While learning about Azure AD so I can eventually switch our applications to start using that, I noticed that any account that we have, seems to be able to login to the application... I just have a web application on my local PC, and I added it to our Azure AD applications. We have Azure AD syncing with our AD environment. The application doesn't show up on myapps.microsoft.com, which is what I want to happen. The issue is that when I try to login to the application by going to the URL, with a test account, that account is just able to login... After one login, it shows up on that account's myapps page. Why is it just allowing any account to log in? I only have partial access on our Azure portal, and can't even manually give access to applications. Is there some setting that I need to set to only allow access when it is specifically granted to the account? I've been looking around for a while and watching a few videos, but I haven't seen this covered anywhere.
In Azure AD , if you want to restrict access to particular users in the directory , you could try below ways :
Use group claims in Azure AD . In your application , check the group claims in the authenticated user’s claims collection , restrict access base on your requirement .
Set User assignment required? setting( find the setting in Enterprise applications-->Your application -->Properties) to Yes, then users must first be assigned to your application before being able to access it . You could assign default access role to uses who can access your application . Click here for how to assign role to user .
Related
Hello friends and thank you for taking the time to read my question and for all potential answers.
I am building a customer application which allows several proprietors (business owners) to log-in and manage their business. I don't want to focus on the details of the app as it is not relevant (I think) because this is more of a qualitative question.
I am using Azure AD (App Registrations) for both the Blazor WASM and API. I am comfortable creating and utilizing those. What I am trying to understand is how to not allow customers to see each other's data by using purely just Azure AD.
Example:
Customer User A from business X logs into the app. They are redirected to myapp.com/Business-X
The Roles I have right now in Azure AD are User.Read, User.ReadWrite and User.Admin
Customer User B from business Y logs into the app and is redirected to myapp.com/Business-Y
Nothing is preventing User A from changing their URL to myapp.com/Business-Y and have the same role in another business' app. I understand that I can change my Roles in Azure AD to be User.Read.X, User.ReadWrite.X, User.Admin.X, User.Read.Y, User.ReadWrite.Y, User.Admin.Y etc. but imagine if I have hundreds of customer's let's say, that is unmanageable and my blazor code will just be a mess.
Is there a better/smarter way to do this? For example I can keep the current simplified roles and add users to a database where I map them to the business they have access to but is that secure? I suspect using a database to store this does not sound right because it feels that Azure AD can do this and I just don't know how.
Thank you again!
• Yes, you can surely do restrict the users access to a particular application registered in Azure AD by ensuring these applications are also registered as ‘Enterprise Applications’ in Azure AD. Once, these applications are shown up in ‘Enterprise Applications’ in Azure AD, then you can configure them to require assignment for a particular set of users only by ensuring that the required users only have access to that application. To enable user assignment and assign users for that application in Azure AD, you should have ‘Global Administrator, Application Administrator or Cloud Administrator’ directory roles assigned to your ID.
Please find the snapshots below for more information in this regard: -
Also, once you have configured the above, you should ensure to create a custom role at the directory-level and assign it the required permissions as then this role would be assigned to all the users and these users then individually can be assigned to the required application, thus ensuring that only specific users are allowed to access the assigned app.
Please note that tenant wide admin consent is granted to apps that would require assignment. Kindly refer to the below link for more information: -
https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-restrict-your-app-to-a-set-of-users#update-the-app-to-require-user-assignment
I've registered a single application in Azure AD for the following reasons.
Azure AD SSO (From Any Azure AD directory)
Read users, groups, and their members
Provided following permissions and granted admin consent.
NOTE: We still depend on some of the Azure AD Graph API. So, we have added the legacy API permissions.
I can able to contact the Azure AD using REST API and get the user, groups and other information.
When I try to sign in to the application from any other directory, I'm getting the following consent screen. I can able to provide the consent and proceed to log in.
But, when I try to login into the same directory, I'm not getting the consent screen even when I logged in with the Azure AD admin. Stuck in the following screen.
When I register separate applications for SSO and REST APIs, this issue doesn't occur.
I would like to know why I'm stuck in the above screen when combining both SSO and REST API permissions.
• Please check whether the correct Azure AD roles have been assigned to your account ID, i.e., Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the app object through the as one of these is needed for you to access the application. Also, ensure that you have assigned your account ID the correct app role assignment for the admin consent to be allowed during the SSO signup process as below: -
You can check the app role assignments for your account ID through the Enterprise application blade and searching your application there, then opening it and selecting the users and groups blade, check the app role assignment that your account ID has to that application while also, giving ‘Azure Service Management’ api permissions for user_impersonification as below, thus ensuring that you account ID will be having correct API permissions.
