I am currently developing a WebApi 2 service which is hosted in Azure. I now need to add Authentication and ideally Authorization to this service. I was expecting to be able to do this with Azure Active Directory but have a number of questions
Will my users have to login via the standard Azure sign in portal?
Will my users be forced to use specific email domains (ie microsoft) when creating an account?
Will I be able to programatically add a user into the directory along with Authorization info (aka rights management)?
Will I programatically be able to modify a users details such as forgotton password etc
Sorry for the general question, but I am stuck trying to find out if I am looking at the right technology to be able to meet these requirements. If not, would really appreciate any suggestions on what to use instead.
Will my users have to login via the standard Azure sign in portal?
Yes, but the branding of the portal can be changed in the basic and premium editions of Azure AD.
Will my users be forced to use specific email domains (ie microsoft) when creating an account?
No, you can register your own domain and associate it with a directory. Or you can sync on-premise accounts to an Azure AD directory and use those email addresses.
Will I be able to programatically add a user into the directory along with Authorization info (aka rights management)?
Yes, using the Graph API you can create and manage users. You can also assign them roles or make them part of a security group.
Will I programatically be able to modify a users details such as forgotton password etc
Yes, using the Graph API.
Related
I have a SaaS application that I use SCIM user provisioning with and I want my guests to be fully controlled through my AD. I can map any field from Azure AD to my SaaS app so I want to create aliased fields for my guests.
Example:
My domain: #lovestackoverflow.com
My guests: Can be anything but lets say joe#letmein.com for example
I want to create an aliased field (or attribute) for Joe to be something like joe-ext#lovestackoverflow.com - This account needs nothing to do with #lovestackoverflow.com or have an email etc. The purpose of this is for the SaaS app to be passed this information as it expects is.
Can anyone point me in the right direction with how to do this in Azure AD?
Apologies, I am a complete Azure Noob :)
In my opinion you have two main options:
you can create a user for joe under your tenant (lovestackoverflow.com) and restrict his access only to login to this app. Let him authenticate with a regular account under your tenant and enable 2FA
If you are managing this app thought Azure Enterprise Applications, you can add his user and assign him access to authenticate with his guest user.
More information about how you are managing your saas application will be helpful.
If you're synced from on-prem, use an on-prem attribute to hold that "alias" information and then sync it to Azure AD via AAD Connect's Directory Extensions feature. If you're cloud-only, you can try using AAD's MS Graph Schema Extensions feature, documented here: https://learn.microsoft.com/en-us/graph/api/resources/schemaextension?view=graph-rest-1.0
At that point, just choose whatever your source attribute is that holds the alias information in the SCIM provisioning config and point it towards whatever your target SCIM app's attribute is called.
We want to use Azure AD as the Identity Provider for users in a web application. At the moment, we have everything set up using MSAL.js 2.0 with the Auth Code Flow, a custom scope, and access token which is used to authenticate requests towards our various backend services.
The issue is that our users want to be able to login with their own custom email addresses, instead of their login ids generated by AD and with the #onmicrosoft.com domain. For example, user1#some-orginization.com or user2#some-other-organization.
It would still be okay to accept the login ids as usernames as well, but surely there must be a way to allow users to use another property of the profile (their alternate email for example) to log in.
Our application is registered to AD such that it will allow only logins from one tenant, since we don't want to require users to already have existing Microsoft Accounts.
We're avoiding B2C because some users would face issues with their company policies, which would mean they could be invited as users, but would be rejected at login. Also, B2C does not really support Roles like B2B does, which is somewhat important for us.
Any guidance will be greatly appreciated.
EDIT:
After countless hours of attempting to make this work, I decided that it just isn't worth the effort, and switched to Auth0. They provide everything I could possibly want, and seemingly even better Azure AD integration to other tenants then Azure AD itself.
I think what you want to express is that you want to log in to your application with any email (including personal accounts and social accounts).
If so, then you need to modify the application's manifest configuration and then change the /tenant id endpoint to the /common endpoint.
To change the setting for an existing AD App, navigate to the Manifest blade of it in the portal, find the signInAudience attribute, set it with AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.
I needed to have Custom OU (long story, but to integrating a legacy app with Azure AD that uses LDAP to look for users in specific OU's).
So I added the Custom OU using Active Directory remote administrative Tools following the advice here Microsft document
I have added the custom OU's added users into them, so far so good.
Only issue is I can't login with any users added through the VM. When I try to login to Azure I get this error (This username may be incorrect. Make sure you typed it correctly. Otherwise, contact your admin.)
