Azure authentication issue - azure-ad-b2c

I have a blazor server-side application that uses Azure B2C authentication. Everything works well when I run it on my local machine. Now I deployed it as Azure App Service. The application url is redirected for authentication to https://mycompanyb2c.b2clogin.com/mycompanyb2c.onmicrosoft.com/b2c_1_myapp_signin/oauth2/v2.0/authorize... etc.
But immediately after that it is redirected to redirect uri (https://localhost:44333/signin-oidc). I don't know why this happens. What I did notice was a warning "You can use this application to authenticate against Azure Active Directory, but not Azure AD B2C". This surprises me, as I thought the app is under Azure AD B2C, and I can see it under Home/Azure AD B2C on Azure portal.
How can my issue be resolved?

Did you update the redirect URL in your json file?
Did you update the redirect URL in the app registration?
It looks like this is pointing to your local PC rather than the Azure App Service.
In terms of the message, is your app. one of these?

Related

Provide App service security in Azure solutions

I have a click once windows application which already has authentication n Authorization built in. Earlier i used to deploy it on physical server n share the location with users so that they can install it n use it. But now we have decided to deploy it on azure PAAS service (App service ). But currently url is geting access by anyone which i want to restrict. Currently my organization AD is not synced with Azure AD. So not able to use Azure AD for authentication.
Kindly provide some better solutions other than restricting users based on IP.
If it's a file download you can put it on Azure Blob storage for download and generate short-time SAS tokens.
While IP address restrictions and Azure AD authentication would be one-efficient approach for your scenario. Since you do not want to go that route (due to environment limitations), If you wish you could authenticate users with the specified provider (Microsoft Account, Facebook, Google, Twitter or Any OpenID Connect provider). App Service provides built-in authentication and authorization support, so you can sign in users and access data by writing minimal or no code.
App Service uses federated identity, in which a third-party identity provider manages the user identities and authentication flow for you. You can also use multiple sign-in providers.
So the simple process could be:
The option is Log in with . App Service redirects all anonymous requests to /.auth/login/<provider> for the provider you choose. If the anonymous request comes from a native mobile app, the returned response is an HTTP 401 Unauthorized.
Kindly checkout step-step instructions on the process/workflow:
Configure your App Service or Azure Functions app to use Microsoft Account login
If your WebApp is on VNet, you can have service endpoints enabled for Microsoft.Web, through access restrictions.
See- Advanced usage of authentication and authorization in Azure App Service

Azure AD: How to redirect user to a specific page

I have a app hosted in Azure. Currently when a user is authenticated in Azure AD but does not have access to the application, a generic message appears suggesting the user should request access from an administrator.
Now how would I redirect the user to a specific URL when they get this page from Azure AD ? I see no way to configure this in Azure.
EDIT
A little more technical details :
My App is hosted in a serverless Azure App Service. It is an Angular application using msal.js to authenticate.
The App is manually configured in Azure AD using Application Registration tab.

How to secure azure pre-production web app

we want to use azure web apps not only for production but also for pre-production sites. These sites should be accessible only for Users in our Azure AD or even better only users with specific roles in the Azure AD. Or as a workaround some form of authentification without changing the code of the App. Since the App should be available public in some point of time.
At the moment these web servers are hosted in our internal network so they are only accessible through vpn or on site.
How can I secure a pre-production web app?
I tried the built in authentifcation with AD but I can't authorize a specific AD Role or AD Directory without changing the application it self.
What would be perfect for us would be a simple Basic Auth on the web app which I understand is also not possible without changing the App.
Anyone facing the same problem?
Maybe there is a design pattern for this? Or some Gateway to handle this?
Any hints would help,
Thanks
Stefan
Follow this article which shows how to configure Azure App Service to use Azure Active Directory (Azure AD) as an authentication provider.
Some best practices when setting up your app and authentication:
Give each App Service app its own permissions and consent.
Configure each App Service app with its own registration.
Avoid permission sharing between environments by using separate app
registrations for separate deployment slots. When testing new
code, this practice can help prevent issues from affecting the
production app.
https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad

IIS Windows Authentication using Federated Identities in Azure AD

I am trying to make Windows Authentication (with Kerberos/NTLM) work in a Web App hosted in IIS using Azure AD Federated users but seems it does not work. Below are the whole infrastructure details:
I have an Azure AD (e.g. skj.onmicrosoft.com) with Azure AD Domain Services Configured
I have an on premises Windows AD (e.g. skjtest.com) which is federated with the Azure AD. The on-prem users are available in AAD, SSO works but the password hash is not synced with AAD.
A VM is created in Azure and joined to the AAD Domain skj.onmicrosoft.com
I created a Web App which uses Windows Authentication and hosted in IIS present in the above Azure VM
When I try to login using an AAD user (e.g. aaduser1#skj.onmicrosoft.com) to the web app, it works all fine using both Kerberos and NTLM
However when I try to login using a federated identity (e.g. feduser1#skjtest.com), it fails showing a 401 Unauthorized Status code.
Here my question is, is this at all possible to make the Windows Auth (with Kerberos or NTLM) work with the Federated identities? If yes, please let me know the ways I can achieve this.

How to integrate On-Premweb application with Web app hosted on Azure (AAD authentication)?

What could be the ways to integrate a web application ( on-prem) to another web application (Azure) using azure AD authentication( happening in the background), with out the user being prompted for credentials.
It depends on how your on-premise application authenticated. Based on the description, you want to implement the single sign-on for the on-premise application with the application which protected by Azure AD.
In this scenario, you can deploy ADFS on-premise and make the on-premise web application authenticate by the ADFS. Then we need to enable the trust from the ADFS to Azure AD. After build the federated trust, when the users try to access the web application which protect by Azure AD will redirect to the ADFS, and if the users already authenticate the on-premise application they will not required to enter their credential again. Here is a figure to demonstrate this progress and you can refer more detail about it from this link.
And now, we can use Azure AD connect to integrate your on-premises directories with Azure Active Directory easily. You can refer the video on this link about different settings for this tool.

Resources