Azure Active Directory B2C - App Service API Firewall Restrictions - azure-ad-b2c

I have set up some B2C custom policies that depend on an external web API (TOTP MFA and OIDC endpoints). This API is running as an app service in Azure and everything is working correctly.
Is there a way to configure the network access restrictions so that I can use the firewall to restrict calls that are not coming from Azure AD B2C based on IP address?
I would even accept the ability to restrict IP addresses to only those of Azure resources. I don't want to expose this web API to the entire internet, but currently adding any IP restrictions to the app service prevents Azure AD B2C from being able to access the API.

Related

Restrict Frontdoor url only for office network or setup basic auth on storage blob service

This is our setup so far.
1) On production, we are hosting static web pages through an Azure storage account, and we have configured it on Front Door with a custom DNS.
We have a requirement such that a few of the static web page URLs should ask for basic authentication in the browser.
We have configured this in the Front Door rule set based on URL pattern.
So far, this works fine.
2) Now, the main issue is with replicating the same setup for UAT purposes. Since it's UAT, we cannot expose it globally. It should be accessible only to the people connected to the office network, either directly or through VPN.
If we configure it in Front Door, we have the risk of exposure.
If we do not configure it in Front Door, we can't have the basic auth feature which we set up through the Front Door rule set.
We have explored the WAF (security) policy on Front Door, but we do not have a specific range of IP addresses that can be configured in the WAF custom rule set.
• To block the Front Door URL for the office network without blocking the basic authentication feature for a few web pages on the static website URL, you should configure a conditional access policy for this purpose.
To configure the conditional access policy for all the Azure AD users connecting from your office network, you will have to ensure that you have Azure AD Premium P2 licenses available and that the devices through which users are connecting to the office network are joined/registered with Azure AD.
Please refer to the below snapshots explaining the configuration of Azure AD conditional access policy for this purpose: -
Thus, in the above way, you can block the Front Door URL from being accessed by people in the office network. You can also configure named locations in this policy accordingly to block access from these locations based on trusted IP ranges, an added layer of authentication and country-based locations too, as shown above.
For more information, kindly refer to the below link: -
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-location

How to allow external users to access an on-premises app configured with Azure App Proxy and SAML SSO

I have configured an on-premises app with Azure App Proxy and SAML SSO.
I'm able to access the application using the application's user access URL. I have assigned my organization's Azure AD group to the on-premises application, so all users in that group are able to access the application.
Now, I want to allow external users (gmail, hotmail, yahoo etc.) access to the application.
I have a large list of external users who need access to the application.
How can I provide access to all external users for my application?
You could use Azure Active Directory - B2C. This allows external users to use their preferred social, enterprise, or local account identities to get single sign-on access to your applications and APIs. Refer to the official documentation https://learn.microsoft.com/en-us/azure/active-directory-b2c/overview

Provide App service security in Azure solutions

I have a ClickOnce Windows application which already has authentication and authorization built in. Earlier I used to deploy it on a physical server and share the location with users so that they could install it and use it. But now we have decided to deploy it on an Azure PaaS service (App Service). But currently the URL is getting accessed by anyone, which I want to restrict. Currently my organization's AD is not synced with Azure AD, so I am not able to use Azure AD for authentication.
Kindly provide some better solutions other than restricting users based on IP.
If it's a file download you can put it on Azure Blob storage for download and generate short-time SAS tokens.
While IP address restrictions and Azure AD authentication would be one efficient approach for your scenario, since you do not want to go that route (due to environment limitations), if you wish you could authenticate users with a specified provider (Microsoft Account, Facebook, Google, Twitter or any OpenID Connect provider). App Service provides built-in authentication and authorization support, so you can sign in users and access data by writing minimal or no code.
App Service uses federated identity, in which a third-party identity provider manages the user identities and authentication flow for you. You can also use multiple sign-in providers.
So the simple process could be:
The option is Log in with . App Service redirects all anonymous requests to /.auth/login/<provider> for the provider you choose. If the anonymous request comes from a native mobile app, the returned response is an HTTP 401 Unauthorized.
Kindly check out the step-by-step instructions on the process/workflow:
Configure your App Service or Azure Functions app to use Microsoft Account login
If your web app is on a VNet, you can have service endpoints enabled for Microsoft.Web through access restrictions.
See: Advanced usage of authentication and authorization in Azure App Service

Is it possible to connect to on-prem API through Azure AD Application Proxy without interactive user login?

I'd like to connect to an on-prem API from an external cloud service using the Azure AD Application Proxy. I can connect and use the API by logging in with my Azure AD user in a browser, but would like a code-based login to use from my external service.
I've been digging through various articles the last couple of days, and it seems not to be possible without an Azure AD user interactive login. I am able to create an AD user for this service only if needed, but handling the interactive login from code or even through Postman seems troublesome.
Can someone point me in the right direction to solve this cloud-service to on-prem app problem? (Unfortunately, I can't move the on-prem app to Azure.)
EDIT: I'll be looking at using the pass-through option in the app registration, which means I need to handle the authentication and security in my API.
Perhaps you could consider using an on-premises data gateway instead, but it depends on where your external cloud service is hosted.
https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-gateway-install
Essentially, if your external cloud service is completely outside your environment and your control, the data gateway can still be used: you can expose a Logic App as a facade that integrates with the on-premises data gateway. The external cloud service can then call the Logic App to trigger the request, which can be secured by other means, e.g. a SAS key.

Azure AD connect and Azure ADFS

What are Azure AD Connect and Azure ADFS? This is what I have understood: Azure ADFS is exposing on-premises AD to the Azure cloud, and Azure AD Connect is the means to do that. Am I right?
We need to build an application which needs to authenticate users from different clients' AD. They may or may not have exposed their AD to Azure. Can someone please guide me on how this problem can be solved?
Azure ADFS is exposing on-premises AD to the Azure cloud, and Azure AD Connect is the means to do that.
As of now, the way Azure ADFS works, it essentially provides a way for a company to use AD and ADFS services without having to deploy them themselves. Just like how Azure Web App will allow you to have a web server without having your own.
Unfortunately, it does not actually connect or integrate or expose your on-premises AD. If you want your clients to authenticate against multiple IDs, you do it the old-fashioned way, by connecting to the on-premises AD directly. You cannot actually route it through Azure.
One thing which you can do (this will be a huge endeavour) is to move the on-premises AD to the Azure cloud, which can be done using Azure VMs. That would allow your client to get rid of their on-premises AD and use the Azure cloud for everything.