Tags: asp.net-core, azure-active-directory, authorization, microsoft-entra-id

Permission based access control using Entra ID with ASP.NET core


I'm designing a permissioning system for a new set of services that my team is creating. It is the first time that I'm doing this with a client who is using Entra ID for their authorization management. In the past I have dealt with clients where this was managed using hand-rolled UIs.

I want the system to be Permission Based Access Control rather than Role Based Access Control. Consider a scenario where I have the trader.senior and trader.junior roles. I have already created these as App Roles against my application in Entra ID, and assigned them to my test users. However, this requires me to secure my /executeTrade endpoint with an [Authorize(Roles = "trader.senior, trader.junior")].

I want to be able to do [MyCustomAuthorization(permission = "trade.execute")]. This means I need to create a permission called trade.execute and assign that permission to both the trader.senior and trader.junior roles.

However, I have not been able to figure out how to set this up on Entra ID. Is it not possible, or am I simply looking in the wrong place? Should I be taking a different approach entirely?

Alternate approaches I have considered:


Solution

  • Note that Microsoft Entra ID does not support permission-based access control in the way you described, where permissions are directly assigned to roles. You will need to implement a custom solution to achieve this functionality.

    Otherwise, as you mentioned, you can make use of Entra groups to manage permissions:

    Create a group:

    Create the app roles in the Microsoft Entra ID application based on your requirement:

    And assign the roles to the groups in the Enterprise application:

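One way to build the "custom solution" the answer refers to, as an added example that is not part of the question or the answer: keep the permission-to-role mapping inside the ASP.NET Core service, let Entra ID keep issuing only the app role claims, and resolve a permission attribute to a policy that checks whether any of the caller's roles grant it. The role names trader.senior and trader.junior and the permission trade.execute come from the question; the permission trade.approve, the PermissionMap class, the "permission:" policy prefix and the HasPermission attribute are constructed for this example. It assumes the token is validated with Microsoft.Identity.Web (AddMicrosoftIdentityWebApi) so that the app roles arrive in the "roles" claim; the handler also accepts ClaimTypes.Role in case the claim type has been remapped.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.Options;

// Constructed mapping: which Entra ID app roles grant which permission.
// Entra ID only issues the role claims; the permission vocabulary lives here,
// so adding a role in the portal changes nothing until this table is updated.
public static class PermissionMap
{
    public static readonly IReadOnlyDictionary<string, string[]> RolesByPermission =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            ["trade.execute"] = new[] { "trader.senior", "trader.junior" },
            ["trade.approve"] = new[] { "trader.senior" }, // constructed extra permission
        };
}

public sealed class PermissionRequirement : IAuthorizationRequirement
{
    public string Permission { get; }
    public PermissionRequirement(string permission) => Permission = permission;
}

// Succeeds when at least one role claim on the principal grants the permission.
// Unknown permissions never succeed, so a typo in an attribute fails closed.
public sealed class PermissionHandler : AuthorizationHandler<PermissionRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, PermissionRequirement requirement)
    {
        var userRoles = context.User.Claims
            .Where(c => c.Type == ClaimTypes.Role || c.Type == "roles") // "roles" is the Entra ID app role claim
            .Select(c => c.Value)
            .ToHashSet(StringComparer.OrdinalIgnoreCase);

        if (PermissionMap.RolesByPermission.TryGetValue(requirement.Permission, out var grantingRoles)
            && grantingRoles.Any(userRoles.Contains))
        {
            context.Succeed(requirement);
        }
        return Task.CompletedTask;
    }
}

// Builds a policy on demand for any "permission:<name>" policy string, so each
// permission does not have to be registered individually at startup.
public sealed class PermissionPolicyProvider : DefaultAuthorizationPolicyProvider
{
    public const string Prefix = "permission:";

    public PermissionPolicyProvider(IOptions<AuthorizationOptions> options) : base(options) { }

    public override async Task<AuthorizationPolicy?> GetPolicyAsync(string policyName)
    {
        if (policyName.StartsWith(Prefix, StringComparison.OrdinalIgnoreCase))
        {
            var permission = policyName.Substring(Prefix.Length);
            return new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .AddRequirements(new PermissionRequirement(permission))
                .Build();
        }
        return await base.GetPolicyAsync(policyName);
    }
}

// Usage on a controller action or minimal API endpoint:
//   [HasPermission("trade.execute")]
public sealed class HasPermissionAttribute : AuthorizeAttribute
{
    public HasPermissionAttribute(string permission)
        => Policy = PermissionPolicyProvider.Prefix + permission;
}

// Registration in Program.cs (assumes Microsoft.Identity.Web and an "AzureAd"
// configuration section; the JWT bearer setup is the standard one, not part of the example's logic):
//
//   builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
//       .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));
//   builder.Services.AddAuthorization();
//   builder.Services.AddSingleton<IAuthorizationPolicyProvider, PermissionPolicyProvider>();
//   builder.Services.AddSingleton<IAuthorizationHandler, PermissionHandler>();
```

The check is evaluated per request from the role claims already in the validated token, so no call back to Entra ID is needed. The trade-off is that the role-to-permission table is deployed with the service rather than administered in the portal; if the table needs to change without a redeploy, the same handler can read it from configuration or a store instead of the static dictionary.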