I have four Azure AppServices which are complete independent applications. I want to provide a kind of a portal that aggregates those four. When a user logs in he sees all applications he has access to depending on his scope. From the portal he can navigate to the other applications and do the user management stuff like adding new users and grant access to a specific application.
Is the picture above a good pattern to do it?
If I would start from scratch, what would be a better idea?
App services don't have access to different app's directories, so I do not think this is possible.
Your best bet might be to make a feature request to the product team on User Voice. https://feedback.azure.com/forums/169401-azure-active-directory
Related
I would like to understand if I can use Azure AD authentication for our enterprise application. Basically we have a service that manages component data for several thousand product teams in my company. The requirement is team A can only view their data. According to https://www.youtube.com/watch?v=59YwW8FrLm8, we can create custom roles in an Azure app and assign them to different client apps. My concern is that is there a limit on how many roles we can create in the app? We have several thousand product teams to support. Also, is there any performance impact on large number of custom roles in an app?
The bigger question is if we should utilize Azure OIDC to do this authorization. Is this something that we are better off writing our own authorization logic?
Confirmed that by default, it is 5000.
As explained here, you have to register your FHIR API with Azure AD in order to make calls to the API.
Azure AD is free for Single Sign-On for up to 10 apps: https://azure.microsoft.com/en-us/pricing/details/active-directory/
Q: Given a scenario where I have more than 10 FHIR APIs accessed through a single Web platform by multiple users, do I need to assign an account for each actor and pay $6 user/month(Premium P1)?
Or could I have a single account that is used to make calls to the APIs and authenticate the actors through another method? If you have hundreds of users it is pretty expensive to pay 6$ for each just for authentication.
Do I understand Azure AD correctly? Is there any other better method?
Answer: No. It's very likely you can get away with less than 10 app registrations without losing the ability to authorize each individual user. The only limit you should be worried about is the 500,000 object limit.
Explanation:
The concept of App Registration is well explained here, and I won't make an attempt to do a better job.
The key thing in the context of this question is that you can use the same App Registration with as many "applications" as you want. The only consequence is that you won't be able to assign different permissions to each of those applications.
From your question is not very clear what "10 APIs" mean.
In the simplest case, you have 10 different endpoints hosted under the same application, in which case the solution is trivial: use a single app registration with as many "app roles" as necessary to control access as granularly as you need/supported by FHIR.
Worst case, you have 10 applications hosted independently, in which case you can still use the app manifest to create as many app roles as necessary, most likely using some prefixing: app1_admin, app1_readonly, app2_readonly, etc. Then use those app roles to grant permissions to your endpoints.
See this documentation about how to create app roles in your app manifest.
A picture is worth more than a thousand words. This one should illustrate how you can use the same App Registration for as many applications as you wish.
I have a business requirement where Azure Subscription owner will Provision User Groups like Infrastructure Admin, Billing Admin, Enterprise Users. Ifra Admin people should login to this Portal & can only see options related to Infra provisioning. Billing Admin people should have access to Azure usage Enterprise wide - And they should be able to generate bills for respective teams(which are part of the organization). Enterprise Users are those who want to procure azure storage, VMs etc. and they want estimate cost for required infra.
I am looking out for a solution/approach for this requirement. If Azure Portal is already providing this feature then please provide me reference material. If i should build new custom Web application which internally use Azure APIs then let me know about that option as well.
If there are any products which already doing this even am open for that.
Deeply appreciating your help. Thanks a lot :)
Vishal.
Let me answer by breaking your question in 2 parts:
Managing Users - This is something you can do today in Azure. Some time ago, Azure announced Role-based access control (RBAC) and that fits the bill nicely for you as far as managing users and granting them permissions to do things. So in your scenario, the owner will create users and groups in Azure Active Directory and then put these users and groups in appropriate roles. When a user or a group member tries to manage the resources (either by logging into the portal or using other tools like Azure PowerShell Cmdlets), they will only be able to do things the role they are in allows.
Managing Billing - Though Azure Portal exposes the billing functionality (and there's a billing/usage REST API), it does not have the capability you're looking for. What you would need to do is look for ITFM (IT Financial Management) Systems that has support for Azure. Off the top of my head, two tools come to my mind - Cloudyn & Cloud Cruiser. You can learn more about it here: https://azure.microsoft.com/en-in/documentation/articles/billing-usage-rate-card-overview/. You could always consume the Billing/Usage REST API to create a solution of your own. If you're writing your own solution, you may want to check out Billing Samples on GitHub.
I know it is possible to add co-administrators to my subscription but I can't find any way to add a user space. I mean something that would allow users to see only their own storage and services created within the subscription.
I'm not worried about usage quotas but just would like to separate my users into distinct areas, so they don't interfere with each other.
Is there any way to do/achieve that?
Cheers,
Jacek
Currently in a subscription it is not possible to do so in Windows Azure. One possible solution would be to create separate subscription for each user and make them co-administrator on that subscription so that they will only see that subscription. This will obviously add more management headaches for you.
Again, not a fool-proof solution but when we were developing Azure Management Studio at Cerebrata (Disclosure - I was Founder of Cerebrata though now I'm not associated with it), we came up with something called Profiles. Basically what you do is put some resources (like storage accounts, cloud services etc.) and grant permissions on these resources in a profile and save that profile. You can then distribute this profile file to your user. When they run Azure Management Studio, they can load this profile file and will only see the things you included in that profile file. Again it is very specific to the tool only, is not as comprehensive as it does not include everything that Windows Azure offers and as and when you change storage credentials etc., you would need to regenerate that profile file.
No that is not possible.
The Co-Admins have complete control for the services in the account (non billing) as a whole and all the Services (Storage, Virtual Machine, Websites etc) are equally accessible to every administrator and co-administrator.
I'm developing an Windows Azure web application and I would like to understand if I should use Windows Azure Control Service (ACS) in my Architecture or not. So, my questions are:
Is the Windows Azure Control Service (ACS) a valid option to manage users?
I mean, should I consider it as an "Authentication System" for my application instead of implement my own database (using Membership for example)?
Well "valid" as in it works and is supported, yes! But I'd say the value is more as a way to map identities and claims presented from other identity providers - like Live, Google, etc. - to claims for your application to respond to.
You can certainly set up your own users via the ACS portal, but for a true membership system you want the user to be able to change passwords, profile information, etc. Much of that can be accomplished via the ACS Management REST API but I don't know of any higher level abstractions or framework that you might be able to leverage. It seems like it would be a LOT of work that isn't really a core part of your application.