Azure AD B2C Authentication Firewall Issues - azure-ad-b2c

I have implemented a website that uses Azure AD B2C as its authentication mechanism.
Everything works great except I recently ran into a firewall issue with one of my clients. When the client redirects to either *.onmicrosoft.com and/or login.microsoftonline.com my client's corporate firewall blocks the routes. And to further complicate my situation my client's corporate firewall restrictions can not be changed.
Is there any work around that anyone can suggest such using a headless login workflow that is orchestrated within the web server that hosts my website or possibly using custom domains that my client trusts such as login.mycompany.com?

Both of the approaches have outlined would be the ideal ways to deal with this restriction, unfortunately neither are currently available in Azure AD B2C.
Both of them are listed in the Azure AD B2C feedback forum for you to support and keep track of their progress:
Customer-owned domains
Add support for Resource Owner Password Credentials flow in Azure AD B2C and headless authentication in Microsoft Authentication Library
I can't think of any other approach, which is a good thing otherwise, it would mean someone could easily spoof Azure AD B2C.
Ultimately, the right thing to do is to work with your client to ensure these and all the endpoints your applications needs, are allowed through the firewall.

Saca is correct, the customer owned domains feature could be used to change the domain name when it becomes available. Work has started, but it's still going to be some time before it's publicly available.
Regarding your client's firewall restriction that blocks login.microsoftonline.com. If it helps, there are some things that your client should be aware of. Blocking this domain doesn't just prevent application / Azure AD B2C scenarios, it blocks all Azure Active Directory sign-ins used for Microsoft Office 365 and Microsoft Azure. This means that if some other organization were to share Microsoft resources with one of the employees of your client's organization, they would be unable to access them.

Related

Restrict Frontdoor url only for office network or setup basic auth on storage blob service

This is our setup so far.
1)On production, we are hosting static web pages through Azure storage account, we have configured it on Frontdoor with a custom DNS.
We have a requirement such that few of the static web page urls should ask for basic authentication on the browser.
We have configured this on Frontdoor rulesetup based on url pattern.
So far, this works fine.
2)Now, the main issue is with replicating the same setup for UAT purpose. Since its UAT, we cannot expose it globally. It should be accessible to only the people connected to office network, either directly or through vpn.
If we configure it in Frontdoor, we have the risk of exposure.
If we do not configure it in Frontdoor, we can't have basic auth setup feature which we setup through Frontdoor Ruleset.
We have explored WAF(security) policy on Frontdoor, but we do not have a specific range of IP addresses that can be configured in WAF custom ruleset.
• To block the frontdoor URL for office network without blocking the basic authentication setup feature for a few web pages on the static website URL, you should configure the conditional access policy for this purpose.
To configure the conditional access policy for all the Azure AD users connecting in your office network, you will have to ensure that you have Azure AD Premium P2 licenses available and the devices through which users are connecting to the office network are joined/registered with Azure AD.
Please refer to the below snapshots explaining the configuration of Azure AD conditional access policy for this purpose: -
Thus, in the above way, you can block the front door URL from being accessed by people in the office network. You can configure the named locations also in this policy accordingly to block the access from these locations based on trusted IP ranges, added layer of authentication and country based locations too as shown above.
For more information, kindly refer to the below link: -
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-location

Provide App service security in Azure solutions

I have a click once windows application which already has authentication n Authorization built in. Earlier i used to deploy it on physical server n share the location with users so that they can install it n use it. But now we have decided to deploy it on azure PAAS service (App service ). But currently url is geting access by anyone which i want to restrict. Currently my organization AD is not synced with Azure AD. So not able to use Azure AD for authentication.
Kindly provide some better solutions other than restricting users based on IP.
If it's a file download you can put it on Azure Blob storage for download and generate short-time SAS tokens.
While IP address restrictions and Azure AD authentication would be one-efficient approach for your scenario. Since you do not want to go that route (due to environment limitations), If you wish you could authenticate users with the specified provider (Microsoft Account, Facebook, Google, Twitter or Any OpenID Connect provider). App Service provides built-in authentication and authorization support, so you can sign in users and access data by writing minimal or no code.
App Service uses federated identity, in which a third-party identity provider manages the user identities and authentication flow for you. You can also use multiple sign-in providers.
So the simple process could be:
The option is Log in with . App Service redirects all anonymous requests to /.auth/login/<provider> for the provider you choose. If the anonymous request comes from a native mobile app, the returned response is an HTTP 401 Unauthorized.
Kindly checkout step-step instructions on the process/workflow:
Configure your App Service or Azure Functions app to use Microsoft Account login
If your WebApp is on VNet, you can have service endpoints enabled for Microsoft.Web, through access restrictions.
See- Advanced usage of authentication and authorization in Azure App Service

Azure AD B2C: Policy IP Addresses to Allow Access to Custom Policy HTML Templates

We are using Azure AD B2C (still in preview) to authenticate customers to our application.
We are going to use custom html templates for our sign-in experience and sign-up (gives us more power over format and links outside of MS content).
Since our development environment is on a restricted network, the Systems Engineers would like to restrict access to those resources to a range or set of IP Addresses.
We could just monitor traffic while we test, and then add those IPs we see, but it would be nice if there were a list somewhere (I've looked, but I can't find anything).
At the very least and regardless, we will end up restricting access from outside the network to just those specific files.
Does Microsoft provide that range of IP addresses that will be requesting the content?
As it turns out, I was misunderstanding how the templates work. Microsoft uses JavaScript to download the custom template, so it's actually the users browser that retrieves the content and not Azure servers. This is why you need to enable CORS in your application.
The solution is to simply allow access to login.onmicrosoft.com from the DEV and TEST environments so that users can be redirected to the sign-in and sign-up pages/policies. Access to your environments does not need to be given to any Microsoft servers.
For those interested in seeing the ranges anyways, I found the following file by searching for "ip addresses used by azure": https://www.microsoft.com/en-us/download/details.aspx?id=41653

Making azure hosted website part of company intranet (singe sign on)

We are considering deploying some of our intranet web applications to Azure. The web applications are built using ASP.NET MVC. Source code is available, it is fully under our control. All our company machines are Windows 7 or up, part of a windows domain, sitting behind proxy a server. Users are registered in AD. What authentication technology would you recommend for a secure and convenient login experience? We prefer to save the employees from creating, remembering, typing in yet another username/pwd. Single-Sign-On is wonderful for the users. Can we achieve something similar? Up to what extent do we have to compromise on the convenience?
Reasons to move to Azure: Azure does not have the bureaucratic deployment obstacles that our intranet has. Furthermore, deploying webapps to Azure is just soooo easy and wonderful.
Azure Active Directory extends on-premises AD into the cloud, enabling users to use their organizational account to not only sign in to their domain-joined devices and company resources, but also all of the web and SaaS applications
(office 365) needed for their job.
Federated Single Sign-On for applications that support SAML 2.0, WS-Federation, openID connect.
Password based for apps with a html sign on page and Existing SSO using ADFS.

Azure - Allow Site Access Without Microsoft Account

I have a website that is set up and running fine on Azure. However I can only seem to access it if I log in to my own Microsoft account. Is there any way to just allow all http traffic without requiring authentication?
Your site should be public accessible as long as you do not have any authentication setup.
e.g if your site is http://foo.azurewebsites.net, everyone should be able to visit your site.
if your question is to allow other people who do not have azure subscription to manage your site. you can assign Role permission to them see Azure Role-based Access Control for details

Resources