>> Hey, guys, thank you so much for stopping by for another video. My name is Yoel Horvitz. I'm a Program Manager with the Microsoft Security Customer Experience Engineering team.

>> My name is Katherine Legg and I'm a Product Manager in the Developer Experience team. In today's video, we will talk about authorization and role-based access control in Azure Active Directory for customers. We'll start with a quick overview of role-based access control and how it can help you protect access to your applications. We'll demonstrate the user experience using the Woodgrove demo web application. And finally we'll show you how easy it is to configure role-based access control using the Microsoft Entra Admin Center.

Role-based access control is a popular mechanism to enforce authorization in applications. It helps you manage who has access to your application and what they can do in the application. When an organization uses role-based access control, an application developer defines the roles in the application. An administrator can then assign these roles to different users, which controls who has access to the application and what they can do with it. Developers can also use security groups to implement role-based access control in their applications, where the memberships of the user in specific groups are interpreted as their role memberships. Azure Active Directory for customers issues an access token for an authenticated user, which includes the names of the roles assigned to them in the application and all the groups the user is a member of. Developers have the flexibility to decide how role and group assignments are to be used within the application, for example, show or hide some of the elements on the screen or block access to certain functionalities based on the user's role or security groups. Let me hand you over to Yoel, who will show you how role-based access control changes the functionality of the Woodgrove Groceries demo application.

>> Thank you, Katherine. Woodgrove Groceries is a global retail food store that is integrated with Azure Active Directory for customers for their online food shopping application. Get started by navigating to the Woodgrove Groceries demo application at wdgdemo.net. From there, select the Sign-in button. Sign in or sign up with your social or local account. In this demo, we sign in with the Facebook account. After the user signs in, their name appears in the header and they can add items to the cart.

The Woodgrove Groceries demo application allows you to add yourself to a security group and application roles. From the header, select the profile icon. In the profile page, you can update your profile data, but you can also add yourself to the Commercial Accounts security group. By doing so, you will get discounts on some of the products. Usually an administrator needs to approve your request, but for this demo your request is automatically approved. Select the Commercial Accounts security group and update your account. To reflect the change in the security token returned to the Google application, sign out and sign in again with the same account. Great. Now that you are a member of the Commercial Security group, some of the items have a discount.

Let's move on and update your profile again. This time, add yourself to the Product Contributor and Orders Manager roles. The Orders Manager role grants you access to manage customers' online orders, and the Products Contributor role grants you access to manage Woodgrove products. Select both of them and save the changes. Sign out and sign in again with the same account. Now you have the option to manage the Woodgrove products and the customers' orders. If you select your name from the editor, it shows the content of the access token issued by Azure Active Directory for customers that was returned to the Woodgrove application. As you can guess, it contains a groups claim and the two roles you assigned. This demo application checks the claims' values and gives you discounts and access to manage products and online orders.

>> Now that you understand the user experience and how the application can change its behavior, let us show you how easy it is to implement role-based access control in your application. We start by configuring the application to emit the security groups users are members of. We do so only for the security groups. Application roles are included in the security tokens by default. Open the Microsoft Entra Admin Center at entra.microsoft.com and sign in with your administrator account. From the menu, select Applications and then App registrations. Select All applications and then, from the list of applications, select your application. Select Token configuration and then select Add groups claim. Select Security groups. You can select the format for how security groups are represented in the access token and ID tokens. Select Add to save all the changes.

To add a user to a security group, you can select Groups from the menu and then select All groups. Then select the group you want to add the user to. In this demo, we select the Commercial Accounts. Select Members. Select Add members. And select the users you want to add to this group.

Next we add two roles to the application. From the menu, select Applications and then App registrations. Select All applications and then, from the list of applications, select your application. From the menu select App roles and then select Add app role. Enter a display name for the role. Select Users and groups, so you can assign both of them to your application. For the value, enter the name of the role, add a description, then select Apply to save changes. Add a second role. Good, we are all set.

Now you can assign users the application roles. From the application Overview, select the application name, which takes you to the service principal of your application. From the menu, select Users and groups, then select Add users or groups. Select the user you want to assign a role to in this application, then select the role you want to assign to the user. And select Assign to complete the process. You can assign more roles to the user. To do so, repeat this step, but this time select the other role. That's it. Now when the user signs in, they will have both the groups and roles claims with the security group and application roles we just added.

>> To quickly recap, in this demo we started with a quick overview of role-based access control and how it can help you protect access to your applications. We demonstrated the user experience using the Woodgrove demo web application. And finally, we showed you how easy it is to configure role-based access control using the Microsoft Entra Admin Center. You can also automate the role assignment and group membership process by using the Microsoft Graph API or a PowerShell script.

>> To learn more about Azure Active Directory for customers, discover the latest updates, developer content, and resources, go to aka.ms/ciam/dev. Thanks for watching this video and we'll see you in the next one. Goodbye.