I need to develop a Microsoft Teams bot that supports Microsoft login (Azure AAD+ Other accounts). This application must support multiple tenants. How can I identify which tenant the user has login into? My web application has a login page with the custom logic, but how can it be done via a bot?
Related
I have a Xamarin based Azure Mobile App. Today, it has OAuth 2.0 authentication with providers such as Google, LinkedIn, Apple and Microsoft. In the backend it uses Azure AD B2C to provide authentication services through the above providers. My question is as follows:
How do I allow users who are part of a customer Active Directory organization to:
(a) Use their organization's AD credentials to authenticate against my app Virtos?
(b) Do SSO with my Xamarin Forms App (in UWP, Android and iOS) so that they don't have to login explicitly into my app
Here is my use case: User John Doe from Contoso organization has an active directory credential such as jdoe#contoso.com. When he downloads and registers with my app (Virtos), he simply enters his id: jdoe#contoso.com. When enters his password, it authenticates against his organization's AD as an authenticated user and provides a token to my app. From then on, he should be able to log into Virtos using his contoso id and password. Essentially I am looking to replicate this pattern with users from multiple organizations.
Pardon the generic nature of my query but I have done the necessary research on this topic to the best of my ability. I am looking for samples, tutorials and how-to on how to federate my app with an organization's AD. I have found examples of generic federation between organizations but I am specifically looking for examples of federation between a Xamarin Forms front-end based Azure Mobile Service and a Corporate AD.
Any and all help will be appreciated.
We are developing a SaaS to analyze customer's data within office365 via Graph API and application permissions.
I'm trying to understand the best(and most automated) flow for onboarding the customers. Ideally, the Azure Global Administrator login in our webapp using Microsoft Identity and gives consent to create an account (app registration or enterprise application) with the relevant application permissions. With these permissions our SaaS has access to analyse data.
As of right now, I'm only able to solve this through manual procedure in making the App Registration together with customer on their Azure Tenant which gives me the Client ID, Tenant ID and Secret for our SaaS to authenticate with. I'm assuming something more fancy is possible :)
Also, I was hoping for a method which involved a multi-tenant registration, if that somehow enables reuse of a single app registration or Enterprise application (e.g. in our own Azure tenant) across multiple tenants (customers).
According to your description: you want to use a single application registration or enterprise application between multiple tenants, then you only need to change the application to a multi-tenant application, because changing the application to a multi-tenant application allows any tenant log in.
Next, you need to request the consent of the administrators of other organization tenants. You can send the login request URL: https://login.microsoftonline.com/{Other company tenant_id}/adminconsent?client_id={client-id}. After the administrator consent, it will be added to other organization tenants as an enterprise application in.
We are looking for Authentication methods for a Multi-Tenant SaaS application. We have been exploring Azure B2C but have not been able to provide suitable user to organization (Tenant) management.
We are exploring options like;
Microsoft's Azure AD B2C or an alternate service
B2C's Multi Tenant support to provide user/data segregation by Tenant (or Organization)
Environment;
We are using .Net Core 2 for the application and api's
We will have native phone applications that use the api's
Must use a common login service for all applications (Phones and Web)
What we need to do;
Authenticate Users
The first user for an Organization(Tenant) would;
create the organization
sent invitations to their organization's users
Subsequent users would take the invitation link
create an account joined to the organization using
Email/Username and Password
or connect a Social account to the invitation
or other services supplied by Azure AD B2C like another Azure AD
From the login service return a JWT Token
Needs to include the Organization to secure organization data
the JWT needs to be passed to child API's
Child API's will need to validate the token without external calls
Any ideas, sample applications or alternate products ideas are appreciated.
We did find http://identityserver.io/
A quick summary from their website;
The Open Source OpenID Connect and OAuth 2.0 framework for .NET.
IdentityServer is OpenID Certified and part of the .NET Foundation.
We are currently exploring this, and wanted to add this as a possible solution to the question.
I am creating a web api application that will be secured using Oauth for authentication. Can I set up the authentication to be a blend of individual accounts and organizational accounts?
Scenario: One set of users belongs to an organization that uses Office 365. Another set of users may not. The ultimate goal is to allow all the users to login, but in the case of the organizational users, I will also want to allow them to integrate with the Office365 apis that are tied to their organization.
Is there a solution design that would allow me to choose where to authenticate the user - either using the application's Azure AD or the subscribing organization's AD?
For just authenticating MSAs and AAD orgs, you can use the new Microsoft Graph (http://graph.microsoft.io) - it is the unified endpoint for all Microsoft identities and for requesting access to things like mail, calendar, etc. It uses the v2 AAD endpoint (mentioned below) and app registrations are universal, so you can sign in with org or personal accounts.
You can extend that with Azure B2C as the owning directory.
Add Microsoft Account as an identity provider, and
use the v2 endpoint
at which point users could sign in with a consumer account (Facebook, Microsoft, google, whatever). By extension, since, for MSAs it uses the new v2 endpoint you can prompt users to sign in with an MSA or an org cccount - users get a prompt like this below. Note 'work or school, or personal microsoft account.'
v2 has some limitations, however: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-compare so make sure you can do everything you want before diving in. Some of the reply URL and on-behalf-of flows (like you'd see in APIs) have some domain/audience restrictions.
I have the following services
Service1.SomeDomain.com
Service2.SomeDomain.com
Service3.SomeDomain.com
I have a Web application that has a client side script that will talk directly to each of the above services to retrieve information
Web.SomeDomain.com
I also have Native Mobile client applications which also will talk directly to each of the above services
Android
IOS
Windows/Windows Phone
Now this application will be a SaaS solution where customers can sign-up online create their own tenant and then create user accounts for there employees and add the employees to groups and change permissions of those groups.
Now i need a solution that a user can log on to a mobile application or Web and it be allowed to gain access to the above mentioned services depending on there groups permissions, but i want strong separation of each tenant
Looking at the tags it seems you are considering Azure AD. Good choice. Azure AD allows developers to secure their SAAS APIs and Web/Mobile Apps. Azure AD satisfies all the requirements that you've described - it even has client SDKs for the popular platforms.
The following should see you through:
Authentication scenarios supported by AAD (http://msdn.microsoft.com/en-us/library/azure/dn499820.aspx): will answer questions like - how can my mobile app access my multi-tenant web api on behalf of the user, or how can my web app sign-in the user as well as receive a delegated token to access my web api
AAD integrated multi-tenant SAAS application sample (https://github.com/AzureADSamples/WebApp-MultiTenant-OpenIdConnect-DotNet): covers special techniques for multi-tenant apps
Authorization using group membership (https://azure.microsoft.com/en-us/documentation/articles/web-sites-authentication-authorization/): describes how you can perform authorization in your application per the group membership of users.
Enjoy.
Hope this helps.