Cross Azure AD resources - azure

If there are two companies with different domains, one is companyA and the other is companyB, and they both have an Azure AD, an Azure AD B2C and a backend mobile application (backendA and backendB).
There are existing front-end mobile apps: mobileA, which can access backendA after Azure AD B2C authentication by companyA, and mobileB, which accesses backendB after Azure AD B2C authentication by companyB.
For my case, I want mobileA to call the API of backendB after authentication with companyA's Azure AD B2C. But after getting the token from companyA, how does backendB check that the token is valid?
Thanks!
lihoma

You can register backendB in companyA's tenant as an app.
The mobileA app can acquire a token for backendB from its own tenant.
Then backendB will need to add support for companyA's tokens in addition to supporting companyB's tokens.

Related

Azure AD SSO with 3rd party

I have an app that authenticates using OIDC to Azure AD. I configured the other app to share Azure AD accounts (SSO) so users can access that app with AD accounts using that app's interface (the app is Citrix ShareFile). ShareFile has an API and different SDKs (in my case .NET). I cannot figure out how to, and if it is possible to, exchange an OIDC token for a ShareFile token, which is SAML.

Azure Web API authorize token generated by Azure AD and Azure AD B2C

I have a React Native app which uses Azure AD B2C (as it is available outside our organization) and a backend admin SPA with Azure AD, as it is only for our employees.
I have a Node backend which provides an API for both apps; now how do I validate the tokens generated by the AD B2C app and the AD app?
One solution is to use Azure AD as an external identity provider in Azure AD B2C and use the Azure AD B2C app for both the RN external-facing app and the backend admin SPA. This will work; the issue here is that we will have employee information in both AD and AD B2C.
What is the right way of doing this kind of integration? Any help is greatly appreciated. Thanks
Handle it in the back-end side / API side. So essentially, in the API side, you have two or more ways of authenticating a user.
In the case of AD and AD B2C, it'll be like setting up two JWT auth providers.
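Both answers above (backendB accepting companyA's tokens next to companyB's, and one Node API accepting Azure AD and Azure AD B2C tokens) come down to the same thing on the API side: an allowlist of trusted issuers, each with its own signing key and its own expected audience, consulted before any signature is checked. The following is an added example, not code from either answer or from Microsoft. The issuer URLs, app IDs and secrets are constructed; real B2C and Azure AD tokens are RS256-signed with keys published at each tenant's JWKS endpoint, whereas this example gives each issuer an HS256 secret so it runs offline. The dispatch logic (issuer allowlist, issuer-dictated algorithm, per-issuer audience, time window) is the part that carries over unchanged.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed configuration (not real tenants). One entry per trusted issuer.
# For a live B2C tenant the issuer is https://{tenant}.b2clogin.com/{tenantId}/v2.0/
# and "secret" would be replaced by the RSA key fetched from the policy's JWKS
# endpoint; HS256 is used here only so the example needs no external library.
TRUSTED_ISSUERS = {
    "https://companya.b2clogin.com/aaaaaaaa-0000-0000-0000-000000000001/v2.0/": {
        "audience": "backendb-app-id-in-companyA",  # backendB as registered in companyA's tenant
        "secret": b"companyA-signing-secret",
        "alg": "HS256",
    },
    "https://companyb.b2clogin.com/bbbbbbbb-0000-0000-0000-000000000002/v2.0/": {
        "audience": "backendb-app-id-in-companyB",  # backendB as registered in companyB's tenant
        "secret": b"companyB-signing-secret",
        "alg": "HS256",
    },
}


class TokenRejected(Exception):
    """Raised with a short reason whenever a token must not be accepted."""


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(issuer, claims, secret, alg="HS256"):
    """Sign a JWT the way a (demo) tenant would; used only to build test input."""
    header = {"alg": alg, "typ": "JWT"}
    body = dict(claims, iss=issuer)
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(body, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_token(token, now=None):
    """Validate a JWT against TRUSTED_ISSUERS and return its claims."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        raise TokenRejected("malformed token")

    # 1. Select the issuer configuration from the (still unverified) iss claim.
    #    Anything not on the allowlist is rejected before any signature work.
    issuer_cfg = TRUSTED_ISSUERS.get(claims.get("iss"))
    if issuer_cfg is None:
        raise TokenRejected("untrusted issuer")

    # 2. The algorithm comes from the issuer config, never from the token header,
    #    so "alg: none" and algorithm-substitution tokens stop here.
    if header.get("alg") != issuer_cfg["alg"]:
        raise TokenRejected("unexpected alg")
    expected = hmac.new(issuer_cfg["secret"], (header_b64 + "." + payload_b64).encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenRejected("bad signature")

    # 3. The audience must be this API's app ID as registered in *that* tenant.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if issuer_cfg["audience"] not in audiences:
        raise TokenRejected("wrong audience")

    # 4. Time window; a token without exp is treated as expired.
    if claims.get("exp", 0) <= now:
        raise TokenRejected("expired")
    if claims.get("nbf", 0) > now:
        raise TokenRejected("not yet valid")
    return claims


if __name__ == "__main__":
    iss_a = next(iter(TRUSTED_ISSUERS))
    tok = mint_token(iss_a, {"aud": TRUSTED_ISSUERS[iss_a]["audience"], "sub": "user-1",
                             "exp": int(time.time()) + 600}, TRUSTED_ISSUERS[iss_a]["secret"])
    print(validate_token(tok)["sub"])
```

The audience check is the step most often skipped when a second issuer is bolted on: a token companyA issued for some other API in its tenant must not be accepted by backendB just because companyA is trusted, which is why the expected audience lives alongside each issuer rather than as one global value.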

does the azure App Service Authentication module support azure aad b2c?

I have a UWP app that needs a backend. I want to use Azure App Service and need to set up authentication for the backend.
The App Service Authentication module can easily set up authentication for the app.
I wish to use AAD B2C, but the App Service Authentication module says that it does not support AAD 2.0/MSAL. So, can the App Service Authentication module support AAD B2C?
And how can I verify the AAD B2C token signature on the web service? The Microsoft docs say some library can be used to verify the AAD B2C token signature; can MSAL be used to verify the AAD B2C token signature in an ASP.NET Core web service?
Can the App Service Authentication module support AAD B2C?
Yes, App Service Easy Auth supports AAD B2C; you can configure it under Advanced management mode.
Set the Client ID to be the Application Client ID from the Azure AD B2C tenant.
Set the Issuer URL to be the Metadata Endpoint for the policy.
https://tonyb2ctest.b2clogin.com/tonyb2ctest.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_testsignupin
Note: don't forget to set the reply URL in the Azure AD tenant application: https://XXX.azurewebsites.net/.auth/login/aad/callback
How can I verify the AAD B2C token signature on the web service?
Many open-source libraries are available for validating JWTs; it doesn't matter that you are on Azure App Service.
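The answer above points at the policy metadata endpoint and says any JWT library will do the signature check. What such a library does with that endpoint, and what goes wrong when a B2C token is checked against the wrong policy or an old key, is worth seeing in the open. The following is an added example, not code from the answer or from Microsoft: it takes a constructed OpenID discovery document and JWKS of the shape a B2C policy publishes (issuer URL, tenant GUID and key values are all made up), picks the signing key a token's `kid` points at, and compares the token's issuer against the metadata exactly. The RSA signature verification itself is left to the library; this is the lookup that feeds it.

```python
import base64
import json

# Constructed sample documents (not fetched from any real tenant). Their shape
# follows what a B2C policy's metadata endpoint (.well-known/openid-configuration?p=...)
# and the jwks_uri it advertises return; the key values here are made up.
POLICY_METADATA = {
    "issuer": "https://contoso.b2clogin.com/11111111-2222-3333-4444-555555555555/v2.0/",
    "jwks_uri": "https://contoso.b2clogin.com/contoso.onmicrosoft.com/b2c_1_signupin/discovery/v2.0/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
}
JWKS_DOCUMENT = {
    "keys": [
        {"kid": "key-2023", "kty": "RSA", "use": "sig", "e": "AQAB", "n": "AQIDBAUGBwg"},
        {"kid": "key-2024", "kty": "RSA", "use": "sig", "e": "AQAB", "n": "CAcGBQQDAgE"},
    ]
}


class KeyResolutionError(Exception):
    """No usable signing key could be chosen for the token."""


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def unverified_header(token):
    """Read the JOSE header without trusting it. Only alg and kid are taken from
    it, and only to choose a candidate key; nothing else is decided here."""
    try:
        return json.loads(_b64url_decode(token.split(".")[0]))
    except (ValueError, IndexError):
        raise KeyResolutionError("malformed token header")


def resolve_signing_key(token, metadata, jwks):
    """Return (n, e) of the RSA key from `jwks` that should verify `token`."""
    header = unverified_header(token)
    # The policy advertises which algorithms it signs with; a token claiming any
    # other algorithm (including "none") is rejected before key lookup.
    if header.get("alg") not in metadata["id_token_signing_alg_values_supported"]:
        raise KeyResolutionError("alg not advertised by the policy metadata")
    kid = header.get("kid")
    for key in jwks["keys"]:
        if key.get("kty") == "RSA" and key.get("use", "sig") == "sig" and key.get("kid") == kid:
            n = int.from_bytes(_b64url_decode(key["n"]), "big")
            e = int.from_bytes(_b64url_decode(key["e"]), "big")
            return n, e
    # In a live service an unknown kid is the cue to re-fetch jwks_uri once
    # (key rollover) before giving up on the token.
    raise KeyResolutionError("no signing key with kid=%r" % kid)


def issuer_matches(claims, metadata):
    """B2C issuers are keyed by tenant GUID and end with a slash; compare the
    token's iss against the metadata's issuer exactly, with no normalisation."""
    return claims.get("iss") == metadata["issuer"]


def make_unsigned_token(header, claims):
    """Constructed token for the demo (empty signature segment); a real B2C token
    carries an RS256 signature that the chosen (n, e) would verify."""
    return _b64url_encode(json.dumps(header).encode()) + "." + \
        _b64url_encode(json.dumps(claims).encode()) + "."


if __name__ == "__main__":
    demo = make_unsigned_token({"alg": "RS256", "kid": "key-2024", "typ": "JWT"},
                               {"iss": POLICY_METADATA["issuer"], "aud": "demo-client-id"})
    print(resolve_signing_key(demo, POLICY_METADATA, JWKS_DOCUMENT))
```

Two practical points fall out of this: each B2C policy has its own metadata document (the `?p=` parameter in the answer's URL), so a token minted by a different policy of the same tenant can fail the alg or kid lookup here even though the tenant is the right one; and the issuer string must match exactly, trailing slash included, which is why copying the issuer from the metadata rather than typing it by hand is the safer configuration.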

Azure AD B2C application vs Azure App Registration app

I don't really understand the difference between an Azure AD B2C Application and an Azure App Registration Application.
I can see some of my Azure AD B2C applications in the Azure App Registration page, but the opposite is not true.
The good part of Azure App Registration is that you can call the Graph API if you have the right permissions, and that's not true for an Azure AD B2C Application.
https://learn.microsoft.com/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet
But it seems not to be possible to authenticate with Azure AD B2C using an Azure App Registration application.
Do you know if there is a possibility to have an all-in-one? An application which can authorize AAD B2C authentication and call the Graph API.
The two sets of apps are completely independent of each other.
You should not be able to see any of the Azure AD B2C apps in the Application Registration portal (ARP). The only app that may be visible is the 'b2c-extensions-app', which is a system application that B2C uses to store information about users. Likewise, the apps in the ARP portal should not be visible in the B2C portal.
Unfortunately it is not possible to have an "all-in-one" app at the moment. You should vote for the feature here.
Depending on your scenario, you could register an application in both the portals, and use the right one depending on the request you need to make.
1) Currently it is not possible to use the same app registration for both Microsoft Graph API and Azure AD B2C.
a. Azure AD B2C Apps must be registered using the Azure AD B2C blade in the Azure portal.
b. Graph API applications can be registered either at https://apps.dev.microsoft.com/ or by creating an application in your Azure Active Directory tenant (but not under the Azure AD B2C blade).
2) Graph API currently does not accept tokens issued by Azure AD B2C. This means you may need a separate micro-service that will authenticate with Microsoft Graph using the ClientId / ClientSecret of your Graph API Application Registration. The instructions in the documentation will have you configure “create, read and update permissions” for your Graph API app registration. (https://learn.microsoft.com/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet)

Adding Claims to a SAML token using Azure AD Single Sign-On

We have an application that uses multiple IdPs for authentication. We receive a SAML token with some extra claims which we authenticate on. We also want to use Azure AD as a trusted IdP, but how can our customer add the required claims to their returned SAML token?
There is no option to add claims to the Azure AD generated SAML token. To do this you have to add your application to the Azure AD Application Gallery. For Azure AD Premium users this can be done for your own applications that accept SAML.
For non-Azure AD Premium users you have to add your application to the Azure AD Gallery, see https://azure.microsoft.com/en-us/documentation/articles/active-directory-app-gallery-listing/.