Role script doesn't seem to be working

Ok, so I created a custom role and I put this script into it.

param(
[Security.ClaimsPrincipal]$User
)
        
<# 
  Policies should return $true or $false to determine whether the user has the particular 
  claim that require them for that role.
#>
Import-Module ActiveDirectory

# Check if a user is in a specific Active Directory group
$ADGroup = "Test Group"

# Get the members of the group
$Members = Get-ADGroupMember -Identity $ADGroup

# Check if the user is in the group
if ($Members.SamAccountName -contains $User) {
    $true
}
Else {
    $false
}

But after I login with my user account that is part of that group is not added to the role.

Product: PowerShell Universal
Version: 1.4.6

Policy authentication, to my knowledge, does not appear in the Identities menu if that is where you are looking for the role to appear. If you create a test resource (app, script, endpoint, etc) and assign that new role to it, then test that sign-in process, can you confirm the user is unable to see the resource?

@parzog
Ok, I tested that and it still won’t allow me to use the app. I created an app with the same code to do a UDToast and it confirmed that my account is in the AD group so it worked as expected code wise but not within the role.

Update: I added create file calls in my script to see if it will generate files to see if it is actually running and it didn’t generate any file so I am not sure what I am missing for the script to be called.

Can you share the code of the test app? If they can get to the point where the Show-UDToast is working it seems like the role is working, provided that role is assigned via the above policy and to the app in question.

@parzog
Test Script:

New-UDApp -Title 'Test App' -Content {
    Import-Module ActiveDirectory

    # Check if a user is in a specific Active Directory group
    $ADGroup = "Test Group"

    # Get the members of the group
    $Members = Get-ADGroupMember -Identity $ADGroup

    # Check if the user is in the group
    $Split = $User.Split('@')[0]
    if ($Members.SamAccountName -contains $Split) {
        Show-UDToast -Message "$User in AD Group" -Persistent
    }
    Else {
        Show-UDToast -Message "$User Not in AD Group $($Members.SamAccountName)" -Persistent
    }
}

It looks like it is working… So, confirm for me the following:

1. The test user has no roles manually configured on the Identities page
2. The test user is able to sign in
3. The test user is able to navigate to this app and launch it

If all of these things are true, then it looks like the policy authentication with custom roles is working properly. There is another forum post that can be found here referencing how to set an authorization flow for custom roles, if that is more conducive to your needs.

Sorry, I don’t feel as though I can be (or have been, rather) much help here - there are a lot of factors that I’m having to assume while writing these and it’s a question now of how to get down to where the issue actually lies.

Does that same create file call work from an account authorized as Administrator?

@parzog
Ok, so I have my test account and my admin account they are both in the AD group. Admin account can get to the app so I can confirm that toast message works as expected. My test account always get “Unauthorized Access” and I don’t see the files getting created.

OH - Okay, that makes so much more sense. Is the test account able to get to the /portal URL and see the widget for the app on that screen?

@parzog
Ok,so I was digging around and I found this log.
[9/30/2024 3:17:32 PM] [Error] [Security-roles.ps1] Could not find a part of the path ‘C:\Temp\authresults2.txt’.
[9/30/2024 3:17:32 PM] [Error] [Security-roles.ps1] Method invocation failed because [Security.ClaimsPrincipal] does not contain a method named ‘Split’.
[9/30/2024 3:17:31 PM] [Error] [Security-roles.ps1] Could not find a part of the path ‘C:\Temp\authresults.txt’.
[9/30/2024 3:17:31 PM] [Error] [Security-roles.ps1] Could not find a part of the path ‘C:\Temp\authresults2.txt’.
[9/30/2024 3:17:31 PM] [Error] [Security-roles.ps1] Method invocation failed because [Security.ClaimsPrincipal] does not contain a method named ‘Split’.
[9/30/2024 3:17:29 PM] [Error] [Security-roles.ps1] Could not find a part of the path ‘C:\Temp\authresults.txt’.

Which I think my problem is the split method

Cause my $User = Username@Domain.com and I am trying to remove the domain.com part.

Ah - nice catch. I didn’t even think about that. I would try this on app load so you can see the user properties:

Write-Output "$($User | gm)"

That way you can find the available properties of the Security.ClaimsPrincipal type in the browser console. My guess would be that the text representation of the username is something like $User.Username but I could be wrong.

Bit of a redirect there, my apologies. Found the documentation for what I was talking about in the documentation here. However, if you’re searching through AD, using their UPN as it shows up in the top right corner of the screen should in most environments pull the correct user. If you still need to split like that, you can try the following to access the user’s name:

$UserName = $User.Identity.Name
Then, call .split() on the $UserName instead.

Actually your first option did work as well. I just had to log out and log back in for it to process correctly.
$Split = $User.Username.Split(‘@’)[0]
if ($Members.SamAccountName -contains $Split) {
$true
New-Item -ItemType File -Name “authresults1.txt” -Path “C:\Temp”
}
Else {
$false
New-Item -ItemType File -Name “authresults2.txt” -Path “C:\Temp”
}

But yes Thank you very much for your time looking at this!!!