I have a Azure Enterprise subscription, I am developing a Asp.Net MVC Web app and have following questions
My Web app will maintain user store, & authenticate users against it, It will also check user access rights and accordingly pull azure resources available for him. I just have one Azure subscription and the user logged in is not configured on Azure.
Is it possible to impersonate user i.e. I have azure subscription for Mr X. my Application user store has users A, B, C (they dont have azure subscription) - User A logs in to my web App and my web app invokes Billing and Usage API using mr X credentials. pulls the data and display only mr A specific usage data.
I know this is bit off tract requirement but my client is looking out for this scenario. they want user management on Custom App and not on azure. Please guid.
Your MVC webapplication hosted in azure has normally nothing to do with the users on your azuresubsciption. In your case you just need a the application to access the data in your subscription with the rest API. You can find more info on how you can authenticate your application to the API Management REST. Then you can use the API to get information out of azure.
Related
We have written some code (I hesitate to use the term "application") in .NET Core using Visual Studio 2019. This concept is relatively simple; when a user opens a "proprietary" Excel workbook (an Excel file that calls our code) the code goes out to a hosted (by us) Azure SQL Managed database and returns data based on the parameters passed in by the user.
In Azure, we have a single production App Service plan with an App Service dedicated to each client (company). My question is about security: I'd like to tie each App Service to the related company's Azure AD. I do NOT want to create an account on my Azure AD for each user, although I can certainly do this through the "invitation" process using B2B. Can each App Service be "pointed" to a specific external instance of Azure AD so that only users from that company can access the related data?
Thanks.
You may use two different flows:
Each WebApp will authenticate users from only one specific Azure AD tenant
One WebApp will authenticate users from multiple Azure AD tenants
Both solution can be achieved with Azure AD multi-tenant authentication application pattern.
Here are steps you need to implement:
Update App registration to be multi-tenant
Update your code to send requests to /common
Update your code to handle multiple/single issuer values
Here is a picture that describes the flow
https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant
I've deployed an asp.net web forms application to an app service resource. I've turned on the app service authentication and set it to Log in With Azure Active Directory.
I've created a guest user account and verified that the user can log in to my application. That user is also able to log into the azure portal, and although the user doesn't appear to be able to do anything in the portal, they can still get to the portal and see things. How can I create users that can access my app service but not the azure itself. And if I have multiple app services, how can I create users that are silo'd to specific app services?
There is no way to prevent a user which has been your directory to sign in Azure portal. Onece you invited the user to your directory, the user could also login azure portal. But I also want to make clear that the user can not do anything in your directory and Azure resources if you don't give him/her permissions.
And if I have multiple app services, how can I create users that are
silo'd to specific app services?
Well, this can be resolved. Since each Web App liknes to one service principal, you need to set User assignment required to be Yes in the Properties for that service principal and only assigned users (Add users in Users and groups) can access to login access to this app.
I understand the concept of AzureAD App Registrations and I'm using it in several projects. Now I need to generate a Web App that should be deployable as a component in any AAD. This Web App should use Azure APIs to discover components in the subscription it is deployed to which I don't know at develop time.
What is the preferred way to accomplish the app registration fully automated at deploy time? I need to register an app in AAD and then to store the informations (App Id, Tenant ID, ...) in my web.config somehow.
The problem is that you can't develop an app that has access to the Azure AD without it being registered first.
The Azure Portal and Powershell have access. Maybe you can use Powershell to script the permission grant in your scenario?
Otherwise, (I did this a while back for a solution) you can create a multi-tenant web app, that your customers' Azure AD tenant administrators can sign in to. With the tenant administrators granting access, the web app can then access their Azure AD graph API and create the required application definition for your application.
In my scenario the Azure AD client application ran on-premise. It required access to the Azure AD graph API and also needed certificate based authentication towards the Outlook 365 Exchange Web Service. So the web app could create the certificate, grant access to the required APIs, and let the user download the certificate, application ID etc. The on-prem app could then use the downloaded file as its configuration for accessing the Azure AD and other APIs.
This isn't a specific problem question but a "cry for help".
My problem is this. Our organization is in the process of implementing Office365.
Until now there were tens of applications with their own authentication and authorization but in the process most of them will be rewritten to use within O365 environment.
We are facing the problem of creating one endpoint (ASP.NET WebAPI app) which will be used to authenticate a user with his credentials from Active Directory (or B2B AD on Azure because some apps are used outside) and tell if this user is allowed to use app that asked to log him.
I'm just wondering through documentations and sample code but can't decide what will be a good practice in this scenario. Should we just build each app and use Azure Active Directory provider to authenticate. Or is it possible to setup ONE api that will hold all apps Ids and its userIds - then it will check user credentials against AD and give app token/cookie...
My best bet is to try this: http://www.tugberkugurlu.com/archive/simple-oauth-server-implementing-a-simple-oauth-server-with-katana-oauth-authorization-server-components-part-1
But create Provider for AzureAD. But then its still question about this B2B AD part.
Please help by pointing to some up to date resources..
You should register each of your B2B application within your Azure Active Directory and configure them to use AAD as the Identity Provider.
Then you can administrate everything you want (e. g. which user has access to which application) within the Azure Active Directory blade from the Azure Portal.
You are getting this backwards. If you have apps integrated with Azure AD you don't have to create endpoint which will validate users right to use apps but you are assigning right to use an app in Azure AD. This is whole point.
I'm working on an application that will allow users to authenticate to Azure Active Directory and then manage resources in their Azure account via Azure Resource Manager API calls.
I've found several walkthroughs on building such an app including this post. However, in the part that discusses authentication with Azure Active Directory, there's a step showing the need to manually retrieve the Azure Active Directory name from the Azure Portal.
The directory name is plugged into app settings (and ultimately authentication calls to the directory) as follows
http://login.microsoftonline.com/{directory_domain_name}/OAuth2/Authorize
Is there any way to programmatically retrieve {directory_domain_name} without requiring users to login and lookup the information in the Azure Portal?
The one answer to this question has a dead link and another pointing to the Graph API, which seems to still require the domain name.
For your particular scenario, look like you want to build an app that will be users from different Azure AD tenants. This scenario is best addressed by building a multi-tenant application.
To make your application multi-tenant, you'll need to go to the Azure Portal and in the Configure tab of your Azure AD application, set the "Application is Mult-Tenant" option to yes.
Once you do this, you can just call
http://login.microsoftonline.com/common/oauth/authorize
http://login.microsoftonline.com/common/oauth/token
And Azure AD will resolve the figure out which tenant to authenticate against based on the the credential that the user types in.
More information on multi-tenant applications:https://azure.microsoft.com/en-us/documentation/articles/guidance-multitenant-identity-authenticate/
Sample multi-tenant application: https://github.com/Azure-Samples/active-directory-dotnet-webapp-multitenant-openidconnect