Azure portal does not match securing Blazor Webassembly - azure

I have only recently been tasked with writing some Business-type web applications, in the past many years I had mostly been working on SQL, services, and other non-client project -- so much of this is all new to me. I have had good success picking up and being productive with hosted Blazor WebAssembly. I need work through how to secure a Webassembly, so google lead me to:
https://learn.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/hosted-with-azure-active-directory?view=aspnetcore-5.0
While I was not very familiar with the Azure portal, the reference seemed quite detailed and I thought this would be straightforward. I tried walking through the steps to Register a server API app in an existing tenant:
Azure Active Directory > App Registrations, New Registrations -- check
Provide Name for the App -- check
Choose supported account types (accounts in this organizational directory) -- check
Leave Redirect URI options to web and don't specify a redirect URI -- check
Clear Permissions > Grant admin consent to openid and offline_access - NOPE, no option on this screen for this, I wonder if that setting has moved or if somehow I don't the permissions to see it.
Having no other choice to proceed, I select Register.
During a quick look, I could not find anything about openid and offline_access. Is it right under my nose, or no longer needed, is the documentation out of date, or is there an easier approach? I didn't proceed further, other than to tinker, to the client app registration as I felt the server registration was not valid. Are there any other bumps in the road on the client application registration as well?
Just for perspective, right now, I am content to just force a login verified against AAD.
Thanks for any help!

You are correct. There is no Permissions > Grant admin consent to openid and offline_access under normal AAD | App registrations.
But it indeed has this part under Azure AD B2C.
So I guess the document is not updated to synchronize with the Azure portal.
Don't worry about that. You can skip the step 5. After the Azure AD app is created successfully, you can assign and consent the openid and offline_access under Microsoft Graph permissions. Please note that don't forget to click on Grant admin consent for {your tenant}.

Related

Azure AD multi tenancy and multi tier consent

can someone explain the azure admin consent flow to me as either its not documented well, I cant read and comprehend or something else.
I have a web app that employs a web api in a home tenant
the web api is a permission on the web app
the web api has the web app client id as a knownclientapplication
if i login as a home tenant admin on the web app demanding scope of the web api, everything works as expected:
i am presented with an admin consent dialog INCLUDING the web api
i consent and all is hunky dory
if i login as a client tenant on the web app demanding scope of the web api - using the '/common' tenant, things arent so good:
i am presented with an admin consent dialog EXCLUDING the web api
when i consent, the enrollment ends in an AADSTS650051 stating I dont have access to a resource
this DOES make sense to me as the web api does not have a service principal in the customer tenant and therefore cannot access it, but when i read the documentation is suggests it should work this way. the terms start to blur for me as they are a bit ambiguous which is where I am not sure what I am supposed to do. source
i can make it work if i sign into the web api first as it will create the service prinicpal
then i can login into the web app where it now has access to the service prinicpal
but the documentation doesnt really explain this in the multi tier single tenant but suggests this in the multi tier multi tenant
Ive read it so many times all the words sound like noises now....
anybody ideas/confirmations/tips?
Documentation clearly states knownClientApplications is to be used for single tenant. Multi tenant setup requires 2 consent flows.
I think I found the answer - by accident and dated in 2017, so who knows, eh?
Apparently the knownclientapplications setting which enables multi tier consent only works in the same tenant.
When offering a multi tenant solution, you have to build a multi consent flow where you ask the admin to consent to the applications individually.
So my assumption was correct. Single tenant, good. Multi tenant, nope!
source

How to Integrate existing Azure AD B2C into a Xamarin forms app using MSAL?

