Dear Microsoft Azure AD personnel, (and anyone else who has been down this road)
We are building a User Interface as a front-end to our back-end architecture in Azure, mainly comprised of Azure SQL databases, VM clusters, Azure Search indexes, and SFC's.
Users who will login to this UI will be both internal (company employees) and external (our clients). The internal users will log in to perform various functions for services we provide our clients. Our clients will log in to perform search queries on certain tables of our databases.
Where we are lost is in the area of trying to plan and execute our identity management architecture along the lines of permissions and policies.
For our internal users, we will have several different permissions profiles that need to be defined - for example, User 1 should be able to access and write information about client 1, but not client 2. User 2 should be able to access and write information about client 2 and client 3, but not client 1. That is just a simple example.
For our clients, thus far, we have set a up a B2C tenant to allow them to sign-up for access with their email address. While this part is simple and straight-forward, it seems the B2C functionality is rather limited in that there are only policies for signup/sign-in, password reset, and profile editing. We will eventually need to offer different levels of access permissions to our clients as well.
Here are my questions:
For our internal users, should we be using our domain Azure AD (B2E), or should we also use B2C for them so all users are under the B2C architecture?
Are these different kinds of permissions I've mentioned defined and set inside Active Directory settings, or coded into the Application?
Should we use B2C at all, given that we will need to give different permissions structures to different users within our clients? Should we be using B2E for our clients as well, even though they are customers and not internal users on our domain?
I've been reading Azure documentation and watching videos since end of last week and I'm still having trouble determining what's right for us for what we're trying to accomplish.
I am by no means an expert in Azure AD (either the most generic enterprise/domain, B2C, or B2B), but based on my reading and experiments:
1) You can funnel all users through AAD B2C, using AAD B2C custom policies to allow enterprise/domain AAD users to be connected to your AAD B2C directory; this means your application(s) only have to integrate with a single directory (AAD B2C);
2) None of the AAD flavors is really designed to do fine-grained permissions/authorization; you will probably need to handle this in your own code, or using some other feature/service.
Martin
Related
After investigating what Azure AD B2C can do, I'm not sure if it can do everything we need it to do through custom policies / we would have to make some compromises. I was thinking of still using it purely for authentication actions against our users: sign in or sign up - local & social media accounts, reset password etc.
However, we also want to collect more details about the user that they either provide at sign up or at a later date, and I'm finding the ability to edit profiles quite lacking.
Therefore I was thinking instead to create a bespoke dot net core or framework application which will act as a 'preference centre' that the user goes through. We will have much greater customisation o this, as we will not be limited to what Microsoft allow through custom policies. The user would either be passed through this application after signing in and before reaching one of our applications, or they can get to it from a link on our applications. All the data that is stored for the user will still be held in the Users section in our Azure AD B2C. Then the application will use the Graph API to query and update the data for the user.
Is this a sensible approach? Or can you recommend something else?
I'm wondering a few things about azure ad.
I currently have a little software with self users managed, in database, with custom properties, and access token self generation, etc.
In order to develop micro services, azure functions, and handle SSO the right way, i would like to migrate my users management to azure active directory, but i'm a bit lost with its features.
Is there a way to handle custom properties for users in azure ad ?
Users can be affected to one or many 'agencies', with some 'roles' in this affectation, such as 'agency supervisor', 'agency user' etc, which aad feature is the best designed for this ? Groups ? Roles ?
Is it a best practice to store custom business-related user properties in an associated database instead of aad ? (Maybe in order to migrate user management later ?)
I'm sorry for these questions but after a lot a research i'm still there.
Maybe some of you have great feedback or documentation for me.
Thank you !
There are two products, Azure Active Directory (AAD) and Azure B2C Active Directory. The first one is used within organizations, the latter can be used for multi-tenant situations where you let people from 'outside' your domain register with their own identity provider (other AAD, Oauth, etc).
Simply said, the AAD is for within the organization, Azure B2C AD is for external users.
