Published
Sep 06 2018 07:49 PM
61.2K
Views
First published on CloudBlogs on Dec, 18 2014
Howdy folks, Today I'm pleased to announce the preview release of two new features of the Azure AD authorization platform: group claims and application roles. As of Monday (12/15), 5565 third party and custom LOB applications (note: this number does not include the 2400+ SaaS apps in the Azure AD App Gallery) were being actively used with Azure AD and support for these additional claims is one of the top requests we've received from the developers of those applications. These features make it simple for developers to integrate access management of their cloud applications with groups in Azure Active Directory.
Howdy folks, Today I'm pleased to announce the preview release of two new features of the Azure AD authorization platform: group claims and application roles. As of Monday (12/15), 5565 third party and custom LOB applications (note: this number does not include the 2400+ SaaS apps in the Azure AD App Gallery) were being actively used with Azure AD and support for these additional claims is one of the top requests we've received from the developers of those applications. These features make it simple for developers to integrate access management of their cloud applications with groups in Azure Active Directory.
-
Groups claim : Group claims make it easy for custom applications to support sharing across groups of other users in an organization. These kinds of applications can now easily use the group information in Azure AD tokens to make it easy for users to share access with the people they work with, as represented by the groups in their organization's Active Directory. This simplifies sharing and access management by eliminating the need to manage group membership in multiple apps.
-
Application roles : Cloud applications can now use Azure AD for roles-based access control (RBAC). All developers need to do is declare a set of roles in Azure AD that the application needs for authorization. Admins of the customer's organization can then assign those roles to users and groups using the Azure management portal. At sign-in time, Azure AD determines what application roles are assigned to the user, and includes a roles claim in the token. Applications can inspect the token and use the roles claim to authorize the user. Administrators will love this feature because the data about who has what type of access to which application is all stored in one central place (Azure AD).
Groups Claim
When the groups claim is enabled for an application, Azure AD includes a claim in the JWT and SAML tokens that contains the object identifiers (objectId) of all the groups to which the user belongs, including transitive group membership.
Application Roles
The global administrator or the user administrator of an Organization can assign users and groups to applications in Azure AD. With this preview release, the assignment can be done to a specific role of the application. Today, users inherit role assignments only from direct group membership. In a future release we will enable assignment of application roles to users via nested group membership also.
See the new application roles sample published in the Azure AD samples github repo: https://github.com/AzureADSamples/WebApp-RoleClaims-DotNet Read this deep dive post to learn how you can implement application roles for your app: http://www.dushyantgill.com/blog/2014/12/10/roles-based-access-control-in-cloud-applications-usi... I hope you'll find these new feature useful for building applications! And as always, we'd love to receive any feedback or suggestions you have. Best Regards, Alex Simons (Twitter: @Alex_A_Simons ) Director of Program Management Microsoft Identity and Security Systems Division
4 Comments