Caching an Azure OAUTH token per user so they can view their own subs/resources in UD?

Not sure if this has been asked before. I searched around but didn’t find anything.

Would this be possible? I’m trying to build a webapp for different departments to log into and see their own subscription information and the resources they have access to.

Welcome to the forums!
It is indeed possible.

You can filter who can view which pages by using the -AuthorizationPolicy and -AuthorizedRole on your pages.

Here’s an example with OAuth (Azure in this case) group filtering applied.

If you want to filter out whole pages, when defining your dashboard, you would do something like this:

    $AuthorizationPolicy = New-UDAuthorizationPolicy -Name "SuperAdmin" -Endpoint {
        param($User)

        $User.HasClaim("groups", "02934b66-10a9-420a-1110-a01923045")
    }

Then, you’d apply them to your dashboard upon creation.

    $MyLogin = New-UDLoginPage ... -AuthorizationPolicy $AuthorizationPolicy ...
    New-UDDashboard -LoginPage $MyLogin ...

To show a UDPage to some users only, you would then create your page with the New-UDPage -AuthorizationPolicy ‘SuperAdmin’ parameter (SuperAdmin corresponds to the chosen name) and apply the custom condition, in this case based on an Azure group membership claim, to your dashboard.
I’ll leave at the bottom a link to a “claims viewer” page that can help you view the claims of the connected user when creating those.

The other filtering you can perform is in the UDPage itself.
You can do something like:

    $IsInSuperAdminGroup = $ClaimsPrinciple.claims.value.contains('16cca29e-f53e-4260-8181-74b11f2b70b1')

    if ($IsInSuperAdminGroup) {
        New-UDCard -Title 'Hey you' -Text 'You are a super admin !'
    }

In this instance, the UD card would be shown only to users matching the specified claim (group membership or role) criteria.

Some documentation on the subject.
https://docs.universaldashboard.io/security/authorization/claims-based
https://docs.universaldashboard.io/how-to/get-the-user-email-address-when-using-oauth

A helper page I made that displays the claims

Edit:
Regarding filtering within a page, I also found the following dedicated method:

    $Policies = Get-UDAuthorizationPolicy
    if ($Policies -contains 'Administrator') {
        New-UDCard -Title 'Administrator' -Content {}
    }

It is even better than the first method I proposed, although on my end I get an error message when I use it, which might or might not be a bug in 2.5. Nevertheless, both methods are valid ways to filter your page.

I also forgot to mention that, by default, an Azure app does not return group membership in the claims.
In order to enable that scenario, you will need to log in to the Azure portal, then go to the Azure Active Directory blade / App Registrations / Your app / Manifest and set the value of groupMembershipClaims to SecurityGroup:

    "groupMembershipClaims": "SecurityGroup",

Only then will you receive the group membership of your user within the claims and be able to create policies that use the group-based claims.

Hi itfranck,

Thank you for showing me the claims membership. I’ve actually already used that before for another project I was working on :slight_smile:

What I’m looking to do is request the right token for the graph or azure api so I can retrieve things like resource groups, resources and subscriptions in an Azure tenant that the current user would have access to and then display things like cost, locations, policies, etc.

Let me know if that makes sense at all.

Thanks,

kp

Oh, I understand.

I did some research and it looks like UD does not return the Authorization JWT bearer header, which would contain the needed information.

If it did (it’s configurable on the .NET server side of things), you could use:

    # Placeholder: the signed-in user's bearer token, which UD does not currently expose
    $JwtToken = '???'
    $Response = Invoke-RestMethod -Method Get -Uri 'https://graph.microsoft.com/v1.0/me/' -Headers @{'Authorization' = "Bearer $JwtToken" }

A workaround would be to use an application permission to act on behalf of all users and then build your URL accordingly.

    # Here $JwtToken is an app-only token (application permission), not the user's token
    $CurrentUser = "$(($ClaimsPrinciple.claims | Where-Object type -eq "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" ).Value)"
    $Url = "https://graph.microsoft.com/v1.0/users/$CurrentUser"
    $Response = Invoke-RestMethod -Method Get -Uri $Url -Headers @{'Authorization' = "Bearer $JwtToken" }

Possibly one of the cookies contains that information, but at first view it looks like there’s no way to decrypt the UD cookie with the provided tools.

Meanwhile, I created an enhancement request on the official project.
That’s definitely something I would like to use.
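
The application-permission workaround described in this post, carried through as an added example that is not code from the thread or from Universal Dashboard: a client-credentials token for the app, the UPN taken from the signed-in user's claims rather than from any user-supplied value, and a Graph lookup restricted to that one user. The tenant id, client id and the GRAPH_CLIENT_SECRET environment variable are placeholders, and the three function names are chosen here; it assumes an app registration holding the Graph application permission User.Read.All.

```powershell
# Added example (not from the original thread). Placeholder tenant/client values;
# $ClaimsPrinciple is the principal Universal Dashboard provides for the signed-in user.

function Get-GraphAppToken {
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][string]$ClientSecret
    )
    # Client-credentials flow: this token represents the app, not the signed-in user,
    # so every call made with it must be scoped by the code that uses it.
    $Body = @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
    $Uri = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    (Invoke-RestMethod -Method Post -Uri $Uri -Body $Body -ContentType 'application/x-www-form-urlencoded').access_token
}

function Get-CurrentUserFromClaims {
    param([Parameter(Mandatory)]$ClaimsPrincipal)
    # The UPN comes from the identity provider's signed claims, never from a query string,
    # so the app token is only ever used to look up the person who actually logged in.
    $UpnType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
    $Upn = ($ClaimsPrincipal.Claims | Where-Object Type -eq $UpnType | Select-Object -First 1).Value
    if ([string]::IsNullOrWhiteSpace($Upn)) { throw 'No UPN claim present for the signed-in user.' }
    return $Upn
}

function Get-GraphUserProfile {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string]$Upn
    )
    # Escape the UPN so a value containing "/" or "?" cannot alter the request path.
    $Url = "https://graph.microsoft.com/v1.0/users/$([uri]::EscapeDataString($Upn))?`$select=id,displayName,userPrincipalName"
    Invoke-RestMethod -Method Get -Uri $Url -Headers @{ Authorization = "Bearer $Token" }
}

# Usage inside a UD endpoint (placeholder ids; the secret is read from the environment):
# $Token = Get-GraphAppToken -TenantId '<tenant-id>' -ClientId '<client-id>' -ClientSecret $env:GRAPH_CLIENT_SECRET
# $Upn   = Get-CurrentUserFromClaims -ClaimsPrincipal $ClaimsPrinciple
# $Me    = Get-GraphUserProfile -Token $Token -Upn $Upn
# New-UDCard -Title $Me.displayName -Text $Me.userPrincipalName
```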

Yeah I was afraid of that. I’ll try the workaround and report back! I’d like to be able to make something I can use for different customers but with one page.

Thank you though! I appreciate your knowledgeable post!