I find the authorization flow confusing for calls to Azure's management APIs, i.e. not Azure API management which is the API gateway SaaS, and I'm hoping for some clarification.
From documentation at https://msdn.microsoft.com/en-us/library/azure/dn629581.aspx:
Although Azure originally allowed access only by Microsoft account users, it now allows access by users from both systems. This was done by having all the Azure properties trust Azure AD for authentication, having Azure AD authenticate organizational users, and by creating a federation relationship where Azure AD trusts the Microsoft account consumer identity system to authenticate consumer users. As a result, Azure AD is able to authenticate “guest” Microsoft accounts as well as “native” Azure AD accounts.
and http://blogs.technet.com/b/ad/archive/2014/08/15/prepping-for-new-management-features.aspx:
Your Microsoft Azure subscriptions uses Azure Active Directory to sign users in to the management portal and to secure access to the Azure management API.
The documentation leads me to believe the Azure AD tenant associated with a subscription acts as a STS with management API being the RP, or authorization server and resource server respectively using OAuth terminology. The tenant can also choose to trust third-party STSes, e.g. another tenant or Microsoft Account services, and thus allow for users from external identity providers access to the management API.
The blog post also writes:
Azure will soon require administrators to be registered in Azure Active Directory to be able to sign in to the Azure portal or use the Azure management API.
Disassociating an admin's account with the subscription's Azure AD tenant, irrespective if it is a "native" account to a tenant or a federated account, should in my mind revoke their access to the management APIs.
I tried validating the assumption using one my subscriptions and couldn't quite make sense of the result. Let's say the subscription has three admins:
Service admin SA using a federated Microsoft Account
A co-admin CA-AAD using an account "native" to the tenant trusted by the subscription
A co-admin CA-MSA again using a federated Microsoft Account
With all three accounts registered with the tenant, any of them can manage resources belonging to the subscription as well as use an web application that in turn access the Insights API through user impersonation.
Removing CA-AAD from the tenant disallowed the account from managing resources and accessing the Insights API once the cookie/access token had expired. This is the expected behavior, except the now non-exitant account still remains listed as a co-admin for the subscription.
However, removing CA-MSA from the tenant did not prevent the account from managing resources or accessing the API. This behavior even persisted between sessions and the account remained listed as a co-admin and not quite the expected outcome.
And now onto the questions:
Why is CA-MSA allowed continued access to management APIs despite it not registered with the tenant?
What is the authorization flow for accessing the management APIs?
How are accounts mapped to those listed as co-admins for a subscription?
Azure subscription refers only two directories for authorizing the users for accessing the management API.
the Azure AD to which the subscription is associated to.
Microsoft AD(MSA).
When a user with Microsoft Account is added as a subscription co-admin, user is indirectly registered in the Azure AD to which the current subscription is associated to. If the user is deleted from Azure AD, it still has the subscription access. It is because the user is still present in Microsoft Account AD.
Related
I want to create a multi-tenant application where users will log in using Azure AD B2C. I will grant access to certain tenants that are our customers using policies. Only business customers from select tenants will have access.
I have a customer that requires granular control over which of their users can access my application. From what I've understood, my application will be registered as a service principal in their tenant as soon as a user consents to the applications requested permissions.
That as all well, but the service principal is only a kind of account, with access to certain resources in their tenant that was granted when the application was accepted. When the application has been registered in their AD, anyone from that organization can sign in. When someone signs in, that automatically creates a Consumer account in Azure AD B2C in our tenant.
The consumer user can sign in to applications secured by Azure AD B2C, but cannot access Azure resources such as the Azure portal. The consumer user can use a local account or federated accounts, such as Facebook or Twitter. A consumer account is created by using a sign-up or sign-in user flow, using the Microsoft Graph API, or by using the Azure portal.
Now, I have a customer that also wants to control that only certain accounts within their AD can login. So basically, a user identity should not be able to access a service principal?
Is this a use case that is supported, and if so, how do I handle it and what terminology am I looking for? I don't want my organization to handle any of this if possible. I just want to give all users in a tenant access, and then it is up to the customer to grant/revoke access to individual users.
If I understand correctly, As you have created a multi-tenant application it will be registered in your tenant as a Service Principal and for the customers tenant it will be in Enterprise Application . So , if they want to give access to few users or a particular group then they can assign user/group to that particular Enterprise application.
Example:
Service Principal Created on my tenant :
It gets registered as a Enterprise application in other tenant So in there we can select Assign Users and Groups to give access to this Application from their tenant or they can set conditional access policy as well for specified set of conditions.
Reference:
Restrict Azure AD app to a set of users - Microsoft identity platform | Microsoft Docs
My target is simple: use an Azure AD multi-tenant app to be able to call Azure Resource Manager API on other tenants. However, I cannot figure out how to do it when you sign in with a personal Microsoft account.
