I am the primary developer on a multi-tenant SaaS web application hosted in Microsoft Azure. We use Azure AD for all authentication. Because our application holds personal information, we and our customers want a way to restrict access to specific users. We just need a simple yes/no restriction in place so only assigned users may access the application. We've considered Application Roles, but it seems like a lot of overhead when the only needed option is "authorized".
While researching this, I came across the following "User assignment required" property in Azure AD.
User assignment required property in Azure Portal
After some testing, I found that it functioned exactly as we need it to. The customer has full control over which users may access the application, and neither party has to configure Application Roles. The only downside is that this property is configured on the customer's end. Is there a way for me, as the developer, to require this setting? Or perhaps a way to enable this setting by default?
Clarification: The end-goal is minimal configuration done by the customer. If "User assignment required" can be enabled by the developers (before customer registration), that would be ideal.
Basically you cannot specify it in advance, it is up to the customer's administrator to set up the requirement.
This is their concern, not your application's concern.
One possible way would be to set appRoleAssignmentRequired on the created Service Principal to true via a Graph API call.
But that will require quite privileged access, with their admin logged in.
Service Principal entity reference
Get SP by app Id
Related
I'm using Microsoft Graph API to access data from a variety of tenants' ADs. This is with a multitenanted Azure app hosted in my Azure tenancy. Authentication is handled using application level tokens and the client credentials flow; customer admins authorize the collection of data for their tenancy using OAuth. A customer is asking whether it's possible for me to restrict access to my Azure app based on location, so that our app dispenses tokens only to clients who are inside our data center.
It seems to me that this is not going to work. Microsoft recently added the possibility of conditional access based on workload identities; but are pretty clear that this only works for single-tenant apps, where the same tenancy hosts both the enterprise application and the app registration:
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/workload-identity
Note
Policy can be applied to single tenant service principals that have
been registered in your tenant. Third party SaaS and multi-tenanted
apps are out of scope. Managed identities are not covered by policy.
But, I am not an expert and may be working on incorrect assumptions. Can anyone confirm or disconfirm what I have posted here? Is there some way I can provide what the customer is asking for?
As mentioned in the document that it is applicable only to the single tenants, If you want this feature to be available for the mutlti tenants as well you can raise a feature request for same here: https://techcommunity.microsoft.com/t5/microsoft-365-developer-platform/idb-p/Microsoft365DeveloperPlatform
Hello friends and thank you for taking the time to read my question and for all potential answers.
I am building a customer application which allows several proprietors (business owners) to log-in and manage their business. I don't want to focus on the details of the app as it is not relevant (I think) because this is more of a qualitative question.
I am using Azure AD (App Registrations) for both the Blazor WASM and API. I am comfortable creating and utilizing those. What I am trying to understand is how to not allow customers to see each other's data by using purely just Azure AD.
Example:
Customer User A from business X logs into the app. They are redirected to myapp.com/Business-X
The Roles I have right now in Azure AD are User.Read, User.ReadWrite and User.Admin
Customer User B from business Y logs into the app and is redirected to myapp.com/Business-Y
Nothing is preventing User A from changing their URL to myapp.com/Business-Y and have the same role in another business' app. I understand that I can change my Roles in Azure AD to be User.Read.X, User.ReadWrite.X, User.Admin.X, User.Read.Y, User.ReadWrite.Y, User.Admin.Y etc. but imagine if I have hundreds of customer's let's say, that is unmanageable and my blazor code will just be a mess.
Is there a better/smarter way to do this? For example I can keep the current simplified roles and add users to a database where I map them to the business they have access to but is that secure? I suspect using a database to store this does not sound right because it feels that Azure AD can do this and I just don't know how.
Thank you again!
• Yes, you can surely do restrict the users access to a particular application registered in Azure AD by ensuring these applications are also registered as ‘Enterprise Applications’ in Azure AD. Once, these applications are shown up in ‘Enterprise Applications’ in Azure AD, then you can configure them to require assignment for a particular set of users only by ensuring that the required users only have access to that application. To enable user assignment and assign users for that application in Azure AD, you should have ‘Global Administrator, Application Administrator or Cloud Administrator’ directory roles assigned to your ID.
Please find the snapshots below for more information in this regard: -
Also, once you have configured the above, you should ensure to create a custom role at the directory-level and assign it the required permissions as then this role would be assigned to all the users and these users then individually can be assigned to the required application, thus ensuring that only specific users are allowed to access the assigned app.
Please note that tenant wide admin consent is granted to apps that would require assignment. Kindly refer to the below link for more information: -
https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-restrict-your-app-to-a-set-of-users#update-the-app-to-require-user-assignment
I am currently developing an Azure Web App, which uses the Microsoft identity platform. Everything works fine as a single- and multi-tenant application. I only have one big problem, where I did not find any good solution, or at least best practices.
I would like the application to support multiple tenants. This means that I definitely need a multi-tenant application. Anyways, this allows ALL Microsoft users to access my Web App, which I highly do not want. The business plan is as follows: Businesses buy the subscription/product and then gain access to the application (initially manually).
At first I thought that there might be some sort of setting in Azure to manually white-/blacklist certain tenants directly in the portal. I did not find anything regarding this, but maybe I missed it.
My second thought is, that I have to implement the logic in the server directly. This should not be a problem, but are there already any existing resources you can use, regarding this? My idea was that after/before each redirect to a page, the server checks the database, if the tenant is allowed to visit the page. If not, a redirect to a "You are not allowed to visit this page!" page should happen.
