This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 73%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
I am new to Microsoft Identity Platform and want to get an idea of best practices and guidelines on Roles, Claims, and Policies. I have watched the videos from Matthijs Hoekstra (MSFT Microsoft Identity Platform Team) and the 'ASP.NET Core Authorization with Barry Dorrans'.
Our OData Web Api has 150+ controllers and most controller actions are CRUD (GET, POST, PATCH, and DELETE). We currently have 20 client apps that access our system. Currently our custom AuthZ logic handles 500+ claims and maps claims to roles via below snippet.
foreach (var role in roles) {
identity.AddClaim(new Claim("http://schemas.microsoft.com/ws/2008/06/identity/claims/role", role));
Our controller actions look something like this...
[Authorize(Roles = "AccountGet")]
public async Task<IActionResult> Get() {}
[Authorize(Roles = "AccountPost")]
public async Task<IActionResult> Post([FromBody] Account account) {}
[Authorize(Roles = "AccountPatch")]
public async Task<IActionResult> Patch([FromRoute] int id, [FromBody] Delta<Account> account){}
How should we setup Roles/Claims/Policies using Microsoft Identity Platform in such a way that the current authorization capability still works?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
If you haven't already, I would recommend checking out the role claims Github sample for .NET Core, which goes over the best practices and implementation. https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/5-WebApp-AuthZ/5-1-Roles
Thank you. We decided to implement this using custom AuthorizationRequirement and AuthorizationHandler with a default Policy. We keep app-level permissions in SQL db and mapping permissions to AD Roles in the Authorization Handler.
Thanks for following up!