How to make Azure Native Client Application available to multiple tenants ionic? - azure

I have a IONIC mobile application which using Azure Native App to authenticate Azure and Skype O365 Login.
For my tenant, app works just fine. Now I want my app to be work for multi tenant. How can I make my native app work for multiple tenant.
For Azure login I am using following cordova plugin.
https://github.com/AzureAD/azure-activedirectory-library-for-cordova

If you were using the common for the authority instead of specific tenant there is no need additional operations to work for the multi-tenant since the native app register on Azure portal support multi-tenant by default.
You can refer the document below:
How to sign in any Azure Active Directory (AD) user using the multi-tenant application pattern

Related

Azure Active directory app registration vs enterprise application

I'm really struggling with these Azure AD concepts.
Here is my situation. I have a webapp with users belonging to Companies. I have a requirement that is to be able to authenticate those users through their Companies' Azure AD. Eventually, We would want to offer this in the Azure app gallery in the future.
I started registering the app through App Registration, which gives me the information to integrate using OIDC. We would like to support both, OIDC and SAML protocols (I see that there are apps in the gallery offering both).
I tested OIDC out and it's working correctly, but when I want to develop SAML integration, the documentation says that it has to be done using an enterprise application. I can't edit the SSO section of the enterprise app generated by my registration:
The single sign-on configuration is not available for this application in the Enterprise applications experience. MY APP was created using the App registrations experience.
so I tested creating a new enterprise app. Using this app I can do all the SAML flow correctly.
My questions here are:
Do I have to connect the registrated app with the enterprise app? How I do that?
Why I can't edit the SSO info in the enterprise generated app?
If it's done through the registration app. Where do I set up the SAML endpoints, certificates etc.?
By reading the docs, I understand that enterprise apps are like "an instance of a registered app". That leads me to think that I should configure all in the registered app, but I can't see how to support SAML.
As mentioned by #Srinath Menon in the above answer, If the application was registered using App registrations then the single sign-on capability is configured to use OIDC OAuth by default. In this case, the Single sign-on option won't show, For enterprise applications we have an option.
In both the ways applications are get registered in AAD, and there are two types of objects get created once the app registration is done.
The Application Object is what you see under App Registrations in AAD. The application object describes three aspects of an application: how the service can issue tokens to access the application, resources that the application might need to access, and the actions that the application can take.
. App Registration are basically the apps local to the tenant/organization.
The Service Principal Object is what you see under the Enterprise Registration blade in AAD. Every Application Object would create a corresponding Service Principal Object in the Enterprise Registration blade of AAD. A service principal is created in each tenant where the application is used and references the globally unique app object.
Enterprise apps blade shows global apps (other tenants) which can be configured and used within your tenant/organization.
Reference
Set up SAML-based single sign-on for an application
No, there is no specific reason to connect the 2 apps.
The reason for this is by default "App Registration" is wired for OIDC Auth. https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-saml-single-sign-on
This need to be done from the Enterprise apps for any SAML related functionality.

Create AzureAD app registration when web app is deployed

I understand the concept of AzureAD App Registrations and I'm using it in several projects. Now I need to generate a Web App that should be deployable as a component in any AAD. This Web App should use Azure APIs to discover components in the subscription it is deployed to which I don't know at develop time.
What is the preferred way to accomplish the app registration fully automated at deploy time? I need to register an app in AAD and then to store the informations (App Id, Tenant ID, ...) in my web.config somehow.
The problem is that you can't develop an app that has access to the Azure AD without it being registered first.
The Azure Portal and Powershell have access. Maybe you can use Powershell to script the permission grant in your scenario?
Otherwise, (I did this a while back for a solution) you can create a multi-tenant web app, that your customers' Azure AD tenant administrators can sign in to. With the tenant administrators granting access, the web app can then access their Azure AD graph API and create the required application definition for your application.
In my scenario the Azure AD client application ran on-premise. It required access to the Azure AD graph API and also needed certificate based authentication towards the Outlook 365 Exchange Web Service. So the web app could create the certificate, grant access to the required APIs, and let the user download the certificate, application ID etc. The on-prem app could then use the downloaded file as its configuration for accessing the Azure AD and other APIs.

Azure AD authentication without app registration

I want to access Azure Directories and Subscriptions using my web app hosted on my server but i do not want to register my app in active directory because
i do not have permissions to register my app in active directory
I want to authenticate users from out of my active directory too.
for example following sites let you authenticate any Azure AD user.
https://resources.azure.com/
https://azureiotsuite.com
Please help me to where to start. i have tried Azure AD authentication but it asks you to register your app in Azure AD Apps.
One option is to register your app at https://apps.dev.microsoft.com. (And use the v2 endpoints)
Documentation here: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-appmodel-v2-overview
What you want to make is known as a multi-tenant application. An application to which you can login from any Azure AD tenant.
The first link leads you to create a converged app which allows you to use Microsoft accounts as well as Azure AD accounts to sign in.
If you only want Azure AD accounts, you could just create an Azure AD and register the app there as a multi-tenant app. (And use the v1 endpoints)

Authentication WebAPI service that will use Azure AD and Azure B2B

This isn't a specific problem question but a "cry for help".
My problem is this. Our organization is in the process of implementing Office365.
Until now there were tens of applications with their own authentication and authorization but in the process most of them will be rewritten to use within O365 environment.
We are facing the problem of creating one endpoint (ASP.NET WebAPI app) which will be used to authenticate a user with his credentials from Active Directory (or B2B AD on Azure because some apps are used outside) and tell if this user is allowed to use app that asked to log him.
I'm just wondering through documentations and sample code but can't decide what will be a good practice in this scenario. Should we just build each app and use Azure Active Directory provider to authenticate. Or is it possible to setup ONE api that will hold all apps Ids and its userIds - then it will check user credentials against AD and give app token/cookie...
My best bet is to try this: http://www.tugberkugurlu.com/archive/simple-oauth-server-implementing-a-simple-oauth-server-with-katana-oauth-authorization-server-components-part-1
But create Provider for AzureAD. But then its still question about this B2B AD part.
Please help by pointing to some up to date resources..
You should register each of your B2B application within your Azure Active Directory and configure them to use AAD as the Identity Provider.
Then you can administrate everything you want (e. g. which user has access to which application) within the Azure Active Directory blade from the Azure Portal.
You are getting this backwards. If you have apps integrated with Azure AD you don't have to create endpoint which will validate users right to use apps but you are assigning right to use an app in Azure AD. This is whole point.

Azure mobile services - multiple azure active directories

We want to develop a mobile application which will be used by users in multiple organizations. Each of these organizations will have an Azure Active Directory tenant owned by them. We want to use Azure Mobile Services for authenticating users.
Once the user is authenticated and the mobile app has the JWT token, it will be subsequently sent to our API gateway to access various services.
Is is possible to use Azure mobile service Identity component in such a way that the app can authenticate against multiple Active Directory tenants? In other words can we create a multi-tenant mobile app which can authenticate against multiple Azure Active Directory tenants owned by different organizations?
Azure Active Directory does support development of multi-tenant web apps and there are sample applications available which demonstrates this capability. However is it possible to achieve the same functionality in a mobile app using Azure mobile services?
It is very much possible to build multi-tenant mobile apps backed by Azure Active Directory authentication. However, I doubt if Mobile Service will help here. Rather, I'll recommend creating a WebAPI project with AD authentication and consume those APIs in mobile apps. The samples that you've mentioned can be very much useful.

Resources