I have been looking all around for documentation and information regarding Azure AD multi-tenant applications in regards to who is using my application.
In Azure AD, I created an app registration and chose 'Accounts in any organizational directory (Any Azure AD directory - Multitenant)'. I do not see any way to specify which tenants I do want to allow.
I am using Application Permissions which requires Admin Consent to use the app so a Global Administrator from each tenant would have to grant consent. However, I do not see any way to look into my app and see which tenant granted consent.
Background: I have built an application that does a user directory search across two tenants. Regardless who which user logins in from either tenant, they can search for users across both. I have App Registrations set up in both tenants with client secrets to get access tokens to search each directory.
Since my directory is hosting the app to log in, each tenant needs to grant admin consent to use the app. I am trying to make sure any other tenant outside of our two tenants cannot grant consent and use our app too.
Is there a way to restrict which tenant are allowed to use my app?
Is there a way to look into which tenant did allow my app?
If another org were to get ahold of my client id and grant consent, am I able to do anything to prevent them from using it?
Can I set up notifications if another org grants consent to my app?
Is there a way to restrict which tenant are allowed to use my app?
The only safe way to do this currently is in your app's code. If users are signing in to your app, you do this by verifying that the ID token's issuer corresponds to one of the tenants you do allow. If your app accepts access tokens (i.e. it's an API), you do the same with the access token.
Is there a way to look into which tenant did allow my app?
After the fact, no. If your app was the one that sent the user off to sign-in/consent, then after consent the browser will be sent back to the redirect URL, but there are several situations where consent/access is granted which would not result in that redirect. (Also, you don't want to rely on unprotected query parameters for something approaching access control, as a user count trivially intercept the redirect and change the parameter value.)
If another org were to get ahold of my client id and grant consent, am I able to do anything to prevent them from using it?
Generally speaking, no. In certain situations it's possible to reduce the likelihood of this happening, but if your app is configured as a multi-tenant app, you must assume users from any organization are be able to sign in to it. If you need to restrict which organizations actually so use the app, you need to enforce this in your app's code.
Can I set up notifications if another org grants consent to my app?
No, this isn't possible.
Is there a way to restrict which tenant are allowed to use my app?
You can restrict which tenant is allowed to use your app by specifying the list of tenants in the Restrict-Access-To-Tenants header
Is there a way to look into which tenant did allow my app?
If you want to know the list of tenants/users who have access to your app, you should be user of that particular tenant.
If another org were to get ahold of my client id and grant consent, am
I able to do anything to prevent them from using it?
You can restrict which tenant can have to access to your application by using Restrict-Access-To-Tenants header in your application
Can I set up notifications if another org grants consent to my app?
We cannot receive the notification if any other organization grants consent to your application
Related
I have created an API that is protected by OAuth using an app registration in Azure.
My app registration does not require assignment, but it exposes a number of roles that the underlying API verifies. To my understanding, this accomplishes almost the same thing as requiring approval.
So far I've only had user/group roles but now I've added an application role intended for integrators, and I want other application owners to be able to request permission to my API. I, as the API owner, would like to review these and either reject or consent to the request. E.g. I don't want everyone to be able to access my API within the tenant without my knowledge, just like all users/groups don't have access with me assigning them to a role.
The Role-based access control for application developers documentation makes it very clear who manages access:
...an application developer defines roles rather than authorizing individual users or groups. An administrator can then assign roles to different users and groups to control who has access to content and functionality.
However, if you create a role with allowed member types set to application, things are not quite as clear and it seems to behave more like a scope, where I give up any access management. Also from my limited understanding, a scope is used when the API needs to request data from the user (e.g. wanting to read their username), whereas a role is used for the application developer to control access to what they are developing.
This is what it looks like when I request access to my API from another app:
This same page mentions the following information:
The "Admin consent required" column shows the default value for an organization. However, user consent can be customized per permission, user, or app. This column may not reflect the value in your organization, or in organizations where this app will be used.