The B2C AD features are a layer on top of the 'regular' AAD, so every feature in the AAD is available in B2C AAD as well.
Azure B2C was made with extensibility in mind, and you can (programmatically) add extra schema attributes to the users in your B2C Organization (such as companyId or other identifiers you use to differentiate in your product). We use a mixture of security groups for setting user 'roles', and we use custom claims with the extra schema attributes so I know what client a user belongs to (I'm working on a multi-tenant SaaS app).
If you are going to store a lot of information about the user that is LOB-application data, use a separate database to store that, as the (B2C) AAD is not a very good place to store large amount of (nested) data.
I'm hoping to use the Microsoft Identity Platform - Azure Active Directory - to manage authentication for my app.
I using the v2.0 endpoint.
I've registered my application in the new Application Registration Portal (apps.dev.microsoft.com), and it is now showing up in the main Azure portal under Azure Active Directory > App registrations
I need to restrict access to my application to certain organisations - I'm working on the assumption this means I need to allow access to a specific set of AD tenants.
In the application manifest, there's a signInAudience property, the options for which are AzureADMyOrg, AzureADMultipleOrgs and AzureADandPersonalMicrosoftAccount
AzureADMultipleOrgs sounds the closest to what I'm looking for, but so far it means anyone with an AD account can access my app.
I've come across documentation for an orgRestrictions property (https://github.com/microsoftgraph/microsoft-graph-docs/blob/master/api-reference/beta/resources/application.md) which sounds useful but it just says Reserved for future use
I assume this is a common use case e.g. only allow access to organisations that subscribe to your product, but I don't see a straightforward way to do it.
I assume this is a common use case e.g. only allow access to organisations that subscribe to your product, but I don't see a straightforward way to do it.
Yes it is, and most multi-tenant samples showcase this.
Currently there is no way to say that a given app should allow login from X and Y, so it'll have to allow all Azure AD tenants.
(though that is a feature that has been heavily requested)
Then after authentication, your app can check the tid claim.
You could for example check from a database if this tenant has a valid subscription.
If they don't, redirect them to an error page and don't log them in.
I'm quite new to all things MS/AD and coming from the app developer side of things so please bear with me if i'm not using the right terminology. I can't find confirmation in the online docs for this, so grateful for any ideas or links that could be helpful.
The scenario: my organization is a O365 shop and have a bunch of stuff in Azure. One project is a custom platform with several web apps. Most are accessed by our own folks via SSO, but some of these apps will be accessed by external users from our partners/vendors. A couple of these are MS shops but most are not and we can't require MS accounts.
The twist: we need to delegate user management to our partners/vendors. So as an example, for app3 we will have tons of partner/vendor organizations that need access. We want to give 1 person from that organization the responsibility of inviting their colleagues and removing folks when anyone leaves their organization. In many cases, they won't necessarily have the same email address domains so we can't restrict/group in that manner. In other cases, we need each national office of a global organization to have its own delegated admin to manage staff so there may be separate organizations with users that have the same email address domain.
My questions: Is Azure AD B2C the right approach for this?
Can it support this kind of delegated management (something like https://learn.microsoft.com/en-us/azure/active-directory/active-directory-accessmanagement-self-service-group-management)?
Would we need configure a separate Azure AD B2C directories for each external organization or should these be groups within one Azure AD B2C directory?
At this time there is no out-of-the-box support for user management delegation in Azure AD B2C, whether it's delegatin user management to other B2C admins using local (.onmicrosoft.com) accounts or external users using local (#myemail.com) or social accounts. Azure AD B2C does not support self-service group management capabilities either. You can request either of these in the Azure AD B2C feedback forum.
Is the same instance of these apps going to support people from these multiple organizations?
If the answer is no, meaning that your are going to have one instance of the app for organization A, and another for organization B, you can definitely have multiple Azure AD B2C directories and wire up each application to each directory.