I created an Azure AD multi-tenant app using a company's tenant
Then created a test ASP.NET Core Web application which goes to a such URL:
The Microsoft's login page shows up and I'm able to log in successfully with a personal LIVE.COM, where the test Web app receives the callback with given redirect URL. I have another Azure tenant created with my personal MS account which I'm trying to access.
The Multi-Tenant AAD App gets added to the "personal space" at https://account.live.com/consent/Manage, but not to the Azure AD tenant.
It probably makes sense from the technical standpoint, but how do I add the AAD app to another tenant when logged in with a personal account?
I figured that the "authorize" URL must include the AAD tenant name/ID instead of "common" (confirm that a Service Principal gets created on the target tenant):
However, that tenant name/ID is unknown when a user logs in, and I don't really know what API to use to query it.
Should be done by hand - detecting a personal MS account and finding the association with AAD tenant, or is there an API that can facilitate this? In both cases, how? What if an account is associated with multiple tenants ("Switch Directory" in Azure Portal)?
P.S. using URLs https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize ("orgainzations" instead of "common") or https://login.microsoftonline.com/common/oauth2/authorize (without "v2.0") won't allow using a personal MS account to log in.
UPDATE
To demonstrate the problem, there are 4 tests were made to access resource "https://management.azure.com/" with a multi-tenant app:
Authorize Microsoft's "Microsoft Azure" app with v1 endpoint - it works with personal accounts:
https://login.microsoftonline.com/common/oauth2/authorize?client_id=1950a258-227b-4e31-a9cf-717495945fc2&response_type=code&response_mode=form_post&resource=https://management.azure.com/&nonce=123&state=common&redirect_uri=http%3A%2F%2Flocalhost%3A64696%2FAuthCallback
Authorize the same "Microsoft Azure" app with v2 endpoint - now it does not allow to use personal accounts:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=1950a258-227b-4e31-a9cf-717495945fc2&response_type=code&response_mode=form_post&scope=https://management.azure.com/.default&nonce=123&state=common&redirect_uri=http%3A%2F%2Flocalhost%3A64696%2FAuthCallback
Authorize a custom multitenant app against v1 endpoint (insert your client id) - shows error AADSTS50020 "User account 'user#live.com' from identity provider 'live.com' does not exist in tenant 'contoso.com' and cannot access the application ''(app name) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account."
https://login.microsoftonline.com/common/oauth2/authorize?client_id=&response_type=code&response_mode=form_post&resource=https://management.azure.com/&nonce=123&state=common&redirect_uri=http%3A%2F%2Flocalhost%3A64696%2FAuthCallback
Authorize a custom multitenant app against v2 endpoint - same as test #2 - does not allow personal accounts.
Thoughts.
The v2 endpoint does not allow personal accounts for the resource https://management.azure.com/, where the v1 endpoint does.
Microsoft Azure app probably has a manifest with undocumented or hardcoded settings that allows to use personal accounts for the desired resource.
ANSWER
Long story short, it's not possible for general public as per Microsoft.
Only V2.0 endpoint supports personal account(even it doesn't belong to any Azure AD tenants) to login.
It works with personal account when you use v1.0 endpoint.
That's because that personal account belongs to at least one Azure AD tenant. Then this personal account will be recognized as a guest user in the tenant.
The v2 endpoint does not allow personal accounts for the resource
https://management.azure.com/
Yes, if you login in with personal account when you use v2.0 endpoint, it will detect that you belong to personal account and will redirect you to the personal account login endpoint https://login.live.com/oauth20_authorize.srf.
You must identify the tenant to login in with personal account when use v2.0 endpoint
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=20244877-ae8f-4325-b4cf-c6dc239cb124
&response_type=code
&redirect_uri=https://localhost
&response_mode=fragment
&scope=https://management.azure.com/.default
&state=12345
&nonce=default
Then you can call https://management.azure.com/tenants?api-version=2016-06-01 to list all the tenants that account belongs to.
Update:
It is normal that you can't do that. You are not telling Azure AD that
the which tenant the MSA user is an external user, so Azure AD is
making a guess and checking in the tenant where the app is registered
(tenant A). If you expect external users to be able to sign in, you
must specify the tenant where the guest has previously been invited to
(e.g. tenant B).
I am trying to create a multi-tenant application in Azure AD, which can login all users like Microsoft live/hotmail and also get the access permissions to access their management resource apis. I can get work accounts from other domain login but not live account. I get this error-
User account 'mitesh_***#live.com' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application '382dfccb-33af-4567-90cd********' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
I have heard of MSAL v2 endpoint to login both type of accounts, but I heard that this endpoint doesnt support permissions to access Resource management libraries yet.
Is there any way to achieve this with ADAL or any other way?
Thanks,
Mitesh
The azure ad v2.0 endpoint supports both personal Microsoft accounts and work accounts from Azure Active Directory . But the v2.0 endpoint issues access tokens only for:
-The app that requested the token. An app can acquire an access token for itself, if the logical app is composed of several different components or tiers.
-The Outlook Mail, Calendar, and Contacts REST APIs, all of which are located at https://outlook.office.com.
