I have a simple Azure App Service that exposes two REST endpoints. Is it possible to set up an authentication scheme so that each endpoint can only be accessed by a specific group of Azure AD users?
Endpoint A (HTTP/GET) <- Accessible by User Group A
Endpoint B (HTTP/POST) <- Accessible by User Group B
If not by configuration, is it possible to do this programmatically?
Thanks in advance.
The short answer: yes, that is possible.
The longer answer: this is not something that can be done with a single configuration setting or one line of code. The exact steps depend on the language you used to write the API.
In general, you need to add AAD authentication to the application. Make sure the token you're getting from AAD includes security groups in its claims. Then, add authorization based on the security groups in those claims.
For ASP.NET, here's are two great articles:
Quickstart: Protect an ASP.NET Core web API with the Microsoft identity platform
Add authorization using groups & group claims to an ASP.NET Core Web app that signs-in users with the Microsoft identity platform
Interesting links:
Microsoft Identity Platform
Microsoft Authentication Library (MSAL)
Related
I'm using Microsoft Graph API to access data from a variety of tenants' ADs. This is with a multitenanted Azure app hosted in my Azure tenancy. Authentication is handled using application level tokens and the client credentials flow; customer admins authorize the collection of data for their tenancy using OAuth. A customer is asking whether it's possible for me to restrict access to my Azure app based on location, so that our app dispenses tokens only to clients who are inside our data center.
It seems to me that this is not going to work. Microsoft recently added the possibility of conditional access based on workload identities; but are pretty clear that this only works for single-tenant apps, where the same tenancy hosts both the enterprise application and the app registration:
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/workload-identity
Note
Policy can be applied to single tenant service principals that have
been registered in your tenant. Third party SaaS and multi-tenanted
apps are out of scope. Managed identities are not covered by policy.
But, I am not an expert and may be working on incorrect assumptions. Can anyone confirm or disconfirm what I have posted here? Is there some way I can provide what the customer is asking for?
As mentioned in the document that it is applicable only to the single tenants, If you want this feature to be available for the mutlti tenants as well you can raise a feature request for same here: https://techcommunity.microsoft.com/t5/microsoft-365-developer-platform/idb-p/Microsoft365DeveloperPlatform
We have a scenario where in mobile app(Xamarin Forms IOS APP) logs into the Azure ADB2C and generate a JWT token if the user is a valid user(user is configured in Azure AD B2C). We have a requirement where in, we need to generate a token based on the role i.e. based on the role with which user logs in, we want to generate a token and that token we are trying to use it in subsequent Web API calls.
Articles which we found out on this particular scenario was having web application as a client where in some mechanism of secrets were explained. In the mobile app client scenario, its not possible to have a secrets.
Followed the below mentioned article, but couldn't get any concrete information also
https://codemilltech.com/adding-authentication-and-authorization-with-azure-ad-b2c/
Any pointers on this particular scenario would be very much helpful to us.
Thanks!
There is no out-of-the-box support for RBAC / Roles in Azure AD B2C. However there are a lot of samples in the official GitHub repository. For example the "Implementing Relying Party Role Based Access Control" by this method you can add the groups to JTW token and also prevent users from sign-in if they aren't members of one of predefined security groups.
I have a "hub and spoke" model for a single ASP.NET Core website, and several "spoke APIs" that are located in N other AzureAD tenants.
... which calls API Apps located in other tenants ...
My goal is to have this "hub" website use incremental consent with external partners that align with the scenario: Protected AzureAD API calling another Protected API. The key difference in my situation is that the second API is located in another tenant, managed by another administrator whom I don't know. (should I beware of dragons? If so what are they?)
Since I need to use the On-Behalf-Of flow to access these external websites, the website becomes a trusted client. The AAD samples include only Desktop and SPA trusted client apps for this scenario (sample1, sample2)
Question
Is this a supported scenario? (Tenants offering services to other Tenants)
What is the preferred way to share API Scopes, Permissions, and other GUID/Identifiers?
In the v2 Endpoint, are both Personal and AAD accounts supported?
How would I translate Tenant GUIDs for scopes and other contents in the app Manifest into a display name?
Is this a supported scenario? (Tenants offering services to other
Tenants)
Yes, this is supported. If you are have a webapi in A tenant(webapi A), and want to access webapi in B tenant(webapi B must be multi-tenant application), the webapi B must exist in A tenant under Enterprise applications(Someone in A tenant ever logged in webapi B).
