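// You Could use [Authorize(Roles=)] Tags here instead of IsInRole below
/// <summary>
/// Lists the groups of the signed-in admin's tenant by calling the Graph API
/// with an app-only token scoped to that tenant.
/// </summary>
/// <returns>
/// The view bound to the groups found. On an authorization failure or a Graph
/// error the list is empty and <c>ViewBag.GetGroupsStatus</c> says why.
/// </returns>
public ActionResult GetUserGroups()
{
    var usergroups = new List<UserGroup>();
    ViewBag.GetGroupsStatus = "";

    // It is up to the application to ensure that only admins can read groups.
    if (!User.Identity.IsAuthenticated || !User.IsInRole(RocRole.Admin))
    {
        ViewBag.GetGroupsStatus = "You must sign in as an admin to view Groups.";
        return View(usergroups);
    }

    try
    {
        // Get a token for the Graph API in the context of the user's tenant. Admins from hospital A can't see groups in hopital B.
        ClientCredential cc = new ClientCredential(ConfigurationManager.AppSettings["ida:ClientId"], ConfigurationManager.AppSettings["ida:AppKey"]);
        IClaimsIdentity ci = User.Identity as IClaimsIdentity;
        if (ci == null)
        {
            // An identity without claims cannot tell us the tenant; fail with a clear message rather than a NullReferenceException.
            throw new InvalidOperationException("The signed-in identity does not carry claims.");
        }

        // The tenant id claim decides which directory is queried; the token is requested from that tenant's authority only.
        Claim tid = ci.Claims.Where(c => c.ClaimType == "http://schemas.microsoft.com/identity/claims/tenantid").First();
        AuthenticationContext authContext = new AuthenticationContext(String.Format(TenantConfig.authorityFormat, tid.Value));
        AuthenticationResult ar = authContext.AcquireToken(TenantConfig.graphResourceId, cc);

        string graphRequest = TenantConfig.graphEndpoint + tid.Value + "/groups?api-version=" + TenantConfig.graphApiVersion;

        // Dispose the client so the underlying connection is released (the original leaked it).
        using (HttpClient httpClient = new HttpClient())
        {
            HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, graphRequest);
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", ar.AccessToken);
            HttpResponseMessage response = httpClient.SendAsync(request).Result;

            if (!response.IsSuccessStatusCode)
            {
                throw new WebException(response.Content.ReadAsStringAsync().Result);
            }

            JavaScriptSerializer jss = new JavaScriptSerializer();
            string serializedJson = response.Content.ReadAsStringAsync().Result;
            GraphGroupResult ggr = jss.Deserialize<GraphGroupResult>(serializedJson);
            foreach (Value group in ggr.value)
            {
                usergroups.Add(new UserGroup { Id = group.objectId, Name = group.displayName });
            }
        }
    }
    catch (Exception ex)
    {
        // A tenant admin needs to sign up for the app and grant it permission (via consent) before it can write to a tenant.
        if (ex.Message.Contains("Authorization_IdentityNotFound"))
        {
            ViewBag.GetGroupsStatus = "Your admin needs to sign in once before you can get groups.";
            // Return here: the original fell through and overwrote this message with the generic one below.
            return View(usergroups);
        }

        // NOTE(review): ex.Message is shown to the user as-is; consider logging the detail and showing a generic message instead.
        ViewBag.GetGroupsStatus = "An error occurred when getting groups: " + ex.Message;
    }

    return View(usergroups);
}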
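/// <summary>
/// Click handler that fills <c>lst_UserGroups</c> with the display names of the
/// groups in the signed-in user's tenant, fetched from the Graph API.
/// </summary>
/// <param name="sender">The control that raised the event (unused).</param>
/// <param name="e">Event data (unused).</param>
protected void btn_getUserGroup_Click(object sender, EventArgs e)
{
    GetGroupsStatus.Visible = false;

    // NOTE(review): unlike GetUserGroups, this handler only checks that the user is signed in,
    // not that the user holds the admin role. Confirm the page enforces that elsewhere.
    if (!User.Identity.IsAuthenticated)
    {
        Response.Redirect("/Account/Login");
        return;
    }

    // All failure paths render the same way: red status text made visible.
    Action<string> showError = message =>
    {
        GetGroupsStatus.Text = message;
        GetGroupsStatus.Visible = true;
        GetGroupsStatus.ForeColor = Color.Red;
    };

    try
    {
        // Get a token for the Graph API in the context of the user's tenant. Admins from hospital A can't see groups in hopital B.
        ClientCredential cc = new ClientCredential(ConfigurationManager.AppSettings["ida:ClientId"], ConfigurationManager.AppSettings["ida:AppKey"]);
        IClaimsIdentity ci = User.Identity as IClaimsIdentity;
        if (ci == null)
        {
            // An identity without claims cannot tell us the tenant; fail with a clear message rather than a NullReferenceException.
            throw new InvalidOperationException("The signed-in identity does not carry claims.");
        }

        // The tenant id claim decides which directory is queried; the token is requested from that tenant's authority only.
        Claim tid = ci.Claims.Where(c => c.ClaimType == "http://schemas.microsoft.com/identity/claims/tenantid").First();
        AuthenticationContext authContext = new AuthenticationContext(String.Format(TenantConfig.authorityFormat, tid.Value));
        AuthenticationResult ar = authContext.AcquireToken(TenantConfig.graphResourceId, cc);

        string graphRequest = TenantConfig.graphEndpoint + tid.Value + "/groups?api-version=" + TenantConfig.graphApiVersion;

        // Dispose the client so the underlying connection is released (the original leaked it).
        using (HttpClient httpClient = new HttpClient())
        {
            HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, graphRequest);
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", ar.AccessToken);
            HttpResponseMessage response = httpClient.SendAsync(request).Result;

            if (!response.IsSuccessStatusCode)
            {
                throw new WebException(response.Content.ReadAsStringAsync().Result);
            }

            JavaScriptSerializer jss = new JavaScriptSerializer();
            string serializedJson = response.Content.ReadAsStringAsync().Result;
            GraphGroupResult ggr = jss.Deserialize<GraphGroupResult>(serializedJson);

            List<string> groups = new List<string>();
            foreach (Value group in ggr.value)
            {
                groups.Add(group.displayName);
            }

            lst_UserGroups.DataSource = groups;
            lst_UserGroups.DataBind();
        }
    }
    catch (Exception ex)
    {
        // A tenant admin needs to sign up for the app and grant it permission (via consent) before it can write to a tenant.
        if (ex.Message.Contains("Authorization_IdentityNotFound"))
        {
            showError("Your admin needs to sign in once before you can get groups.");
            return;
        }

        // NOTE(review): ex.Message is shown to the user as-is; consider logging the detail and showing a generic message instead.
        showError("An error occurred when getting groups: " + ex.Message);
    }
}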