How to configure Azure AAD Connect to synch with OpenLDAP - azure

I am trying to set up AAD Connect to synchronise our in-house LDAP user directory with the Azure AAD. Documentation says to use AAD Connect, and that while Microsoft would (of course) prefer you have Active Directory locally to link to, it should also work with an SQL or LDAP backend, though the only instructions I can find are a year out of date. In any case, we are a linux house and do not have AD internally.
Possibly I need an older version of AAD Connect (1.1.649?) but am unable to find this anywhere.
Does anyone have any instructions on how we can configure AAD Connect to work with anything but a local Active Directory?
I have seen this blog posting, but it does not match the current AD Connect software. https://blog.kloud.com.au/2017/11/03/generic-ldap-connector-for-azure-ad-connect/

There is a trick to doing this.
Install local Active Directory
Install AADConnect linking to local AD and Azure AD
When install has completed, run the ADConnect Synchronisation Service (UIShell) configuration app
This then allows you to define an LDAP connector, and remove the unnecessary local AD one
Now you need to define rules using the Synchronisation Rules Editor to trigger updates, creates or deletes
Now you need to set up profiles in the Synchronisation Service for Full Import and for Sync on each source.
This is not trivial but there is more information here: https://learn.microsoft.com/en-us/microsoft-identity-manager/reference/microsoft-identity-manager-2016-connector-genericldap
Don't run the install wizard as it only allows you to configure replication to a local AD, which is pointless as you can set up federation in this case.

An alternative, now available, is to install the AAD Domain Services object in Azure. This is, in effect, AD+ADConnect in a managed box, and will give you an LDAP endpoint to AD. You can then use LDAP replication of some sort to synchronise this with your local LDAP, or else use it directly for authnz.
Drawbacks are that is is, of course AD LDAP and has a strange structure; and the LDAP password synch only happens when the passwords are updated in AAD. And you cant extend the schema locally. However it may be enough if authentication and groups are all that is required.

Related

Local ASP Core 3.1 MVC App with Microsoft Authentication - Single Tenant or Multi Tenant

Some background, I am deploying a local ASP Core 3.1 MVC Application within our companies internal network. Currently working on it in a local dev environment, but will eventually run on a linux system where the URL is routed through our DNS server and given a nicer looking url than the plain IP Address. Our organization uses Azure AD and all our employees have microsoft accounts. I am trying to only allow logins via Microsoft accounts. I have followed the Quickstart guide within the Azure Portal, but am now getting the following error : "AADSTS50194 ... not configured as a multi-tenant application. Usage of the /common endpoint is not supported for such applications created after '10/15/2018'. Use a tenant-specific endpoint or configure the application to be multi-tenant"
The guides did not mention anything about configuring endpoints as far as I could see. I currently have it set to single tenant as it seems like it will only allow accounts that follow this format, employeesname#mycompany.com. The mycompany.com is the domain we own.
This app will service multiple users concurrently, but we only want our own employees to have access, no guests or exceptions.
Questions:
Is there a reason why I should use multi-tenancy, or is single-tenancy ok? If single tenancy, how do I go about configuring the endpoint?
I am new to 3.1 and the example project from Microsoft is 2.1 (I see where they seem to be configuring endpoints here, but not sure how to update this to 3.1)
So after moving back and forth between attempts in the Startup.cs file
services.AddAuthentication().AddMicrosoftAccount(microsoftOptions => {
microsoftOptions.ClientId = Configuration["Authentication:Microsoft:ClientId"];
microsoftOptions.ClientSecret = Configuration["Authentication:Microsoft:ClientSecret"];
//microsoftOptions.CallbackPath = "/signin-microsoft";
});
I settled with the above. I changed to multi tenant because the more restrictive pages will be granted manually so if someone manages to login inside our network, with their personal MS account, it wont make much of a difference
just be sure to use this in your layout file (or any razor views):
#if (User.Identity.IsAuthenticated)
to see if a user has authenticated correctly

