Implementing Azure AD group authorization
We talked about implementing Azure AD single sign-on authentication for our sales administrator website, but because we're going to use the Azure Bakery AD across all the business domains, we need to add groups so that we have finer control over which users in each business unit can do what. Azure AD doesn't currently let us define new or custom directory roles; there are a number of built-in administrator roles, but we have full control over groups, so we can use group membership for authorization.
Unfortunately, authorization isn't as simple as decorating a controller with the Authorize attribute and a role name, as you would with ASP.NET roles: group membership isn't issued to the application as a claim in this setup, so we need to query the Azure AD Graph API to check whether the signed-in user is a member of the group. We'll add a sales group to the Azure Bakery AD, and then implement a custom AuthorizeAttribute that queries the Azure AD Graph API using the Azure AD Graph client library.
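The attribute described above, written out as an added example (this is not the book's own code). It assumes the Azure AD Graph client library 2.x and ADAL, that the application's client ID and key are stored in web.config under the hypothetical keys ida:ClientId and ida:AppKey, and that the Graph client exposes CheckMemberGroupsAsync on the fetcher returned by Users.GetByObjectId, which is how I remember that API; the attribute name AzureAdGroupAuthorizeAttribute is my own.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.Azure.ActiveDirectory.GraphClient;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// Hypothetical attribute name. It takes group *object IDs* (GUIDs copied from the portal or
// PowerShell), never display names: names can be renamed or duplicated, object IDs cannot.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public class AzureAdGroupAuthorizeAttribute : AuthorizeAttribute
{
    // Claim types Azure AD issues in the sign-in token for the user's object ID and tenant.
    private const string ObjectIdClaim = "http://schemas.microsoft.com/identity/claims/objectidentifier";
    private const string TenantIdClaim = "http://schemas.microsoft.com/identity/claims/tenantid";
    private const string GraphResource = "https://graph.windows.net";
    private const string LoginAuthority = "https://login.microsoftonline.com/";

    // Assumed web.config keys holding the application's credentials for the client-credential flow.
    private static readonly string ClientId = ConfigurationManager.AppSettings["ida:ClientId"];
    private static readonly string AppKey = ConfigurationManager.AppSettings["ida:AppKey"];

    private readonly string[] groupObjectIds;

    public AzureAdGroupAuthorizeAttribute(params string[] groupObjectIds)
    {
        this.groupObjectIds = groupObjectIds ?? new string[0];
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Authentication first: an anonymous caller never triggers a Graph call.
        if (!base.AuthorizeCore(httpContext))
        {
            return false;
        }

        var principal = httpContext.User as ClaimsPrincipal;
        if (principal == null)
        {
            return false;
        }

        Claim objectId = principal.FindFirst(ObjectIdClaim);
        Claim tenantId = principal.FindFirst(TenantIdClaim);
        if (objectId == null || tenantId == null || groupObjectIds.Length == 0)
        {
            return false;
        }

        try
        {
            // AuthorizeCore is synchronous, so we block on the async Graph call. Every await
            // inside uses ConfigureAwait(false) to avoid the ASP.NET SynchronizationContext deadlock.
            return IsMemberOfAnyAsync(tenantId.Value, objectId.Value).GetAwaiter().GetResult();
        }
        catch (Exception)
        {
            // Fail closed: a token failure or Graph outage denies access instead of granting it.
            return false;
        }
    }

    private async Task<bool> IsMemberOfAnyAsync(string tenantId, string userObjectId)
    {
        var client = new ActiveDirectoryClient(
            new Uri(GraphResource + "/" + tenantId),
            async () =>
            {
                // App-only token for the Graph API using the application's own credentials.
                var authContext = new AuthenticationContext(LoginAuthority + tenantId);
                AuthenticationResult result = await authContext
                    .AcquireTokenAsync(GraphResource, new ClientCredential(ClientId, AppKey))
                    .ConfigureAwait(false);
                return result.AccessToken;
            });

        // checkMemberGroups is transitive (nested groups count) and returns only those IDs
        // from our list that the user actually belongs to, so an empty result means "deny".
        IPagedCollection<string> matches = await client.Users
            .GetByObjectId(userObjectId)
            .CheckMemberGroupsAsync(groupObjectIds)
            .ConfigureAwait(false);

        return matches.CurrentPage.Any();
    }
}

// Usage on a controller: only members of the sales group (object ID from the portal) get in.
// [AzureAdGroupAuthorize("00000000-0000-0000-0000-000000000000")]
// public class SalesAdminController : Controller { ... }
```

Two things a practitioner will want to add on top of this: cache the membership result per user for a short time (session or a memory cache keyed on object ID) so that every request doesn't cost a round trip to Graph, and grant the application only the Graph permission it needs (reading directory data) rather than write access, since the app key now lives on the web server.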
We're going to use the Azure AD PowerShell module to modify the AD application service principal later...