I have a "hub and spoke" model for a single ASP.NET Core website, and several "spoke APIs" that are located in N other AzureAD tenants.
... which calls API Apps located in other tenants ...
My goal is to have this "hub" website use incremental consent with external partners that align with the scenario: Protected AzureAD API calling another Protected API. The key difference in my situation is that the second API is located in another tenant, managed by another administrator whom I don't know. (should I beware of dragons? If so what are they?)
Since I need to use the On-Behalf-Of flow to access these external websites, the website becomes a trusted client. The AAD samples include only Desktop and SPA trusted client apps for this scenario (sample1, sample2)
Question
Is this a supported scenario? (Tenants offering services to other Tenants)
What is the preferred way to share API Scopes, Permissions, and other GUID/Identifiers?
In the v2 Endpoint, are both Personal and AAD accounts supported?
How would I translate Tenant GUIDs for scopes and other contents in the app Manifest into a display name?
Is this a supported scenario? (Tenants offering services to other
Tenants)
Yes, this is supported. If you are have a webapi in A tenant(webapi A), and want to access webapi in B tenant(webapi B must be multi-tenant application), the webapi B must exist in A tenant under Enterprise applications(Someone in A tenant ever logged in webapi B).
In the v2 Endpoint, are both Personal and AAD accounts supported?
Yes, V2 endpoint supports both Personal and AAD accounts.
Related
I have a simple Azure App Service that exposes two REST endpoints. Is it possible to set up an authentication scheme so that each endpoint can only be accessed by a specific group of Azure AD users?
Endpoint A (HTTP/GET) <- Accessible by User Group A
Endpoint B (HTTP/POST) <- Accessible by User Group B
If not by configuration, is it possible to do this programmatically?
Thanks in advance.
The short answer: yes, that is possible.
The longer answer: this is not something that can be done with a single configuration setting or one line of code. The exact steps depend on the language you used to write the API.
In general, you need to add AAD authentication to the application. Make sure the token you're getting from AAD includes security groups in its claims. Then, add authorization based on the security groups in those claims.
For ASP.NET, here's are two great articles:
Quickstart: Protect an ASP.NET Core web API with the Microsoft identity platform
Add authorization using groups & group claims to an ASP.NET Core Web app that signs-in users with the Microsoft identity platform
Interesting links:
Microsoft Identity Platform
Microsoft Authentication Library (MSAL)
I've done some reading in regards to Azure AD, but I still can't wrap my head around it. The confusion might be there also because of how my company tries to standarize how a azure project should look like.
Imagine I have two things: SPA app (served by App Service) and API (on this App Service, ASP.NET). The approach that the company is suggesting is that both of those should have their App Registrations.
Now, I'd like the API to have access to Ms Graph. In order to do that, looking at other projects, I updated my AppRegistration to request for Ms Graph roles, Admin gave consent, and in API I used ConfidentialClient to reuse my Client Id/Secret to get token and then access MsGraph.
Why the hustle? Why not just use Managed Identity of my API and grant needed permissions using New-AzureAdServiceAppRoleAssignment?
Why do I need App Registration here? Do I need both? Should I access Ms Graph using my App Registration and confidential client in my API? How does my App Service relate to my App Registration in code?
Let's take a step back and define a few things that will make things easy to understand:
Your app service: this is just a compute environment, just as Azure Functions, Logic apps or VMs. This is where your code executes.
Azure AD App registration: this is an identity that you can use in your code to identify your service and get access to resources you need. The Azure AD app registration has several capabilities:
build an app in one tenant and used in multiple tenants (multi-tenant app)
consent framework, allowing you to request permissions and the owner to grant it
define roles and permissions, so that you can configure who is allowed to call your API
3-legged OAuth flows which allows you to act on behalf of the user
confidential client flows which allow the app to act on its own (like a service account)
Azure Managed Identities: this is also an identity that you can use to identify your service and get access to resources you need. It only has a subset of the capabilities of Azure AD app.
confidential client flow which allows the identity to act on its own (like a service account)
credentials managed for you by the platform
Depending on what you are trying to do, you can use one or the other identity: rarely if ever you will need both.
In your case, you need an identity to act on its own. So either app registration or managed identity will work. Your API may benefit from using an app registration if you want to define roles and permissions. The primary advantage of using an app registration in your scenario is that the consent model is simpler to use and understand. The disadvantage is that you need to manage credentials for the app. This pro/con is reversed when using a managed identity.
You don’t need both at a time. These are two ways to get the access of MS graph for your API. They are used for different purpose.
Managed Identity (Using System Identity)
· Use the Managed Identity if you don’t require your API to be authenticate from any provider.
· A managed identity from Azure Active Directory allows App Service to access resources through role-based access control (RBAC), without requiring app credentials
· It known as safe way to give your web app access to data is to use a system-assigned managed identity
· Currently, there's no option to assign any permissions(MS graph) through the Azure portal for Managed Identity
· When we do Manged Identity of any application its show only for Enterprise application.