If a single instance of these apps will need to support multiple of these organization, then I can think of two options for you:
Use Azure AD B2C and build all the delegation and user management logic yourself. You can have a custom attributes to assign users their "organization" and another to indicate whether they can manage users or not. You would then need to create a user management UI that queries the Graph for all users that are in the same "organization" and let the user manage those. You would also need to build the invitation feature, first into this UI by creating the user through Azure AD Graph and setting its "organization" claim accordingly, and then by directing users to the Password Reset policy as their "account verification" flow.
Use Azure AD and the B2B collaboration feature (including its ability to delegate invitations). This also opens up the self-service group management capabilities you referenced. If you don't want these users to get access to other things in your organization, you would probably want to create a separate Azure AD tenant for this and also invite people from your on Azure AD via B2B collaboration.
Conceptually, B2C is meant for external users, and Azure AD is meant for internal users, with B2B complementing those internal users with partners that collaborate enough with those internal users to be almost thought of as internal users. That being said, use whichever one best suits your needs. Don't forget to keep in mind that their pricing model is very different.
We want to create a MVC web application using claims-based authentication, expecting roles as one of the claims. We want to Federate authentication providers using the Azure Access Control Service to manage this federation. One of the authentication providers is our Azure AD.
The problem is that Azure AD doesn't seem to be able to generate role (or even group) claims. What is the appropriate method to manage group or role access in Azure AD and have role claims served by Azure Access Control Service.
Thanks.
Edit:
A previous comment asked for details: We want to provide access to our cloud application to 3rd parties using their active directory (to simplify user management for them). Our application has a few levels of access to information that the 3rd parties can configure. We were hoping they could do this in their AD (based on our instructions). Groups seemed like the obvious choice, but if there is another way that works, as long as we can provide instructions, it'll work.
We want our application to get claims for a user's level of access. If we had only one partner that was using Azure AD, we could use the graph API against that endpoint, but with multiple partners changing over time, we wanted to federate them so our application only needs to trust the federation server. We were assuming that we needed Azure ACS to manage the federation.
AAD does support roles / groups and you can administer them from the Azure Portal.
Howeve, these are not passed in the "canned" set of claims.
You need to use the Graph API and then convert them e.g. Windows Azure Active Directory: Converting group memberships to role claims.
Update:
ACS requires something to federate with. You can't hook a customer AD up to ACS - you need something like ADFS on top of their AD.
I assume your cloud app. runs in Azure?
Then make your app. multi-tenanted. If your customers have their own Azure tenant, it will work. You just need to add the Graph API code to your app. ACS is not required.
Your customers then run DirSync. This keeps their Azure tenant in sync. with their AD changes.
So two options:
Customer does not have Azure tenant. They install ADFS and federate with AAD.
Customer's who do have Azure tenant use DirSync.
Good news: we have recently turned on the Application Roles and Groups Claim features in Azure AD.
Get a quick overview here: http://blogs.technet.com/b/ad/archive/2014/12/18/azure-active-directory-now-with-group-claims-and-application-roles.aspx
Deep dive post and video on app roles feature is here: http://www.dushyantgill.com/blog/2014/12/10/roles-based-access-control-in-cloud-applications-using-azure-ad/
Deep dive post and video on app roles feature is here: http://www.dushyantgill.com/blog/2014/12/10/authorization-cloud-applications-using-ad-groups/
Hope that helps.
Groups aren't the best choice because they are unique within each directory. Unless you get your customers to define a set of groups that have well-known names and match against the strings, that is (the object IDs of a group is different per directory even if they have the same name). I'm actually from the Azure AD team and we are seriously considering releasing a feature to allow you to define roles in your app that your customers can assign their users to. Please stay tuned on this. In the meantime, unfortunately groups are the only way to go. You would have to call "GetMemberGroups" using the Graph to retrieve the groups that the user is assigned to.
What are your timelines for releasing this application? You can contact me directly to see if we can work with your scenario.