Azure AD and Office 365 authorization/authentication flow - azure

I have a silly doubt related to Azure AD authentication and Office 365 provider-hosted app/add-in authentication. Mainly there are two authentication ways for Azure AD resource access:
Authorization Grant flow ( user based /delegated permission )
Client Credential flow (app-only /admin consent)
Which of the above is used by a provider-hosted add-in for authorization/authentication?
If none of the above, then what kind of flow does it use to authorize/authenticate users against Azure AD?
Under the permission section of the provider-hosted add-in, there is a check box for app only. Is it the same as Client Credential flow app-only, or related to the Azure AD app-only grant flow in any other way?

Azure AD B2C with Microsoft account and Sign in user

I am getting this error when configuring an asp.net core app to use Azure AD B2C authentication with Microsoft Account as external identity provider.
AADSTS70000121: The passed grant is from a personal Microsoft account and is required to be sent to the /consumers or /common endpoint.
As per my findings on SO and Microsoft documentation on the same, it points to using the following as authority in appsettings.json:
"Authority": "https://login.microsoftonline.com/common",
The common endpoint is suggested by the Azure AD B2C documentation when you use Microsoft Account as an identity provider.
While registering an application in Azure AD b2c tenant, I use following as Supported account types:
Accounts in any identity provider or organizational directory (for authenticating users with user flows)
So it seems all is configured properly, but still the error suggests that I am not using the common endpoint, which in fact I am using.
Links I followed:
How to access AzureRM with an AzureAD Multi-Tenant App using personal Microsoft account?
Error getting SAML Metadata for Azure AD B2C Policy - AADB2C90022
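The AADSTS70000121 message above says where a personal-account grant has to be sent, so the first thing to check is which endpoint a configured authority actually points at. The helper below is an added example (not from the question or from Microsoft) that classifies an authority URL by its shape: the tenant segments of login.microsoftonline.com and the documented B2C form `https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}`. The sample URLs are constructed; nothing is sent over the network.

```python
from urllib.parse import urlparse

# Tenant segments of login.microsoftonline.com that accept personal Microsoft accounts (MSA).
MSA_SEGMENTS = {"common", "consumers"}


def classify_authority(authority: str) -> dict:
    """Describe an Azure AD / Azure AD B2C authority URL without contacting it.

    Returns the authority kind, the tenant segment, the B2C policy (if any) and
    whether a personal Microsoft account grant can be sent to it directly.
    """
    parts = urlparse(authority)
    host = parts.netloc.lower()
    segments = [s for s in parts.path.split("/") if s]

    if host.endswith(".b2clogin.com"):
        # B2C: https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}[/v2.0]
        policy = next((s for s in segments if s.lower().startswith("b2c_1")), None)
        return {
            "kind": "b2c",
            "tenant": segments[0] if segments else None,
            "policy": policy,
            # An MSA grant never goes to B2C directly; B2C exchanges it with the
            # identity provider configured in the policy (that is where /common applies).
            "accepts_personal_accounts_directly": False,
        }

    if host == "login.microsoftonline.com":
        tenant = segments[0].lower() if segments else None
        if tenant in MSA_SEGMENTS or tenant == "organizations":
            kind = tenant
        elif tenant:
            kind = "tenant"          # a tenant GUID or verified domain name
        else:
            kind = "unknown"
        return {
            "kind": kind,
            "tenant": tenant,
            "policy": None,
            "accepts_personal_accounts_directly": tenant in MSA_SEGMENTS,
        }

    return {"kind": "unknown", "tenant": None, "policy": None,
            "accepts_personal_accounts_directly": False}


# Constructed sample authorities (placeholder tenant names, not real tenants).
SAMPLES = [
    "https://login.microsoftonline.com/common",
    "https://login.microsoftonline.com/consumers",
    "https://login.microsoftonline.com/organizations",
    "https://login.microsoftonline.com/contoso-placeholder.onmicrosoft.com",
    "https://contoso-placeholder.b2clogin.com/contoso-placeholder.onmicrosoft.com/B2C_1_signupsignin/v2.0",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", classify_authority(url))
```

Run it against the value of `Authority` in appsettings.json: a B2C application is expected to report `kind: b2c` with a policy, whereas a plain `common` result means the app is talking to Azure AD itself rather than to the B2C tenant.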

Using both Azure AD and Azure AD B2C to authenticate with SSO

My Azure web application will have both internal and external users. The requirements regarding authentication are:
Internal users authenticate with their domain accounts (with SSO)
External users authenticate through Azure AD B2C (we need to create accounts for them)
How can I set up such scenario?
Regards
George
If your internal users are using Azure AD - simple - you add your corporate AAD as Identity provider to your B2C.
There are various ways to do this. So start here.
If your internal users do not have Microsoft 365 (Azure AD), and you only have on-premises AD DS infrastructure - ... move to Cloud, things will be so much easier. If not, you need at least ADFS, then you can hook up ADFS as Identity Provider in your B2C.
There is no way to make Windows Integrated Authentication and Claims Based authentication at the same time for the app.

Web application authenticating ADFS connected to Azure AD with the OAuth 2.0 authorization flow

I must preface by stating that I am not an expert in Microsoft AD, Azure AD, and Office 365. I've read scores of Microsoft documentation, support and Stackoverflow posts and have not been able to find an answer to this specific question.
I have a web application that has an option for users "Sign in with Office365". This was implemented using Microsoft's ADAL library and the OAuth 2.0 authorization flow.
I have a customer who uses ADFS and Azure Active Directory together (Federated Identity in this document). They are federating their users' sign-ins with AD FS, which delegates authentication to an on-premises server that validates user credentials, which in turn allows their users to access Office365 and other cloud services.
Their on-premise AD syncs with Azure AD and does not sync passwords.
My question is two fold:
1) Will the standard implementation of the OAuth 2.0 authorization flow work with this setup? Will Azure AD know to go to ADFS to do the authentication?
2) Is it possible to leverage Azure AD and the OAuth 2.0 authorization flow as an IDP proxy to ADFS?
1) Will the standard implementation of the OAuth 2.0 authorization flow work with this setup? Will Azure AD know to go to ADFS to do the authentication?
Yes, this works very well, as long as you have set up the federation with a verified custom domain using Azure AD Connect (Federated Identity in this document). I have live examples of it with a web application that uses the OAuth 2.0 Authorization flow (without requiring anything special from the web application code/configuration standpoint).
Flow is that you go to the Microsoft login page first > on selecting the work/school account and specifying user name > you get the ADFS login page > after entering credentials here, it continues just like a normal Azure AD account would.
2) Is it possible to leverage Azure AD and the OAuth 2.0 authorization flow as an IDP proxy to ADFS?
In a way yes. Although it's not a regular Federation trust setup with certificates being exchanged, as you have to use AzureAD connect instead, like you mentioned in the link above (Federated Identity in this document).

API authentication for Azure AD B2C users?

Is there a back-end API available to programmatically authenticate the external user against the Azure AD B2C instance by passing in the user credentials from within an MVC web application (without showing the login page), as we do from a Native Client like a console application?
Authentication through a back-end API that accepts user credentials is achieved through the OAuth Resource Owner Password Grant.
Azure AD B2C does not support the "Resource Owner Password Grant" yet.
You can support this feature ask and get updates on its progress by voting for it in the Azure AD B2C feedback forum: Add support for Resource Owner Password Credentials flow in Azure AD B2C.

AAD Multitenant App support login for all Microsoft accounts

I am trying to create a multi-tenant application in Azure AD, which can log in all users like Microsoft live/hotmail and also get the access permissions to access their management resource APIs. I can get work accounts from other domains to log in, but not live accounts. I get this error:
User account 'mitesh_***#live.com' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application '382dfccb-33af-4567-90cd********' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
I have heard of the MSAL v2 endpoint to log in both types of accounts, but I heard that this endpoint doesn't support permissions to access Resource management libraries yet.
Is there any way to achieve this with ADAL or any other way?
Thanks,
Mitesh
The Azure AD v2.0 endpoint supports both personal Microsoft accounts and work accounts from Azure Active Directory. But the v2.0 endpoint issues access tokens only for:
- The app that requested the token. An app can acquire an access token for itself, if the logical app is composed of several different components or tiers.
- The Outlook Mail, Calendar, and Contacts REST APIs, all of which are located at https://outlook.office.com.
- Microsoft Graph APIs. You can learn more about Microsoft Graph and the data that is available to you.
The v2.0 endpoint doesn't support management APIs. And the Azure AD v1.0 endpoint supports work accounts only, unless Microsoft accounts are added as external users in the tenant first. In my opinion, currently there is no other way or workaround to achieve your requirement.
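Two of the questions on this page come down to reading claims out of a token: the first asks how a delegated (authorization code) grant differs from an app-only (client credentials) grant, and the answer just above turns on which endpoint version issued the token and which identity provider the account came from. The script below is an added example, not code from any of the posters or from Microsoft's libraries. It decodes a JWT payload for diagnosis only (no signature check), then reports the claims Azure AD uses for those distinctions: `ver` ("1.0" or "2.0"), `tid`, `idp` (emitted when the account's identity provider differs from the issuer; `live.com` for a personal account, matching the error message quoted in the question), and `scp` versus `roles` (delegated tokens list scopes in `scp`; app-only tokens carry `roles` and no `scp`). The two sample tokens are constructed in the script with placeholder tenant ids and are unsigned, so any real validator would reject them.

```python
import base64
import json


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWTs strip base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying it.

    Diagnosis only: an authorization decision needs signature, issuer, audience
    and expiry validation by a proper token library.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def describe_token(token: str) -> dict:
    """Summarise the claims that tell which endpoint and which grant produced a token."""
    c = decode_claims(token)
    delegated = "scp" in c  # delegated tokens list scopes in 'scp'; app-only tokens use 'roles'
    return {
        "endpoint_version": c.get("ver"),                 # "1.0" or "2.0"
        "tenant": c.get("tid"),
        # 'idp' is present only when it differs from the issuer, e.g. 'live.com' for a
        # personal Microsoft account signed in through an organisational tenant.
        "identity_provider": c.get("idp", c.get("iss")),
        "flow": "delegated" if delegated else "app-only",
        "permissions": c.get("scp", "").split() if delegated else list(c.get("roles", [])),
        "audience": c.get("aud"),
    }


def make_sample_token(claims: dict) -> str:
    """Build an UNSIGNED token carrying the given claims, purely as constructed sample input."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."   # empty signature segment: never accepted by a validator


FAKE_TENANT = "00000000-0000-0000-0000-000000000001"  # placeholder, not a real tenant id

# Constructed: a v1.0 delegated token for a personal account (idp=live.com) against ARM.
SAMPLE_DELEGATED_V1 = make_sample_token({
    "ver": "1.0",
    "iss": f"https://sts.windows.net/{FAKE_TENANT}/",
    "tid": FAKE_TENANT,
    "idp": "live.com",
    "aud": "https://management.azure.com/",
    "scp": "user_impersonation",
    "name": "Sample User",
})

# Constructed: a v2.0 app-only token (client credentials) for Microsoft Graph.
SAMPLE_APP_ONLY_V2 = make_sample_token({
    "ver": "2.0",
    "iss": f"https://login.microsoftonline.com/{FAKE_TENANT}/v2.0",
    "tid": FAKE_TENANT,
    "aud": "https://graph.microsoft.com",
    "roles": ["User.Read.All"],
})

if __name__ == "__main__":
    for name, tok in (("delegated v1", SAMPLE_DELEGATED_V1), ("app-only v2", SAMPLE_APP_ONLY_V2)):
        print(name, "->", describe_token(tok))
```

Paste a real access token in place of the constructed samples to see which endpoint version and grant produced it; the `identity_provider` field is the one that explains the "from identity provider 'live.com'" wording in the error above.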