Azure AD App Registration with multi-customer access - azure

Hello friends and thank you for taking the time to read my question and for all potential answers.
I am building a customer application which allows several proprietors (business owners) to log-in and manage their business. I don't want to focus on the details of the app as it is not relevant (I think) because this is more of a qualitative question.
I am using Azure AD (App Registrations) for both the Blazor WASM and API. I am comfortable creating and utilizing those. What I am trying to understand is how to not allow customers to see each other's data by using purely just Azure AD.
Example:
Customer User A from business X logs into the app. They are redirected to myapp.com/Business-X
The Roles I have right now in Azure AD are User.Read, User.ReadWrite and User.Admin
Customer User B from business Y logs into the app and is redirected to myapp.com/Business-Y
Nothing is preventing User A from changing their URL to myapp.com/Business-Y and have the same role in another business' app. I understand that I can change my Roles in Azure AD to be User.Read.X, User.ReadWrite.X, User.Admin.X, User.Read.Y, User.ReadWrite.Y, User.Admin.Y etc. but imagine if I have hundreds of customer's let's say, that is unmanageable and my blazor code will just be a mess.
Is there a better/smarter way to do this? For example I can keep the current simplified roles and add users to a database where I map them to the business they have access to but is that secure? I suspect using a database to store this does not sound right because it feels that Azure AD can do this and I just don't know how.
Thank you again!

• Yes, you can surely do restrict the users access to a particular application registered in Azure AD by ensuring these applications are also registered as ‘Enterprise Applications’ in Azure AD. Once, these applications are shown up in ‘Enterprise Applications’ in Azure AD, then you can configure them to require assignment for a particular set of users only by ensuring that the required users only have access to that application. To enable user assignment and assign users for that application in Azure AD, you should have ‘Global Administrator, Application Administrator or Cloud Administrator’ directory roles assigned to your ID.
Please find the snapshots below for more information in this regard: -
Also, once you have configured the above, you should ensure to create a custom role at the directory-level and assign it the required permissions as then this role would be assigned to all the users and these users then individually can be assigned to the required application, thus ensuring that only specific users are allowed to access the assigned app.
Please note that tenant wide admin consent is granted to apps that would require assignment. Kindly refer to the below link for more information: -
https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-restrict-your-app-to-a-set-of-users#update-the-app-to-require-user-assignment

Related

How to prevent outside tenants from giving themselves an app's roles in Azure AD?

I am working on an application, and its registration in Azure AD must allow Accounts in any organizational directory to sign-in. We built this with the thought that we could manage the roles for the app within Azure, so we made a few roles. The roles would also be only assignable and used by employees within our organization.
The whole time we thought that these roles can only be assigned within the Azure AD of the organization that owns the app's registration. We now found that when a user from another tenant signs into our app, they can find the app in their Azure's Enterprise Applications and just assign themselves roles. This means that they'd be able to view data that was never meant to be accessible to them. We don't want any other organization to have access to assigning these roles.
So is there any way to disable other tenants' ability to assign themselves a role in their Azure's Enterprise Application? I just want them to be able to log into the app, not give themselves any roles.
Is this even the appropriate way to achieve what we want? If not, what would be the proper way to do this?
At least I am not aware of any mechanism that will prevent admins from other tenants to assign roles to user (it works by design).
If you want to use the application roles only within your tenant, I would suggest that you use the tenantid that is also part of the claims when you doing authorization within your application...

Restrict Azure Active Directory app access to specific tenants

I'm hoping to use the Microsoft Identity Platform - Azure Active Directory - to manage authentication for my app.
I using the v2.0 endpoint.
I've registered my application in the new Application Registration Portal (apps.dev.microsoft.com), and it is now showing up in the main Azure portal under Azure Active Directory > App registrations
I need to restrict access to my application to certain organisations - I'm working on the assumption this means I need to allow access to a specific set of AD tenants.
In the application manifest, there's a signInAudience property, the options for which are AzureADMyOrg, AzureADMultipleOrgs and AzureADandPersonalMicrosoftAccount
AzureADMultipleOrgs sounds the closest to what I'm looking for, but so far it means anyone with an AD account can access my app.
I've come across documentation for an orgRestrictions property (https://github.com/microsoftgraph/microsoft-graph-docs/blob/master/api-reference/beta/resources/application.md) which sounds useful but it just says Reserved for future use
I assume this is a common use case e.g. only allow access to organisations that subscribe to your product, but I don't see a straightforward way to do it.
I assume this is a common use case e.g. only allow access to organisations that subscribe to your product, but I don't see a straightforward way to do it.
Yes it is, and most multi-tenant samples showcase this.
Currently there is no way to say that a given app should allow login from X and Y, so it'll have to allow all Azure AD tenants.
(though that is a feature that has been heavily requested)
Then after authentication, your app can check the tid claim.
You could for example check from a database if this tenant has a valid subscription.
If they don't, redirect them to an error page and don't log them in.

Azure AD: Why is everyone able to login to my app?

