ASP.NET Core 2 - Azure Auth - Identity
Hi guys,
So, I'm unsure where to ask so I guess I thought I would try here.
I'm a bit new to this whole Identity thing, and I'm looking to migrate a few apps that I have on our local domain here to the Azure cloud. I'm pretty much going to be re-writing them anyway, so I was looking at this whole ASP.NET Core 2, Azure AD authentication and Identity.
Previously, I authenticated through an LDAP query, checking user names and passwords against our domain for authentication, and then provided custom roles (user, power user, admin, etc.) for the user in the application's database.
Now, I have gotten AD Authentication to work in Azure. It finds my user and authenticates and the application recognizes me. However... where I'm getting confused is, where do I add these custom claims, or custom roles? I understand that they need to be in the claims "token". So, if that token is coming from Azure AD, do I need to define the roles someplace there?
Or is it a similar thing to what was being done in the past, authenticating through Azure AD and then using the application database to add the roles to the token (is this claims transformation?).
Anyway, I feel that this should be a super common occurrence, but I can only find examples that either just do Azure AD auth, or do Identity with local database and no domain authentication. Looking for some guidance.
Thanks for reading!
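The pattern the post asks about (authenticate with Azure AD, then add roles from the application's own database) can be sketched with ASP.NET Core's `IClaimsTransformation`. This is an added example, not part of the original post; `IAppRoleStore`, `SqlAppRoleStore` and the marker claim are hypothetical names, and the claim type URIs assume the default inbound claim mapping for the Azure AD `oid` and `tid` claims.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;

// Hypothetical abstraction over the application's own role table.
public interface IAppRoleStore
{
    Task<IReadOnlyList<string>> GetRolesAsync(string tenantId, string objectId);
}

public sealed class AppRoleClaimsTransformation : IClaimsTransformation
{
    // Assumed default mappings of the Azure AD "oid" and "tid" token claims.
    private const string ObjectIdClaim = "http://schemas.microsoft.com/identity/claims/objectidentifier";
    private const string TenantIdClaim = "http://schemas.microsoft.com/identity/claims/tenantid";
    private const string MarkerClaim = "urn:example:app-roles-loaded"; // constructed marker

    private readonly IAppRoleStore _roles;
    public AppRoleClaimsTransformation(IAppRoleStore roles) => _roles = roles;

    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        // Never attach roles to an anonymous principal.
        if (principal.Identity?.IsAuthenticated != true) return principal;
        // The framework may call this more than once per request; stay idempotent.
        if (principal.HasClaim(c => c.Type == MarkerClaim)) return principal;

        // Key the lookup on tenant id + object id, which do not change when a
        // user's display name, UPN or e-mail address is edited in the directory.
        var oid = principal.FindFirst(ObjectIdClaim)?.Value;
        var tid = principal.FindFirst(TenantIdClaim)?.Value;
        if (string.IsNullOrEmpty(oid) || string.IsNullOrEmpty(tid)) return principal;

        var roles = await _roles.GetRolesAsync(tid, oid);

        // Keep app-assigned roles in a separate identity so they stay
        // distinguishable from claims issued by Azure AD.
        var appIdentity = new ClaimsIdentity("AppRoles", ClaimTypes.Name, ClaimTypes.Role);
        appIdentity.AddClaim(new Claim(MarkerClaim, "1"));
        foreach (var role in roles.Distinct())
            appIdentity.AddClaim(new Claim(ClaimTypes.Role, role));

        principal.AddIdentity(appIdentity);
        return principal;
    }
}

// Registration in Startup.ConfigureServices (SqlAppRoleStore is hypothetical):
// services.AddScoped<IAppRoleStore, SqlAppRoleStore>();
// services.AddScoped<IClaimsTransformation, AppRoleClaimsTransformation>();
```

With this registered, `[Authorize(Roles = "admin")]` and `User.IsInRole("admin")` evaluate against the database-assigned roles, while the signed Azure AD token itself is left unchanged.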