Back to Windows Azure Active Directory Solutions For Developers 


In this scenario application requires to implement complex authorization rules logic, something that cannot be satisfied using only roles. The application enforces access by calculating the outcome - grant or deny access - based on the information available in the request including the claims in the incoming token.

  • The application uses claims-based authentication
  • Role Based Access Control (RBAC) cannot satisfy authorization requirements
  • Authorization outcome - grant or deny access - is calculated based on complex rules and the data available in the token.

Solution Approach

The solution relies on ClaimsAuthorizationManager - WIF' extensibility point. You develop custom ClaimsAuthorizationManager and register it in web.config. You can optionally express the rules as a policy in the web.config so that the custom ClaimsAuthorizationManager can read them at run time and enforce them for the incoming requests. For detailed step-by-step walkthrough read How To: Implement Claims Authorization in a Claims-Aware ASP.NET Application Using WIF and ACS.

  • Application uses WIF
  • Application uses ClaimsAuthorizationManager as an extensibility point
  • Implement custom ClaimsAuthorizationManager and define authorization policy in the configuration file
  • Call CheckAccss in the code to enforce the authorization policy.


Implement claims-cased authorization when role base access control (RBAC) is insufficient to satisfy authorization requirements. Read more about RBAC in Role-Based Access Control (RBAC) Authorization In Claims-Aware Applications 


Code Samples