Is there a way (either in the portal or otherwise) to restrict access to policies? For example, I can specify which sign-in policy I want to use in my application (say, only Google and internal logins), but if a developer changes the policy value in the application to call a different policy that allows Facebook logins (which we don't want, but the policy does exist in the portal), how can we enforce security in this situation? Is there a way to restrict access to policies to only the applications that are allowed to use them?
I have been looking all around for documentation and information regarding Azure AD multi-tenant applications, specifically regarding who is using my application.
In Azure AD, I created an app registration and chose 'Accounts in any organizational directory (Any Azure AD directory - Multitenant)'. I do not see any way to specify which tenants I do want to allow.
I am using Application Permissions which requires Admin Consent to use the app so a Global Administrator from each tenant would have to grant consent. However, I do not see any way to look into my app and see which tenant granted consent.
Background: I have built an application that does a user directory search across two tenants. Regardless of which user logs in from either tenant, they can search for users across both. I have App Registrations set up in both tenants with client secrets to get access tokens to search each directory.
Since my directory is hosting the app to log in, each tenant needs to grant admin consent to use the app. I am trying to make sure any other tenant outside of our two tenants cannot grant consent and use our app too.
Is there a way to restrict which tenants are allowed to use my app?
Is there a way to look into which tenant did allow my app?
If another org were to get ahold of my client id and grant consent, am I able to do anything to prevent them from using it?
Can I set up notifications if another org grants consent to my app?
Is there a way to restrict which tenants are allowed to use my app?
The only safe way to do this currently is in your app's code. If users are signing in to your app, you do this by verifying that the ID token's issuer corresponds to one of the tenants you do allow. If your app accepts access tokens (i.e. it's an API), you do the same with the access token.
Is there a way to look into which tenant did allow my app?
After the fact, no. If your app was the one that sent the user off to sign in/consent, then after consent the browser will be sent back to the redirect URL, but there are several situations where consent/access is granted which would not result in that redirect. (Also, you don't want to rely on unprotected query parameters for something approaching access control, as a user could trivially intercept the redirect and change the parameter value.)
If another org were to get ahold of my client id and grant consent, am I able to do anything to prevent them from using it?
Generally speaking, no. In certain situations it's possible to reduce the likelihood of this happening, but if your app is configured as a multi-tenant app, you must assume users from any organization are able to sign in to it. If you need to restrict which organizations actually use the app, you need to enforce this in your app's code.
Can I set up notifications if another org grants consent to my app?
No, this isn't possible.
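The issuer check this answer describes, written out as an added example (it is not code from the question or the answer). It assumes the JWT library has already verified the token's signature, audience and expiry against the Azure AD metadata, and only inspects the verified claims; the tenant IDs and claim sets are constructed placeholders. Both the `iss` and `tid` claims are checked and must agree, and both the v2.0 and v1.0 issuer formats are recognised:

```python
"""Tenant allow-list check for an Azure AD multi-tenant app (added example).

Run this AFTER your JWT library has verified the token signature, audience
and expiry; it only inspects the already-verified claims. The tenant IDs and
sample claim sets below are constructed placeholders, not real values.
"""
import re

# The only tenants this app is willing to serve (constructed example IDs).
ALLOWED_TENANTS = frozenset({
    "11111111-1111-1111-1111-111111111111",  # our own tenant
    "22222222-2222-2222-2222-222222222222",  # partner tenant
})

# Issuer formats Azure AD uses for v2.0-endpoint and v1.0-endpoint tokens.
_ISSUER_PATTERNS = (
    re.compile(r"^https://login\.microsoftonline\.com/([0-9a-fA-F-]{36})/v2\.0$"),
    re.compile(r"^https://sts\.windows\.net/([0-9a-fA-F-]{36})/$"),
)


def tenant_from_issuer(iss):
    """Return the tenant ID embedded in a recognised 'iss' claim, else None."""
    for pattern in _ISSUER_PATTERNS:
        m = pattern.match(iss or "")
        if m:
            return m.group(1).lower()
    return None


def is_allowed_tenant(claims, allowed=ALLOWED_TENANTS):
    """True only if the verified claims were issued by an allowed tenant.

    'iss' and 'tid' are both checked and must name the same tenant: a
    multi-tenant registration cannot stop a foreign tenant from consenting,
    so the app itself has to reject tokens from any tenant it does not serve.
    """
    tid_from_iss = tenant_from_issuer(claims.get("iss"))
    tid_claim = (claims.get("tid") or "").lower()
    if tid_from_iss is None or tid_claim != tid_from_iss:
        return False
    return tid_from_iss in allowed


# Constructed sample claim sets (the shape of a decoded ID/access token payload).
TOKEN_FROM_ALLOWED_TENANT = {
    "iss": "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0",
    "tid": "11111111-1111-1111-1111-111111111111",
    "aud": "00000000-0000-0000-0000-00000000abcd",
    "sub": "user-a",
}
TOKEN_FROM_FOREIGN_TENANT = {
    "iss": "https://login.microsoftonline.com/99999999-9999-9999-9999-999999999999/v2.0",
    "tid": "99999999-9999-9999-9999-999999999999",
    "aud": "00000000-0000-0000-0000-00000000abcd",
    "sub": "user-x",
}
TOKEN_WITH_MISMATCHED_TID = {  # 'tid' names an allowed tenant but 'iss' does not
    "iss": "https://sts.windows.net/99999999-9999-9999-9999-999999999999/",
    "tid": "11111111-1111-1111-1111-111111111111",
    "aud": "00000000-0000-0000-0000-00000000abcd",
    "sub": "user-y",
}

if __name__ == "__main__":
    for name, claims in [("allowed", TOKEN_FROM_ALLOWED_TENANT),
                         ("foreign", TOKEN_FROM_FOREIGN_TENANT),
                         ("mismatch", TOKEN_WITH_MISMATCHED_TID)]:
        print(name, is_allowed_tenant(claims))
```

Do this check in the API as well as in the sign-in path, since an access token minted for another tenant's consent grant will otherwise validate perfectly well against the `common` issuer metadata.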
Is there a way to restrict which tenants are allowed to use my app?
You can restrict which tenants are allowed to use your app by specifying the list of tenants in the Restrict-Access-To-Tenants header.
Is there a way to look into which tenant did allow my app?
If you want to know the list of tenants/users who have access to your app, you would need to be a user of that particular tenant.
If another org were to get ahold of my client id and grant consent, am I able to do anything to prevent them from using it?
You can restrict which tenants can have access to your application by using the Restrict-Access-To-Tenants header in your application.
Can I set up notifications if another org grants consent to my app?
We cannot receive a notification if any other organization grants consent to your application.
I have created an Azure B2C Sign-In and Sign-Up policy as a built-in policy, where I need to collect the user's First Name, Last Name and Country information.
The above built-in policy supports the below two identity provider logins:
We need the Country attribute only when a local user signs up for the very first time. But since we have made Country a mandatory attribute, it is also shown to Azure AD users when they log in for the very first time, and we don't want to collect any country information for Azure AD user logins.
How can we handle this scenario so that, within a single built-in policy, the mandatory attribute is handled differently?
I have not been able to work out whether this will work using a custom policy or not, because the user needs to log in via either sign-in or sign-up on the login page using the above two identity providers.
For multiple applications, we are using AAD B2C as our authentication system.
We have opted for custom policies. One of the reasons for this is that we want to allow different user groups to access different applications, in the following way:
superusers can access all Applications, including our CMS
product admins can access the customer facing CMS and the end product
product users can access the end product
For this, we have the policies:
B2C_1A_xxx_cms
B2C_1a_xxx_product
B2C_1A_xxx_customercms
In all policies, we do an API call to an internal authentication API, which validates the user's group memberships through the MS Graph API.
The problem is that these policies can seemingly be used interchangeably:
https://{tenant}.b2clogin.com/{tenant}/b2c_1a_xxx_cms/oauth2/v2.0/authorize?response_type=id_token&scope={scope}%20openid%20profile&client_id={client_id}&redirect_uri={redirect_uri}&nonce={nonce}&client_info=1&x-client-SKU=MSAL.JS&x-client-Ver=1.4.4&client-request-id={client-request-id}&response_mode=fragment
In the above url, users can access the CMS by replacing b2c_1a_xxx_cms with b2c_1a_xxx_product, thus bypassing the group-based validation in place for the specific application.
The original implementation of our policies is based on this tutorial:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-get-started
How can we configure these policies in such a way that changing the URL and trying to log in is impossible?
Based on your requirement, I think you need the "application assignment to users" feature.
But it is only available in Azure AD rather than Azure B2C.
So I suggest that you use a custom attribute to control the user's access to the different applications.
"We do an API call to an internal authentication API, which validates the user's group memberships through the MS Graph API."
When User A calls Policy B, this API should return a claim into the journey that prevents it from issuing a JWT. That can be achieved by creating a "block page" using a self-asserted technical profile. Call this from an orchestration step, using the claim from the API in a precondition to trigger it.
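The pattern this answer describes, as an added custom-policy fragment (it is not code from the question, the answer, or the Microsoft tutorial linked above). The REST technical profile sends the API the user's objectId together with the policy ID and client ID the request actually targets (via the `{Policy:PolicyId}` and `{OIDC:ClientId}` claim resolvers), so the API can bind its decision to the policy that was really in the URL rather than to the user alone. It returns an `accessAllowed` claim; the next step either skips a self-asserted block page or stops on it, so the SendClaims step is never reached. The ServiceUrl, key container names and content definition ID are assumptions, and the claim types `accessAllowed` (boolean), `accessDeniedMessage` (Paragraph user input type), `policyId` and `clientId` must be declared in the ClaimsSchema of your extensions policy:

```xml
<!-- Step A: REST technical profile. Goes in the ClaimsProviders of the extensions policy.
     ServiceUrl and key container names are assumed for this example. -->
<ClaimsProvider>
  <DisplayName>Internal authorization API</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="REST-CheckAppAccess">
      <DisplayName>Ask the internal API whether this user may use this application</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="ServiceUrl">https://authz.example.internal/api/check-access</Item>
        <Item Key="SendClaimsIn">Body</Item>
        <Item Key="AuthenticationType">Basic</Item>
        <Item Key="AllowInsecureAuthInProduction">false</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="BasicAuthenticationUsername" StorageReferenceId="B2C_1A_RestApiUsername" />
        <Key Id="BasicAuthenticationPassword" StorageReferenceId="B2C_1A_RestApiPassword" />
      </CryptographicKeys>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="objectId" />
        <!-- Claim resolvers: the policy and client app this sign-in actually targets.
             Without these the API only knows WHO is signing in, not to WHAT. -->
        <InputClaim ClaimTypeReferenceId="policyId" DefaultValue="{Policy:PolicyId}" AlwaysUseDefaultValue="true" />
        <InputClaim ClaimTypeReferenceId="clientId" DefaultValue="{OIDC:ClientId}" AlwaysUseDefaultValue="true" />
      </InputClaims>
      <OutputClaims>
        <!-- The API responds with JSON such as {"accessAllowed": true}. -->
        <OutputClaim ClaimTypeReferenceId="accessAllowed" />
      </OutputClaims>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
    </TechnicalProfile>

    <!-- Step B: the block page. A self-asserted profile with no Continue button
         never completes, so the journey cannot advance to the token issuer. -->
    <TechnicalProfile Id="SelfAsserted-AccessDenied">
      <DisplayName>Access denied</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item>
        <Item Key="setting.showContinueButton">false</Item>
        <Item Key="setting.showCancelButton">false</Item>
      </Metadata>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="accessDeniedMessage" DefaultValue="Your account is not permitted to sign in to this application." AlwaysUseDefaultValue="true" />
      </InputClaims>
      <OutputClaims>
        <!-- accessDeniedMessage is a Paragraph-type claim, so it renders as read-only text. -->
        <OutputClaim ClaimTypeReferenceId="accessDeniedMessage" />
      </OutputClaims>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

<!-- Step C: orchestration steps placed after the user has authenticated and
     before SendClaims, in each of the three user journeys. Orders are illustrative. -->
<OrchestrationStep Order="7" Type="ClaimsExchange">
  <ClaimsExchanges>
    <ClaimsExchange Id="CheckAppAccessExchange" TechnicalProfileReferenceId="REST-CheckAppAccess" />
  </ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="8" Type="ClaimsExchange">
  <Preconditions>
    <!-- Skip the block page only when the API said yes. Any other value, or a
         missing claim, lands the user on the block page (fail closed). -->
    <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
      <Value>accessAllowed</Value>
      <Value>True</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="AccessDeniedExchange" TechnicalProfileReferenceId="SelfAsserted-AccessDenied" />
  </ClaimsExchanges>
</OrchestrationStep>
<OrchestrationStep Order="9" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
```

Two things worth keeping in mind alongside this. The API's decision must be keyed on the (user, clientId or policyId) pair, because the whole problem is that the user is legitimate and only the target is wrong. And the relying party should independently verify that the token it receives was issued by the policy it expects (B2C puts the policy name in the token's `tfp` claim, or `acr` if configured), so a token obtained through the wrong policy is rejected even if the journey-level check is ever misconfigured.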
Are Azure's RBAC tools and capabilities appropriate for delineating and enforcing app-specific user permissions?
What I've been seeing is that Azure's RBAC capabilities seem to involve managing Azure resources: BLOB services, storage accounts, app services, etc.
But what I don't see are examples of Azure RBAC being used to manage app- (or domain-) specific permissions, like "Allow the user to approve purchasing this widget" or "Allow user to categorize these items as Foo, Bar, or Baz", or "Allow the user to view financial data only from these company divisions".
Am I fundamentally misunderstanding how Azure RBAC works, or what it's used to manage? Can anyone point out examples of Azure role definitions that include permissions like the ones above, or point to documentation of how I might set those up?
I believe you are looking for application specific permissions which can be achieved, by configuring API permissions in apps, registered in AD. Please correct me if my understanding is wrong.
So the difference between API Permissions and Role Assignments is as below:
API Permissions: 2 types.
Delegated permissions are appropriate for client apps that access a web API as the signed-in user, and whose access should be restricted to the permissions you select in the next step.
Delegated permissions are used when authentication is done under user's context and are returned in scope claim of the token.
Application permissions are for service or daemon-type applications that need to access a web API as themselves, without user interaction for sign-in or consent. Unless you've defined application roles for your web API, this option is disabled.
App permissions are used when authentication is done under the application (service principal) context and are returned in the roles claim. For example, if you have a web application, you can configure it to allow access to the user if the scope claim contains read, and otherwise deny access; or grant write access to the application only when the roles claim contains write.
You should configure API Permissions when you would like to return the permissions in the Access token. When application consumes the token, it makes authorization decision on the basis of permissions present in the token.
Role Assignments:
RBAC is the authorization system you use to manage access to Azure resources. When using RBAC, an administrator grants permissions to roles, and not to individual users or groups. The administrator can then assign roles to different users and groups to control who has access to what content and functionality.
Role assignments are used to assign permission to users/service principals on Azure Resources. In this case authorization is done by Azure and not by the end application which happens in case of API permissions.
Please refer to the below articles for a detailed explanation with examples.
https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-added
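The scope-versus-roles decision this answer describes, applied to the question's own domain-specific permissions, as an added example (not code from the answer or from the linked articles). It assumes the access token has already been signature-, issuer-, audience- and expiry-validated and only reads the decoded claims; the permission names and claim sets are constructed. Delegated tokens carry the client's scopes in `scp` plus any app roles assigned to the signed-in user in `roles`; app-only tokens have no `scp` and carry the application permissions in `roles`:

```python
"""Authorizing on the 'scp' and 'roles' claims of an Azure AD access token
(added example). Assumes the token was already validated by your JWT library;
only the decoded claims are inspected. Permission names and claim sets are
constructed for illustration.
"""


def permission_sets(claims):
    """Split verified claims into (scopes, app_roles).

    Delegated tokens (a user signed in) carry a space-separated 'scp' claim,
    plus a 'roles' list if the user was assigned app roles for this API.
    App-only tokens (client credentials) carry no 'scp'; their 'roles' list
    holds the application permissions granted to the calling service principal.
    """
    scopes = set((claims.get("scp") or "").split())
    roles = set(claims.get("roles") or [])
    return scopes, roles


def is_app_only(claims):
    """No 'scp' claim means nobody signed in: the caller is the app itself."""
    return "scp" not in claims


def can_approve_purchase(claims):
    """Domain-specific decision: may this caller approve a widget purchase?

    A user may if the client obtained the Purchases.ReadWrite scope on the
    user's behalf AND the user holds the Purchases.Approver app role (so a
    read-only client, or a user without the role, is refused).
    A daemon may only with the Purchases.Approve.All application permission.
    """
    scopes, roles = permission_sets(claims)
    if is_app_only(claims):
        return "Purchases.Approve.All" in roles
    return "Purchases.ReadWrite" in scopes and "Purchases.Approver" in roles


def can_view_division(claims, division):
    """Data-scoped decision driven by per-division app roles (Finance.View.EMEA, ...).

    Users need the Finance.Read scope plus either the division's role or the
    Finance.View.All role; daemons need the Finance.View.All application permission.
    """
    scopes, roles = permission_sets(claims)
    if is_app_only(claims):
        return "Finance.View.All" in roles
    if "Finance.Read" not in scopes:
        return False
    return f"Finance.View.{division}" in roles or "Finance.View.All" in roles


# Constructed sample claim sets (decoded access-token payloads).
USER_APPROVER = {
    "scp": "Purchases.ReadWrite Finance.Read User.Read",
    "roles": ["Purchases.Approver", "Finance.View.EMEA"],
    "oid": "user-1",
}
USER_NO_ROLE = {"scp": "Purchases.ReadWrite Finance.Read", "oid": "user-2"}
DAEMON = {"roles": ["Purchases.Approve.All"], "oid": "sp-1"}          # client-credentials token
DAEMON_READ_ONLY = {"roles": ["Purchases.Read.All"], "oid": "sp-2"}

if __name__ == "__main__":
    for name, claims in [("approver", USER_APPROVER), ("no role", USER_NO_ROLE),
                         ("daemon", DAEMON), ("daemon ro", DAEMON_READ_ONLY)]:
        print(name, can_approve_purchase(claims), can_view_division(claims, "EMEA"))
```

The division example is the same mechanism as the question's "view financial data only from these company divisions": each division becomes an app role on the API's registration, users (or groups) are assigned the roles, and the API reads them from the token instead of querying Azure RBAC, which only governs Azure resources.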
We currently have the challenge of blocking access to our whole B2C service for several countries.
I tried to set up a conditional access rule to block specific countries, but it does not get applied to normal application sign-ins.
This will block my admin account from logging in to the Azure portal, but not users signing in to SAML or OpenID Connect applications.
What would be the correct way to implement it? In custom policies with transformations?