AspNetCore.Docs
Microsoft Entra (ME-ID) groups, Administrator Roles, and App Roles Clarification
Description
In the 'Scopes' section, can clarification be provided to these statements:
- A CLIENT app is configured with the User.Read scope (https://graph.microsoft.com/User.Read) in the Azure portal.
- A SERVER app is configured with the GroupMember.Read.All scope (https://graph.microsoft.com/GroupMember.Read.All) in the Azure portal.
Are these Delegated or Application permissions?
https://learn.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/microsoft-entra-id-groups-and-roles?view=aspnetcore-7.0#scopes
Page URL
https://learn.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/microsoft-entra-id-groups-and-roles?view=aspnetcore-7.0
Content source URL
https://github.com/dotnet/AspNetCore.Docs/blob/main/aspnetcore/blazor/security/webassembly/microsoft-entra-id-groups-and-roles.md
Document ID
4088c5ca-39c2-9bed-ebc5-683d3441b615
Article author
guardrex
🎃 Happy Halloween! 🧟
A green dinosaur 🦖 will be along shortly to assist. Stand-by ........
Hello @philip-reed ... IIRC either will work depending on how you want to set up the permissions. Typically, one wouldn't want the users to have more permission than they need (i.e., least privilege), so the GroupMember.Read.All permission would typically only be granted to the app (the Server app), not delegated to the users, and only if the Server app has to use the Graph SDK for some purpose. Truly tho, I'm not a security expert, and I don't recall further details on it. We cross-link the Graph permissions doc and try to let them (the experts on it) cover as much as they can for us ...
https://learn.microsoft.com/en-us/graph/permissions-reference
I'll research it further and add remarks to the topic on this subject, but I'm buried in .NET 8 work at the moment. I'll get back to this as soon as I can, but it might not be until 24Q1.
No worries, thank you for responding so quickly.
IMO the cross-linking often adds some confusion, especially if there is anything ambiguous or contradictory.
For example, the documentation page cross-links off to the following: https://learn.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/graph-api?pivots=graph-sdk-4&view=aspnetcore-7.0
Where there is a statement:
After adding the Microsoft Graph API scopes in the ME-ID area of the Azure portal
But this page doesn't know which page I came from or what scopes are already added. Are these the same API Scopes from the previous page? In a Hosted Blazor scenario, is this talking about the client or the server App Registration?
I'm not asking for answers on the above, these are just bits of the documentation I found ambiguous, and I had to go over them more than I expected to try and clarify what was being said. But that could just be my tired brain on a Friday.
For the Client app, I believe it will be delegated permission for Graph in the portal. Users will be assigned whatever Graph permissions they're supposed to have, and Graph calls made on their behalf only give them access for their least privileged access.
For the Server app, I vaguely recall that it's application permission for GroupMember.Read.All to read the Azure App Roles ... maybe 🤔😄. It's been several years, so I'm a bit fuzzy on it. I wish I would've said a bit more on that one when I was writing this up.
I'll need to get back to this due to the high priority .NET 8 work. I suggest in the meantime that you try the guidance confirming that the Client app (if you're working with a hosted WASM solution) has Graph delegated permission, which I think is added by default with an app registration. If you're going to work with the Azure App Roles ...
https://learn.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/microsoft-entra-id-groups-and-roles?view=aspnetcore-7.0#app-roles
Try it without giving the Server app anything further than its default User.Read delegated Graph permission. That's provided by Azure when the Server app is registered. See if that works first.
If it turns out later that GroupMember.Read.All for the Server app is required via application permission for Graph (and I'm referring to when you're only adopting the Azure App Roles guidance), then I'd like to chat with Jean-Marc, who knows quite a bit more than I do, to confirm that application permission is correct in that scenario.
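As an added illustration of the delegated-versus-application distinction discussed in this thread (example code written for this page; it is not from the AspNetCore.Docs article, the Blazor samples, or either participant): an Entra ID access token carries delegated permissions in its scp claim and application permissions in its roles claim, so decoding the payload of a token the Client or Server app actually obtained shows which kind was granted, independent of what the portal page was read to mean. The two token payloads are constructed, the signature is not validated (diagnostic use only), and the set of permissions expected to be application-only on the Server app (just GroupMember.Read.All, following the remarks above) is an assumption used for the least-privilege check.

```csharp
// Added example for this thread, not code from AspNetCore.Docs or the Blazor samples.
// Decodes the payload of an Entra ID access token and reports which Graph permissions
// it carries as delegated ("scp" claim) versus application ("roles" claim).
// Diagnostic only: the signature is not validated, so never use this for authorization.
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.Json;

public enum PermissionKind { Delegated, Application }

public static class GraphTokenInspector
{
    // Assumption taken from the discussion above: permissions that belong on the
    // Server app as application permissions rather than being delegated to users.
    public static readonly HashSet<string> ExpectedApplicationOnly =
        new HashSet<string>(StringComparer.Ordinal) { "GroupMember.Read.All" };

    // JWT segments are base64url without padding; restore padding before decoding.
    static byte[] FromBase64Url(string segment)
    {
        string b64 = segment.Replace('-', '+').Replace('_', '/');
        int pad = (4 - b64.Length % 4) % 4;
        return Convert.FromBase64String(b64 + new string('=', pad));
    }

    // Map each Graph permission in the token to the kind it was granted as.
    public static Dictionary<string, PermissionKind> Classify(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length < 2) throw new ArgumentException("not a compact JWT", nameof(jwt));

        using JsonDocument doc = JsonDocument.Parse(FromBase64Url(parts[1]));
        JsonElement payload = doc.RootElement;
        var result = new Dictionary<string, PermissionKind>(StringComparer.Ordinal);

        // "scp": space-separated delegated scopes, present only when a user signed in.
        if (payload.TryGetProperty("scp", out JsonElement scp) && scp.ValueKind == JsonValueKind.String)
        {
            foreach (string scope in scp.GetString()!.Split(' ', StringSplitOptions.RemoveEmptyEntries))
                result[scope] = PermissionKind.Delegated;
        }

        // "roles": array of application permissions, present for app-only (client credentials) tokens.
        if (payload.TryGetProperty("roles", out JsonElement roles) && roles.ValueKind == JsonValueKind.Array)
        {
            foreach (JsonElement role in roles.EnumerateArray())
                if (role.ValueKind == JsonValueKind.String)
                    result[role.GetString()!] = PermissionKind.Application;
        }

        return result;
    }

    // Least-privilege check: a permission expected to be app-only that shows up as
    // delegated means users were granted more reach than the Server app needs on their behalf.
    public static List<string> DelegatedButExpectedApplicationOnly(IReadOnlyDictionary<string, PermissionKind> perms)
    {
        var findings = new List<string>();
        foreach (KeyValuePair<string, PermissionKind> kv in perms)
            if (kv.Value == PermissionKind.Delegated && ExpectedApplicationOnly.Contains(kv.Key))
                findings.Add(kv.Key);
        return findings;
    }
}

public static class Program
{
    static string ToBase64Url(string json) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(json))
               .TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Build a constructed (unsigned, placeholder) token around a JSON payload.
    static string FakeToken(string payloadJson) =>
        ToBase64Url("{\"alg\":\"RS256\",\"typ\":\"JWT\"}") + "." + ToBase64Url(payloadJson) + ".placeholder-signature";

    public static void Main()
    {
        // Constructed payloads: a Client app token (delegated, user signed in) and
        // a Server app token (app-only); aud/oid values are placeholders, not real ids.
        var samples = new (string Label, string Token)[]
        {
            ("Client app, delegated", FakeToken(
                "{\"aud\":\"https://graph.microsoft.com\",\"oid\":\"<user-object-id>\",\"scp\":\"User.Read GroupMember.Read.All\"}")),
            ("Server app, application", FakeToken(
                "{\"aud\":\"https://graph.microsoft.com\",\"roles\":[\"GroupMember.Read.All\"]}")),
        };

        foreach (var (label, token) in samples)
        {
            Dictionary<string, PermissionKind> perms = GraphTokenInspector.Classify(token);
            Console.WriteLine(label);
            foreach (var kv in perms)
                Console.WriteLine($"  {kv.Key,-24} {kv.Value}");
            foreach (string p in GraphTokenInspector.DelegatedButExpectedApplicationOnly(perms))
                Console.WriteLine($"  note: {p} is delegated here; per the remarks above it is usually granted to the Server app as an application permission");
        }
    }
}
```

Run it as a console project; the first sample reports both scopes as Delegated and raises the note for GroupMember.Read.All, the second reports GroupMember.Read.All as Application with no note. To inspect a real token obtained by either app registration, pass its compact string to Classify instead of the constructed ones, keeping in mind that nothing here checks the signature or audience.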