I would like my asp.net web API application to automatically create AD account in my domain.
Which application pool identity should I use? Or maybe I could programmatically use the identity of the IT person, who uses this web application? If yes, then how to do it?
I am not sure what you mean by automatically, but you need to make the user object by code. The Identity the app is running under needs to have the right to make user objects under a specified OU. The code creates user objects in this spesified OU.
If the app runs under "<app-user>", this credential should be given the right to create objects under the "target OU". As a short-time test, you can give the user "Domain Admin" rights.
You can also test if the correct permissions has been granted by starting Active Directory Users and Computer or running a powershell script, with these credentials.
You should NOT use the credentials of a real IT person.
The code you need to create a user object in Active Directory you can easily find here on Stackoverflow.
Related
please, is here any way how to make relationship between applicaiton in Azure AD and User with client secret.
My use case. User ask for token with client secret(as deamon) and call my web api and a verify this token. Token is valid but there is no information about user who call it or who registered app. User gets token via API (https://learn.microsoft.com/en-gb/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#get-a-token)
When user ask for token interactive everything is ok.
I tried to use a information about who created app, but Azure AD does not set it when user is administrator.
Is there any way how to use deamon which will be connected with some user?
Is there anywhere i can save this relationship in azure AD?
My idea, every user who wanted use my web api as deamon create his application and connect to mine web api, which use his app for verification. Relationship between app creator and user can be enough. but when i delete user and he has still client secret, he can access. I dont want to use his username and password because it will be saved on different computers and it is not save enough.
If you have more questions, dont hesitate to ask!
Thank you for any idea.
For scenarios, such as this one, your application should have an App Role with the allowedMemeberTypes having Application and as mentioned in the docs, this will show up as an application permission to other apps.
So the consumers of your API will have to add this application permission to their daemon app (which requires admin consent). This will trigger a flow internally that creates a Service Principal (like a user persona of the application) and adds that as a user to your application (you should be able to see it listed under Enterprise Applications > (Your API) > Users and Groups).
When you want to deny this daemon access to your API, you will just have to revoke the admin consent provided at first.
I believe you could even automate this process by using the Microsoft Graph APIs.
I have been working a while trying to find out how to connect multiple tenants to the same Azure APP to access graph. I end up using ConfidentialClientApplication because I have a daemon service which can't ask for authentication all the time, so tenant admin grants permissions once to my Azure app and I able to access tenant's data with MS Graph API.
I need help understanding whats wrong with the following scenario:
Consider we have 2 tenants: tenant1, tenant2. Both granted permissions to my app. But this means tenant2 can access tenant1's data by specifying tenant1 authority like https://login.microsoftonline.com/tenant1 and email. How to overcome this situation security-wise, should I use one azure app per customer, may be some other MSAL authentication flow for daemon apps? Totally confused.
If your customers can control the authority your daemon app uses, it sounds like you cannot use the approach of a single app with app permissions to all customer tenants.
This approach can be used when you have a multi-tenant app with a background process that runs in your infrastructure that the customer cannot control.
Either your app needs to talk to infrastructure that only you control, which then uses the app permissions, or you need separated applications.
An application would need to be created as a single-tenant app in each customer's AAD.
Either they do it, you do it, or you provide a script to do it.
Then they can enter those credentials into your app's config and start using it.
I have a client application which runs as daemon mode [no interfaces].
This daemon will speak to app created in Azure (single-tenant currently) to fetch users using O365 Graph API.
Authentication mechanism used is Auth2 certificate/thumbprint.
Permission to app is given directly by admin while creating app in azure itself.
Now i need to make this daemon (client) and app in azure as multi tenant.
Things i followed after reading some articles
Mark app as multi-tenant in azure
Point to /common in token url in client (which runs as daemon) https://login.microsoftonline.com/common/oauth2/token.
Questions:
After this i was able to get access token , but for any query i make i am getting error "The identity of the calling application could not be established".
Since there is no user intervention here , how do i give permission for tenant B app to access tenant A's data like users in my case ? Anything i can do in manifest file
If tenant B's app is accessing tenant's A data , should both app in azure be mutlitenant ?
Lot of articles explains how is the flow based on user login (user consent). But my client application runs as daemon. How do i give permission directly/mechanism in azure app for accessing other tenant's data ?
[Assume i am admin of both tenants and i have complete access to both tenant]
It isn't possible to use the common endpoint when using the client_credentials flow to log into the \OAuth2\token endpoint. This is because common is designed to identify the user's "home" directory and when they log in interactively they are redirected to sign into their home directory unless overwritten.
2 & 3. Tenant B doesn't get a registered application it only get an Enterprise Application. The linked Registered App would be the one is Tenant A, communication here isn't bi-directional. A has an Enterprise Application in A and an Enterprise Application in B. You set the permissions for all the Enterprise Applications using the Registered Application in A but an Admin/User -dependant on the permission type- will have to grant permissions in their respective tenant (A & B). When you log in as a user you utilise the Application Registration. In order to access B you will have to call the token endpoint containing B's tenant id.
To enable one application to be able to access multiple tenants you need to:
make the Application Multi-Tenanted. Make a note of the application's ApplicationId.
Using PowerShell log into the tenant you want to give the Application access to.
Use the Cmdlet New-AzureRmServicePrincipal -ApplicationId <ApplicationId> where is the one you noted earlier.
This will create a service principal in tenant B based on the application in Tenant A. The application in A when then be able to use the token endpoint for Tenant B to log in an access.
I'm trying to get information about Azure Active Directory groups using the Graph API, but I keep getting an "Authorization_RequestDenied" response.
This question is similar to Insufficient privileges error when trying to fetch signed in user's group membership using Azure AD Graph API, but that question's answer didn't work for me.
