Azure-Samples / ms-identity-python-webapp

A Python web application calling Microsoft Graph that is secured using the Microsoft identity platform
MIT License

Using AAD Group #23

Closed lune94 closed 2 years ago

lune94 commented 4 years ago

In the context of a web app, I am using this library in order to authenticate my users via Azure Active Directory. I'd like to filter the access to pages according to the AAD groups a user belongs to. Example:
- /index accessible only for members of AAD group 'project_users'
- /admin accessible only for members of AAD groups 'project_contributor' and 'project_admin'

Does this library allow doing that?

Regards

rayluo commented 4 years ago

@navyasric pointed out that we did not document this scenario in our docs, though a Java sample did that. This Python web app sample does not currently provide such behavior out-of-box.

Perhaps you can look into the claims of the id token acquired by MSAL, probably with some additional claims, and then use its "groups" claim to decide whether your web app would serve/reject the request.

rayluo commented 4 years ago

@lune94 We do not currently have a Python web app sample for that, but this ".Net web app using groups" sample and this video "Using Security Groups and Application Roles in your apps" will give you a good understanding of the details.

RyanPicco commented 4 years ago

@lune94 Though I'm not using groups in this exact way, you can define app roles in the manifest.

So after defining the roles, you can assign roles to your users (or, in your case, groups) which are allowed access. Their role will then be returned in id_token_claims as "roles". From there you should be able to gate access based on their role value being in a list of acceptable roles; you could write this into a decorator with args for easy application to each endpoint.
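The decorator approach described above, combined with the "groups" claim check from the earlier reply, as an added example that is not part of the sample repository or of any commenter's code. It assumes the login handler stored MSAL's id_token_claims in the session (the sample keeps them in session["user"]) and that a small claims-reading callable is passed in, so it runs framework-free; the Forbidden and NotSignedIn exceptions stand in for abort(403) and a redirect to login, and all claim dictionaries are constructed samples.

```python
from functools import wraps
from typing import Callable, Iterable, Mapping, Optional


class NotSignedIn(Exception):
    """No id_token_claims in the session: the view should redirect to login."""


class Forbidden(Exception):
    """Signed in, but the token carries none of the required values (HTTP 403)."""


def claim_values(claims: Mapping, claim_name: str) -> set:
    """Values of a multi-valued claim ('roles' or 'groups') as a set.

    Azure AD omits the claim entirely when it is empty, so default to no values.
    'groups' holds group object IDs, not display names.  When the user is in too
    many groups to embed, the token instead carries a '_claim_names' entry for
    'groups' (the overage case); membership must then be looked up in Graph, so
    the claim is treated as unknown and grants nothing here.
    """
    if claim_name == "groups" and "groups" in (claims.get("_claim_names") or {}):
        return set()
    return set(claims.get(claim_name) or [])


def has_any(claims: Mapping, claim_name: str, allowed: Iterable[str]) -> bool:
    """Deny-by-default check: True only if at least one allowed value is present."""
    return not claim_values(claims, claim_name).isdisjoint(allowed)


def require_any(get_claims: Callable[[], Optional[Mapping]], claim_name: str, *allowed: str):
    """Decorator factory gating a view on 'roles' (or 'groups') membership.

    get_claims returns the id_token_claims dict stored at login (hypothetical
    accessor; in the sample app it would return session.get("user")), or None
    when the user is signed out.
    """
    def decorator(view):
        @wraps(view)
        def wrapped(*args, **kwargs):
            claims = get_claims()
            if claims is None:
                raise NotSignedIn()  # Flask equivalent: redirect(url_for("login"))
            if not has_any(claims, claim_name, allowed):
                raise Forbidden(f"needs one of {sorted(allowed)} in '{claim_name}'")  # abort(403)
            return view(*args, **kwargs)
        return wrapped
    return decorator


# Constructed id_token_claims standing in for what MSAL returns after sign-in.
ADMIN_CLAIMS = {"preferred_username": "alice@contoso.example", "roles": ["project_admin"]}
USER_CLAIMS = {"preferred_username": "bob@contoso.example", "roles": ["project_users"]}
OVERAGE_CLAIMS = {"preferred_username": "carol@contoso.example", "_claim_names": {"groups": "src1"}}


def build_admin_view(get_claims):
    """Wire the decorator onto a view the way an /admin endpoint would; returns the gated callable."""
    @require_any(get_claims, "roles", "project_contributor", "project_admin")
    def admin():
        return "admin page"
    return admin
```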