We are managing more than 400 APIs in Azure API Management. We also have an approval flow for approving API subscription requests, where a permission is assigned to the API client app registration for authentication.
Problem
Since we have lots of APIs, we have as many API client app registrations, plus app registrations for each user subscribing to the application. These API app registrations also exist in three environments (DEV, QA and PROD). It has become very difficult to manage the app registrations. All of these API client app registrations also have distinct roles.
We would like to reduce the number of app registrations and are thinking of doing product-level app registrations. Also, instead of app registrations for each user, we want to have a single app registration for each product subscription from a team.
Here we are not sure how to manage roles for each API, as each API has different roles. And an API-based app registration will have all roles; how do we assign these roles to each user?
eg: We have a product ProductA; it has 10 APIs under it. We create one app registration ApiAppA for this product, and this app registration can be used for AAD authentication. It has two app roles, Api1.Read and Api2.Write, for two APIs, say Api1 and Api2. Now, as a subscriber, we will have another app registration, say ClientAppB. We are planning to use the client credential flow from ClientAppB to connect to ProductA via the ApiAppA app registration. So when a user, say John, wants to subscribe to an API under ProductA, he only wants Api1.Read for ApiAppA. Another user, Tom, wants to subscribe to another API under ProductA, where he needs access to the Api2.Write role. How do we assign it? We are using the client credential flow.
Related
In a hypothetical scenario where I am using Microsoft Identity Platform for authentication, how would I also leverage it to control user permissions. Specifically, user permissions within the custom app. These permissions would not be related to other Azure resources or apps. For example, a web app that allows various different operators of a production plant to enable and disable different systems in the plant such as water coolers, air compressors, and conveyor belts. If I have a web app that allows a user to control these devices on a plant floor, how can I use MSAL to control the permissions to these different areas in the app? I only want user A to control coolers and compressors, and I only want user B to control the belts. I already know how to authenticate the users to the application using MSAL. I would prefer to control the permissions using something similar to AzureAD groups unless there is something better suited to this use case.
Scenario 1:
You have a Web App containing all the business logic. For this scenario you create one app registration for your Web App in Azure AD and define app roles for the various operators. You can name these app roles anything you want, for example: Coolers.Control and Belts.Control.
Example App Registration for Web App with App Roles (Image)
These roles can be assigned to individual users or groups in Azure AD on the Enterprise Application page. If you click "How do I assign App roles" on the app roles page, you will find a link that redirects you to the Enterprise Application page.
If the user navigates to your Web App and signs in using the authorization code flow, the OAuth 2.0 authorization endpoint will return an Identity Token including a roles claim. You can use these roles in your web application to determine what areas the user is allowed to access.
More information: https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-web-app-sign-user-overview?tabs=aspnetcore
Scenario 2:
But there is another option that you might want to consider. You could also create a Web App for UI logic only and place the business logic in a separate Web API. With this architecture you are able to allow multiple (future) client applications to use the functionality of the API, for example: native mobile apps or background apps.
For your scenario you would create two app registrations: one for your Web App and one for your Web API. You define the app roles in the app registration for the Web API and define a scope, for example: access_as_user, to allow delegated access. This scope needs to be assigned to the app registration for your Web App.
Example App Registration for Web API with Scope (Image)
In the Web App you use the access_as_user scope (including app id prefix) in the call to the authorization endpoint. If the user signs in and grants this scope to the Web App so it can call the Web API on behalf of the signed-in user, the authorization endpoint returns an Access Token. If the app roles are defined in the app registration of the Web API and assigned to the user, the Access Token will contain a roles claim. This token is meant for the Web API to authorize the user. When the Web App calls the Web API, it also sends this Access Token in the Authorization Header of the HTTP request. The Web API determines what the user is allowed to do based on the roles in the Access Token.
More information: https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-web-app-call-api-overview
Additional information:
Because I had a similar question, I wrote an article about understanding scopes and app roles in Azure AD. The article explains how to use both scopes and app roles in a delegated access scenario, and how to use app roles in an app-only access scenario. I think this answers your question about how to control the permissions using something similar to Azure AD groups.
URL: https://cloudfirstapproach.com/understanding-oauth-scopes-and-roles-in-azure-ad/
How to make use of the Azure Bot Service in one domain and communicate with the MS Teams chat in a different tenant or domain.
I have created a Company Communicator app using the Deployment Guide in a different tenant, and this app should send one-way notifications to MS Teams chat in another tenant.
How can the users in a different tenant be accessed from a different tenant/Azure subscription?
We are developing a SaaS to analyze customers' data within Office 365 via the Graph API and application permissions.
I'm trying to understand the best (and most automated) flow for onboarding customers. Ideally, the Azure Global Administrator logs in to our web app using Microsoft Identity and gives consent to create an account (app registration or enterprise application) with the relevant application permissions. With these permissions our SaaS has access to analyse the data.
As of right now, I'm only able to solve this through a manual procedure, making the App Registration together with the customer on their Azure tenant, which gives me the Client ID, Tenant ID and Secret for our SaaS to authenticate with. I'm assuming something more fancy is possible :)
Also, I was hoping for a method that involves a multi-tenant registration, if that somehow enables reuse of a single app registration or Enterprise application (e.g. in our own Azure tenant) across multiple tenants (customers).
According to your description, you want to use a single application registration or enterprise application across multiple tenants. Then you only need to change the application to a multi-tenant application, because changing the application to a multi-tenant application allows any tenant to log in.
Next, you need to request the consent of the administrators of the other organizations' tenants. You can send the login request URL: https://login.microsoftonline.com/{Other company tenant_id}/adminconsent?client_id={client-id}. After the administrator consents, it will be added to the other organization's tenant as an enterprise application.
We currently have a simple AspNet Core website that is logged into by a "Manager". It gives them access to data about company branches they manage and the customers that use those branches.
The managers have an account in our Azure AD organisation. Currently we have some appRoles defined in the website's App Registration. We have an appRole for each branch called "BRANCHNAME_Managers"; this feels more like a group. From memory, I think we had problems accessing the groups a user was in from within the website, so we used the appRoles as they appear in ClaimsPrincipal.Claims.
We want to create an API that is called from that website. That API needs to know what branches a manager manages. That API would have a separate app registration in Azure AD, and it seems that appRoles configured in the website App Registration would not be passed through to the web API. Therefore I think we need to move away from appRoles defined in the website App Registration. Is this correct?
Bearing in mind what we are trying to control access to (the branches a manager manages and the customers related to those branches), should we be using user group membership or something we roll ourselves with simple database relationships?
The App roles defined in the website app registration (client app) cannot be recognized by the API. The app roles only exist in the id token in this case. But we need to verify the access token to access the API.
As I answered in your previous post, you can define the same app roles in the API app registration (service app) and assign those roles to the same managers.
Then you can verify the app roles included in the access token for your API.
I have an Azure Function App (API) linked to an App Registration in Azure Active Directory (AAD), that exposes some custom Roles via the Manifest.
A client App Registration in AAD can add the API and select from its custom Roles as permissions. This allows the client app to call AAD to obtain a JWT that includes these custom Roles, which can then be checked by the downstream Function App during JWT validation.
I would like the client App Registration to also include other APIs' custom Roles as part of a company 'Product Group' (e.g. a Product Group may be Sales, Service, Finance etc.).
I want to create AAD Users representing each B2B consumer system, and link them to a Group that aligns to a company 'Product Group'.
Therefore, a User (B2B consumer system) should be able to request a JWT that includes custom Roles for all APIs in the Product Group.
I need the JWT to include information of the consumer system, as it needs to be available to the downstream Function App.
What's the best way to achieve this?
The best we could come up with is to create App Registrations with custom Roles in the manifest to represent each Product Group. These App Registrations are completely independent of any specific Function App (API) implementation.
Then we have a client App Registration for each B2B consumer system, that imports the required custom Roles from its parent Product Group App Registration.
The downstream Function Apps (APIs) then perform processing based on the Roles extracted from the JWT.
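As an added example (not code from any of the posts above), this is the check a Web API or Function App would run on the access token in Scenario 2, in the answer about app roles in the access token, and in the Product Group design just described: verify the token, require the app role, and hand back the identity of the calling consumer system. It assumes a constructed HS256 key and a placeholder app id so it runs offline; a real AAD token is RS256-signed and must be verified against the tenant's published signing keys instead.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders for this example; real values come from the app registration.
API_APP_ID = "api://product-group-placeholder"   # the 'aud' this API expects
SIGNING_KEY = b"constructed-demo-key"            # HS256 stand-in for AAD's RS256 JWKS keys

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict) -> str:
    """Mint a constructed JWT so the validator below can be exercised offline."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def validate_token(token: str, now=None) -> dict:
    """Check signature, audience and expiry; return the claims on success."""
    header, body, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise PermissionError("signature check failed")
    claims = json.loads(_b64url_decode(body))
    if claims.get("aud") != API_APP_ID:
        raise PermissionError("token was issued for a different API")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise PermissionError("token expired")
    return claims

def authorize(token: str, required_role: str, now=None) -> str:
    """Enforce an app role from the 'roles' claim and return who is calling."""
    claims = validate_token(token, now)
    if required_role not in claims.get("roles", []):
        raise PermissionError(f"missing app role {required_role}")
    # Client-credentials tokens name the calling app registration in 'azp' (v2)
    # or 'appid' (v1); delegated tokens carry the user's object id in 'oid'.
    return claims.get("azp") or claims.get("appid") or claims.get("oid")
```

Because the audience is checked, a token minted for the website's own app registration is rejected here, which is why the roles must be defined on the API's registration rather than the client's.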