Azure AD and Authorization Extension - how do I use claims from Azure AD?

Hello!

We have a simple frontend (Vue) and backend (.NET Core) app without further API integrations. We use Auth0 and Authorization Extension to manage users as well as groups/permissions. Via a rule we add a custom email claim as well as the AE permissions needed to the “scopes” claim so that the .NET backend can pick them up from the access token and use it for authorization. It works well.

We’re trying to make it possible for our customers to connect with their own ADs and have set up the basic enterprise connection to Azure AD, which also works. The user logs in with their enterprise email and gets authenticated that way.

However, we’re not sure how to approach the scopes and permissions topic. In short, say that we have two custom permissions via Authorization Extension, myapp:user and myapp:admin as random examples. How can we replicate those permissions in the integrated ADs, so that the permissions 1) can be assigned to the users by the AD admin (via groups probably) and 2) get attached to the scope claim when the user has logged in?

We’ve experimented with the roles/groups/permissions passthrough options in AE, but the problem seems to be that while Azure AD supports custom roles, custom permissions seem to be another thing and maybe not what we’re looking for? In particular, I’d imagine the possibility to add a custom group “MyApp Admins” with one or several custom permissions (myapp:admin) from the example above, but that does not seem to be possible.

After some experimentation, going with Azure AD groups rather than roles and permissions seems to be an option. I’ve made the groups pass through to the Auth0 user object and I assume I could use rules to transform it into claims. Something like:

  1. In Azure AD, have users be members of either MyAppAdmins or MyAppUsers groups
  2. Use IDP group passthrough in Authorization Extension
  3. With rules, check if the user is a member of these groups
  4. Example: If member of MyAppAdmins, use rules to add the myapp:admin scope to the access token so that it matches what is done in the AE username/password case

Would that be a good idea? I’m not fond of having to match groups and translate them to claims “manually” in rules using string matching, but perhaps that’s the way to do it and keep the current behavior and scope names as they are.

Update:
Another, similar but perhaps more logical approach would be using AD “App Roles”. They seem to work with AD users and groups, so that a user can be part of a group which in turn, for our app only, is assigned a certain role which we then could check using a rule and translate to a claim. We probably don’t want to use the string values from the AD right off the bat, as we don’t want AD admins to grant their users any sort of superadmin powers or similar.
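As an added illustration of steps 3 and 4 above, and of the point in the update about not trusting AD string values directly, here is a rule-shaped mapping from Azure AD group names to the existing myapp:* scopes. It is example code, not from the original post or from Auth0; it assumes the groups arrive on `user.groups` via IdP group passthrough, and the connection name `azure-ad` and the claim namespace `https://myapp.example/scopes` are placeholders for the tenant's own values.

```javascript
// Assumed values: replace with the tenant's connection name and claim namespace.
const AZURE_CONNECTION = 'azure-ad';
const SCOPE_CLAIM = 'https://myapp.example/scopes';

// Allowlist: only these AD groups produce scopes. The scope names are fixed here,
// so an AD admin cannot mint arbitrary scopes by naming a group creatively.
const GROUP_TO_SCOPES = {
  MyAppAdmins: ['myapp:admin', 'myapp:user'],
  MyAppUsers: ['myapp:user'],
};

// Pure mapping so the logic can be unit-tested outside the rule runtime.
// Unknown groups, non-array input and inherited object keys are all ignored.
function mapGroupsToScopes(groups) {
  const scopes = new Set();
  for (const g of Array.isArray(groups) ? groups : []) {
    if (Object.prototype.hasOwnProperty.call(GROUP_TO_SCOPES, g)) {
      GROUP_TO_SCOPES[g].forEach((s) => scopes.add(s));
    }
  }
  return [...scopes].sort();
}

// Rule entry point in the (user, context, callback) shape Auth0 rules use.
// Only acts on the Azure AD connection, so the AE username/password flow
// keeps producing its scopes the way it does today.
function addAzureAdScopes(user, context, callback) {
  if (context.connection !== AZURE_CONNECTION) {
    return callback(null, user, context);
  }
  context.accessToken = context.accessToken || {};
  context.accessToken[SCOPE_CLAIM] = mapGroupsToScopes(user.groups);
  return callback(null, user, context);
}
```

Note that the group names here are matched exactly and case-sensitively; if the passthrough delivers group object IDs rather than display names, key the allowlist on those IDs instead.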