Reference : Tutorial - Web app accesses Microsoft Graph as the app - Azure App Service | Microsoft Docs
App Registration.
· To set the authentication and authorization of your app from different provider its need your app registration id.
· It’s required to configure a service and get a token from the Microsoft identity platform endpoint that service can use to call Microsoft Graph under its own identity.
·In this using portal you can add permission (MS Graph) for your application.
Reference : https://learn.microsoft.com/en-us/graph/auth-v2-service
We are looking for Authentication methods for a Multi-Tenant SaaS application. We have been exploring Azure B2C but have not been able to provide suitable user to organization (Tenant) management.
We are exploring options like;
Microsoft's Azure AD B2C or an alternate service
B2C's Multi Tenant support to provide user/data segregation by Tenant (or Organization)
Environment;
We are using .Net Core 2 for the application and api's
We will have native phone applications that use the api's
Must use a common login service for all applications (Phones and Web)
What we need to do;
Authenticate Users
The first user for an Organization(Tenant) would;
create the organization
sent invitations to their organization's users
Subsequent users would take the invitation link
create an account joined to the organization using
Email/Username and Password
or connect a Social account to the invitation
or other services supplied by Azure AD B2C like another Azure AD
From the login service return a JWT Token
Needs to include the Organization to secure organization data
the JWT needs to be passed to child API's
Child API's will need to validate the token without external calls
Any ideas, sample applications or alternate products ideas are appreciated.
We did find http://identityserver.io/
A quick summary from their website;
The Open Source OpenID Connect and OAuth 2.0 framework for .NET.
IdentityServer is OpenID Certified and part of the .NET Foundation.
We are currently exploring this, and wanted to add this as a possible solution to the question.
my question is similar to question Multi-Tenant app - OneDrive Business API
but i want my application to access the one drive from tenants of other different azure subscription, is it possible? i understood that if i register my application and mark it as multi-tenant, it will allow me access the tenant in my azure subscription, but if i want to access the tenant using the same application but in different azure subscription whats the way.
What’s kind of authentication flow are you using? Normally, we use the Authorization Code Grant Flow that the user delegates access to a web application. In this scenario, to enables the users on other tenants to login the website and access their Office 365 resource, we only need to enable the multiple-tenant app on the Azure portal.
but if i want to access the tenant using the same application but in different azure subscription whats the way.
It depends on which REST you were using. It is same as we are call the REST API for the single tenant app if we are using the Microsoft Graph to query the OneDrive for business. The endpoint of the list children of a driveItem is still like below no matter which tenant the user login:
GET https://graph.microsoft.com/v1.0/me/drive/root/children
GET https://graph.microsoft.com/v1.0/me/drive/items/{item-id}/children
GET https://graph.microsoft.com/v1.0/me/drive/root:/{item-path}:/children
If you were using the Office 365 REST API, we need to discover the service endpoint. You can refer to here for more detail about Office 365 Discovery Service REST API.
Depending on the permissions that you need normally the tenant admin of the other tenant has to add the application to their own Azure AD. With the newer app model v2 this is quite a lot easier as the admin can simply give consent once in the normal consent screen for the entire tenant. See here for a mor elaborate explanation of how this would work.
I have the following services
Service1.SomeDomain.com
Service2.SomeDomain.com
Service3.SomeDomain.com
I have a Web application that has a client side script that will talk directly to each of the above services to retrieve information
Web.SomeDomain.com
I also have Native Mobile client applications which also will talk directly to each of the above services
Android
IOS
Windows/Windows Phone
Now this application will be a SaaS solution where customers can sign-up online create their own tenant and then create user accounts for there employees and add the employees to groups and change permissions of those groups.
Now i need a solution that a user can log on to a mobile application or Web and it be allowed to gain access to the above mentioned services depending on there groups permissions, but i want strong separation of each tenant
Looking at the tags it seems you are considering Azure AD. Good choice. Azure AD allows developers to secure their SAAS APIs and Web/Mobile Apps. Azure AD satisfies all the requirements that you've described - it even has client SDKs for the popular platforms.
The following should see you through:
Authentication scenarios supported by AAD (http://msdn.microsoft.com/en-us/library/azure/dn499820.aspx): will answer questions like - how can my mobile app access my multi-tenant web api on behalf of the user, or how can my web app sign-in the user as well as receive a delegated token to access my web api
AAD integrated multi-tenant SAAS application sample (https://github.com/AzureADSamples/WebApp-MultiTenant-OpenIdConnect-DotNet): covers special techniques for multi-tenant apps
Authorization using group membership (https://azure.microsoft.com/en-us/documentation/articles/web-sites-authentication-authorization/): describes how you can perform authorization in your application per the group membership of users.
Enjoy.
Hope this helps.