Is it possible to add custom claim to app manifest in Azure AD application registry?
I want to have one end point to manage sso for different apps on different tenats.
So, app should have claim with redirect url, and during user assigment admin should change it to the coresponding app.
This is not the way how you handle redirecting to different URLs. Also because you have to properly form the authorization request by indicating a redirect_url. And how you would know redirect uri, if you do not know who is coming to your site?
Please first read the Application and service principal objects in Azure AD document. It will explain you in details what is an application and what is service principal. And how the two relate. And what it is to be multi tenant application.
After you read the document, you understand now that can only have a single application object. It is also good to pay attention to the Integrating Applications with Azure AD and Multi tenant applications in Azure AD.
You cannot use custom claims to manage redirect uri, because even when you ere able to create a custom claim in app manifest, its value is based on a user property.
The way you should handle this, is to properly handle the admin consent. You could always require an admin consent and, when you handle the admin consent response to your main redirect uri in the form of:
GET http://localhost/myapp/permissions?tenant=a8990e1f-ff32-408a-9f8e-78d3b9139b95&state=state=12345&admin_consent=True
you take a record of the tenant_id and ask the administrator for real redirect_id.
But, at the end of the day, you have to manage all redirect uris in your single app registration in your tenant. Are you sure you want to take that big expenditure. What does really make sense, is to offer a redirect uri which is subdomain of your application.
Thinking out a proper signup flow is really important part of a multi tenant application. Especially if you want custom domains per tenant.
The easiest would be to only have one domain for all tenant and simply redirect to them.
The other one - is to have your own custom signup flow where the user choses a subdomain in your domain and provides admin consent to fix that wish. After you receive the admin consent back (you have encoded the desired custom domain in the state parameter for example) you make the mapping between custom domain and tenant.
Related
I have created an API that is protected by OAuth using an app registration in Azure.
My app registration does not require assignment, but it exposes a number of roles that the underlying API verifies. To my understanding, this accomplishes almost the same thing as requiring approval.
So far I've only had user/group roles but now I've added an application role intended for integrators, and I want other application owners to be able to request permission to my API. I, as the API owner, would like to review these and either reject or consent to the request. E.g. I don't want everyone to be able to access my API within the tenant without my knowledge, just like all users/groups don't have access with me assigning them to a role.
The Role-based access control for application developers documentation makes it very clear who manages access:
...an application developer defines roles rather than authorizing individual users or groups. An administrator can then assign roles to different users and groups to control who has access to content and functionality.
However, if you create a role with allowed member types set to application, things are not quite as clear and it seems to behave more like a scope, where I give up any access management. Also from my limited understanding, a scope is used when the API needs to request data from the user (e.g. wanting to read their username), whereas a role is used for the application developer to control access to what they are developing.
This is what it looks like when I request access to my API from another app:
This same page mentions the following information:
The "Admin consent required" column shows the default value for an organization. However, user consent can be customized per permission, user, or app. This column may not reflect the value in your organization, or in organizations where this app will be used.
As well as:
Applications are authorized to call APIs when they are granted permissions by users/admins as part of the consent process
However, from my reading, it sounds like this never gives me, as the API owner, any insight into who has access to the API I own. I want to control application access the same way I'd assign a group or user to a role in the enterprise application.
Can this be achieved when it's an application on the other end, not a user? If not, how would I allow applications to integrate in a controlled manner?
I want to explain the feature Azure ad provided to protect web api here.
As you know, we usually use a token in the request header to let the api check if the request had correct permission to visit the api. Such as if the request from an allowed user role, right? So to whole progress should be authentication and authorization. Users sign in first then try to generate an access token to visit an api. Azure AD has similar architecture.
If you had a web application(e.g. web mvc app) you can integrate Azure AD into it then you can allow users use their user1#xx.onmicrosoft.com account to sign in. If you had a web api project, you can also integrate Azure ad and add [Authorize] attribute above the controller so that the incoming request should contain a correct Bearer token which we call it access token.
For Azure AD, we usually have 2 options, verification scopes or app roles. That results from the different flows we used to generate the access token. For example, we use auth code flow to sign in users and generate access token containing scp claim which is granted delegated api permissions. And we use client credential flow to let an application to generate access token containg roles claim which representing it's granted application api permissions. In short, when we set [Authorize] + [RequiredScope(scopeRequiredByApi)] in the controller, it allows requests from a user(user sign in the app and call api), when we set [Authorize(Roles = "roleRequiredByApi")], it allows requests from the application(no user signed in and the app call api by itself).