Here's what I've done:
Logged onto the Azure portal using my Microsoft account (e.g. example#hotmail.com)
Set up an Azure Active Directory instance for testing. The domain of the instance is something like examplehotmail247.onmicrosoft.com
Created a user (TestMember#examplehotmail247.onmicrosoft.com)
Created some groups, and made the user part of those groups
Created an ASP.NET application configured to authenticate to AAD using OpenID Connect.
Registered the application in AAD, created client secret, reply URL, etc.
Modified the manifest of the application in AAD so that group membership claims are returned.
The authentication part works fine. After the user logs on, I can see all the information I expect (name, ID, etc.), along with claims containing the IDs of all the groups the user belongs to.
So far, so good.
Now, I want to translate those group IDs to human-readable group names. For this, I'm using the Microsoft.Azure.ActiveDirectory.GraphClient NuGet package, which provides a GetObjectsByObjectIdsAsync method. This method seems to be a wrapper for the getObjectsByObjectIds REST method.
To try and get this working, I've done the following:
In the Azure portal, I've granted the "Sign in and read user profile" and "Read directory data" permissions to my application.
Logged in to my ASP.NET application at least once using my Microsoft account
What I see: When I log in to my ASP.NET application using my Microsoft account, everything works. However, when I log in using the AAD account I created (TestMember#examplehotmail247.onmicrosoft.com), it fails with the following error:
[DataServiceClientException: {"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"1234e0bb-3144-4494-a5fb-12a937147bcf","date":"2016-12-06T18:39:13"}}]
System.Data.Services.Client.BaseAsyncResult.EndExecute(Object source, String method, IAsyncResult asyncResult) +919
System.Data.Services.Client.QueryResult.EndExecuteQuery(Object source, String method, IAsyncResult asyncResult) +116
Trying the equivalent query using the REST api directly (i.e. taking ASP.NET out of the picture) gives the same result.
So what am I missing here?
Update: I also granted the application the following delegated permissions (to Windows Azure Active Directory): Sign in and read user profile, Read directory data, Access the directory as the signed-in user. However, it didn't make any difference.
Update #2: I even made the TestMember#examplehotmail247.onmicrosoft.com a Global Administrator for the AAD instance, and it still didn't help.
Update #3: Ok, so first, some clarification. After a user logs on, my ASP.NET app gets an authorization code from the OpenID Connect flow. Once I get the code, I'm exchanging it for an access token using AcquireTokenByAuthorizationCodeAsync. The access token is tied to the user, and so I want to rely on delegated permissions, not application permissions.
The problem was that although the proper delegated permissions were granted to my ASP.NET app in the Azure portal, the user never had an opportunity to consent to them.
I started over by creating a completely new app registration in azure for my ASP.NET app, and here's what I found: When a user logs on for the first time, they are asked for consent to whatever delegated permissions are required. However, if I change which delegated permissions are required after they've logged on for the first time, the user is not asked for consent (for the newly-required permissions) the next time he logs on.
This is definitely not what I expected, so I'm going to open a new question about this.
iam currently researching how to implement Single Sign On for our WebService.
This is what i came up with so far.
If a customer of our WebService has an AzureActiveDirectory they can log on with their active directory user account to our WebService if we provide the nessecary interfaces for SAML, Oauth2, OpenID or whatever authorization protocoll we chose and azure supports.
The customers could also have their local network Active Directory synced to their Azure AD and use their Domain accounts to log on to our WebApplication.
Customers need to use the myapps.microsoft.com portal to "wrap" authentication.
Once everything is set up correctly the Identity Provider (AzureAD) would provide use with (e.g) an authenticated User Identity.
Here is were my problem begins.
Of course i need to somehow map the identity provided by the AzureAD to a certain Account for our WebService - we cannot simply use the provided identity.
As far as i understand it, you can grant AzureAD the right to create an Account on the target WebService in the name of the user which is currently signing in.
(Its called : enabling automatic user provisioning in the azure management portal).
However, when testing this with the Box, Canvas or Google apps i failed. Either i got an error or in the case of google apps i was just promted to login with my azure AD test account and then asked for a password and username of my google account (i set up SSO as an azure AD trust relation- so this should not happen)
Can someone provide some insights on how to accomplish the following?
Once the user is authenticated by SSO I want to create an account for our WebSerivce and then save the credentials for that user only in the Active directory of that particular user.
So if the user logs in the second time we can check wether there is an account already existing and log in the user with this account.
(I was told by microsoft that this might be possible with Azure Rights Management, but i cannot really find good documentation on that)
Storing the relationship: "Microsoft AD Identity <-> our WebServiceAccount Credentials" on our side is not desired because we cannot securly encrypt the data in a way that we DONT know whats in there. (or there is , and i dont know of it yet)
"Bonus Question":
Can i support SSO for a desktop application too? (Do i need a provide proxy web application or can the desktop app do this directly?)
Please see my answer to a similar question here: asp.net azure active directory user profile data
However - I'm trying to understand if you need something different. Are you expecting your customers to already have a directory and Azure AD accounts (maybe through having Office 365 subscriptions), and use those to sign in to your web app, or does your app scenario require creation/provisioning of user accounts into your customer's Azure AD directory? Provisioning can be done through graph API (as per your link), as long as the admin of your customer grants consent to allow your app to write to their directory. You can find some samples on github, and I recommend you look through https://msdn.microsoft.com/en-us/library/azure/dn499820.aspx and https://msdn.microsoft.com/en-us/library/azure/dn646737.aspx for code samples.
HTHs,
I think, without testing it. That using the Graph API enables me to save custom data for any Directory User effectively enabling my desired functionality.
This is the documentation i found very usefull.
https://msdn.microsoft.com/en-us/library/hh974476.aspx