I'll try to make this as straight-forward as possible.
I have a ASP.NET Web API application running in Azure. I generate JWT tokens for callers, who authenticate with my service by sending in the equivalent of a username and password. Rather than managing my own membership database, I would like to utilize Azure Active Directory. I would then create users in AD.
My question is this: From a web application running in Azure, can I make a simple API call to Azure Active Directory with a username and password and get back a result indicating that the user exists in AD? If so, can you please point me in the right direction that will not eventually lead to a dead-end where I finally discover that it only will work for desktop applications, or some other contrived scenario.
Thanks in advance!
If my understanding is correct, you are looking for an APi so that you can check whether user exist in AD or not. For checking if user exist in Azure AD or not , you can simply use Azure Graph rest api:
for which you can find the reference here:
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-graph-api?redirectedfrom=MSDN
you can simply utilise the below query with right set of filter:
GET https://graph.windows.net/myorganization/users?api-version[&$filter]
Check this link for additional reference:
https://learn.microsoft.com/en-us/previous-versions/azure/ad/graph/api/users-operations#GetUsers
https://forums.asp.net/t/2017251.aspx?Check+if+username+exist+in+Windows+Azure+Active+Directory+C+
Hope it helps.
Related
I am designing my first dev tool with the Azure SDK (JavaScript), and I am having a difficult time understanding how to authenticate users in production so the dev tool can access the user's Azure account. The tool is going to retrieve metrics from all of the user's Azure Functions in their tenant to display React component graphs based on those metrics over time. The app will be run locally with an npm run command.
My entry point for using Azure Identity in my app was this blog post (https://devblogs.microsoft.com/azure-sdk/authentication-and-the-azure-sdk/). I like the way the DefaultAzureCredential is working in development, using the tenant for whichever developer is running it by using the AzureCliCredential. I want a similar functionality for production, but for the browser instead of Azure Cli. In other words, if a user is already logged in to Azure Portal, it will get a credential for their tenant. How do I go about this?
One of the things I tried was opting into the Interactive Browser of the DefaultAzureCredential as described in that blog post. But even though, I could see the browser method in the src (https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/src/credentials/defaultAzureCredential.browser.ts), I couldn't figure how to opt into this when using the actual SDK. I couldn't find that method in the npm package in Azure Identity, and the documentation (https://learn.microsoft.com/en-us/javascript/api/#azure/identity/defaultazurecredentialoptions?view=azure-node-latest) didn't help me either. If this is the correct option for my use case, I would like to understand how to opt into it and use it.
Another thing I tried was implementing the InteractiveBrowserCredential. As long as I pass in a redirectUri with a port not already being used by my app, it did open another tab to tell me to login to the Azure Portal if I am not already logged in. This is exactly the user experience I would want in my app. However, after logging in the credential didn't actually do anything. The credential returned actually has a client Id equal to the application Id (04b07795-8ddb-461a-bbee-02f9e1bf7b46) of Azure CLI (https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in) for some reason. This led me to look into the Interactive Browser Credential and find out that it is using the Authorization Code Flow (https://learn.microsoft.com/en-us/javascript/api/#azure/identity/interactivebrowsercredential?view=azure-node-latest). This flow doesn't seem right for my use case, since I have to register my app. I am not trying to grant users access to my app, but access to their own Azure account. Is InteractiveBrowserCredential what I should be using?
Next, I looked into all of the different authentication flows. None of them seem quite right for my use case though. The closest one I found was the client credentials flow (https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow) since I am authenticating the user to their own Azure account and not my app. However, even this one doesn't seem quite right because when I looked up how to implement that flow with Azure Identity (https://github.com/Azure/azure-sdk-for-js/blob/main/documentation/using-azure-identity.md#clientsecretcredential-and-clientcertificatecredential) I found out that I have to pass in the tenant Id. But the app won't know the user's tenant Id of the user before they log in. Which flow is right for this use case?
It seems like there is a gap in my understanding. How can I use the Azure SDK to implement an authentication flow that authenticates the user to their own Azure tenant (not authenticates them to my app) through the browser?
Thank you ShwetaMathur for answering this question in Q & A. Posting the same here to help Stack Overflow community members.
To access your application by Azure AD users, your application should also need to register in Azure AD.
Once your application is register, you can acquire the access token based on different OAuth flows which is needed to call various resources(Users in your case) or protected API based on your scenario.
Azure Identity TokenCredential provide various flows to obtain an access token based on different scenarios.
InteractiveBrowserCredential is one way to launches the system default browser to interactively authenticate a user and obtain an access token.
Using access token, you can retrieve user’s info or access any other resource in Azure tenant. The InteractiveBrowserCredential uses Authorization Code Flow to authenticate users for browser based applications and to access resources further.
