When I create an application through Azure AD admin portal, when I go into "application registrations", I can manage authorizations for several APIs (Graph, SharePoint Online, Skype for Business Online, Power BI, OneNote...)
However, when I create an application using the Microsoft Application Registration Portal, it seems only possible to add Graph API authorizations (User.Read, etc.)
Is it possible to use Microsoft Application Registration Portal to manage application access for other APIs than Graph ?
The App Reg Portal is the portal for registering Azure AD v2.0 apps (combines Microsoft Accounts + Azure AD Accounts behind 1 endpoint). Right now, v2 does not support getting access tokens for web APIs other than graph.
The feature set on v2.0 will continue to expand and in parallel the portal expose these supported features (including other APIs other than graph).
Related
I have two separate web applications, one built with .NET Framework and the other built with .NET Core. Both web applications make up one solution which we ship to our customers. The solution itself is a SaaS subscription-based solution, where users would be able to sign-up with using either a Microsoft/Office 365, GSuite, or organizational account (basic username/password). We would like to restrict sign-up to organizational/business accounts only.
As I understood, Azure B2B is mainly useful when you have something internal and you would like to give external users some limited access to it. Given that I have a multi-tenant SaaS solution, I believe that Azure B2C makes more sense.
Furthermore, in our solution, we would also want the ability for external users to access Tabular Models in Azure Analysis Services and SSRS.
Is access to only organizational accounts, something that can be configured through Azure AD B2C?
Can access be granted to external users to Azure Analysis Services or other Azure tools when using Azure B2C?
You have two options
Option 1, Using Azure AD External identities solution - recommended
You can use newly released self service sign up solution in Azure AD external identities . You can very well restrict sign up to other Azure AD accounts only. However for sign up using other federation systems - you need to try on. I think as of today only Google and Facebook are supported apart from Azure AD.
Option 2, use Azure AD B2C and use app only authentication.
Azure AD B2C consumer accounts are by default not supported by Azure services or Office. But you can use app based authentication to provide these services. Your client app will call your backend api using Azure AD B2C token. Your backend app can perform all auth validations and then call the backend Azure or any other service using app only authentication mode.
I have developed a domain-based modeling tool and code-generator that provides the ability to capture domain models per DDD and automatically generates ASP.Net Web API microservices.
I also created an Azure B2C CLI tool that uses MS Graph API to programmatically generate an Azure B2C AD Application for each Web ASP.NET Web API of which includes all possible scopes that are applied to protect some of the generated Web API operations.
As some of these generated API services often interact with other generated services via REST and/or gRPC, the Azure B2C CLI tool also adds the list of dependent API permissions that would be required by each Web API in order to integrate with the other Web API.
My Azure B2C CLI tool works great and is creating/updating the underlying Azure B2C Web/API application per each domain service within the Home Tenant along with the necessary Service Principal.
Currently I still need to log into the Azure Portal in order to grant the API permissions per each B2C Application.
My Question is : Is it possible to automate the granting of the API Permissions using the B2C Application that I am using to create these same B2C Web/API applications ?
It seems like this should be possible as the Azure B2C CLI tool's B2C Application is the owner of these created Apps.
To help illustrate and support my question I have included some screen shots below.
To begin, the following image shows the permission set that my Azure B2C CLI tool runs under in order to create the other B2C applications for each Web API via MS Graph API.
On each pass, the Azure B2C CLI tool processes a particular domain model to understand the definition for each domain service within that model and will automatically create a series of B2C applications within Azure B2C per each service in a particular domain model.
The following domain model has 4 domain services which results with 4 B2C Apps being generated by my Azure B2C CLI tool as illustrated below ..
The Azure B2C CLI tool creates as many permission scope items per API operation and adds that to the underlying API OAuthPermissionScopes. Here is a few examples of generated permission scopes services for "WorkSpace" and "SharedServices" Web API's...
The Azure B2C CLI also adds any API permissions to each generated B2C API Application. The following example shows that "CoreServices" API requires permissions from both the "SharedServices" App API and the "WorkSpace" App API
Once that is completed I can log into the Azure Portal and Grant these permissions, manually, per each API.
