File System Drivers and Entra ID

Hi there!

We received a request for integrating the file system driver we implement with Azure Active Directory, now called Entra ID. As far as I could understand, the token created during the logon session on Windows using Entra ID carries an extra SID, which can be used to identify the Entra account. However, this token does not include the AADS groups the user belongs to, which we use for resource authorization.

As far as I could read from Microsoft documentation, they offer this REST API for applications to authenticate Entra ID users, but it does not seem to me that this will create or change the user token, so that it would get the user’s AADS groups.

Does anyone have any similar experience with this? Any tip, clue, or documentation I could read to learn more?

Thanks in advance,

DriverEntry Kernel Development

I guess my first question is "have you poked at the REST endpoint?"

My betting is that, as with most things to do with AuthN/AuthZ, Microsoft will have an "almost right but broken in some important details" implementation of a "standard": OIDC I'd guess.

In that case I'd stand up an OIDC client and see what comes back. You have better support for parsing JSON in user mode obviously.

Indeed you might find that .NET has done all the work for you and you can stand up a .NET service which your FS speaks to and which in turn speaks to .NET.
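As an added example (not code from either poster), here is the user-mode side of the "extra SID" the question mentions: an Entra ID logon puts an S-1-12-1 SID in the token, and its four trailing sub-authorities are the account's object ID GUID. A helper service can recover that object ID and use it as the key for looking up group membership out of band, since the token itself carries no AADS groups. The token SID list is constructed sample data, not a real capture.

```python
import re
import struct
import uuid

# Identifier authority 12, sub-authority 1 marks an Entra ID (Azure AD) cloud identity.
ENTRA_PREFIX = "S-1-12-1-"
_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def entra_sid_to_object_id(sid: str) -> uuid.UUID:
    """Recover the Entra object ID (GUID) encoded in an S-1-12-1 SID.

    The four trailing sub-authorities are the GUID's 16 bytes in its
    mixed-endian (.NET ToByteArray) layout, read as little-endian uint32s.
    """
    if not sid.startswith(ENTRA_PREFIX):
        raise ValueError(f"not an Entra ID SID: {sid}")
    subs = [int(x) for x in sid[len(ENTRA_PREFIX):].split("-")]
    if len(subs) != 4 or any(not 0 <= s < 2**32 for s in subs):
        raise ValueError(f"malformed Entra ID SID: {sid}")
    return uuid.UUID(bytes_le=struct.pack("<4I", *subs))


def object_id_to_entra_sid(object_id: str) -> str:
    """Inverse mapping: Entra object ID GUID -> S-1-12-1 SID."""
    subs = struct.unpack("<4I", uuid.UUID(object_id).bytes_le)
    return ENTRA_PREFIX + "-".join(str(s) for s in subs)


def classify_token_sids(sids):
    """Split a token's group SIDs into Entra identities and everything else.

    Returns (entra, other): entra maps each S-1-12-1 SID to its object ID
    string, which is what a user-mode helper would use to resolve the
    cloud group membership that the logon token does not contain.
    """
    entra, other = {}, []
    for sid in sids:
        if not _SID_RE.match(sid):
            raise ValueError(f"invalid SID syntax: {sid}")
        if sid.startswith(ENTRA_PREFIX):
            entra[sid] = str(entra_sid_to_object_id(sid))
        else:
            other.append(sid)
    return entra, other


# Constructed sample: the kind of list GetTokenInformation(TokenGroups)
# yields for an Entra-joined logon (well-known SIDs plus one cloud identity).
SAMPLE_TOKEN_SIDS = [
    "S-1-1-0",       # Everyone
    "S-1-5-32-545",  # BUILTIN\Users
    "S-1-5-11",      # Authenticated Users
    "S-1-12-1-1-196610-117835012-185207048",  # constructed Entra account SID
]
```

Running `classify_token_sids(SAMPLE_TOKEN_SIDS)` maps the constructed Entra SID to object ID `00000001-0002-0003-0405-060708090a0b`.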