I want to authenticate users to my nodejs app via Login with Microsoft but I don't want access to any of their AD data other than read access to email and first name.
I know I have authenticated to apps via my work MS account and that app has not been "registered" in my company's Azure env. I have even used apps that do request access to my Calendar (Graph API) and I can grant it without that app being registered.
How does this work? Is it possible to just use MS as my identity provider for authentication without my app being registered?
In order to authenticate a user, a client ID is required.
This must come from a registered application.
There could be a situation in which another application is just using a client ID of another application (in case redirect URIs are able to match).
In the general case I would say that you must register an application.
Related
I have React app on the frontend, I have registered it at Azure AD as REACT_AZURE and I use #azure/msal-react npm package to authenticate the user.
In order to protect my Express routes, I have registered another app at Azure AD as API_AZURE, and in "Expose an API" section I have added scope 'access_as_user'.
In REACT_AZURE app in "API permissions" section I have added permission for 'access_as_user'.
Now I can acquire access token for 'access_as_user' scope and make an API call to my express server.
In my protected route, I am using passport-azure-ad BearerStrategy to validate the access token, if it is valid I am authorized to get resources.
Is this the right flow? Do I have to register two apps with Azure AD? if not, how do I do it right?
Is this the right flow? Do I have to register two apps with Azure AD?
if not, how do I do it right?
Of course, your process is absolutely correct. You need to register two applications in Azure, one representing the client application and the other representing the api application. Then expose the api of the api application and add the client application to the api application. Then let the user log in to the client application to complete the authenticate and obtain the token, and use the token to call the api. I have answered similar questions before, you can refer to it.
But I’m not sure if you want to control which users can access the api based on the user role. If you only want certain users in the tenant to access the api, then you can add a step that is to create an app role and grants users who you wish to have access to the api. Then users in the tenant who are not granted the app role will not have permission to access the api. see more detailed answer.
We are configuring a new client app in Azure Active Directory to be used to access a specific web api with Client Credential flow by using the App Registration feature. I would ensure that Azure Active Directory will issue the Authz Token only for a specific registered web api (resource), returning an error in case the target client application request a token for a different resource.
So far we have been able to block access to clients for a specific web api, but what we want is to configure AAD so that a specific client id is able to call only a specific web api (let's say, we want to "change the point of view").
Is there a way to configure a client app on azure AD so that it is able to obtain a token only for a specific resource, regardless how we configure other web api on Azure Active Directory?
Your client app may obtain token for different resources but not for non allowed roles (Configured permissions) which are the basis for authorization, not just the token.
please, is here any way how to make relationship between applicaiton in Azure AD and User with client secret.
My use case. User ask for token with client secret(as deamon) and call my web api and a verify this token. Token is valid but there is no information about user who call it or who registered app. User gets token via API (https://learn.microsoft.com/en-gb/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#get-a-token)
When user ask for token interactive everything is ok.
I tried to use a information about who created app, but Azure AD does not set it when user is administrator.
Is there any way how to use deamon which will be connected with some user?
Is there anywhere i can save this relationship in azure AD?
My idea, every user who wanted use my web api as deamon create his application and connect to mine web api, which use his app for verification. Relationship between app creator and user can be enough. but when i delete user and he has still client secret, he can access. I dont want to use his username and password because it will be saved on different computers and it is not save enough.
If you have more questions, dont hesitate to ask!
Thank you for any idea.
For scenarios, such as this one, your application should have an App Role with the allowedMemeberTypes having Application and as mentioned in the docs, this will show up as an application permission to other apps.
So the consumers of your API will have to add this application permission to their daemon app (which requires admin consent). This will trigger a flow internally that creates a Service Principal (like a user persona of the application) and adds that as a user to your application (you should be able to see it listed under Enterprise Applications > (Your API) > Users and Groups).
When you want to deny this daemon access to your API, you will just have to revoke the admin consent provided at first.
I believe you could even automate this process by using the Microsoft Graph APIs.
I'm creating a React App that requires authentication into Azure Ad. This is simple enough through the Adal libraries. When a user now requests my app, they are redirected to the login page first to authenticate.
The next step in my app, is for logged in users to be able to create various Azure resources, e.g. VM's through a simple form page in the app. For this, I'm looking at using the 'azure-sdk-for-node'. My problem, is that users can belong to different subscriptions based on their region globally. There are cases that users are in more then one subscription and have the rights to create resources in whichever subscription they are assigned to.
I'm not sure how to do this with the node SDK, as you only have three methods to authenticate calls:
Basic authentication (requires username/password which is redundant because they are already signed in
Interactive login (same as above)
Service Principal (everone uses the same 'account' to call the REST api's.
Not sure what's the best way then to do this?
https://github.com/Azure/azure-sdk-for-node
My application is an Angular 2+ SPA, which uses Azure Active Directory and the back end API is implemented in Node JS. Currently, when an user tries to login, an Azure pop-up appears, User enter login/password which will get authenticated in AD, AD returns a bearer token which I use to authenticate Node JS API.
My requirement is, to use Integrated Windows Authentication (IWA). The Front End should use Windows authentication to get the bearer token from AD instead of asking user to enter login/password. How Can I do that? Whatever articles I see about this, all talk about IIS and .Net based application. Should I always use .NET based API to use Windows Authentication? Any hints would be greatly appreciated.
Just a note, the API is an enterprise application hosted in the cloud. All the users are internal company employees and are registered with AD.
Given you already have Azure AD sync setup, the following may be useful. AAD Connect allows you to seamlessly login with SSO:
https://learn.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso
Azure services doesn't support Windows Authentication, unless you setup a VM with IIS. I assume by your requirements "...Get the bearer token instead of asking user to enter login/password" mean single signon. That is, when a user is logged into the domain on their PC, they don't have to login again to your application.
There are a few ways to approach this depending on your AD configuration, but usually you have to configure ADFS for your organisation AD to allow your cloud app to authenticate you. If you are already logged in, it will simply redirect you and your app will receive the bearer token.
https://azure.microsoft.com/en-au/resources/videos/configuring-ad-fs-for-user-sign-in-with-azure-ad-connect/
Another option is to connect your organisation AD with Azure AD, using Azure AD sync. The following link helps with this. You would then configure your app to authenticate against Azure AD (as it currently does).
https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/identity/azure-ad
AD configuration is not a simple configuration,