As well as:
Applications are authorized to call APIs when they are granted permissions by users/admins as part of the consent process
However, from my reading, it sounds like this never gives me, as the API owner, any insight into who has access to the API I own. I want to control application access the same way I'd assign a group or user to a role in the enterprise application.
Can this be achieved when it's an application on the other end, not a user? If not, how would I allow applications to integrate in a controlled manner?
I want to explain the feature Azure ad provided to protect web api here.
As you know, we usually use a token in the request header to let the api check if the request had correct permission to visit the api. Such as if the request from an allowed user role, right? So to whole progress should be authentication and authorization. Users sign in first then try to generate an access token to visit an api. Azure AD has similar architecture.
If you had a web application(e.g. web mvc app) you can integrate Azure AD into it then you can allow users use their user1#xx.onmicrosoft.com account to sign in. If you had a web api project, you can also integrate Azure ad and add [Authorize] attribute above the controller so that the incoming request should contain a correct Bearer token which we call it access token.
For Azure AD, we usually have 2 options, verification scopes or app roles. That results from the different flows we used to generate the access token. For example, we use auth code flow to sign in users and generate access token containing scp claim which is granted delegated api permissions. And we use client credential flow to let an application to generate access token containg roles claim which representing it's granted application api permissions. In short, when we set [Authorize] + [RequiredScope(scopeRequiredByApi)] in the controller, it allows requests from a user(user sign in the app and call api), when we set [Authorize(Roles = "roleRequiredByApi")], it allows requests from the application(no user signed in and the app call api by itself).
Here scopeRequiredByApi and roleRequiredByApi is what you exposed and then added to App Registration > Permissions. Just like Integrator you marked in the screenshot, it can be recognized as roleRequiredByApi because its type is Application.
And I'm afraid the roles is not what you want but to be honest what I said is what AAD can do for you... And I think the document I mentioned above about verification scopes or app roles will be a good sample for you.
The App Registration > Permissions section has a great feature for reviewing and limiting the access provided for your app registration:
enter link description here
In addition you should always define the scope of your permissions and limit it to the least required for your app. eg. NEVER set scope at the subscription level! Always set it at the resource group or lower.
Also note that Microsoft now provides Defender for APIs and you can use Sentinel to monitor a lot of the activities related to your app registration. Always always enable logging wherever possible and configure some method of alerting/reporting so you can better understand the activities for your app.
We are currently building an headleass application (without front end). This app has to be run as deamon and need to update calander entries of user in different tenant.
We have our seperate Azure subscription where we have created a VM and hosting app. we have different Azure AD tenant thatn the target tenant. I was thinking of registrating the app in our tenant as multi-tenant app. But then I am not sure how it will authorise to change resurces in another tenant.
Or it is must for app to be registered in target tenant?
One of the most important thing is we dont want interactive admin consent flow, as we want everything to be an automatic process. None of the document explains the significance of tenant ID in authentication flow. Anybody knows anything ?
First, you need to create a multi-tenant application in the original tenant, and then grant the application the Calendars.ReadWrite application permission.
Next, run admin consent url in the browser, and then you need to log in with another tenant's administrator account and consent. The multi-tenant application will then be added to the target tenant as an enterprise application. https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id={client-id}.
At the same time, the application will have the Calendars.ReadWrite application permission in the target tenant. Finally, you only need to use the client credential flow to obtain the token and then call the Update calendar api to change the calendar entry of another tenant.
Log into Azure B2C
Click Users
Select a user
Click Applications
I created users in my B2C tenant by logging into my website using various OAuth identity providers. So for any user selected using the above steps I expect to see at least one application listed - that being the one the user signed into when their user record was created in Azure.
When I perform the above steps I only see applications listed under my own user name. I created all the users I see in my tenant so I know there should be apps listed with each user name.
More formally stated my questions are:
Given an Azure AD Application, how do I get a list of users that are authorized to log into that app?
Given an Azure AD User, how do I get a list of applications that user is authorized to log into?
