Will the Azure AD UserInfo.UniqueId property always have the same value coming out of the Azure AD instance?
Once a user is Authenticated via Azure what can I use to fetch the roles and privs from our side (we have an existing structure). Since we don't have a password, I was thinking that we could store the Unique Id of the Azure AD User and look up the roles and privs that way....thoughts?
The UniqueId is sourced from the "best" identifier we receive from the service. In the most common case today that is the ObjectId of the user - which can indeed be used for retrieving more info. Please refer to https://msdn.microsoft.com/en-us/Library/Azure/Ad/Graph/api/api-catalog for more info on the queries you can perform.
Related
I've successfully implemented the following sample/custom policy in our B2C configuration:
A B2C IEF Custom Policy which links a Federated login against a pre-created Local Account
Users from an Azure AD are allowed to login to our application if a Local Account exists. This Local Account includes a custom field that points to the oid of the AD user that wishes to login.
However, the sample is for single-tenant. I'm in the process of adjusting it for multi-tenant.
When linking an Azure AD user, is it okay to depend on the uniqueness of the guid/oid? Is the fact that a guid could be generated twice (even though it's really unlikely) a security risk? I.e. a second user with the same guid could have access to data they're not supposed to see?
I'm assuming it's not an issue within a single tenant - each user inside a single Directory needs to be unique. But is that true across all Azure AD Directories? Could one machine generate the same guid for two users across two different Directories?
Am I better off figuring out how to compare against the issuer and the issuerUserId in combination?
• The ‘issuer’ and ‘issuerUserId’ input claims values represent the ‘socialaccountprovider’ or the ‘identityprovider’ and the ‘value’ of the key claim in base64 encoded format respectively. Thus, the issuer value represents the social identity provider which provides the identity details for logging in to the Azure AD B2C application while the issueruserID represents the secret value that is used by the IDP or that social identity provider for providing the identity details in an acceptable encrypted format to Azure AD B2C.
• And AFAIK, GUID for an Azure AD user is unique as it itself abbreviates for Globally Unique Identifier. Also, in Azure, every user has a unique object ID no matter where the user comes from because the object ID is GUID format, and it will generate a unique GUID for each user when adding a user to Azure AD.
But there could be two same object id(guid), but it's a very small probability (very very small, for example if you have 100,000,000 users in all your AAD domains, then the probability of existence of two same object id is about 1/3.4×10^30, so you can ignore that). You need to perform a validation to guarantee the uniqueness of object ID and GUID in a domain, so in AAD, the GUID is generated based on machine information, current time, and other factors.
Thus, when you are talking about generating the same GUID for two users across different directories, you should think that for identifying a user, the object ID as well as tenant ID is used. In this case, if the object ID is unique then the tenant ID is useful to find the user in a multitenant scenario. For more information, kindly refer to the below links: -
Azure Active Directory User Object Id (Guid) uniqueness across all AAD domains
https://learn.microsoft.com/en-us/azure/active-directory-b2c/social-transformations
I have an application that requires some records to exist in a database for registered users. I've created a custom Azure AD B2C policy that pushes this user information to the database through REST API claims exchange. This also allows the records to be updated when the profile is edited.
Now I'd like to remove records for users that are deleted from the B2C tenant.
Is there any way to receive a notification of some sort when users are deleted?
Have a look at differential query. You will need to use a batch service (using client credentials flow to get an access token) that periodically runs the query to get the deleted users.
I'm transforming a legacy system that stores its users in a database (including credentials) to use Azure AD B2C for authentication.
My first step is to rewrite the frontal API (the API that serves the web client directly)
Because many other systems and database tables depend on the users table and its columns, I've decided on creating a db user for every new azure ad registration.
This is the problem, the user id in the database is the primary key, an auto incremented number.
The id that I extract from the access token claims is a ad object identifier, a GUID.
To be able to relate an ad b2c user entity to a database user entity, I will have to create a new column in the users table, AzureObjectId.
The problem is that now I would have to constantly do the conversion between AzureObjectId which I extract from the access token, to the database users id, because other database tables and other internal APIs that I access expect a database user id.
What would be the right way to tackle this?
What I can thinks of is
Transforming AzureObjectId to database user id during every interaction with the database or another internal API.
Once my API creates the database user, use the Azure AD B2C Graph API to add a new claim, database user id, to the user.
Both of these I want to avoid.
Is there someway to enrich the access token with the database user id?
I would go with second option as its a one time operation and system doesn't need to do the conversion every time.
Update with details
This seems to be a migration scenario as well. Check samples here
You will also need to use Restful api feature of custom policies as well.
During the signup process, execute a restful technical profile which will call an api in contoso (your) service to create user. The contoso service will return the database user id of the newly created user. This new userId can be used as a subsequent claim for the user and AzureADB2C will create the user with that extension property.
The another approach is what we discussed earlier. After signup the user can be created by the service and for the first call, service can insert a claim for itself with new database user Id.
Yes - use custom attributes
You can add custom attributes via the portal and select these to return them as claims in the token.
The Graph API link above shows how to create them programmatically.
So if you populate the database user id into the custom attribute you'll be able to return it in the token.
I am trying to create a new user for an application which uses CosmosDB. From the documentation, it expose a service method to create a new user.
I believe the created user can access the Cosmos DB provided the users are updated with certain permission to the collections
And my query,
Is there a service method to create a user with password? If not, any alternatives to do the same?
Is there a way to see the created users in Data Explorer rather than List Users?
1.Is there a service method to create a user with password? If not, any alternatives to do the same?
As I know, no such method in cosmos db. Based on this document, Azure Cosmos DB uses two types of keys to authenticate users and provide access to its data and resources. User and permission is resource token type here. It's meant to avoid the risk of master key exposure. It is authenticated by token,can't be password.
If do want to use password for authentication, maybe you just have to protect the token by password with your own logical code. Other words, you get the above resource token first then manage the mapping relationships between user and resource token by yourself.
2.Is there a way to see the created users in Data Explorer rather than List Users?
It can't be found on the portal now.You need to list users and permissions using sdk or rest api. You could commit feedback here to ask azure cosmos team to add this feature.
I am trying to consume Microsoft Graph API to provision/de-provision users and groups to/from Azure Active Directory. I want to be able to add users to Azure active directory(AD) from any local database or HR system not just from local AD. Each of these local databases have thier own unique identifiers for the users. I need to store these unique identifiers also in the Azure AD when I create the users in Azure AD.
In the documentation(https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/resources/user) , it is mentioned that onPremisesImmutableId can be used for this purpose only if you are using a federated domain for the user’s userPrincipalName (UPN) property.
My question is: What to do for user identities in local database where federated domain is not relevant? Can I use onPremisesImmutableId property for storing these unique identifiers in Azure AD. If so, will I be able to do CRUD operations on User object using onPremisesImmutableId property?
Please guide me on this..
Thanks so much...