Right way to register Enterprise App in Azure - azure

Can someone describe to me the differences in registering Enterprise Applications via:
• Application Registration Portal (https://apps.dev.microsoft.com)
• Azure Portal (https://portal.azure.com, Home -> Azure Active Directory -> Enterprise Applications)
• Azure AAD Portal (https://aad.portal.azure.com)
Perhaps there are even others that you may know of.

The application registered in the Application Registration Portal is the v2.0 application, which supports both Azure AD & Microsoft Accounts. Works with MSAL & most 3rd party OAuth/OIDC libraries. Can call the Microsoft Graph, and your own web API with ID tokens. If you register an application using a personal Microsoft account, the application won't be visible in Azure Active Directory. For more details, you can refer to here.
While the application registered in the Azure Portal is the v1.0 application, which only supports sign in with Azure AD accounts. Can call the Microsoft Graph, other Microsoft resources, your own web API. For more details, take a look at the doc.
There's a doc describing the difference between the two endpoints.
As far as I know, the application registration is almost the same in the Azure Portal and Azure AAD Portal.
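
The v1.0 / v2.0 distinction in the answer above is visible in the ID token itself: the `ver`, `iss` and `tid` claims differ per endpoint, and personal Microsoft accounts arrive under one fixed tenant id. The following is an added example, not code from the post or from Microsoft; the function names and the sample tenant id are assumptions, and the claims are assumed to come from a token whose signature, expiry and audience a JWT library has already verified.

```python
# Added example: inspect the claims of an ID token that a JWT library has
# ALREADY verified (signature, expiry, audience). Nothing here checks a signature.

# Tenant id Microsoft uses in tokens for personal Microsoft accounts.
MSA_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad"


def endpoint_version(claims):
    """Return '1.0' or '2.0', requiring ver, tid and iss to agree."""
    ver, tid, iss = claims.get("ver"), claims.get("tid"), claims.get("iss")
    if not tid:
        raise ValueError("tid claim missing")
    expected_iss = {
        "1.0": f"https://sts.windows.net/{tid}/",
        "2.0": f"https://login.microsoftonline.com/{tid}/v2.0",
    }
    if ver not in expected_iss:
        raise ValueError(f"unexpected ver claim: {ver!r}")
    if iss != expected_iss[ver]:
        raise ValueError("iss does not match the ver and tid claims")
    return ver


def account_type(claims):
    """'personal' for a Microsoft account, 'organizational' for Azure AD."""
    endpoint_version(claims)  # reject inconsistent claims first
    return "personal" if claims["tid"].lower() == MSA_TENANT_ID else "organizational"


def require_organizational(claims, allowed_tenants=None):
    """Raise PermissionError unless the user is from an (allowed) Azure AD tenant."""
    if account_type(claims) != "organizational":
        raise PermissionError("personal Microsoft accounts are not accepted")
    if allowed_tenants is not None and claims["tid"].lower() not in allowed_tenants:
        raise PermissionError("tenant is not on the allow-list")
    return claims["tid"].lower()


# Constructed sample claims (ORG_TID is a made-up tenant id).
ORG_TID = "11111111-2222-3333-4444-555555555555"
V1_ORG = {"ver": "1.0", "tid": ORG_TID, "iss": f"https://sts.windows.net/{ORG_TID}/"}
V2_ORG = {"ver": "2.0", "tid": ORG_TID,
          "iss": f"https://login.microsoftonline.com/{ORG_TID}/v2.0"}
V2_MSA = {"ver": "2.0", "tid": MSA_TENANT_ID,
          "iss": f"https://login.microsoftonline.com/{MSA_TENANT_ID}/v2.0"}

if __name__ == "__main__":
    for name, c in (("v1 org", V1_ORG), ("v2 org", V2_ORG), ("v2 MSA", V2_MSA)):
        print(name, endpoint_version(c), account_type(c))
```

A v2.0 app that accepts both account types and skips the tenant check will admit any personal Microsoft account, so the check belongs in the API, not only in the sign-in UI.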

Related

Migrate Applications with ADFS Activity Report to actual application

Using the ADFS activity report to migrate our applications to AAD. Everything shows as Ready.
But how do you import the ADFS configuration into a new enterprise application?
Or do you need to create everything from scratch?
You can find the image below for your reference; it shows the ‘Dropbox’ application as ready for migration from ADFS to Azure AD:
• You don’t need to import the ADFS configuration into a new Enterprise application for ‘Dropbox’, as its application federation configuration is already imported and made available to Azure AD users for smooth SSO authentication in the Enterprise application gallery. The image you posted regarding the Dropbox application import into Azure from ADFS confirms that Dropbox is available for migration in Azure AD and that its related setup is a matter of a few clicks and configurations.
• Also, the message in the image you posted is only displayed for applications that are readily available in Azure AD Enterprise applications, not for legacy applications (applications that are not SaaS apps and need to be set up manually in Azure AD enterprise applications as a non-gallery app). When ADFS Health Connect communicates with Azure AD and syncs the relying party trust information from the on-premises ADFS server, Azure AD compares it with the ready, available and integrated SaaS applications in its gallery that can be provisioned in the respective Azure AD tenant through the ‘create’ option. Similarly, when you provision/create the ‘Dropbox’ SaaS application from the Enterprise application gallery, it detects automatically through the ADFS Health Connect activity report that ‘Dropbox’ is configured as a federated RPT in the synced on-premises ADFS server and asks the user to migrate it to Azure AD.
For more detailed information on migrating the Dropbox application from ADFS to Azure AD, please refer to the link below, which discusses setting up SSO authentication through SAML in Azure AD.
https://www.youtube.com/watch?v=OThlTA239lU

Restrict Azure B2C to organizational accounts

I have two separate web applications, one built with .NET Framework and the other built with .NET Core. Both web applications make up one solution which we ship to our customers. The solution itself is a SaaS subscription-based solution, where users would be able to sign up using either a Microsoft/Office 365, GSuite, or organizational account (basic username/password). We would like to restrict sign-up to organizational/business accounts only.
As I understood, Azure B2B is mainly useful when you have something internal and you would like to give external users some limited access to it. Given that I have a multi-tenant SaaS solution, I believe that Azure B2C makes more sense.
Furthermore, in our solution, we would also want the ability for external users to access Tabular Models in Azure Analysis Services and SSRS.
Is access to only organizational accounts something that can be configured through Azure AD B2C?
Can access be granted to external users to Azure Analysis Services or other Azure tools when using Azure B2C?
You have two options.
Option 1: use the Azure AD External Identities solution (recommended).
You can use the newly released self-service sign-up solution in Azure AD External Identities. You can very well restrict sign-up to other Azure AD accounts only. However, for sign-up using other federation systems, you need to try it out. I think as of today only Google and Facebook are supported apart from Azure AD.
Option 2: use Azure AD B2C and use app-only authentication.
Azure AD B2C consumer accounts are by default not supported by Azure services or Office. But you can use app-based authentication to provide these services. Your client app will call your backend API using the Azure AD B2C token. Your backend app can perform all auth validations and then call the backend Azure or any other service using app-only authentication mode.

How to make apps from MS app reg portal show up in my Azure AD?

I'm trying to start working with the v2.0 endpoint. I registered my web app in the new Application registration portal, but I cannot find it anywhere in my Azure AD. Should I not be able to see it there?
I tried creating an app both with my work Azure account and with an account I created specifically in the tenant. Neither works. Am I missing something?
You could find it under Azure Active Directory-->Enterprise applications-->All applications.
But you can only see Azure AD-only applications. Currently, converged applications cannot be seen in the Azure Portal; please refer to this feedback.
Update from comment:
The blade enterprise applications represents service principals in the AAD tenant, not applications. Once you sign into the app & consent or manually provision a service principal, you'll see it in this list.

Microsoft APIs authorizations management with App Registration Portal

When I create an application through the Azure AD admin portal and go into "application registrations", I can manage authorizations for several APIs (Graph, SharePoint Online, Skype for Business Online, Power BI, OneNote...).
However, when I create an application using the Microsoft Application Registration Portal, it seems only possible to add Graph API authorizations (User.Read, etc.).
Is it possible to use the Microsoft Application Registration Portal to manage application access for APIs other than Graph?
The App Reg Portal is the portal for registering Azure AD v2.0 apps (combines Microsoft Accounts + Azure AD Accounts behind 1 endpoint). Right now, v2 does not support getting access tokens for web APIs other than Graph.
The feature set on v2.0 will continue to expand, and in parallel the portal will expose these supported features (including APIs other than Graph).

How to implement SSO in azure developer service

We have an API, and we are planning to publish this API in the Azure marketplace under developer service. For authentication, we are planning to use developer service SSO (Single sign-on) in the API. I googled this but can't find any useful link; please suggest some links.
Azure AD B2C became generally available recently and it somehow offers what you are looking for. You can use local Azure identity and/or social account for your end users to authenticate with SSO support.
https://azure.microsoft.com/en-us/services/active-directory-b2c/
With that being said and although you can secure your Web API with AAD b2C as in this guide, your customers won't be able to call this WebAPI from their own applications as the calling app must be registered in the same Azure AD directory with the same application Id. This is a limitation that is mentioned here:
Note:
Azure AD B2C currently supports only web APIs that are accessed
by their own well-known clients. For instance, your complete app may
include an iOS app, an Android app, and a back-end web API. This
architecture is fully supported. Allowing a partner client, such as
another iOS app, to access the same web API is not currently
supported. All of the components of your complete app must share a
single application ID.
If the above limitation is OK with you, then you might also be interested in this Azure article to list your app in the Azure AD application gallery.