Here scopeRequiredByApi and roleRequiredByApi is what you exposed and then added to App Registration > Permissions. Just like Integrator you marked in the screenshot, it can be recognized as roleRequiredByApi because its type is Application.
And I'm afraid the roles is not what you want but to be honest what I said is what AAD can do for you... And I think the document I mentioned above about verification scopes or app roles will be a good sample for you.
The App Registration > Permissions section has a great feature for reviewing and limiting the access provided for your app registration:
enter link description here
In addition you should always define the scope of your permissions and limit it to the least required for your app. eg. NEVER set scope at the subscription level! Always set it at the resource group or lower.
Also note that Microsoft now provides Defender for APIs and you can use Sentinel to monitor a lot of the activities related to your app registration. Always always enable logging wherever possible and configure some method of alerting/reporting so you can better understand the activities for your app.
I have been looking all around for documentation and information regarding Azure AD multi-tenant applications in regards to who is using my application.
In Azure AD, I created an app registration and chose 'Accounts in any organizational directory (Any Azure AD directory - Multitenant)'. I do not see any way to specify which tenants I do want to allow.
I am using Application Permissions which requires Admin Consent to use the app so a Global Administrator from each tenant would have to grant consent. However, I do not see any way to look into my app and see which tenant granted consent.
Background: I have built an application that does a user directory search across two tenants. Regardless who which user logins in from either tenant, they can search for users across both. I have App Registrations set up in both tenants with client secrets to get access tokens to search each directory.
Since my directory is hosting the app to log in, each tenant needs to grant admin consent to use the app. I am trying to make sure any other tenant outside of our two tenants cannot grant consent and use our app too.
Is there a way to restrict which tenant are allowed to use my app?
Is there a way to look into which tenant did allow my app?
If another org were to get ahold of my client id and grant consent, am I able to do anything to prevent them from using it?
Can I set up notifications if another org grants consent to my app?
Is there a way to restrict which tenant are allowed to use my app?
The only safe way to do this currently is in your app's code. If users are signing in to your app, you do this by verifying that the ID token's issuer corresponds to one of the tenants you do allow. If your app accepts access tokens (i.e. it's an API), you do the same with the access token.
Is there a way to look into which tenant did allow my app?
After the fact, no. If your app was the one that sent the user off to sign-in/consent, then after consent the browser will be sent back to the redirect URL, but there are several situations where consent/access is granted which would not result in that redirect. (Also, you don't want to rely on unprotected query parameters for something approaching access control, as a user count trivially intercept the redirect and change the parameter value.)
If another org were to get ahold of my client id and grant consent, am I able to do anything to prevent them from using it?
Generally speaking, no. In certain situations it's possible to reduce the likelihood of this happening, but if your app is configured as a multi-tenant app, you must assume users from any organization are be able to sign in to it. If you need to restrict which organizations actually so use the app, you need to enforce this in your app's code.
Can I set up notifications if another org grants consent to my app?
No, this isn't possible.
Is there a way to restrict which tenant are allowed to use my app?
You can restrict which tenant is allowed to use your app by specifying the list of tenants in the Restrict-Access-To-Tenants header
Is there a way to look into which tenant did allow my app?
If you want to know the list of tenants/users who have access to your app, you should be user of that particular tenant.
If another org were to get ahold of my client id and grant consent, am
I able to do anything to prevent them from using it?
You can restrict which tenant can have to access to your application by using Restrict-Access-To-Tenants header in your application
Can I set up notifications if another org grants consent to my app?
We cannot receive the notification if any other organization grants consent to your application
We want to use Azure AD as the Identity Provider for users in a web application. At the moment, we have everything set up using MSAL.js 2.0 with the Auth Code Flow, a custom scope, and access token which is used to authenticate requests towards our various backend services.
The issue is that our users want to be able to login with their own custom email addresses, instead of their login ids generated by AD and with the #onmicrosoft.com domain. For example, user1#some-orginization.com or user2#some-other-organization.
It would still be okay to accept the login ids as usernames as well, but surely there must be a way to allow users to use another property of the profile (their alternate email for example) to log in.
Our application is registered to AD such that it will allow only logins from one tenant, since we don't want to require users to already have existing Microsoft Accounts.
We're avoiding B2C because some users would face issues with their company policies, which would mean they could be invited as users, but would be rejected at login. Also, B2C does not really support Roles like B2B does, which is somewhat important for us.
Any guidance will be greatly appreciated.
EDIT:
After countless hours of attempting to make this work, I decided that it just isn't worth the effort, and switched to Auth0. They provide everything I could possibly want, and seemingly even better Azure AD integration to other tenants then Azure AD itself.
