I'm using AngularJS Adal plugin to handle login on my page, with Azure AD.
I got everything working and it's great, one problem I have is, I would like to restrict who in Azure AD can use the login, is this possible?
Thanks,
Feeloor
To restrict the users for the apps which protected by the Azure AD, we can config the app to enable the ‘User assignment required to access app’ on the portal like figure below:
Then we can assign/remove the users who you doesn’t want to use the app at the users tab like below:
You can use Azure AD to manage access to resources such as your application. You can give specific users access or control access via groups where all members of a group are given access.
Here are some useful links to get you started
Managing access to resources with Azure AD
Using a group to manage access
Related
I have created a custom MS Teams Message extension app in Teams and successfully published that in Azure, but i have noticed that Azure web app bot where i have added Teams as a Channel, i can access the app out side the organization also.
So is there a way i can restrict it to my AD users and in AD also i need to provide access with specific AD groups.
If I copy the URL and try to open with user not in AD still i can access it.
In this case, you can implement the authentication for you bot/Messaging Extension and make sure your bot/ME is configured for single tenant only.you can not restrict uses to access it for AD Groups
I'm exploring options I have when it comes to implementing user authentication and authorization in Angular app with ASP.NET Core 3.1 backend that will be deployed to Azure AppService.
Only selected, invited users will be allowed to use application. There will be no "Create account" page accessible to everyone. There is a possibility that subset of those users will be our company users so leveraging their Active Directory identity and allowing SSO would be great. Application will be multi-tenant. Multi factor authentication might be needed for selected tenants/users (based on role for example). We don't want to allow logging in with 3rd party Identity Providers like FB, Google and so on.
Based on my explorations on I have 2 (4?) options.
ASP.NET Core Identity - simple, builtin, well known. But probably won't allow me to to implement SSO and users will need another login/pass. I'm not sure if it supports inviting users (out of the box) or is this something I would need to implement myself. Same with password resets. It allows me to add custom properties to stored user entity (TenantId) to allow me to implement multitenancy, but I need to deploy SQL Server database and manage it myself.
Azure AD (B2B, B2C) - this is new to me. How I understand it is that with Azure AD Connect I could synchronize users between AD and Azure AD and this would allow me to implement SSO for our company users. Only selected OU's could be synchronized and based on groups in AD they could be assigned different roles in our app. Then assigning roles is responsibility of people which are already managing those users in AD. If person is released and their account is removed/locked in AD they lose access to our app. If they're removed from specific group they lose access to our app. And probably all our company users are already in Azure AD - I see myself and my colleagues in it when I use my work e-mail to login to Azure portal. When it comes to supporting users which are not in our AD I tested that I can add "Guest users". At first I thought this is something I would need Azure AD B2C for but looks like it's not the case. Then what is Azure B2B and B2C for? In this case I don't need to manage SQL database and have user managment for free. Both on AD and Azure Portal site. I don't know if I can add custom properties to users (TenantId).
Which one of those options is better? Maybe there are other options?
Azure AD B2B is indeed the way to go for your requirements.
B2C is required when you would like to open up your application to external users while allowing them to login using social providers.
You can read more about the differences between Azure AD B2B and B2C.
I have set up a Azure Active Directory App so that I can access the Microsoft Graph API with MSAL. However, I want to perform API calls without a user (https://learn.microsoft.com/en-us/graph/auth-v2-service) and as such I have added a few permissions that require "Admin consent" to my app. However, I cannot find a way to grant my app these permissions.
I've tried looking around the Azure portal for a way to grant these permissions but without success. I have also tried using the https://login.microsoftonline.com/{tenant}/adminconsent&... link to grant permissions, but unsucessfully so.
The response I received was
AADSTS500201: We are unable to issue tokens from this API version for
a Microsoft account. Please contact the application vendor as they
need to use version 2.0 of the protocol to support this.
I do not have an Azure subscription (not even the free one), but seeing as I was able to add apps to Azure AD as well as get access tokens and then make API calls on behalf of the authorized users I assumed I might not need a subscription.
I just made another app and now I have the grant consent button when I open the API Permissions view.
We are working on WEB APIs and want to integrate Azure AD for AuthN and AuthZ. We have successfully integrated the same. We have created enterprise applications, custom roles, assigned users for the same.
Now we need to allow access to APIs with AWS like keys (Secret / Access keys). Individual user can generate their own keys and store those in Azure AD so that when those keys are used, user can be authenticated.
I didn't find any way to achieve this using Azure AD. Any suggestions around same are welcome.
Meanwhile I have gone through custom store for keys. Please refer link : https://www.codeproject.com/Articles/1228892/Securing-ASP-NET-CORE-Web-API-using-Custom-API-Key
Thanks in advance.
Azure AD authentication uses tokens.
So any app wishing to call your API must authenticate with AAD and acquire a token for the API.
If these users are making apps within your organisation, then they can register their app in your AAD and require access to your API. They will create and manage their own keys.
If on the other hand these users are making an app for another organisation, you'll have to make your API a multi-tenant app.
And you'll need to have an on-boarding page in your API through which you will redirect their admin/user to the AAD login page, where they will consent to any permissions your API requires.
After this a service principal is created in their tenant.
Then they can register their client apps and require access to your API.
They will have full control which permissions they want to assign to each app, what roles to give to users etc. But of course the tokens will contain their tenant id so you can filter access on that.
While learning about Azure AD so I can eventually switch our applications to start using that, I noticed that any account that we have, seems to be able to login to the application... I just have a web application on my local PC, and I added it to our Azure AD applications. We have Azure AD syncing with our AD environment. The application doesn't show up on myapps.microsoft.com, which is what I want to happen. The issue is that when I try to login to the application by going to the URL, with a test account, that account is just able to login... After one login, it shows up on that account's myapps page. Why is it just allowing any account to log in? I only have partial access on our Azure portal, and can't even manually give access to applications. Is there some setting that I need to set to only allow access when it is specifically granted to the account? I've been looking around for a while and watching a few videos, but I haven't seen this covered anywhere.
In Azure AD , if you want to restrict access to particular users in the directory , you could try below ways :
Use group claims in Azure AD . In your application , check the group claims in the authenticated user’s claims collection , restrict access base on your requirement .
Set User assignment required? setting( find the setting in Enterprise applications-->Your application -->Properties) to Yes, then users must first be assigned to your application before being able to access it . You could assign default access role to uses who can access your application . Click here for how to assign role to user .