Node.js - Google Cloud application for production

I made a simple Node.js application that is using Google Cloud's Speech to Text API.
I could successfully authenticate locally, but how do I authenticate in production while keeping the credentials privates?
P.S. My application is not using any other server than Google's servers.
The credentials necessary for making client calls are based on a strategy called Application Default Credentials. These can be found through an environment variable called GOOGLE_APPLICATION_CREDENTIALS if the variable is present. If the the variable is not set, then the default credentials can be used. The following article provides detailed guidance on this topic:
Setting Up Authentication for Server to Server Production Applications
If your client is running outside of Google on your own premises (and hence not in a Compute Engine or GKE cluster) then the thinking will likely be that the credentials are contained in a file that is itself content protected by local OS access permissions. For example, contained in a file which has read permission restricted to either the user that runs your application or group that the user is a member of.
You need to be more specific to get more accurate answers
====================
OK, it's all about how you control the permission of your service account and there is a note in that page: "If you are developing a production app, specify more granular permissions than Project > Owner. For more information, see granting roles to service accounts."
You should use a specific service account needed to use this service. I don't have the particular role name(something like AutoML Viewer or Editor), and you need to test a minimum workable role in your Dev ENV.
After which, you can deploy your service into PROD and make sure the key with a 0400 file. So more or less the account can use limited service as expected

How to enforce Azure AD authentication on IIS server level

Is there any possibility to configure IIS server to enforce Azure Active Directory authentication in hosted application? I don't want to apply any changes to app's code, it would be great to provide this authentication only on server level/layer (configuration IIS). Is this even possible?
EDIT
I have situation like this:
Have many applications from a customers. Have Azure AD and users added there. I need to provide Azure AD authentication to these applications. Moreover, i shouldn't do anything with code of these applications so i thought that i can try to enforce authentication not on application level but on server level. I've been searching informations about possibility of this method but can't find any (only application scenarios supported by Azure AD https://azure.microsoft.com/pl-pl/documentation/articles/active-directory-authentication-scenarios/ ). The only thing i have found is Azure Multi-Factor Authentication but i don't think it is helpful.
We tried to find it, and all that i have found that there is no possibility to enforce AAD authenticatoin on the IIS level and that it should be set up on the application layer which is actually the only one recommended and described process on the sites and in the AAD-related articles. I would say, that it can be even hard from a technological standpoint.
Reference 1
Reference 2

DirSync a must for AD FS on Azure

Is DirSync a must for AD FS hosted on Azure Virtual Machines?
I keep reading Azure solution with DirSync. Is it absolutely impossible to federate directly without syncing active directory.
I am looking to implement Federated Web SSO on Azure, it would be a huge set back having to sync client Active Directories.
Yes, you will need DirSync for AD FS to function properly with Azure. What's the setback, specifically? The only real caveat I can find is a 300,000 object limit, not sure if that's per domain but it seems they're open to lifting the limit if you contact support.
If it's the setup you're concerned about, it's pretty basic. You will likely need clients to provision a VM, but that's not crazy talk or anything. Here's a few (short) TechNet articles to walk you through it:
Prepare for directory synchronization
Active directory synchronization
Install or upgrade the Directory Sync tool
Synchronize your directories

how to write a cloud-based Active directory .NET application

I work for a network management company and I want to write a .Net application (MVC 4) that will allow us to service Active Directory users from a cloud-based application.
As I have never written a cloud-based app, I don't know if I'm using that term correctly or not. I am in the requirements gathering stage. Basically, I'd like to provide our customers with the ability, for example, to change their own password using our cloud-based application.
is this an application that should be written specifically using Azure? If not, what tools and platform(s) should I take into consideration?
What tutorials or other resources are available ?
Actually, I don't even know enough about Active Directory and Cloud computing to ask the right questions. But, I hope someone will point me in the right direction
Read How to Authenticate Web Users with Windows Azure Active Directory Access Control. There are great walk-throughs there. There is more reading and code samples here - Access Control Service 2.0.
That's using ACS.
You could go direct to Azure Active Directory if you wished?
Refer: Adding Sign-On to Your Web Application Using Windows Azure AD.
If you use Office 365, you already have an AAD tenant.

Resources