Once, the above settings are configured correctly, you should be able to access the application through your admin credentials.
I'v chalange to build applicatiin using asp.net core integrated with azure AD and One Drive...i can get acces one drive/office 365 with sdk..but, for setting priviledge and all configuration must be in portal azure for user Azure on AD(active directory)..it posible to setup permission and all configuration on my website application, it is possible or not...so, i can manage from my application not from azure portal again...my question is possible or not..
I was trying looking for on website microsoft, but I not found the information for my case,.....thanks advance..please share me link
Azure AD V2.0 allows an app to request permissions dynamically through the scope parameter gives developers full control over your user's experience.
GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
client_id=xxxxxxe&scope=https://graph.windows.net/directory.read%20https://graph.windows.net/directory.write
The scope parameter indicates which resource and permissions the app is requesting authorization. If the permissions need admin consent , it's better to set those permissions for apps in the app registration portal if you need an admin to give consent on behalf of the entire organization. This reduces the cycles required by the organization admin to set up the application.
You can refer to this document and the code samples : https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2
I'm using AngularJS Adal plugin to handle login on my page, with Azure AD.
I got everything working and it's great, one problem I have is, I would like to restrict who in Azure AD can use the login, is this possible?
Thanks,
Feeloor
To restrict the users for the apps which protected by the Azure AD, we can config the app to enable the ‘User assignment required to access app’ on the portal like figure below:
Then we can assign/remove the users who you doesn’t want to use the app at the users tab like below:
You can use Azure AD to manage access to resources such as your application. You can give specific users access or control access via groups where all members of a group are given access.
Here are some useful links to get you started
Managing access to resources with Azure AD
Using a group to manage access
iam currently researching how to implement Single Sign On for our WebService.
This is what i came up with so far.
If a customer of our WebService has an AzureActiveDirectory they can log on with their active directory user account to our WebService if we provide the nessecary interfaces for SAML, Oauth2, OpenID or whatever authorization protocoll we chose and azure supports.
The customers could also have their local network Active Directory synced to their Azure AD and use their Domain accounts to log on to our WebApplication.
Customers need to use the myapps.microsoft.com portal to "wrap" authentication.
Once everything is set up correctly the Identity Provider (AzureAD) would provide use with (e.g) an authenticated User Identity.
Here is were my problem begins.
Of course i need to somehow map the identity provided by the AzureAD to a certain Account for our WebService - we cannot simply use the provided identity.
As far as i understand it, you can grant AzureAD the right to create an Account on the target WebService in the name of the user which is currently signing in.
(Its called : enabling automatic user provisioning in the azure management portal).
However, when testing this with the Box, Canvas or Google apps i failed. Either i got an error or in the case of google apps i was just promted to login with my azure AD test account and then asked for a password and username of my google account (i set up SSO as an azure AD trust relation- so this should not happen)
Can someone provide some insights on how to accomplish the following?
Once the user is authenticated by SSO I want to create an account for our WebSerivce and then save the credentials for that user only in the Active directory of that particular user.
So if the user logs in the second time we can check wether there is an account already existing and log in the user with this account.
(I was told by microsoft that this might be possible with Azure Rights Management, but i cannot really find good documentation on that)
Storing the relationship: "Microsoft AD Identity <-> our WebServiceAccount Credentials" on our side is not desired because we cannot securly encrypt the data in a way that we DONT know whats in there. (or there is , and i dont know of it yet)
"Bonus Question":
Can i support SSO for a desktop application too? (Do i need a provide proxy web application or can the desktop app do this directly?)
Please see my answer to a similar question here: asp.net azure active directory user profile data
However - I'm trying to understand if you need something different. Are you expecting your customers to already have a directory and Azure AD accounts (maybe through having Office 365 subscriptions), and use those to sign in to your web app, or does your app scenario require creation/provisioning of user accounts into your customer's Azure AD directory? Provisioning can be done through graph API (as per your link), as long as the admin of your customer grants consent to allow your app to write to their directory. You can find some samples on github, and I recommend you look through https://msdn.microsoft.com/en-us/library/azure/dn499820.aspx and https://msdn.microsoft.com/en-us/library/azure/dn646737.aspx for code samples.
HTHs,
I think, without testing it. That using the Graph API enables me to save custom data for any Directory User effectively enabling my desired functionality.
This is the documentation i found very usefull.
https://msdn.microsoft.com/en-us/library/hh974476.aspx