Any Ideas why this is the case, is this by design?
or maybe I am not entering something that is required. (Although the domain and all the details match the user is added to domain users group)
when you add custom OUs in azure ad Domain services ( AAD DS ) there are limitations to objects added to those custom OUs, such as.. exactly what you mentioned. those users are not available in azure ad. Only to the AAD DS connected devices. it's like a local domain user.
https://learn.microsoft.com/en-us/azure/active-directory-domain-services/create-ou#custom-ou-considerations-and-limitations
User accounts, groups, service accounts, and computer objects that you
create under custom OUs aren't available in your Azure AD tenant.
These objects don't show up using the Microsoft Graph API or in the
Azure AD UI; they're only available in your managed domain.
iam currently researching how to implement Single Sign On for our WebService.
This is what i came up with so far.
If a customer of our WebService has an AzureActiveDirectory they can log on with their active directory user account to our WebService if we provide the nessecary interfaces for SAML, Oauth2, OpenID or whatever authorization protocoll we chose and azure supports.
The customers could also have their local network Active Directory synced to their Azure AD and use their Domain accounts to log on to our WebApplication.
Customers need to use the myapps.microsoft.com portal to "wrap" authentication.
Once everything is set up correctly the Identity Provider (AzureAD) would provide use with (e.g) an authenticated User Identity.
Here is were my problem begins.
Of course i need to somehow map the identity provided by the AzureAD to a certain Account for our WebService - we cannot simply use the provided identity.
As far as i understand it, you can grant AzureAD the right to create an Account on the target WebService in the name of the user which is currently signing in.
(Its called : enabling automatic user provisioning in the azure management portal).
However, when testing this with the Box, Canvas or Google apps i failed. Either i got an error or in the case of google apps i was just promted to login with my azure AD test account and then asked for a password and username of my google account (i set up SSO as an azure AD trust relation- so this should not happen)
Can someone provide some insights on how to accomplish the following?
Once the user is authenticated by SSO I want to create an account for our WebSerivce and then save the credentials for that user only in the Active directory of that particular user.
So if the user logs in the second time we can check wether there is an account already existing and log in the user with this account.
(I was told by microsoft that this might be possible with Azure Rights Management, but i cannot really find good documentation on that)
Storing the relationship: "Microsoft AD Identity <-> our WebServiceAccount Credentials" on our side is not desired because we cannot securly encrypt the data in a way that we DONT know whats in there. (or there is , and i dont know of it yet)
"Bonus Question":
Can i support SSO for a desktop application too? (Do i need a provide proxy web application or can the desktop app do this directly?)
Please see my answer to a similar question here: asp.net azure active directory user profile data
However - I'm trying to understand if you need something different. Are you expecting your customers to already have a directory and Azure AD accounts (maybe through having Office 365 subscriptions), and use those to sign in to your web app, or does your app scenario require creation/provisioning of user accounts into your customer's Azure AD directory? Provisioning can be done through graph API (as per your link), as long as the admin of your customer grants consent to allow your app to write to their directory. You can find some samples on github, and I recommend you look through https://msdn.microsoft.com/en-us/library/azure/dn499820.aspx and https://msdn.microsoft.com/en-us/library/azure/dn646737.aspx for code samples.
HTHs,
I think, without testing it. That using the Graph API enables me to save custom data for any Directory User effectively enabling my desired functionality.
This is the documentation i found very usefull.
https://msdn.microsoft.com/en-us/library/hh974476.aspx
I have a few websites that are running mojoPortal and Yet Another Forum, and several custom websites with ASP.net web forms (vb.net). I plan to add additional ASP.net websites too. I would like to have a single sign on for all sites, be able to setup groups and roles per site, and store the user's full name, phone, email, and other custom fields.
Each website currently has its own ASP.net membership database. There are about 1000 total users. It would be nice to be able to import the current members into Azure AD, but it will be OK if each user has to create a new login account. I've never used active directory but it sounds like Azure AD will do what I want. I plan to move all websites to an Azure virtual machine.
Before I start testing, I want to find out if single sign on will work with various ASP.net websites, and how complicated the setup and configuration will be. Can I import users to AD? I guess if a website supports AD or LDAP, then AZure AD will work? I'm hoping it will be as easy as adding the AD connection string in web.config?
Thanks!
It probably wont be as easy as adding the connection string. The Ad SSO service needs to be implemented using WIF (Windows Identity Framework) in your application. If you are already using WIF then it could be that simple. If not then you will need to implement WIF.
See this blog post to help you get a better understanding of what is involved.
http://blogs.msdn.com/b/windowsazure/archive/2012/07/12/announcing-the-developer-preview-of-windows-azure-active-directory.aspx