groups or assign all nested groups. (running jobs to keep it up to date)
  • Access expires when the token expires. (unless you blacklist, but that would cost performance)

Option 2 - Call Microsoft Graph API with getMemberGroups

  • Returns transitive groups, so you'd only need to look for the parent groups.
  • You'd need to store a list of all the parent groups and the roles they map to.
  • Returns up to 2046 groups.
  • Would probably require caching the groups for performance.
  • Access expires when the cache expires.

Option 3 - Call Microsoft Graph API with checkMemberGroups

  • Checks transitive groups, so you'd only have to search for parent groups.
  • You'd need to store a list of all the parent groups and the roles they map to.
  • Checks a max of 20 groups at a time.
  • Would probably require caching the checked groups for performance.
  • Access expires when the cache expires.

These are some of the options I found; I'm wondering how you would do this. I also noticed that many of the Microsoft apps, such as Azure Portal or Teams, do not have role claims on the token. Is there a best practice / industry standard around this?
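One way to realize Option 3, as an added example that is not code from the question or any answer: the API stores only the parent groups and their roles, queries them in chunks of at most 20 (the checkMemberGroups limit), and caches the result with a TTL so a revoked membership stops granting access when the cache entry expires. The `check_member_groups` callable, the group IDs and the membership table are constructed stand-ins for the Graph call and the directory.

```python
import time
from itertools import islice

# Constructed mapping of parent security-group object IDs to API roles
# (placeholder IDs, not real Azure AD group IDs).
GROUP_ROLES = {
    "group-id-readers": "reader",
    "group-id-writers": "writer",
    "group-id-admins": "admin",
}
CHECK_BATCH_LIMIT = 20  # checkMemberGroups accepts at most 20 group IDs per call

def batches(items, size):
    """Yield consecutive lists of at most `size` items."""
    it = iter(items)
    while chunk := list(islice(it, size)):
        yield chunk

class RoleResolver:
    """Map a user to API roles via transitive group checks, with a TTL cache.
    check_member_groups(user_id, group_ids) stands in for the Graph call
    POST /users/{id}/checkMemberGroups and returns the subset of group_ids
    the user is a transitive member of (assumed signature, not the SDK's).
    """

    def __init__(self, check_member_groups, ttl_seconds=300, clock=time.monotonic):
        self._check = check_member_groups
        self._ttl = ttl_seconds
        self._clock = clock
        self._cache = {}  # user_id -> (expires_at, frozenset of roles)

    def roles_for(self, user_id):
        now = self._clock()
        hit = self._cache.get(user_id)
        if hit and hit[0] > now:
            return hit[1]
        member_of = set()
        # Only the mapped parent groups are queried, in chunks of at most 20.
        for chunk in batches(list(GROUP_ROLES), CHECK_BATCH_LIMIT):
            member_of.update(self._check(user_id, chunk))
        roles = frozenset(GROUP_ROLES[g] for g in member_of)
        # The entry expires with the TTL; a removed membership stops granting access then.
        self._cache[user_id] = (now + self._ttl, roles)
        return roles

# Constructed directory standing in for Azure AD transitive membership.
FAKE_MEMBERSHIP = {"alice": {"group-id-readers", "group-id-writers"}, "bob": set()}

def fake_check_member_groups(user_id, group_ids):
    return [g for g in group_ids if g in FAKE_MEMBERSHIP.get(user_id, set())]
```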

  • As far as I know, option 1 would be the best option – Ishan Shah Feb 01 '21 at 04:20
  • 1
    What are your availability requirements? Is it acceptable that your service becomes inaccessible if the Active Directory API becomes unreachable? – Bart van Ingen Schenau Feb 01 '21 at 07:13
  • @BartvanIngenSchenau It would be acceptable for it to become inaccessible, but if you have a solution otherwise I'd be interested in hearing that too! – Luke Gaskell Feb 01 '21 at 14:15
  • @LukeGaskell, in Option 1, you are only dependent on the Active Directory API during authentication and all interactions after that can continue to work even when the API is down. In the other options, each interaction is dependent on the API being available. – Bart van Ingen Schenau Feb 01 '21 at 15:21
  • @BartvanIngenSchenau I do believe option 1 is the best... I guess I was more of asking if there were other solutions that I have not considered for using Azure Security Groups to manage roles. If that is something you've done, how'd you do it? – Luke Gaskell Feb 01 '21 at 16:11