I am kind of confused about the integration process, so I hope to get some clearer guidance in my case.
Let say there is an existing web application(Angular + .Net Core) and I am working on the mobile version(Xamarin.Forms) for it. The web side and mobile side will share the same API backend for user authentication and other services.
So there is an existing tenant and related information (tenantName, tenantID, AppID, RedirectURL, policies, etc), and the redirectURL is for authorizing (https://.../authorize).
At first I thought I can directly used this information. I tried on the code sample and just replaced tenantName, tenantID ... When I clicked Log In button, it first showed me this error:
And then it directed me to the Sign In page. Finally, I signed in the web application in the simulator.
I feel like I should register the mobile app under the same tenant. If I want to help current web users log in the mobile version, how to integrate the existing Azure B2C properly with it for the authentication? Any hits would be appreciated. Thanks in advance.
Update:
I stayed stuck in the token part. I already enabled implicit grant. I used the sample code and add scope in the sample:
When you Register a web application, you should pay attention to the content after step 9.
Once the application registration is complete, enable the implicit
grant flow:
In the left menu, under Manage, select Authentication.
Under Implicit grant, select both the Access tokens and ID tokens
check boxes.
Select Save.
Select the Access tokens will give you the access token.
Ok finally get the access token in the AuthenticationResult. This is how I dealt with it.
After we define a scope, we need to configured permission.
Go to the registered application and add it to the configured permissions list:
After that I can see the accessToken in the result when I debug.

Checking a user exists in Azure Active Directory B2C

I am creating a new Azure AD B2C authenticated site to replace an older Forms Authenticated one. In the new site, I am asking the user to initially enter their email address so I can check if they exist in Azure B2C and send them to the appropriate sign-in page and if not send them to the older Forms Authenticated site.
The issue is I have when following Microsoft's tutorials, is that they show user management but they all require you to have logged in with your Azure account first and obviously this is not possible given the system I am trying to build. Is what I am doing even possible?
Thanks in advance!
MS tutorials: https://azure.microsoft.com/en-gb/documentation/articles/active-directory-code-samples/
Sadly, it seems like this is not possible within the Azure B2C Preview.
From the limitations section (https://azure.microsoft.com/en-gb/documentation/articles/active-directory-b2c-limitations/) there is this paragraph which describes what I am trying to do:
Daemons / Server Side Applications
Applications that contain long running processes or that operate without the presence of a user also need a way to access secured resources, such as Web APIs. These applications can authenticate and get tokens using the application's identity (rather than a consumer's delegated identity) using the OAuth 2.0 client credentials flow. This flow is not yet available in Azure AD B2C preview - which is to say that applications can only get tokens after an interactive consumer sign-in flow has occurred.
So it seems like this is currently not possible. Hopefully it'll work once it comes out of preview.
Be careful with this, check if your site is not vulnerable to username enumeration:
http://www.troyhunt.com/2012/05/everything-you-ever-wanted-to-know.html
With the old users going to forms based authentication, you could call the Graph API to create the users in the B2C directory:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-devquickstarts-graph-dotnet/
Then the next time they can login through B2C

Azure Active Directory Login: Web App Permissions, User Consent not triggered

I have currently set up a AAD instance and I am authenticating my users against it via my web app, and it’s working great.
When I added and configured the application on AAD, I added the required Application and Delegated Permissions to access the Office365 Calendar API. However, the only thing that is missing is that during the login flow users aren’t being prompted to grant consent for the permissions, as it should happen from what I’ve read in your docs: https://msdn.microsoft.com/en-us/library/azure/dn132599.aspx#BKMK_Consent
I’m not sure what I’m missing. Apparently, from the docs,
After the user has signed in, Azure AD will determine if the user
needs to be shown a consent page. This determination is based on
whether the user (or their organization’s administrator) has already
granted the application consent. If consent has not already been
granted, Azure AD will prompt the user for consent and will display
the required permissions it needs to function. The set of permissions
that is displayed in the consent dialog are the same as what was
selected in the Permissions to other applications control in the Azure
Management Portal.
So maybe somehow I have already probably implicitly granted admin consent for those permissions, but I don’t know how that happened.
I've attached the permissions I configured on the AAD App.
Any help would be appreciated.
If an admin creates an application in their tenant using the AUX portal (manage.windowsazure.com), and requests permissions to other applications, then users in that same tenant are pre-consented for that application. Note this behavior is NOT true for our other App Registration Portals (portal.azure.com or identity.microsoft.com)
I believe this is why you are not seeing the consent dialogue when user's in your tenant are signing into your application. If you would like to push the consent dialogue experience, there are a few different things you can do:
You can use query strings to prompt "consent" or "admin_consent" during login. Check here: https://msdn.microsoft.com/en-us/library/azure/dn645542.aspx
You can delete the service principal for your application from your tenant using AAD PowerShell. You can learn how to do that here: https://msdn.microsoft.com/en-us/library/azure/dn194113.aspx
You can have a user from another tenant try to login to your multi-tenant application.
You can create your application under a non-admin account.
I hope this helps!
Shawn Tabrizi
Try this:
What is the Resource parameter in Windows Azure AD tenant application oAuth 2.0 specification
Changing the resource parameter to https://graph.windows.net did the trick for me.
Furthermore, Microsoft support suggests disabling all permissions except "Enable sign-on and read users' profiles", apparently to avoid permission related problems. I understand that this is not a solution in your case, but at least it gives you a test case.