Did I miss anything major here? I am 100% certain, that this is a somewhat common use-case and therefore am baffled that I did not find anything relevant regarding this.
Single-tenant applications can be accessed only by users who have an organizational account in the same AAD where the application is registered. Multi-tenant applications can on the other hand be accessed by anyone who has a valid organizational account.
The first time you try to authenticate to a multi-tenant application it isn't registered with your organization's AAD. You have to trigger the consent flow which will allow the user to login with their organizational account and grant the application the necessary permissions.
One way to solve your problem is by restricting access to tenants in Azure Active Directory. Check this document for detailed information.
Another way is by setting up sign-in for multi-tenant Azure Active Directory using custom policies in Azure Active Directory B2C. Check this document for more information.
We have a multi-tenant single page app (and backend) that uses Azure AD for authenticating users. We'd like do queries to customer's Azure AD for retrieving groups but make it an opt-in behavior for customers (tenants). The reasoning behind that is that not all customers necessary need the functionality and would rather not grant us access to their AAD unnecessarily.
Is there some way of implementing this with Azure AD?
I've been trying to test with different OAuth /authorize calls with resource IDs and scopes but mostly I end up with "AADSTS65001: The user or administrator has not consented to use the application with ID ''. Send an interactive authorization request for this user and resource." error. Configuring the web app or backend to require the permission would surely fix the error but that will also make the approval of it mandatory for all users of the app.
Is there a way of using the authorize/consent API to request access to a new application on-demand?
An ugly work-around that should work would be to have 2 client IDs and 2 backend IDs with different permissions but ADAL.js doesn't seem to be designed to work with multiple Client IDs (it's singleton, for starters). Also Application Permissions should of course work but I'm not sure how much of those are required to search for groups.
Is there a way of using the authorize/consent API to request access to
a new application on-demand?
Do take a look at Azure AD v2.0. With their incremental & dynamic consent model, it is possible to do so though I am not sure if this specific functionality (managing groups) is available there.
I had a discussion with Azure AD team member recently about this (as we are also facing the same problem) and he suggested that we take a look at this.
Essentially the way things work in Azure AD v2.0 is that you start with basic set of permissions (like sign in, read profile etc.). Then when some tenant need specific permission, you essentially ask them to grant those permissions to your application at that time only. What this means is that different users in your application have granted different permissions to your application.
If you are using MSAL, and looking for a way to dynamically change your scopes before authenticating, have a look at this: https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-angular/docs/v2-docs/configuration.md#msalguard---dynamic-auth-request
More here: https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-angular/docs/v2-docs/configuration.md#platformbrowserdynamic
We want to create a MVC web application using claims-based authentication, expecting roles as one of the claims. We want to Federate authentication providers using the Azure Access Control Service to manage this federation. One of the authentication providers is our Azure AD.
The problem is that Azure AD doesn't seem to be able to generate role (or even group) claims. What is the appropriate method to manage group or role access in Azure AD and have role claims served by Azure Access Control Service.
Thanks.
Edit:
A previous comment asked for details: We want to provide access to our cloud application to 3rd parties using their active directory (to simplify user management for them). Our application has a few levels of access to information that the 3rd parties can configure. We were hoping they could do this in their AD (based on our instructions). Groups seemed like the obvious choice, but if there is another way that works, as long as we can provide instructions, it'll work.
We want our application to get claims for a user's level of access. If we had only one partner that was using Azure AD, we could use the graph API against that endpoint, but with multiple partners changing over time, we wanted to federate them so our application only needs to trust the federation server. We were assuming that we needed Azure ACS to manage the federation.
AAD does support roles / groups and you can administer them from the Azure Portal.
Howeve, these are not passed in the "canned" set of claims.
You need to use the Graph API and then convert them e.g. Windows Azure Active Directory: Converting group memberships to role claims.
Update:
ACS requires something to federate with. You can't hook a customer AD up to ACS - you need something like ADFS on top of their AD.
I assume your cloud app. runs in Azure?
Then make your app. multi-tenanted. If your customers have their own Azure tenant, it will work. You just need to add the Graph API code to your app. ACS is not required.
Your customers then run DirSync. This keeps their Azure tenant in sync. with their AD changes.
So two options:
Customer does not have Azure tenant. They install ADFS and federate with AAD.
Customer's who do have Azure tenant use DirSync.
Good news: we have recently turned on the Application Roles and Groups Claim features in Azure AD.
Get a quick overview here: http://blogs.technet.com/b/ad/archive/2014/12/18/azure-active-directory-now-with-group-claims-and-application-roles.aspx
Deep dive post and video on app roles feature is here: http://www.dushyantgill.com/blog/2014/12/10/roles-based-access-control-in-cloud-applications-using-azure-ad/
Deep dive post and video on app roles feature is here: http://www.dushyantgill.com/blog/2014/12/10/authorization-cloud-applications-using-ad-groups/
Hope that helps.
Groups aren't the best choice because they are unique within each directory. Unless you get your customers to define a set of groups that have well-known names and match against the strings, that is (the object IDs of a group is different per directory even if they have the same name). I'm actually from the Azure AD team and we are seriously considering releasing a feature to allow you to define roles in your app that your customers can assign their users to. Please stay tuned on this. In the meantime, unfortunately groups are the only way to go. You would have to call "GetMemberGroups" using the Graph to retrieve the groups that the user is assigned to.
What are your timelines for releasing this application? You can contact me directly to see if we can work with your scenario.