Client credential flow is OAuth flow commonly used for server-to-server interactions that usually run in the background, without immediate interaction with a user and help to acquire the token and call protected web APIs.
Complete reference
I need help determining how to integrate the Azure B2C authentication with the authorization within my app. I got the susi (sign up sign in) user flow working, but I need to do two things. First, I need to validate the alias to ensure no other such alias already exists and I need to add the user to my sql server database to ensure they are available for authorization processes (eg: users can allow other users to view/edit their resources).
I saw this video, which seems to cover what I want to do, but I think I could use some explanation. This article also seems to come close, but it is returning keys from a database as opposed to inserting into a database. That seems like minor change.
It seems like I need to replace the susi user flow with a B2C Identity Experience Framework policy, but I still want the other steps to be completed. I think I should download the susi policy and edit it and upload it to the IEF, but I am not sure.
I previously was trying to capture the events in a web app in the Startup.cs file when configuring the service during the OnTicketReceived event, like this, but this didn't cover mobile apps, so I think the IEF solves for this by including the steps in the flow.
I just want to confirm this is the right way to accomplish what I am looking to accomplish and seeing if anybody has any step by step examples.
It seems like it would be a good tutorial to show starting with a working susi user flow and editing it to add integration with an Azure Function.
Using IEF by calling the REST API will be the right way to accomplish your requirement. During the signup process, execute a restful technical profile which will call an REST API service there you can validate the user existance in your local DB and create the user in the database and proceed the registration process in B2C tenant.
Another approach would be after signing up the user can be created by the service and for the first call, service can insert a claim for itself with new database user Id.
There is a sample showing how to implement RBAC in B2C using security groups. If the role model is very simple, you could also consider attaching them directly to the user object as custom claim.
I would like to try out Microsoft GRAPH API. But as far as I can tell there is no way to test it without App Registration client and tenant id in the Azure Portal. Is this correct? I don't have access to App Registration on Azure so if this is correct then I need to contact admin, which means I need to start a whole long-winded process.
No, this is not possible, to access the graph api, (for a work or student account) there must be an app registration to give you permissions to those endpoints.
It is possible IFF you are just trying to do CRUD operations and other GET requests that doesn't require an admin consent.
You can check the same inside Graph Explorer, for the requests that require your/admin's consent.
You must also consider that the access token gets refreshed when you try to integrate it with any code.
The accepted answer is misleading. This is possible using the Microsoft Graph PowerShell SDK.
Currently I'm working on webapps and its VB code. I need to deploy it into Azure platform but I'm not sure about this 2 things. FYI, system that I developed don't have login page, which is based on current pc login username. So I retrieved current pc login username and check with my database whether current user allowed to use or not. When its in localhost, everything ok, I can retrieve username but when I deployed it to Azure it can't since I need to setup for Azure AD. But I'm a bit confused as my IT global ask me to do some codes to read from Azure AD. How to configure it with codes and also in Azure? Is there any difference between MSAL and SAML? Do I need to setup for both or should I just setup either one? I'm new in this so I don't know much of it. Hopefully someone can help me to solve it as I'm stuck for a month now. Thank you in advance.
P/S: My systems is in VBA codes, not in C# as I can see that many sample/example is in C# codes.
*Link with Azure AD and get user details like username/emails/etc once browse the webapps
SAML is a protocol used for authentication. A more contemporary protocol is OpenId Connect.
MSAL is a library that helps integrate your application with Azure AD.
I'd suggest you start with the Microsoft identity platform (Azure Active Directory for developers) and get yourself familiar with how to integrate your application successfully with Azure AD.
Some of the samples provided on that page teach how to make calls to Microsoft Graph, where you'd be able to get more details about the signed-in user.
I wanted to implement o365 authentication in my current project. my intention is to standardize/centralize the login of employee and the administrative staff of the portal using Microsoft O365 authentication.
I managed to test out some of the sample projects online and it seems a bit confusing cause there are different ways of authenticating.
My ideal implementation is something as the drawing below.
On the API gateway for employee front end portal, I wanted to implement a gateway to verify the Microsoft access_token passed and obtain the (sid / object_id) to cross check with my employee database for function access.
As for the Administrator front end portal, it will be responsible for sync-ing the users front Azure AD daily automatically or the admin trigger the sync manually.
What confuses me was there are several ways to obtain the access_token, some tokens managed to return the info i wanted but I'm not entirely sure if that is the correct implementation.
For the case of verifying and sync-ing users from azure AD, both accepting different access_token in order to get the data/information.
Anyone expert here mind to guide me to the correct path of implementing the design above if not correct the implementation ?