Azure AD application - Can it be part of a Security Group? - azure

I am creating a REST API which I am securing using the OAuth2 client-credentials flow in Azure Active Directory. This requires me to set up the clients who should get access to my API as applications in Azure AD.
I would really like to take the AD thing a step further and have SQL Database access using AD Security Groups.
The question is: can I add an AD application to a security group and get Azure Active Directory login to work?

Related

Okta integration with Azure AD

I am new to Azure as well as Okta, and now I am trying to configure Okta users with Azure AD.
I had created an application under Enterprise Applications in Azure AD and provided access to all users in Azure AD. Now I want to provide access to one of my partners who uses Okta but not Azure AD, so I have to provide access to Okta users to access my application which is in Azure AD.
This question is a little vague, but it sounds like you need to create a guest profile in Azure AD, locked down with RBAC (very important), to allow access specifically to your app. Imho you should let your partner worry about configuring their own Okta application, since you're basically working as their IT team if you start going into their Okta account to make changes. Also, if you break something, it's now your company's problem.

Can we access different Azure AD directories with single Azure AD App

I am currently using an Azure AD app (Client Id and Client Secret) of one directory to get user details and Azure resources of the attached subscription through MS Graph and the Azure Management API. Now I have added one more directory and subscription under my management group. I want to know: if I create a multi-tenant Azure AD app through App registration, can I access the users of the other directory? If yes, what configuration is required?
If you want to use a single Azure AD application to access different Azure AD directories, then you must configure the application as a multi-tenant application, because changing the application to a multi-tenant application allows any tenant to log in.
Next, you need to request the consent of the administrators of the other Azure AD tenants. After admin consent, it will be added to the other organization's tenant as an enterprise application. In addition, different tenants need to use different access tokens.
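The last sentence of that answer, and the client-credentials flow the top question describes, are easy to get wrong in practice: a multi-tenant app has one client ID but must hit a tenant-specific token endpoint, and the token it gets back is only good for that tenant. The following is an added example, not code from either post, showing the per-tenant token request and a client-side check that a cached token's `tid` claim matches the tenant it is about to be used for. All identifiers (tenant IDs, client ID, the sample tokens) are constructed, and the JWT builder exists only so the example runs offline; signature and issuer validation are still the resource server's job.

```python
"""Per-tenant client-credentials requests and a `tid` sanity check.

Added example; tenant IDs, client ID and tokens below are made up.
"""
import base64
import json
from urllib.parse import urlencode

# Constructed sample values, not real identifiers.
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
TENANT_A = "aaaaaaaa-0000-0000-0000-000000000001"
TENANT_B = "bbbbbbbb-0000-0000-0000-000000000002"


def token_request(tenant_id: str, client_id: str, client_secret: str,
                  scope: str) -> tuple[str, str]:
    """Return (url, form-encoded body) for the v2.0 client-credentials grant.

    The token endpoint is tenant-specific: for a multi-tenant app, each
    tenant that granted admin consent gets its own request, and the token
    that comes back is only valid for that tenant's resources.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    })
    return url, body


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; add it back before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_tenant(access_token: str) -> str:
    """Read the `tid` claim from a JWT payload.

    No signature check here: this is only the client-side check that it
    pulled the right token out of its cache, not token validation.
    """
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    return payload["tid"]


def pick_token(token_cache: dict[str, str], tenant_id: str) -> str:
    """Select the cached token for `tenant_id`.

    Refuses a token whose `tid` claim does not match rather than silently
    sending tenant A's token to tenant B's resources.
    """
    token = token_cache[tenant_id]
    tid = token_tenant(token)
    if tid != tenant_id:
        raise ValueError(f"token issued for tenant {tid}, wanted {tenant_id}")
    return token


def make_fake_jwt(claims: dict) -> str:
    """Constructed, unsigned JWT so the example runs offline (never do this
    for real tokens; Azure AD tokens are RS256-signed)."""
    def seg(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg(claims)}."


if __name__ == "__main__":
    url, body = token_request(TENANT_A, CLIENT_ID, "s3cret",
                              "https://graph.microsoft.com/.default")
    print(url)
    print(body)
    cache = {
        TENANT_A: make_fake_jwt({"tid": TENANT_A, "aud": "https://graph.microsoft.com"}),
        TENANT_B: make_fake_jwt({"tid": TENANT_B, "aud": "https://graph.microsoft.com"}),
    }
    print(token_tenant(pick_token(cache, TENANT_B)))
```

Keying the cache by tenant and re-checking `tid` on the way out is cheap and catches the common bug of one shared token variable being reused across tenants after the app is made multi-tenant.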

Authentication WebAPI service that will use Azure AD and Azure B2B

This isn't a specific problem question but a "cry for help".
My problem is this. Our organization is in the process of implementing Office365.
Until now there were tens of applications with their own authentication and authorization, but in the process most of them will be rewritten to be used within the O365 environment.
We are facing the problem of creating one endpoint (ASP.NET WebAPI app) which will be used to authenticate a user with his credentials from Active Directory (or B2B AD on Azure, because some apps are used outside) and tell if this user is allowed to use the app that asked to log him in.
I'm just wandering through documentation and sample code but can't decide what would be good practice in this scenario. Should we just build each app and use the Azure Active Directory provider to authenticate? Or is it possible to set up ONE API that will hold all app IDs and their user IDs, which will then check user credentials against AD and give the app a token/cookie?
My best bet is to try this: http://www.tugberkugurlu.com/archive/simple-oauth-server-implementing-a-simple-oauth-server-with-katana-oauth-authorization-server-components-part-1
But create a Provider for Azure AD. But then it's still a question about this B2B AD part.
Please help by pointing to some up-to-date resources.
You should register each of your B2B applications within your Azure Active Directory and configure them to use AAD as the Identity Provider.
Then you can administer everything you want (e.g. which user has access to which application) within the Azure Active Directory blade in the Azure Portal.
You are getting this backwards. If you have apps integrated with Azure AD you don't have to create an endpoint which will validate users' right to use apps; you assign the right to use an app in Azure AD. This is the whole point.

Authorization of web app to Azure AD role or group

Do we need Azure Active Directory Premium to do role-based or group-based authorization?
I ask this question because my Azure portal is not giving me "Users" tab as mentioned in this link.
Group-based access is a Basic/Premium feature as defined here.
Using Azure Active Directory (Azure AD) with an Azure AD Premium or Azure AD Basic license, you can use groups to assign access to a SaaS application that's integrated with Azure AD.
You can only assign individual users to apps after you enable User assignment required to access app. But the Users tab should definitely be available though.

ActiveDirectoryMembershipProvider with Azure Active Directory

I realize there are other (preferred) ways of implementing authentication with Azure Active Directory, but is it possible to use the standard ActiveDirectoryMembershipProvider with Azure Active Directory for an Azure website?
No. There is no way to use ActiveDirectoryMembershipProvider with Azure Active Directory.
. (Period) :)
Why?
ActiveDirectoryMembershipProvider uses an Active Directory Application Mode (ADAM) server and talks to AD over the LDAP protocol. Neither is supported by Azure AD. The replacement for LDAP in the cloud is the Azure AD Graph API.
You can however use the Claims Based Authentication / Authorization model and protect your web site with Azure AD. This will help with Authentication. Authorization - you can use the role based access control and have your Azure AD groups translated into ASP.NET roles.
Here is a pretty long and well-described process of how to protect a web site with Azure AD without writing a single line of custom code.
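The answer above says to have Azure AD groups translated into ASP.NET roles. The step it glosses over is what that translation looks like and what to do when the token carries no groups. The following is an added example, not code from the answer or from any Microsoft library, written in Python so it runs stand-alone: it maps the `groups` claim (group object IDs) to application roles and treats the Azure AD "groups overage" case (no `groups` claim, but `_claim_names`/`_claim_sources` pointing at Graph) as "membership unknown, fetch it" rather than "no groups". The group IDs, role names and sample claim sets are constructed.

```python
"""Translate an Azure AD `groups` claim into application roles.

Added example; group object IDs, roles and claim sets are made up.
"""

# Constructed mapping: Azure AD group object ID -> application role.
# In a real app this comes from configuration, not source.
GROUP_TO_ROLE = {
    "0f1e2d3c-1111-4aaa-8bbb-000000000001": "Admin",
    "0f1e2d3c-1111-4aaa-8bbb-000000000002": "Reader",
}


class GroupsOverage(Exception):
    """Token omits inline groups and points to Graph for membership instead.

    Azure AD does this when the user is in more groups than fit in the
    token; the caller must query the referenced endpoint before deciding
    anything, because treating this as "no groups" silently denies access
    and treating it as "trusted" silently grants it.
    """


def roles_from_claims(claims: dict) -> set[str]:
    groups = claims.get("groups")
    if groups is None:
        names = claims.get("_claim_names", {})
        if "groups" in names:
            source = claims["_claim_sources"][names["groups"]]
            raise GroupsOverage(source["endpoint"])
        return set()
    # Unknown groups map to nothing: membership in a group the app does
    # not know about must never grant a role.
    return {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}


def is_authorized(claims: dict, required_role: str) -> bool:
    """Role check a request handler would call after token validation."""
    return required_role in roles_from_claims(claims)


# Constructed claim sets standing in for validated token payloads.
SAMPLE_ADMIN = {
    "oid": "9c2b1a00-0000-0000-0000-000000000010",
    "groups": [
        "0f1e2d3c-1111-4aaa-8bbb-000000000001",
        "0f1e2d3c-1111-4aaa-8bbb-0000000000ff",  # group the app does not know
    ],
}
SAMPLE_NO_GROUPS = {"oid": "9c2b1a00-0000-0000-0000-000000000011"}
SAMPLE_OVERAGE = {
    "oid": "9c2b1a00-0000-0000-0000-000000000012",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {
        "src1": {"endpoint": "https://graph.windows.net/tenant/users/oid/getMemberObjects"}
    },
}

if __name__ == "__main__":
    print(roles_from_claims(SAMPLE_ADMIN))
    print(is_authorized(SAMPLE_NO_GROUPS, "Reader"))
    try:
        roles_from_claims(SAMPLE_OVERAGE)
    except GroupsOverage as exc:
        print("fetch membership from", exc)
```

Mapping by group object ID rather than display name matters: names are not unique and can be changed by anyone allowed to edit the group, while the object ID is stable for the life of the group.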