Azure Active Directory SSO - Account Mapping

iam currently researching how to implement Single Sign On for our WebService.
This is what i came up with so far.
If a customer of our WebService has an AzureActiveDirectory they can log on with their active directory user account to our WebService if we provide the nessecary interfaces for SAML, Oauth2, OpenID or whatever authorization protocoll we chose and azure supports.
The customers could also have their local network Active Directory synced to their Azure AD and use their Domain accounts to log on to our WebApplication.
Customers need to use the myapps.microsoft.com portal to "wrap" authentication.
Once everything is set up correctly the Identity Provider (AzureAD) would provide use with (e.g) an authenticated User Identity.
Here is were my problem begins.
Of course i need to somehow map the identity provided by the AzureAD to a certain Account for our WebService - we cannot simply use the provided identity.
As far as i understand it, you can grant AzureAD the right to create an Account on the target WebService in the name of the user which is currently signing in.
(Its called : enabling automatic user provisioning in the azure management portal).
However, when testing this with the Box, Canvas or Google apps i failed. Either i got an error or in the case of google apps i was just promted to login with my azure AD test account and then asked for a password and username of my google account (i set up SSO as an azure AD trust relation- so this should not happen)
Can someone provide some insights on how to accomplish the following?
Once the user is authenticated by SSO I want to create an account for our WebSerivce and then save the credentials for that user only in the Active directory of that particular user.
So if the user logs in the second time we can check wether there is an account already existing and log in the user with this account.
(I was told by microsoft that this might be possible with Azure Rights Management, but i cannot really find good documentation on that)
Storing the relationship: "Microsoft AD Identity <-> our WebServiceAccount Credentials" on our side is not desired because we cannot securly encrypt the data in a way that we DONT know whats in there. (or there is , and i dont know of it yet)
"Bonus Question":
Can i support SSO for a desktop application too? (Do i need a provide proxy web application or can the desktop app do this directly?)
Please see my answer to a similar question here: asp.net azure active directory user profile data
However - I'm trying to understand if you need something different. Are you expecting your customers to already have a directory and Azure AD accounts (maybe through having Office 365 subscriptions), and use those to sign in to your web app, or does your app scenario require creation/provisioning of user accounts into your customer's Azure AD directory? Provisioning can be done through graph API (as per your link), as long as the admin of your customer grants consent to allow your app to write to their directory. You can find some samples on github, and I recommend you look through https://msdn.microsoft.com/en-us/library/azure/dn499820.aspx and https://msdn.microsoft.com/en-us/library/azure/dn646737.aspx for code samples.
HTHs,
I think, without testing it. That using the Graph API enables me to save custom data for any Directory User effectively enabling my desired functionality.
This is the documentation i found very usefull.
https://msdn.microsoft.com/en-us/library/hh974476.aspx

Resources