Azure App Authentication - azure

I have created a Xamarin Android App with an Azure App Service back end. When I looked at securing the connection, I don't really care about individual users, but I want to make sure that only someone running my app can access the database. Is there a way to authenticate the app itself rather than individual users? What is the best practice in this scenario?

If you don't care about users, there are a few approaches and the security level may vary. If you want to simplify integration and deployment among Azure services, you should consider using Azure AD as the identity and access management in your entire system. That said, your back-end and Xamarin app are authorized and authenticated via Azure AD. You need to register your native app in Azure AD, which you can refer to here: https://learn.microsoft.com/en-us/azure/active-directory/active-directory-application-proxy-native-client
Another approach is to use certificate-based authorization against Azure Active Directory, which is more controlled and secure than a client secret. In this case, persons installing your app must also install a certificate before sending requests to Azure App Service and retrieving data from Azure SQL Database. The level of authorization is free of choice, but the first gateway is always Azure AD.

Related

Can an Azure App Service be tied to a client's external Azure AD?

We have written some code (I hesitate to use the term "application") in .NET Core using Visual Studio 2019. This concept is relatively simple; when a user opens a "proprietary" Excel workbook (an Excel file that calls our code) the code goes out to a hosted (by us) Azure SQL Managed database and returns data based on the parameters passed in by the user.
In Azure, we have a single production App Service plan with an App Service dedicated to each client (company). My question is about security: I'd like to tie each App Service to the related company's Azure AD. I do NOT want to create an account on my Azure AD for each user, although I can certainly do this through the "invitation" process using B2B. Can each App Service be "pointed" to a specific external instance of Azure AD so that only users from that company can access the related data?
Thanks.
You may use two different flows:
Each WebApp will authenticate users from only one specific Azure AD tenant
One WebApp will authenticate users from multiple Azure AD tenants
Both solutions can be achieved with the Azure AD multi-tenant authentication application pattern.
Here are the steps you need to implement:
Update App registration to be multi-tenant
Update your code to send requests to /common
Update your code to handle multiple/single issuer values
Here is a picture that describes the flow:
https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant
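The third step in the answer (handling the issuer values) is where a multi-tenant API decides which tenants it trusts; the following is an added example, not code from the answer or from Microsoft's documentation. It assumes the token's signature has already been verified against the Azure AD signing keys, and the tenant GUIDs and app ID URI are constructed placeholders.

```python
from typing import Optional
from urllib.parse import urlparse

# Issuer hosts Azure AD uses for v1 (sts.windows.net) and v2 tokens.
KNOWN_ISSUER_HOSTS = {"sts.windows.net", "login.microsoftonline.com"}


def tenant_from_issuer(issuer: str) -> Optional[str]:
    """Return the tenant ID embedded in an Azure AD issuer URL, else None.

    v1 form: https://sts.windows.net/{tid}/
    v2 form: https://login.microsoftonline.com/{tid}/v2.0
    """
    parsed = urlparse(issuer)
    if parsed.scheme != "https" or parsed.netloc not in KNOWN_ISSUER_HOSTS:
        return None
    parts = [p for p in parsed.path.split("/") if p]
    if parsed.netloc == "login.microsoftonline.com":
        if len(parts) != 2 or parts[1] != "v2.0":
            return None
    elif len(parts) != 1:
        return None
    return parts[0]


def is_token_from_allowed_tenant(claims: dict, allowed_tenants: set) -> bool:
    """Accept only tokens whose 'iss' and 'tid' agree and name an allowed tenant.

    With the /common endpoint Azure AD issues tokens for any tenant, so without
    this check a user from an unrelated organisation is accepted by the API.
    A one-element allow-list is the "one app per tenant" flow; a larger set
    is the "one app, many tenants" flow.
    """
    tenant = tenant_from_issuer(claims.get("iss", ""))
    if tenant is None or claims.get("tid") != tenant:
        return False
    return tenant in allowed_tenants


# Constructed sample claims; the tenant GUIDs are placeholders, not real tenants.
CONTOSO_TID = "11111111-1111-1111-1111-111111111111"
FABRIKAM_TID = "22222222-2222-2222-2222-222222222222"
SAMPLE_CLAIMS = {
    "iss": f"https://login.microsoftonline.com/{CONTOSO_TID}/v2.0",
    "tid": CONTOSO_TID,
    "aud": "api://example-reports",  # placeholder application ID URI
}
```

For the per-client App Service layout in the question, each instance carries a one-element allow-list holding that client's tenant ID.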

Architecting token-based authentication for a three-tier application running on Azure

I am designing an application that will consist of:
SPA written in React, deployed to an instance of Azure App Service
REST API written in .Net Core Web API, deployed to another instance of Azure App Service
Azure SQL Database in the same Azure tenant as the app services above
All these resources will be connected to the same instance of Azure AD (also in the same tenant).
Conceptually, I suppose the authentication could work roughly like this:
The user connects to the SPA and obtains an auth token
The token would then be passed to the API and then the API will use that token to authenticate the user to the SQL Database (this seems possible)
However, I have not been able to find any walkthroughs or other documentation that would demonstrate this seemingly straightforward way of implementing authentication. Seems like this is a typical enough scenario for it to be widely documented by bloggers or Microsoft itself, so not being able to find it makes me wonder if I am not thinking about this right, or maybe I am not looking in the right places.
Can someone please help me figure out what is the right way to approach this and point me to some online resources that could guide me through this?
Thank you!
It's much more common for the REST API to use its Managed Service Identity to obtain a token for Azure SQL Database, and use that. It's always been rare for web apps to use the browser user's identity to connect to SQL Server.
See, e.g.: Tutorial: Secure Azure SQL Database connection from App Service using a managed identity

Authentication WebAPI service that will use Azure AD and Azure B2B

This isn't a specific problem question but a "cry for help".
My problem is this. Our organization is in the process of implementing Office365.
Until now there were tens of applications with their own authentication and authorization, but in the process most of them will be rewritten to be used within the O365 environment.
We are facing the problem of creating one endpoint (ASP.NET WebAPI app) which will be used to authenticate a user with his credentials from Active Directory (or B2B AD on Azure, because some apps are used outside) and tell if this user is allowed to use the app that asked to log him in.
I'm just wandering through documentation and sample code but can't decide what will be a good practice in this scenario. Should we just build each app and use the Azure Active Directory provider to authenticate? Or is it possible to set up ONE API that will hold all app IDs and their user IDs, then check user credentials against AD and give the app a token/cookie...
My best bet is to try this: http://www.tugberkugurlu.com/archive/simple-oauth-server-implementing-a-simple-oauth-server-with-katana-oauth-authorization-server-components-part-1
But create a Provider for Azure AD. But then it's still a question about this B2B AD part.
Please help by pointing to some up-to-date resources.
You should register each of your B2B application within your Azure Active Directory and configure them to use AAD as the Identity Provider.
Then you can administer everything you want (e.g. which user has access to which application) within the Azure Active Directory blade in the Azure Portal.
You are getting this backwards. If you have apps integrated with Azure AD, you don't have to create an endpoint which will validate users' right to use apps; instead you assign the right to use an app in Azure AD. This is the whole point.

How to implement SSO in azure developer service

We have an API, and we are planning to publish this API in the Azure Marketplace under developer service. For authentication, we are planning to use developer service SSO (single sign-on) in the API. I googled this but can't find any useful link; please suggest some links.
Azure AD B2C became generally available recently and it somehow offers what you are looking for. You can use local Azure identities and/or social accounts for your end users to authenticate with SSO support.
https://azure.microsoft.com/en-us/services/active-directory-b2c/
With that being said, and although you can secure your Web API with AAD B2C as in this guide, your customers won't be able to call this Web API from their own applications, as the calling app must be registered in the same Azure AD directory with the same application ID. This is a limitation that is mentioned here:
Note: Azure AD B2C currently supports only web APIs that are accessed by their own well-known clients. For instance, your complete app may include an iOS app, an Android app, and a back-end web API. This architecture is fully supported. Allowing a partner client, such as another iOS app, to access the same web API is not currently supported. All of the components of your complete app must share a single application ID.
If the above limitation is OK with you, then you might also be interested in this Azure article to list your app in the Azure AD application gallery.

Azure mobile services - multiple azure active directories

We want to develop a mobile application which will be used by users in multiple organizations. Each of these organizations will have an Azure Active Directory tenant owned by them. We want to use Azure Mobile Services for authenticating users.
Once the user is authenticated and the mobile app has the JWT token, it will be subsequently sent to our API gateway to access various services.
Is it possible to use the Azure Mobile Services identity component in such a way that the app can authenticate against multiple Active Directory tenants? In other words, can we create a multi-tenant mobile app which can authenticate against multiple Azure Active Directory tenants owned by different organizations?
Azure Active Directory does support development of multi-tenant web apps, and there are sample applications available which demonstrate this capability. However, is it possible to achieve the same functionality in a mobile app using Azure Mobile Services?
It is very much possible to build multi-tenant mobile apps backed by Azure Active Directory authentication. However, I doubt if Mobile Service will help here. Rather, I'll recommend creating a WebAPI project with AD authentication and consume those APIs in mobile apps. The samples that you've mentioned can be very much useful.