Azure AD Auth allow login without domain in username - azure

I have a web app that is using an Azure AD to hold user accounts and allow authentication. The app has some internal users that are able to authenticate, but I also want to allow external users into the app (customers external to the company).
I am able to do this, but only by creating users that have "@mydomain.onmicrosoft.com" in the username. That is fine I guess... but can I configure the sign-on page somehow to not require the user to type this in?
Ex: if a username is "joe.bob@mydomain.onmicrosoft.com" I want them to be able to log in with a username of "joe.bob" and that's it!
Full disclosure: there is another question like this: Logging into Azure Active Directory without a Domain Name, and I've posted a comment asking if anything has changed since the question was active (2014). So if this is a duplicate question, then so be it, but I am wanting to know if there are any new developments (pun intended) regarding this.

Based on the description, you want to collaborate with external users. However, you created an account in the tenant directly. There are some differences between Azure AD users and external users; for more detail refer to this link.
And AFAIK, Azure Active Directory still doesn't support logging in with a username without the domain name at present.
However, Azure AD B2C also provides the feature to work with external users and it allows Local Accounts to log in with either email address and password, or username and password (refer here). You may consider using Azure AD B2C if you want to log in without the domain name.
The link below is also helpful for learning the difference between B2B collaboration and B2C:
Compare B2B collaboration and B2C in Azure Active Directory
In addition, if you have any idea or feedback about Azure AD, you can submit it from here.

Related

Azure Active Directory B2B Alternate Login ID

We want to use Azure AD as the Identity Provider for users in a web application. At the moment, we have everything set up using MSAL.js 2.0 with the Auth Code Flow, a custom scope, and access token which is used to authenticate requests towards our various backend services.
The issue is that our users want to be able to log in with their own custom email addresses, instead of their login ids generated by AD with the @onmicrosoft.com domain. For example, user1@some-organization.com or user2@some-other-organization.
It would still be okay to accept the login ids as usernames as well, but surely there must be a way to allow users to use another property of the profile (their alternate email for example) to log in.
Our application is registered to AD such that it will allow only logins from one tenant, since we don't want to require users to already have existing Microsoft Accounts.
We're avoiding B2C because some users would face issues with their company policies, which would mean they could be invited as users, but would be rejected at login. Also, B2C does not really support Roles like B2B does, which is somewhat important for us.
Any guidance will be greatly appreciated.
EDIT:
After countless hours of attempting to make this work, I decided that it just isn't worth the effort, and switched to Auth0. They provide everything I could possibly want, and seemingly even better Azure AD integration to other tenants than Azure AD itself.
I think what you want to express is that you want to log in to your application with any email (including personal accounts and social accounts).
If so, then you need to modify the application's manifest configuration and then change the /tenant id endpoint to the /common endpoint.
To change the setting for an existing AD App, navigate to the Manifest blade of it in the portal, find the signInAudience attribute, set it with AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.
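The answer above changes two things at once: the app's signInAudience in the manifest and the authority the client talks to. The following is an added example (not code from the original post, from MSAL.js or from Microsoft) showing how the four manifest values map to the MSAL.js 2.0 authority, and the tenant check an app must do itself once it moves from /{tenant id} to /common, because the shared endpoint issues tokens for any Azure AD tenant and the issuer then carries that tenant's id. Tenant ids, the client id and the token payload are constructed values.

```javascript
// Added example: signInAudience -> MSAL.js 2.0 authority, plus the
// tenant allow-list check an app needs after switching to /common.
// All ids below are constructed, not real tenants or apps.

const LOGIN_HOST = "https://login.microsoftonline.com";

// Manifest signInAudience value -> the authority that matches it.
// "AzureADMyOrg" keeps the single-tenant authority (/{tenantId});
// the other three are multi-tenant and use the shared endpoints.
function authorityFor(signInAudience, tenantId) {
  switch (signInAudience) {
    case "AzureADMyOrg":
      if (!tenantId) throw new Error("AzureADMyOrg requires a tenantId");
      return `${LOGIN_HOST}/${tenantId}`;
    case "AzureADMultipleOrgs":
      return `${LOGIN_HOST}/organizations`;
    case "AzureADandPersonalMicrosoftAccount":
      return `${LOGIN_HOST}/common`;
    case "PersonalMicrosoftAccount":
      return `${LOGIN_HOST}/consumers`;
    default:
      throw new Error(`unknown signInAudience: ${signInAudience}`);
  }
}

// Plain config object; in a real app pass it to
// new PublicClientApplication(config) from @azure/msal-browser.
function msalConfig(clientId, signInAudience, tenantId, redirectUri) {
  return {
    auth: { clientId, authority: authorityFor(signInAudience, tenantId), redirectUri },
  };
}

// base64url helpers (Node Buffer; use btoa/atob in the browser).
function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj), "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Decodes a JWT payload without verifying the signature: MSAL.js has
// already validated the id token it hands back, and this helper only
// exists so the allow-list check below can be exercised offline.
function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, "base64").toString("utf8"));
}

// With /common or /organizations the v2.0 issuer is
// https://login.microsoftonline.com/{tid}/v2.0 for whichever tenant the
// user came from. An app that should only admit a few tenants has to
// check the tid claim itself; the authority no longer does it.
function tenantAllowed(idTokenClaims, allowedTenantIds) {
  const tid = idTokenClaims.tid;
  if (typeof tid !== "string" || !allowedTenantIds.includes(tid)) return false;
  return idTokenClaims.iss === `${LOGIN_HOST}/${tid}/v2.0`;
}

// Demo with constructed values.
const DEMO_TENANT = "11111111-2222-3333-4444-555555555555";
const demoConfig = msalConfig("00000000-0000-0000-0000-000000000000",
  "AzureADandPersonalMicrosoftAccount", null, "http://localhost:3000/");
const demoToken = "hdr." + base64UrlEncode({
  tid: DEMO_TENANT, iss: `${LOGIN_HOST}/${DEMO_TENANT}/v2.0`, preferred_username: "user1@some-organization.com",
}) + ".sig";
console.log(demoConfig.auth.authority);
console.log(tenantAllowed(decodeJwtPayload(demoToken), [DEMO_TENANT]));
```

The allow-list is the part people forget: once the authority is /common, a token from any tenant is signed by Microsoft and passes MSAL's checks, so the decision about which tenants may use the app has to live in the app (or in the API that validates the access token).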

Active Directory administrative tools - Users can't login

I needed to have a custom OU (long story, but to integrate a legacy app with Azure AD that uses LDAP to look for users in specific OUs).
So I added the custom OU using Active Directory remote administrative tools following the advice here: Microsoft document
I have added the custom OUs and added users into them; so far so good.
The only issue is I can't log in with any users added through the VM. When I try to log in to Azure I get this error: (This username may be incorrect. Make sure you typed it correctly. Otherwise, contact your admin.)
Any ideas why this is the case? Is this by design?
Or maybe I am not entering something that is required (although the domain and all the details match, and the user is added to the Domain Users group).
When you add custom OUs in Azure AD Domain Services (AAD DS) there are limitations on objects added to those custom OUs, such as... exactly what you mentioned. Those users are not available in Azure AD, only to the AAD DS connected devices. It's like a local domain user.
https://learn.microsoft.com/en-us/azure/active-directory-domain-services/create-ou#custom-ou-considerations-and-limitations
User accounts, groups, service accounts, and computer objects that you create under custom OUs aren't available in your Azure AD tenant. These objects don't show up using the Microsoft Graph API or in the Azure AD UI; they're only available in your managed domain.

Sign-in to B2C using either Personal or Work or School email address

I am currently working on a B2C setup for my company.
In our Azure AD account, I have an email, say myemail@mycompany.com, which has a password.
I also have a Microsoft Live account using the same email, myemail@mycompany.com, which has a different password.
I have created a B2C setup using the following documentation.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-msa-app
https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-setup-msa-app/
https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-app-registration/
After doing the B2C setup, I am able to obtain a link; below is an example.
https://login.microsoftonline.com/mycompany.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_signin1&client_Id=&nonce=defaultNonce&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F&response_mode=form_post&scope=openid&response_type=id_token&prompt=login
In my Azure setup, I already have both emails (Azure AD and Microsoft Live) added to my list of users.
My problem is, when I use the link generated from my B2C setup, it only seems to allow me to sign in using the Microsoft Live account (which has a different password from my Azure AD account).
Is there a way, or a configuration, which will allow my B2C setup to invoke the sign in page to choose either my Personal (Microsoft Live account) or work or school (Azure AD) account?
At the moment, B2C does not properly support work accounts from AAD (ironic, eh?). You're correct in that personal accounts from MSA work just fine.
In B2C, you can add "local accounts" as an IDP, which will allow users listed in your tenant to sign into the app. I can't actually recall if that local account option allows you to sign in with a work account in your B2C tenant. You could give it a try if that's what you need. Most people however need proper support for AAD tenants, where work accounts are a dedicated option on the "IDP selection" screen. B2C doesn't have that today.
I do have a scratched together sample .NET app on my GitHub that shows how you can add support for work accounts and B2C in the same app. It's not pretty, but it works.
As for the same email/different password problem. Even adding the above support won't help. We don't expect that users will really be able to decipher a "work Microsoft account" button from a "personal Microsoft account" button. So, we are doing work to eliminate these situations, by limiting the number of users who get into such a situation and by providing an account linking option for those that are.
We do plan to support AAD work accounts in the near future. Sometimes your own family members are the hardest to work with.
If you feel so inclined, you can add your feature requests to https://feedback.azure.com/forums/169401-azure-active-directory/category/160596-b2c

Securing REST WebApi2 service with Azure Active Directory

I am currently developing a WebApi 2 service which is hosted in Azure. I now need to add authentication and ideally authorization to this service. I was expecting to be able to do this with Azure Active Directory but have a number of questions:
Will my users have to log in via the standard Azure sign-in portal?
Will my users be forced to use specific email domains (i.e. microsoft) when creating an account?
Will I be able to programmatically add a user into the directory along with authorization info (aka rights management)?
Will I programmatically be able to modify a user's details, such as a forgotten password etc.?
Sorry for the general question, but I am stuck trying to find out if I am looking at the right technology to be able to meet these requirements. If not, would really appreciate any suggestions on what to use instead.
Will my users have to log in via the standard Azure sign-in portal?
Yes, but the branding of the portal can be changed in the Basic and Premium editions of Azure AD.
Will my users be forced to use specific email domains (i.e. microsoft) when creating an account?
No, you can register your own domain and associate it with a directory. Or you can sync on-premises accounts to an Azure AD directory and use those email addresses.
Will I be able to programmatically add a user into the directory along with authorization info (aka rights management)?
Yes, using the Graph API you can create and manage users. You can also assign them roles or make them part of a security group.
Will I programmatically be able to modify a user's details, such as a forgotten password etc.?
Yes, using the Graph API.
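To make the last two answers concrete, here is an added example (not code from the original answer, from Microsoft's Graph SDKs or from the asker's service) that builds the Microsoft Graph v1.0 requests for the three operations mentioned: creating a user, putting that user in a security group for authorization, and resetting a forgotten password. The requests are built as plain objects so they can be checked without a tenant; the verified domain list, object ids and temporary password are constructed values, and the `send` helper is assumed to receive an access token from the app's own token acquisition.

```javascript
// Added example: request builders for Microsoft Graph user management.
// Domains, ids and passwords below are constructed, not real values.

const GRAPH = "https://graph.microsoft.com/v1.0";

// Domains the tenant has verified (constructed). Graph rejects a UPN
// whose suffix is not verified; checking first gives a clearer error
// and keeps a typo from creating the account under the wrong domain.
const VERIFIED_DOMAINS = ["contoso.example", "contoso.onmicrosoft.com"];

function upnDomain(upn) {
  const at = upn.lastIndexOf("@");
  return at < 0 ? null : upn.slice(at + 1).toLowerCase();
}

// POST /users: the four required properties plus a temporary password
// that the user must replace at first sign-in.
function buildCreateUserRequest({ displayName, mailNickname, upn, tempPassword },
                                verifiedDomains = VERIFIED_DOMAINS) {
  const domain = upnDomain(upn);
  if (!domain || !verifiedDomains.includes(domain)) {
    throw new Error(`userPrincipalName ${upn} is not in a verified domain`);
  }
  return {
    method: "POST",
    url: `${GRAPH}/users`,
    body: {
      accountEnabled: true,
      displayName,
      mailNickname,
      userPrincipalName: upn,
      passwordProfile: { forceChangePasswordNextSignIn: true, password: tempPassword },
    },
  };
}

// Authorization by group membership: POST /groups/{id}/members/$ref
// with the directoryObject reference of the new user. The API can then
// check the groups claim in the token or query Graph for membership.
function buildAddToGroupRequest(groupId, userObjectId) {
  return {
    method: "POST",
    url: `${GRAPH}/groups/${encodeURIComponent(groupId)}/members/$ref`,
    body: { "@odata.id": `${GRAPH}/directoryObjects/${userObjectId}` },
  };
}

// Admin-driven reset for the "forgotten password" case: PATCH the
// passwordProfile and again force a change at next sign-in, so the
// temporary value is only ever used once.
function buildPasswordResetRequest(userIdOrUpn, tempPassword) {
  return {
    method: "PATCH",
    url: `${GRAPH}/users/${encodeURIComponent(userIdOrUpn)}`,
    body: { passwordProfile: { forceChangePasswordNextSignIn: true, password: tempPassword } },
  };
}

// Sends a built request. accessToken comes from the app's own token
// acquisition (assumed, not shown); not called here so this runs offline.
async function send(request, accessToken) {
  const res = await fetch(request.url, {
    method: request.method,
    headers: { Authorization: `Bearer ${accessToken}`, "Content-Type": "application/json" },
    body: JSON.stringify(request.body),
  });
  if (!res.ok) throw new Error(`Graph ${request.method} ${request.url} failed: ${res.status}`);
  return res.status === 204 ? null : res.json();
}

// Demo with constructed values.
const demoCreate = buildCreateUserRequest({
  displayName: "Joe Bob", mailNickname: "joe.bob",
  upn: "joe.bob@contoso.example", tempPassword: "Temp-Pass-Example-1",
});
console.log(demoCreate.method, demoCreate.url);
console.log(buildAddToGroupRequest("group-object-id", "user-object-id").body["@odata.id"]);
```

The app registration calling these needs application permissions such as User.ReadWrite.All and GroupMember.ReadWrite.All granted by an admin, and resetting another user's password additionally requires an appropriate directory role; the builders above only shape the requests, they do not grant anything.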

Azure Active Directory SSO - Account Mapping

I am currently researching how to implement Single Sign On for our WebService.
This is what I came up with so far.
If a customer of our WebService has an Azure Active Directory they can log on with their Active Directory user account to our WebService if we provide the necessary interfaces for SAML, OAuth2, OpenID or whatever authorization protocol we choose and Azure supports.
The customers could also have their local network Active Directory synced to their Azure AD and use their domain accounts to log on to our web application.
Customers need to use the myapps.microsoft.com portal to "wrap" authentication.
Once everything is set up correctly the Identity Provider (Azure AD) would provide us with (e.g.) an authenticated user identity.
Here is where my problem begins.
Of course I need to somehow map the identity provided by Azure AD to a certain account for our WebService; we cannot simply use the provided identity.
As far as I understand it, you can grant Azure AD the right to create an account on the target WebService in the name of the user who is currently signing in.
(It's called: enabling automatic user provisioning in the Azure management portal).
However, when testing this with the Box, Canvas or Google Apps I failed. Either I got an error or, in the case of Google Apps, I was just prompted to log in with my Azure AD test account and then asked for a password and username of my Google account (I set up SSO as an Azure AD trust relation, so this should not happen).
Can someone provide some insights on how to accomplish the following?
Once the user is authenticated by SSO I want to create an account for our WebService and then save the credentials for that user only in the Active Directory of that particular user.
So if the user logs in a second time we can check whether there is an account already existing and log in the user with this account.
(I was told by Microsoft that this might be possible with Azure Rights Management, but I cannot really find good documentation on that.)
Storing the relationship "Microsoft AD Identity <-> our WebService account credentials" on our side is not desired because we cannot securely encrypt the data in a way that we DON'T know what's in there (or there is, and I don't know of it yet).
"Bonus Question":
Can I support SSO for a desktop application too? (Do I need to provide a proxy web application, or can the desktop app do this directly?)
Please see my answer to a similar question here: asp.net azure active directory user profile data
However - I'm trying to understand if you need something different. Are you expecting your customers to already have a directory and Azure AD accounts (maybe through having Office 365 subscriptions), and use those to sign in to your web app, or does your app scenario require creation/provisioning of user accounts into your customer's Azure AD directory? Provisioning can be done through graph API (as per your link), as long as the admin of your customer grants consent to allow your app to write to their directory. You can find some samples on github, and I recommend you look through https://msdn.microsoft.com/en-us/library/azure/dn499820.aspx and https://msdn.microsoft.com/en-us/library/azure/dn646737.aspx for code samples.
HTHs,
I think, without testing it, that using the Graph API enables me to save custom data for any directory user, effectively enabling my desired functionality.
This is the documentation I found very useful.
https://msdn.microsoft.com/en-us/library/hh974476.aspx