I think what you want to express is that you want to log in to your application with any email (including personal accounts and social accounts).
If so, then you need to modify the application's manifest configuration and then change the /tenant id endpoint to the /common endpoint.
To change the setting for an existing AD App, navigate to the Manifest blade of it in the portal, find the signInAudience attribute, set it with AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.
I registered one existing .NET application in Azure AD enterprise application for SSO. When i access this application using external URL, it prompts me for Microsoft Sign-in. Is there a way to avoid Microsoft Sign-in page? In few online article, i found to pass "domain_hint" in sign-in URL. Let me know if there is as way to setup domain hint in sign-in URL while registering enterprise app.
You can enable true single sign-on through the process highlighted in this Microsoft document (published one week ago). You can use a domain-joined device so that the users can sign on silently and do not need to enter a username and password. https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso
Please see the quick start guide as well. https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start
The way you make use of Domain_Hint will depend on a few details about your application -
What protocol you use to talk to your Azure AD?
Depending on the protocol, you'll need to pass the domain hint in the sign in URL for your application as shown below:
WS-Federation: whr=contoso.com in the query string.
SAML: Either a SAML authentication request that contains a domain
hint or a query string whr=contoso.com.
Open ID Connect: A query string domain_hint=contoso.com.
Whether your application is single-tenant or multi-tenant?
If it's single tenant, then it's simple - pass the domain hint for domain of one tenant that uses this application.
If it's multi tenant, then it needs to be conditional and you need to know the tenant before hand so you can pass the hint correctly to sign-in URL. For example, if the URL hit by each tenant is different, then that could help you.. Look at this part in the Microsoft documentation..
For example, the application "largeapp.com" might enable their
customers to access the application at a custom URL
"contoso.largeapp.com." The app might also include a domain hint to
contoso.com in the authentication request.
Here are the 2 best Microsoft documentation Links on this topic that I came across:
Domain Hints
Using Azure AD to land users on their custom login page from within your app
This is basically a follow up to my prev question - https://stackoverflow.com/a/44738654/2896495. I've implemented an Azure B2C sign up and auth in my web app (.NET Core 2.0) and now I want to add a custom sign up logic with Graph API (as described here - https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet).
But I'm confused about app registrations. For B2C auth I created an app in the Portal under Azure AD B2C -> Applications. Now, in order to use custom sign up logic I need another app registration under Portal -> App Registrations -> New Application Registration (where I can grant necessary permissions to Azure AD, like Read and Write directory data).
So, if I need auth AND custom sigh up, how should I set up my app? What's the right way of doing this?
For simplicity's sake, as well as a healthy separation of concerns, I would indeed make a separate app for the custom sign-up. It doesn't have to be a full-fledged app, a microservice that does the sign-ups for the main B2C app would be fine.
If you want to use the custom attribute to implement the custom sign up process, you need to register two apps as the document you mentioned in the post. One app is for integrating with Azure AD B2C for login, and the other is using the Azure AD Graph to query the custom attribute.
After that, you can using the Azure AD Graph REST to query the relative info and handle your own business logic in the web app. And to query the extension info, we just need to query the user info like below:
If you are just trying to have your own look and feel, as opposed to the default templates with your logos and other branding, then look into providing a template for UI customizations:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-ui-customization
Also, see this other answer to a similar question:
Azure AD B2C UI Customization
If you are trying for a whole different workflow, the you will want to create a custom policy.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-overview-custom
Or if that does not work, then I guess you could just use the GraphApi, but that is the most laborious of options and completely destroys the entire purpose of using B2C in the first place. I do not recommend this approach.
Update:
I would not do everything you want to do in a custom policy. Separating the signup into it's own application/service would be a great approach (as #camsoper suggested), but only use the policies for the bare amount needed to create the initial account or authenticate an approved user. I've never used a policy to change the "accountActive" attribute, but I would be inclined to use the GraphApi to modify the user profile after the account is created by using the "NewAccount" attribute to key off. There is a "Block sign in" setting on a users profile in the azure portal which can be used to restrict access (and the signup application could set the default after the account is created), but I'm not sure if that corresponds to the "accountActive" attribute or not (yet).
Most of the administration you've described can be done in the azure portal, such as changing the "Block sign in" setting on a users profile can be used to restrict access (and the signup application could set the default after the account is created). If there is some capability that the portal does not offer, I would put that into a separate application. Avoid duplicating functionality in your customized admin app, and instead just redirect the admin to the users profile in "portal.azure.com".
https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/{objectId}
Note: there may be some issues with that URL template if the admin has access to more than one Directory for her account. It will try to pull up the directory that her account was created on by default.