I want to migrate an application from Azure AD v1 authentication to Azure AD v2. Does that mean that the existing tokens that I have stored won't work after I switch to AD v2?
I assume you mean the refresh tokens? No, v1 refresh tokens will not work if sent to the v2 endpoints.
Scenario:
Managed GCP Applications hosted on GCP with a Google cloud identity setup for customers
Want customers to access GCP managed service using their own IDP
Question:
Can I use Azure AD B2C as an IdP for Google Cloud Identity?
Looking for a solution, or alternative solutions that are not too expensive.
Azure AD B2C is an OIDC IdP so yes, it can be used as a federated IdP in Google Cloud Identity. Due to the similarities between Azure AD B2C and Azure AD you can follow most of the steps detailed in Configure workforce identity federation with Azure AD and sign in users with the following Azure AD B2C specific replacements:
Create a new app. As a best practice, we recommend that you create a new application in Azure AD B2C and use only the application to obtain Google Cloud credentials. To create a web app for user sign-in with Azure AD B2C and enable your app to receive tokens from Azure AD B2C, see Register a web application in Azure Active Directory B2C. Do not forget to follow the Next steps.
Skip this one.
Azure APIM exposes web APIs from an Azure Functions app, each web API request is authenticated using Azure AD, and each API request is based on RBAC via AAD.
Does Azure APIM and AAD support this? Any link would be appreciated.
Update
I am looking for a way where APIM can do both authentication and authorisation, if possible.
Check the docs below:
Configure your App Service or Azure Functions app to use Azure AD login
Assign Azure roles for access rights
Goal: Prevent the use of client ID and secrets when making calls to Graph API.
Is either of the following possible?
1. Use Azure Managed Identity (that has been given Microsoft Graph API permissions) in applications using Azure B2C for authentication, thus avoiding the use of client ID and secrets.
2. If 1. is not possible, use Managed Identity (that has been given Microsoft Graph API permissions) in applications using Azure B2C for authentication to access secrets in Azure Key Vault.
MSI does not work with B2C; B2C does not host Azure resources or Azure subscriptions.
Instead you have your app hosted in the Azure subscription tied to your corporate AAD, where you can create MSIs to access things like Key Vault (KV).
Unfortunately that does mean that you cannot use MSI to access Graph API in the context of the B2C tenant.
I would like to ask if it is possible to connect an Azure AD to an AD which is not an AD FS type? I have read some documentation regarding connecting Azure AD to an on-premises type of AD, but AD FS is needed for it. Or is it possible to have an Azure AD connected to an AD DS? Or would it be better to use Azure AD Connect pass-through authentication?
Or...
Would it be better to use Azure Logic Apps?
Edit1: Seems like ADFS is optional.
Thanks!
I just want Azure as the middleware for users to authenticate to non-AD on-prem.
As far as I know, for now, we can't use Azure AD in this way.
By default, it authenticates the user to AD; if the response is invalid, Azure AD will not redirect it to another page.
Azure AD connect can't sync non-AD users to Azure AD.
I am working on a project to migrate a consumer-facing application to the cloud.
Based on the pricing I prefer to use the Azure AD B2C tenant.
Tentative timeline for the Azure AD B2C GA?
How can I sync/move the user object from On-premises AD to the Azure AD B2C tenant? Can we use Azure AD connect for this?
As stated in this FAQ,
Can I use Azure AD Connect to migrate consumer identities that are stored on my on-premises Active Directory to Azure AD B2C?
No, Azure AD Connect is not designed to work with Azure AD B2C. We will provide various migration options and tools out-of-the-box in the future.
With the (beta) MSAL library (https://github.com/AzureAD/microsoft-authentication-library-for-dotnet), you can add both B2C and your existing AD to your website, so both worlds (external customers in B2C and corporate users in AD) can log in to the same site.
from: https://blogs.technet.microsoft.com/enterprisemobility/2016/03/31/microsoft-identity-at-build-2016/
MSAL is a developer library that helps you to obtain tokens from MSA, Azure AD or Azure B2C for accessing protected resources, such as your own API, Microsoft's APIs (such as the Microsoft Graph) and any other third party choosing to protect their API with Microsoft identity.
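The dual sign-in the answer describes, as an added example that is not part of the original post: a web-app helper holding two MSAL.NET confidential client applications, one built against the corporate Azure AD tenant and one against the B2C tenant, so the authorization-code flow is run against whichever issuer the user belongs to. It uses the current MSAL.NET API rather than the 2016 beta; the client IDs, tenant, B2C authority, redirect URI and secrets are placeholders you supply from your own registrations.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public enum UserPopulation { Corporate, Consumer }

// Holds one MSAL client per identity provider; the rest of the site only
// decides which population a request belongs to and calls these two methods.
public sealed class DualIdentitySignIn
{
    private readonly IConfidentialClientApplication _aadApp;
    private readonly IConfidentialClientApplication _b2cApp;

    // All arguments are placeholders for your own app registrations. Secrets
    // should be read from configuration or Key Vault, never embedded in code.
    public DualIdentitySignIn(string aadClientId, string aadClientSecret, string aadTenantId,
                              string b2cClientId, string b2cClientSecret, string b2cAuthority,
                              string redirectUri)
    {
        // Corporate users: the organisation's Azure AD tenant.
        _aadApp = ConfidentialClientApplicationBuilder.Create(aadClientId)
            .WithClientSecret(aadClientSecret)
            .WithAuthority(AzureCloudInstance.AzurePublic, aadTenantId)
            .WithRedirectUri(redirectUri)
            .Build();

        // External customers: the B2C tenant plus the user flow (policy), e.g.
        // https://<tenant>.b2clogin.com/tfp/<tenant>.onmicrosoft.com/B2C_1_susi
        _b2cApp = ConfidentialClientApplicationBuilder.Create(b2cClientId)
            .WithClientSecret(b2cClientSecret)
            .WithB2CAuthority(b2cAuthority)
            .WithRedirectUri(redirectUri)
            .Build();
    }

    private IConfidentialClientApplication AppFor(UserPopulation population) =>
        population == UserPopulation.Corporate ? _aadApp : _b2cApp;

    // Step 1: build the /authorize URL to redirect the browser to.
    public Task<Uri> GetSignInUrlAsync(UserPopulation population, string[] scopes) =>
        AppFor(population).GetAuthorizationRequestUrl(scopes).ExecuteAsync();

    // Step 2: redeem the returned code at the same issuer that produced it;
    // MSAL validates the response and caches the resulting tokens.
    public Task<AuthenticationResult> RedeemCodeAsync(UserPopulation population,
                                                       string[] scopes, string authorizationCode) =>
        AppFor(population).AcquireTokenByAuthorizationCode(scopes, authorizationCode).ExecuteAsync();
}
```

Keep the population choice server-side (for example, a separate "Employee sign-in" route) so a code issued by one tenant is never redeemed against the other.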