I am working on an ASP.NET MVC 5 app which depends on multi-tenant authentication using Azure Active Directory. I have authorization set up globally by adding the AuthorizeAttribute filter. Now I want the app to be accessible only by users who belong to particular Directory Roles (Global Administrators and User Administrators, to be specific). What is the best way to enforce this?
Roles in the principal only contain app-specific roles. I was hoping that one of the identity claims would certify standard directory roles, but the only claim that is relevant is the "groups" claim, which tells me what Directory Roles AND Application Groups the user belongs to. I then need to query each group object ID to see if one of them is a Directory Role I want to allow.
Also, is there a way to do this globally by adding it as a filter?
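An added example (not from the question or any answer) of enforcing this as a global MVC 5 filter: it subclasses AuthorizeAttribute and checks the "groups" claim against an allow-list of directory role object IDs. The appSettings key AllowedDirectoryRoleIds and the class name are assumptions; directory role object IDs are tenant-specific, so a multi-tenant app has to resolve them per tenant rather than hard-code them.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Linq;
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;

// Assumed: allowed directory-role object IDs live in <appSettings> under
// "AllowedDirectoryRoleIds" as a comma-separated list (placeholder key name).
public class DirectoryRoleAuthorizeAttribute : AuthorizeAttribute
{
    private static readonly HashSet<string> AllowedRoleIds = new HashSet<string>(
        (ConfigurationManager.AppSettings["AllowedDirectoryRoleIds"] ?? string.Empty)
            .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)
            .Select(s => s.Trim()),
        StringComparer.OrdinalIgnoreCase);

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Keep the base check so unauthenticated users are still redirected to sign-in.
        if (!base.AuthorizeCore(httpContext)) return false;
        var principal = httpContext.User as ClaimsPrincipal;
        return principal != null && IsInAllowedDirectoryRole(principal, AllowedRoleIds);
    }

    public static bool IsInAllowedDirectoryRole(ClaimsPrincipal principal, ISet<string> allowed)
    {
        // Azure AD emits one "groups" claim per membership. When the user has more
        // groups than fit in the token, the claim is omitted entirely (overage), so
        // an empty list must deny rather than pass; membership then needs a Graph lookup.
        var groupIds = principal.FindAll("groups").Select(c => c.Value).ToList();
        return groupIds.Count > 0 && groupIds.Any(allowed.Contains);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Authenticated but not in an allowed role: return 403 instead of looping
        // back into the sign-in redirect that the base class would trigger.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}

// Register once in FilterConfig.RegisterGlobalFilters:
//   filters.Add(new DirectoryRoleAuthorizeAttribute());
```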