How many custom roles can we create for an enterprise Azure app? - azure

I would like to understand if I can use Azure AD authentication for our enterprise application. Basically we have a service that manages component data for several thousand product teams in my company. The requirement is that team A can only view their data. According to https://www.youtube.com/watch?v=59YwW8FrLm8, we can create custom roles in an Azure app and assign them to different client apps. My concern is: is there a limit on how many roles we can create in the app? We have several thousand product teams to support. Also, is there any performance impact from a large number of custom roles in an app?
The bigger question is whether we should utilize Azure OIDC to do this authorization. Is this something where we are better off writing our own authorization logic?

Confirmed that by default, it is 5000.

Related

Branding / white labelling Azure Logic Apps

We'd like to use the Logic App UI/engine in the Azure Portal and give it to customers who have some development experience, so they are able to hook into our application to customise some calculations.
Is it possible to
a) Brand Azure Logic App/Portal resources with a company label etc or
b) Provide some other mechanism of creating Logic Apps (desktop, web UI) that uses Azure Logic Apps underneath
I think the idea is that you set up some custom connectors into your application so that your customers can set up their own logic apps in their own subscriptions.
Here's some docs
If you had your customers using your logic apps, rebranded in some way, they would have access to each others cached credentials through saved connections which would be undesirable in many cases.

FHIR Server for Azure: Azure AD mechanism when there are multiple servers

As explained here, you have to register your FHIR API with Azure AD in order to make calls to the API.
Azure AD is free for Single Sign-On for up to 10 apps: https://azure.microsoft.com/en-us/pricing/details/active-directory/
Q: Given a scenario where I have more than 10 FHIR APIs accessed through a single Web platform by multiple users, do I need to assign an account for each actor and pay $6 per user/month (Premium P1)?
Or could I have a single account that is used to make calls to the APIs and authenticate the actors through another method? If you have hundreds of users it is pretty expensive to pay $6 for each just for authentication.
Do I understand Azure AD correctly? Is there any other better method?
Answer: No. It's very likely you can get away with less than 10 app registrations without losing the ability to authorize each individual user. The only limit you should be worried about is the 500,000 object limit.
Explanation:
The concept of App Registration is well explained here, and I won't make an attempt to do a better job.
The key thing in the context of this question is that you can use the same App Registration with as many "applications" as you want. The only consequence is that you won't be able to assign different permissions to each of those applications.
From your question it is not very clear what "10 APIs" means.
In the simplest case, you have 10 different endpoints hosted under the same application, in which case the solution is trivial: use a single app registration with as many "app roles" as necessary to control access as granularly as you need/supported by FHIR.
Worst case, you have 10 applications hosted independently, in which case you can still use the app manifest to create as many app roles as necessary, most likely using some prefixing: app1_admin, app1_readonly, app2_readonly, etc. Then use those app roles to grant permissions to your endpoints.
See this documentation about how to create app roles in your app manifest.
A picture is worth more than a thousand words. This one should illustrate how you can use the same App Registration for as many applications as you wish.
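The following is an added example, not code from either answer: it generates app-manifest `appRoles` entries using the prefixing convention this answer suggests (app1_admin, app1_readonly, app2_readonly), refuses to exceed the default limit of 5000 app roles quoted in the first question's answer, and authorizes a request from the `roles` claim of an already-validated token. The namespace GUID and the decoded claims dict are constructed for the example; a real service validates the JWT signature, issuer and audience before reading claims.

```python
"""Build Azure AD appRoles manifest entries with a per-application prefix
and authorize requests from the token's "roles" claim.

Added example. DEFAULT_APP_ROLE_LIMIT is the default limit quoted on the
page; the "<app>_<role>" naming follows the answer's prefixing suggestion.
"""
import uuid

DEFAULT_APP_ROLE_LIMIT = 5000  # default app-role limit quoted on the page

# Hypothetical fixed namespace so role ids stay stable when the manifest
# is regenerated (an Azure AD appRole id must be a GUID).
_ROLE_NS = uuid.UUID("12345678-1234-5678-1234-567812345678")


def build_app_roles(apps, roles, limit=DEFAULT_APP_ROLE_LIMIT):
    """Return appRoles entries shaped like the Azure AD app manifest.

    One entry per (app, role) pair with value "<app>_<role>". Raises if the
    total would exceed the app-role limit, so the problem surfaces at build
    time rather than when the manifest update is rejected.
    """
    total = len(apps) * len(roles)
    if total > limit:
        raise ValueError(f"{total} app roles exceeds the limit of {limit}")
    entries = []
    for app in apps:
        for role in roles:
            value = f"{app}_{role}"
            entries.append({
                "allowedMemberTypes": ["User"],
                "description": f"{role} access to {app}",
                "displayName": value,
                "id": str(uuid.uuid5(_ROLE_NS, value)),
                "isEnabled": True,
                "value": value,
            })
    return entries


def authorize(claims, app, required_role):
    """True if the validated token carries "<app>_<required_role>".

    The "roles" claim is a list of role values. As this example's policy,
    "<app>_admin" also satisfies a readonly requirement for the same app;
    roles for other apps never grant access.
    """
    roles = set(claims.get("roles", []))
    if f"{app}_{required_role}" in roles:
        return True
    return required_role == "readonly" and f"{app}_admin" in roles
```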

Integration of Azure App Services with AD

I have four Azure AppServices which are completely independent applications. I want to provide a kind of portal that aggregates those four. When a user logs in he sees all applications he has access to depending on his scope. From the portal he can navigate to the other applications and do the user management stuff like adding new users and granting access to a specific application.
Is the picture above a good pattern to do it?
If I would start from scratch, what would be a better idea?
App services don't have access to different app's directories, so I do not think this is possible.
Your best bet might be to make a feature request to the product team on User Voice. https://feedback.azure.com/forums/169401-azure-active-directory

Need detail understanding about "Application is MultiTenant" in azure

Will setting "Application is Multitenant" make my application work with other tenants which are not registered in my Azure subscription, which are not part of my Active Directory? Will setting this option work with any #######.onmicrosoft.com? The image you see is from the Azure Active Directory web app page. I have registered my web application to consume the Office 365 API as described on the page https://github.com/OfficeDev/O365-WebApp-MultiTenant
In context of Azure AD:
A single tenant application is only available to users of Azure Active Directory (Azure AD) where this is created.
A multi-tenant application is not only available to users of the Azure AD where it is created, but it is also available in other Azure ADs. Users in other Azure ADs have to explicitly grant consent to the application in their Azure AD. When an application is added to another Azure AD, that application essentially becomes a user in that Azure AD as a Service Principal.
A single-tenant application means the application is hosted specifically for a single client. Reasons may be specific business needs OR regulatory compliance OR any number of real scenarios you can imagine.
A multi-tenant application is available to a group of clients. Reasons here can be common business needs, no regulatory compulsion, and lower cost in supporting maintenance & usage, as the same application is used for multiple clients.
Practical Example is below (Directly taken as it is from MSDN):
One of the first architectural decisions that the team at Tailspin had to make about how the Surveys application could best support multiple subscribers was whether it should be a single-tenant or multi-tenant application. Figure 1 shows the difference between these approaches at a high-level. The single-tenant model has a separate physical instance of the application for each subscriber, while the multi-tenant model has a single physical instance of the application shared by many subscribers.
It’s important to note that the multi-tenant model still offers separate views of the application’s data to its users. In the Surveys application, Client B must not be able to see or modify Client A’s surveys or data. Tailspin, as the owner of the application, will have full access to all the data stored in the application.
For more details, refer to Hosting a Multi-Tenant Application on Windows Azure

Azure Mobile Services - custom authentication provider for all our apps

We plan to use Windows Azure Mobile Services for several of our commercial apps and would like to create a single data store for users instead of creating it for every mobile service. We don't want to use Microsoft or Facebook... providers due to this issue Multiple apps using a single Azure Mobile Service for Live Authentication?
This way, the user data for all our apps is stored in single separate Custom_Auth database and the users won't need to Register again for our other apps. Should we create a separate mobile service that basically enables custom authentication and acts as a provider for other apps?
Do you see any pitfalls with this approach and what steps would I need to take for creating this custom provider as a separate mobile service?
Basically, we want to create our own provider so that a user of one of our apps can log in to the other apps using the same credentials.
I have read through the following links. Posting them here as they may be useful for others starting out with Authentication and Azure Mobile Services.
http://www.thejoyofcode.com/Generating_your_own_ZUMO_auth_token_Day_8_.aspx
http://www.thejoyofcode.com/Fetching_a_basic_user_profile_in_Mobile_Services_Day_9_.aspx
http://www.thejoyofcode.com/Exploring_custom_identity_in_Mobile_Services_Day_12_.aspx
http://chrisrisner.com/Authentication-with-Windows-Azure-Mobile-Services
Thanks in advance
Hope this helps you
http://chrisrisner.com/Authentication-with-iOS-and-Windows-Azure-Mobile-Services
Someone created a custom authentication API using AZURE
with Parse.com, you are limited to their backend and unfortunately it doesn't have all the nice features as Azure
MS really messed us around with this