I would like to accomplish the above tasks using Azure portal - I don't want to write script. Also, my purpose in asking these questions is to be able to delete or disable users as needed.
Azure AD B2C does not hold a mapping of Users who signed into an App to a specific Application Registration. By default, all users are authorized to sign into your apps if you have OAuth IdPs configured against the AAD B2C policy that allows authentication to your App.
You can use the AAD B2C Sign In logs to see which users have been logging into what applications.
Assigning or not assigning Users to Apps in the Azure Portal does not enforce any authorization, this is an Azure AD only concept and doesnt apply to Azure AD B2C.
The process you followed(Users->select user->application) will only be able to see the applications listed under your tenant.
In the same manner when you choose an application and select the users/Groups you will only be able to see the users who have accessed your application.
Based on application/user->application you can remove the access from that application.
Regarding the
Given an Azure AD Application, how do I get a list of users that are
authorized to log into that app?
Given an Azure AD User, how do I get a list of applications that user
is authorized to log into?
The list of users/application authorized details are completely depend on the application consent flow.
Application developers can dictate what types of permissions are being requested and if they want to guide users through the user consent flow or the admin consent flow. If the application is provided with user consent flow based on the consent acceptance any user can access that particular application.
Admin consent flow is when an application developer directs users to the admin consent endpoint with the intent to record consent for the entire tenant. Application access grant to the requested data on behalf of the entire tenant.
For more details on the consent and permission please go through the document
We are working on WEB APIs and want to integrate Azure AD for AuthN and AuthZ. We have successfully integrated the same. We have created enterprise applications, custom roles, assigned users for the same.
Now we need to allow access to APIs with AWS like keys (Secret / Access keys). Individual user can generate their own keys and store those in Azure AD so that when those keys are used, user can be authenticated.
I didn't find any way to achieve this using Azure AD. Any suggestions around same are welcome.
Meanwhile I have gone through custom store for keys. Please refer link : https://www.codeproject.com/Articles/1228892/Securing-ASP-NET-CORE-Web-API-using-Custom-API-Key
Thanks in advance.
Azure AD authentication uses tokens.
So any app wishing to call your API must authenticate with AAD and acquire a token for the API.
If these users are making apps within your organisation, then they can register their app in your AAD and require access to your API. They will create and manage their own keys.
If on the other hand these users are making an app for another organisation, you'll have to make your API a multi-tenant app.
And you'll need to have an on-boarding page in your API through which you will redirect their admin/user to the AAD login page, where they will consent to any permissions your API requires.
After this a service principal is created in their tenant.
Then they can register their client apps and require access to your API.
They will have full control which permissions they want to assign to each app, what roles to give to users etc. But of course the tokens will contain their tenant id so you can filter access on that.
We are building a Web App/API to publish in our Azure AD and want to provide access to the app by inviting (B2B scenario) external users into our Azure AD. This will create accounts in our Azure AD of type "Guest" which we will use to assign permissions to the app. In this scenario, do we need to configure our application to be "multi-tenant"? There are steps to take inside the code to accommodate for multi-tenant sign-ins and there is a setting on the Settings tab of the App Registration in Azure AD that is labeled "Multi-tenanted" where you select either Yes or No. On the App Registration setting, there is a pop-out bubble that says:
Designates whether users in external organizations are allowed to grant your
app access to data in their organization's directory
I am not sure how (or if) the code changes and the app registration setting are related but our app will not need access to any data outside of our directory.
No your app does not need to be multi-tenanted and you do not need to direct users to the /common endpoint. I have tested this, and you still get a kind of SSO experience.
Example paul#org1.com (homed in Org1 AAD) is a guest user in Org2 AAD (invite has been accepted). Now this same user opens a private browser and logs in to Org1 AAD.
The user then tries to hit a web app with app registration in Org2, and web app redirects user to https://login.microsoftonline.com/org2.onmicrosoft.com/oauth2/authorize.
Result, user is considered logged in by AAD and gets redirected to the redirect_url with tokens, etc.