In the v2 Endpoint, are both Personal and AAD accounts supported?
Yes, V2 endpoint supports both Personal and AAD accounts.
We are trying to integrate Azure AD B2C into a SPA. We want to include Roles in the ticket so that we can use AuthorizeRoles & IsInRole in the api. We have looked at a couple of examples.
Example 1
Example 2
The first example isn't a SPA and doesn't include roles. It is accepted that including membership & groups in the ticket using Azure AD B2C isn't supported as per below link.
Azure AD B2C Group Membership Feature Feedback
The workaround as suggested above seems to be to use the "OnAuthorizationCodeReceived" event as per below to inject/add your own Role claims to the ticket.
Workaround
The issue we have is that we are using a SPA so we need to follow example 2, we also need to be able to add our own manged roles into the ticket which isn't a supported feature but Microsoft have said there is a workaround as shown. The workaround however doesn't work with MSAL.js as in example 2.
How can we include our own managed Roles into the ticket using the MSAL.js library so we can integrate Azure AD B2C into our SPA enabling us to use AuthorizeRoles & IsInRole in the api?
A few things first, you mentioned you are using the MSAL.js library and this means the v2 endpoint. Currently (as of 05/16/2018), the v2 endpoint has limitations on roles and groups, see v2 limitations where it states:
The v2.0 endpoint does not support issuing role or group claims in ID tokens.
ID tokens are used in the implicit flow with the v2 endpoint, see here Azure AD v2 Spa Guided Setup and read about half way down under More Information
Bottom line is to be absolutely sure the v2 endpoint (and MSAL libraries) can support your requirements.
For myself, we ended up going with the v1 endpoint and ADAL libraries in part because of limitations like this. But here are some examples of using roles in code. Note that these repos are fairly new and I'm still building out the documentation. There are two repos, one an stand alone angularjs ui project and another is a set of APIs (they are demos I used at a codecamp presentation). Read on below about roles in AAD. Only the UI example uses the ADAL libraries (note: the ADAL and MSAL libraries are about managing the tokens in the clients and are not the libraries used for locking down the back ends).
APIs: https://github.com/BgRva/aad_adal_api_dn_std/tree/Step_C
UI: https://github.com/BgRva/aad_adal_ui_ng_js/tree/Step_C
Some notes about Roles in AAD:
Roles are application specific, so in the examples above, the same
roles have to be registered for all the applications that will use
them (this includes the role Id as well)
You can give multiple roles to a user in AAD, you just need to add them multiple times to that application with a different role selected.
Manually adding users to roles will not scale and requires lots of clicks in the portal. It can be easier managed with groups but only at the AAD Premium Level 2 do you get this benefit
Supposedly there is a way to programmatically add roles but I have not found anything about it
Cheers
I have the following services
Service1.SomeDomain.com
Service2.SomeDomain.com
Service3.SomeDomain.com
I have a Web application that has a client side script that will talk directly to each of the above services to retrieve information
Web.SomeDomain.com
I also have Native Mobile client applications which also will talk directly to each of the above services
Android
IOS
Windows/Windows Phone
Now this application will be a SaaS solution where customers can sign-up online create their own tenant and then create user accounts for there employees and add the employees to groups and change permissions of those groups.
Now i need a solution that a user can log on to a mobile application or Web and it be allowed to gain access to the above mentioned services depending on there groups permissions, but i want strong separation of each tenant
Looking at the tags it seems you are considering Azure AD. Good choice. Azure AD allows developers to secure their SAAS APIs and Web/Mobile Apps. Azure AD satisfies all the requirements that you've described - it even has client SDKs for the popular platforms.
The following should see you through:
Authentication scenarios supported by AAD (http://msdn.microsoft.com/en-us/library/azure/dn499820.aspx): will answer questions like - how can my mobile app access my multi-tenant web api on behalf of the user, or how can my web app sign-in the user as well as receive a delegated token to access my web api
AAD integrated multi-tenant SAAS application sample (https://github.com/AzureADSamples/WebApp-MultiTenant-OpenIdConnect-DotNet): covers special techniques for multi-tenant apps
Authorization using group membership (https://azure.microsoft.com/en-us/documentation/articles/web-sites-authentication-authorization/): describes how you can perform authorization in your application per the group membership of users.
Enjoy.
Hope this helps.