While learning about Azure AD so I can eventually switch our applications to start using that, I noticed that any account that we have, seems to be able to login to the application... I just have a web application on my local PC, and I added it to our Azure AD applications. We have Azure AD syncing with our AD environment. The application doesn't show up on myapps.microsoft.com, which is what I want to happen. The issue is that when I try to login to the application by going to the URL, with a test account, that account is just able to login... After one login, it shows up on that account's myapps page. Why is it just allowing any account to log in? I only have partial access on our Azure portal, and can't even manually give access to applications. Is there some setting that I need to set to only allow access when it is specifically granted to the account? I've been looking around for a while and watching a few videos, but I haven't seen this covered anywhere.
In Azure AD , if you want to restrict access to particular users in the directory , you could try below ways :
Use group claims in Azure AD . In your application , check the group claims in the authenticated user’s claims collection , restrict access base on your requirement .
Set User assignment required? setting( find the setting in Enterprise applications-->Your application -->Properties) to Yes, then users must first be assigned to your application before being able to access it . You could assign default access role to uses who can access your application . Click here for how to assign role to user .

Azure Active Directory - Assign to group

Is it possible to assign an application (as an Application or Service Principal) to a group programatically, via the graph client or API? (Including the app user credentials needed to allow access of the members of the group to the app)
I searched everywhere and couldn't find documentation for it.
Thanks
No, 'Applications' in Azure AD are used to segment authorization and settings within Azure AD. It creates a trust between Azure AD and your application. The Application is not a User.
Users are Azure AD entities that have identity and can be authorized to access resources (like an Application). Users can be added to groups. See the below link for the Azure AD graph API documentation:
https://msdn.microsoft.com/Library/Azure/Ad/Graph/api/groups-operations#AddGroupMembers
And the documentation on what a user entity looks like:
https://msdn.microsoft.com/Library/Azure/Ad/Graph/api/entity-and-complex-type-reference#UserEntity
Thanks for the answer emseetea, but we do have a little more than that.
Back to the original question - can you programmatically "assign a group to an application". The answer is yes, using appRoleAssignments on the service principal. The service principal represents an application instance, that typically gets provisioned as part of a consent grant. On this tenant specific app instance (service principal) you can attach tenant specific permissions and policy. Permissions get created as part of consent, but you can also programmatically assign an application role (defined by the application) to a user or group. If no application role is assigned, then you can make a "default" assignment. You can find a little more on this topic here http://blogs.msdn.com/b/aadgraphteam/archive/2014/12/12/announcing-the-new-version-of-graph-api-api-version-1-5.aspx which describes a little about this with some sample REST API calls.
This same operation is also possible through the client library. You can take a look at https://github.com/Azure-Samples/active-directory-dotnet-graphapi-console. Look at the section titled "#region Assign Direct Permission". This shows how to assign an app role to a user. You can do the same thing on a group too. If your app doesn't specify any app roles, set the appRoleAssignment.Id to a zero GUID.
Hope this helps,

Role Claims when Federating Azure AD

We want to create a MVC web application using claims-based authentication, expecting roles as one of the claims. We want to Federate authentication providers using the Azure Access Control Service to manage this federation. One of the authentication providers is our Azure AD.
The problem is that Azure AD doesn't seem to be able to generate role (or even group) claims. What is the appropriate method to manage group or role access in Azure AD and have role claims served by Azure Access Control Service.
Thanks.
Edit:
A previous comment asked for details: We want to provide access to our cloud application to 3rd parties using their active directory (to simplify user management for them). Our application has a few levels of access to information that the 3rd parties can configure. We were hoping they could do this in their AD (based on our instructions). Groups seemed like the obvious choice, but if there is another way that works, as long as we can provide instructions, it'll work.
We want our application to get claims for a user's level of access. If we had only one partner that was using Azure AD, we could use the graph API against that endpoint, but with multiple partners changing over time, we wanted to federate them so our application only needs to trust the federation server. We were assuming that we needed Azure ACS to manage the federation.
AAD does support roles / groups and you can administer them from the Azure Portal.
Howeve, these are not passed in the "canned" set of claims.
You need to use the Graph API and then convert them e.g. Windows Azure Active Directory: Converting group memberships to role claims.
Update:
ACS requires something to federate with. You can't hook a customer AD up to ACS - you need something like ADFS on top of their AD.
I assume your cloud app. runs in Azure?
Then make your app. multi-tenanted. If your customers have their own Azure tenant, it will work. You just need to add the Graph API code to your app. ACS is not required.
Your customers then run DirSync. This keeps their Azure tenant in sync. with their AD changes.
So two options:
Customer does not have Azure tenant. They install ADFS and federate with AAD.
Customer's who do have Azure tenant use DirSync.
Good news: we have recently turned on the Application Roles and Groups Claim features in Azure AD.
Get a quick overview here: http://blogs.technet.com/b/ad/archive/2014/12/18/azure-active-directory-now-with-group-claims-and-application-roles.aspx
Deep dive post and video on app roles feature is here: http://www.dushyantgill.com/blog/2014/12/10/roles-based-access-control-in-cloud-applications-using-azure-ad/
Deep dive post and video on app roles feature is here: http://www.dushyantgill.com/blog/2014/12/10/authorization-cloud-applications-using-ad-groups/
Hope that helps.
Groups aren't the best choice because they are unique within each directory. Unless you get your customers to define a set of groups that have well-known names and match against the strings, that is (the object IDs of a group is different per directory even if they have the same name). I'm actually from the Azure AD team and we are seriously considering releasing a feature to allow you to define roles in your app that your customers can assign their users to. Please stay tuned on this. In the meantime, unfortunately groups are the only way to go. You would have to call "GetMemberGroups" using the Graph to retrieve the groups that the user is assigned to.
What are your timelines for releasing this application? You can contact me directly to see if we can work with your scenario.

Resources