feat: add requirement for denying guest users #2179
/// Implements an <see cref="IAuthorizationRequirement"/>
/// which requires the current user to be a member of the tenant.
/// </summary>
public class DenyGuestsAuthorizationRequirement : IAuthorizationRequirement
Not locked on the naming of this. I see many requirements are prefixed with `Require`, but `RequireTenantMembers` or `RequireNonGuests` sound weird and aren't as explicit in what they try to achieve.
@microsoft-github-policy-service agree
8a2e238 to 1b0f918
Signed-off-by: Thorstein Løkensgard <[email protected]>
1b0f918 to 1ae9fe3
Mind sharing your thoughts? This is how we've done it internally for now, but we'd love to hear the plans for actual implementation in the SDK or even Azure itself.
As a developer, I expect to be able to easily allow all members of a tenant to access my application, without needing to set up roles and manual assignment.

However, Azure AD allows for guest users, which applications like Teams rely on. These guest users will then by default have access to applications that don't have any roles, but that should still only be accessible by tenant members.

This PR introduces the `DenyGuests` extension to `AuthorizationPolicyBuilder`, which easily lets the developer deny guest users access to their applications with policies.

I think that many enterprise applications would want this behavior by default, and without it, the application would be exposed to some vulnerabilities.
//cc @loekensgard @JonasKs
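The shape of the requirement, handler and policy extension described in this PR, written out as an added example (not the project's own code from this PR). It assumes the Azure AD optional claim `acct` (`"0"` = tenant member, `"1"` = guest) has been enabled on the app registration; the handler and extension class names are hypothetical. Because `acct` is optional, the handler fails closed when the claim is missing rather than assuming membership.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;

// Added example, not Microsoft.Identity.Web's implementation.
// Marker requirement: the current user must be a member (not a guest) of the tenant.
public class DenyGuestsAuthorizationRequirement : IAuthorizationRequirement { }

// Hypothetical handler name. Evaluates the requirement against the signed-in user's claims.
public class DenyGuestsAuthorizationHandler : AuthorizationHandler<DenyGuestsAuthorizationRequirement>
{
    // Azure AD optional claim "acct": "0" = tenant member, "1" = guest.
    // The claim is only emitted when enabled on the app registration (assumption here);
    // when it is absent we do NOT succeed the requirement, so access is denied (fail closed).
    private const string AccountStatusClaim = "acct";
    private const string MemberValue = "0";

    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context,
        DenyGuestsAuthorizationRequirement requirement)
    {
        string? acct = context.User.FindFirst(AccountStatusClaim)?.Value;

        if (acct == MemberValue)
        {
            // Only an explicit member marker satisfies the requirement.
            context.Succeed(requirement);
        }
        // Any other value ("1", null, unexpected) leaves the requirement unmet,
        // and the authorization pipeline denies the request.
        return Task.CompletedTask;
    }
}

// Hypothetical static class name; the DenyGuests extension name is the one used in the PR.
public static class DenyGuestsPolicyBuilderExtensions
{
    public static AuthorizationPolicyBuilder DenyGuests(this AuthorizationPolicyBuilder builder)
        => builder.AddRequirements(new DenyGuestsAuthorizationRequirement());
}

// Registration (Program.cs). Making DenyGuests part of the default policy means every
// endpoint protected by [Authorize] requires tenant membership unless a different policy
// is named explicitly, which is the "safe by default" posture the PR description asks for.
public static class DenyGuestsRegistration
{
    public static void Configure(Microsoft.Extensions.DependencyInjection.IServiceCollection services)
    {
        Microsoft.Extensions.DependencyInjection.ServiceCollectionServiceExtensions
            .AddSingleton<IAuthorizationHandler, DenyGuestsAuthorizationHandler>(services);

        Microsoft.Extensions.DependencyInjection.PolicyServiceCollectionExtensions
            .AddAuthorization(services, options =>
            {
                options.DefaultPolicy = new AuthorizationPolicyBuilder()
                    .RequireAuthenticatedUser()
                    .DenyGuests()
                    .Build();

                // A named policy for endpoints that opt in explicitly:
                // [Authorize(Policy = "MembersOnly")]
                options.AddPolicy("MembersOnly", policy => policy
                    .RequireAuthenticatedUser()
                    .DenyGuests());
            });
    }
}
```

Verifying the behaviour is a matter of issuing a token for a guest account and confirming the endpoint returns 403; if the `acct` claim never appears in member tokens either, the optional claim has not been enabled on the app registration and every user will be denied, which is the intended failure direction for this check.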