Instead of granting these manually I would like to programmatically grant these permissions via MS Graph within the Azure B2C CLI tool I've created.
The code-generator domain modeling tool will be producing 100's upon 100's of services so I want to automate securing the generated domain services as much as possible, including granting of API permissions.
What is the MS Graph API to allow me to fully automate this process within my Azure B2C CLI tool?
Microsoft Graph doesn't support the "grant admin consent" feature currently.
AAD Graph has an endpoint https://graph.windows.net/myorganization/consentToApp?api-version=2.0 which is used to grant admin consent but it is only available within Microsoft. Calling this endpoint from outside will get this error.
You could consider using Azure CLI cmd az ad app permission grant or az ad app permission admin-consent --id $appid. See reference here.
There is a difference between the 2 cmds. You can find more details from my previous answer.
Can someone describe to me the differences in registering Enterprise Applications via
Application Registration Portal (https://apps.dev.microsoft.com)
Azure Portal (https://portal.azure.com, Home -> Azure Active Directory -> Enterprise Applications)
Azure AAD Portal (https://aad.portal.azure.com)
Perhaps there are even others that you may know of.
The application registered in the Application Registration Portal is the v2.0 application, which supports both Azure AD & Microsoft Accounts. Works with MSAL & most 3rd party oAuth/OIDC libraries. Can call the Microsoft Graph, and your own web API with ID tokens. If you register an application using personal Microsoft account, the application won't be visible in Azure Active Directory. For more details, you can refer to here.
While the application registered in the Azure Portal is the v1.0 application, which only supports sign in with Azure AD accounts. Can call the Microsoft Graph, other Microsoft resources, your own web API. For more details, take a look at the doc.
There's a doc describe the difference between the two endpoints.
As far as I know, the application registration is almost the same in the Azure Portal and Azure AAD Portal.
This is a licensing related question for Azure Active Directory.
We would like to use Azure AD as a SAML identity provider for our own applications, using the available method in the Azure AD Premium subscription, i.e. by creating a new custom application in the 'enterprise applications' list. Now do I need to assign a Premium license to every user that is going to login to this application via SAML? Or does it suffice to assign this license to the users that are administering the application?
The former case seems more plausible to me, however it would be way too expensive for us, and during testing the custom applications seems to work also for users which do not have the license.
https://azure.microsoft.com/en-us/pricing/details/active-directory/
I am not a licesing expert, that said, Azure AD licenses are per user. Read the doc above. If the app is pre-integrated in the gallery, Azure AD users with the free tier can connect to 10 apps at no cost. If the app is on-premises, that requires Azure Application Proxy which would require Azure AD Basic.
If it's a custom application not in the gallery AD Premium is required. Keep in mind AD premium has a ton more functionality. Conditional Access is a Game Changer. Very powerful. Multifactor Authentication, self service password reset, MIM, SCCM CALs, are all included.
Being able to simplify identity for users and link All applications they use to their AD account is important. Ems gives you the ability to monitor identity with Advanced Threat Analytics etc. It's actually a very useful suite of services and not drastically different in price than stand alone AD premium.
There is an interesting point on license page too
Blockquote
With Azure AD Free and Azure AD Basic, end users who have been assigned access to SaaS apps can get SSO access to up to 10 apps. Admins can configure SSO and change user access to different SaaS apps, but SSO access is only allowed for 10 apps per user at a time. All Office 365 apps are counted as one app.
Im trying to start working with the v2.0 endpoint, I registered my web app in the new Application registration portal, but I cannot find it anywhere in my Azure AD. Should I not be able to see it there?
I tried creating an app both with my work azure account, and with an account I created specifically in the tenant. Neither works. Am I missing something?a
You could find it Azure Active Directory-->Enterprise applications-->All applications.
But you only could see Azure AD only applications. Currently, Converged applications could not see on Azure Portal, please refer to this feedback.
Update from comment:
The blade enterprise applications represents service principals in the AAD tenant, not applications. Once you sign into the app & consent or manually provision a service principal, you'll see it in this list.