-Microsoft Graph APIs. You can learn more about Microsoft Graph and the data that is available to you.
v2.0 endpoint doesn't support management apis .And azure ad v1.0 endpoint it supports work accounts unless Microsoft accounts are added as an external user in the tenant first . In my opinion , currently there is no other ways or workaround to achieve your requirement .
Before Azure AD B2C and Azure AD B2B come into the picture, usualy I added my applications to Azure AD of our tenancy and office 365 users could access the applications using their account (SSO).
I am not a guru so I need to see code and read about exact examples to understand the concepts.
Can I use B2C for SSO as I usually used Azure AD? otherwise how/when can I use B2C and B2B?
Thanks and appreciate all kind of advice.
Azure AD is a directory service with the goal of serving organisations and their needs for identity management in the cloud. You develop against Azure AD, you can secure your applications with it - their users in Azure AD tenants can use it.
Your application is targeted for a specific organisation or multiple organisations using Azure AD (Office 365).
Azure AD B2B is just a feature of Azure AD. It allows organisations to grant access to their applications and services for users from other tenants. From your app perspective nothing changes. It is still same Azure AD app. Azure AD B2B has an API which can be used to create flows for the invitation of users from another directory but it is not changing your app design, etc.
Azure AD B2C is another service built on the same technology but not the same in functionality as Azure AD. Azure AD B2C target is to build a directory for consumer applications where users can register with e-mail ID or social providers like Google, FB, MSA, known as Federation Gateway. The goal for Azure AD B2C is to allow organizations to manage single directory of customer identities shared among all applications i.e. single sign-on.
Azure AD B2C is not targeted at organisation users but consumers.
03.2021 Update: Microsoft has introduced a new solution which merges B2B and B2C - It is called "External Identities".
What is "External Identity":
It is a mechanism to allow you, to have external users, self-registration for them and control on their process, within your Azure AD (corp) tenants.
Why it is a merge between Azure AD B2C and Azure AD - those are external users, like in B2C, they can use their own username / e-mail (not a corp domain) and self-register, but within AAD Enterprise tenant. You can also extend authentication flows for External identities with calls to external systems similar like in AAD B2C.
Let's talk about scenario, application for schools:
Internal users -> Azure AD, covers internal applications, employees etc. in organization. User is in Azure AD
External users, like guest teachers from other school, partners -> Azure AD B2B, guest user in Azure AD
External users, but not associated with any organization, e.g parents who need an access to students grades in particular application -> External Identities, they can self-register, they exists within the context of specific app, you can call additional API to check, for example if they match the record in CRM during registration
External users, open to the internet, e.g. art contest for pupils -> Azure AD B2C. Anyone can register, students, teachers and employees can access it through Azure AD.
Pricing update: There is pricing update which affects Azure AD B2C and External Identities.
First - price is per monthly, active user (MAU). MAU means someone logged on at least once during the billing period (month).
Second - first 50k users in Azure AD B2C or external identities are Free. So first 50k users in a month, free - next are paid, so 60k active users within a month costs something like 16USD.
Simple:
Azure AD - apps for organisations and their corporate users
Azure AD B2C - apps for customers, like mobile apps, shopping portals etc.
For quick reference I've gathered this in blog post: https://www.predicagroup.com/blog/azure-ad-b2b-b2c-puzzled-out/
For update on External Identities and reference in video format, I've gathered it in this video: https://www.youtube.com/watch?v=E6S1yJKTB7c
Here is the 'official' doc comparing B2B and B2C
We have three differnt websites and we want to use Azure AD for the purpose of single sign on. My question is how do I add users to Azure AD (via API) who could have differnt emails such as foo#gmail.com, bar#yahoo.com, baz#outlook.com, etc
When I try to add users with these emails to Azure via API, I get the error:
Property userPrincipalName is invalid.
If however I add users with azure tenant name (like reinhold#mytenant.onmicrosoft.com), they are added fine.
I searched in forums and google but to no avail.
So is there any way to add users having gmail/yahoo/outlook/other email addresses to Azure AD using API ?
Thanks
Short answer: you can't. Azure AD will support only users whose domain name is your own onmicrosoft.com domain, or that have an email address for a custom domain for which you have the rights to represent. If you expect people to signup with #yahoo or #gmail, etc addresses, Azure AD is not the directory you are looking for.
AAD supports consumer owned accounts through guest flows with MSA. So, your users can create an MSA for their #yahoo or #gmail account (the #outlook account is already an MSA). Then, you can invite the user to be a guest in your tenant using the Azure portal (just as you would invite an AAD user from another tenant to be a guest). See: https://azure.microsoft.com/en-us/documentation/articles/active-directory-create-users/.
There are two options here:
B2B Azure AD Tenant - where You add those users as guests. Your guests can be External AAD accounts, MSA Accounts, and you can setup federation for Google easily, and others. You can also enable "passcode" authentication to allow any email to be used without signup. They are emailed a one-time passcode that works for 30 days.
B2C Azure AD Tenant - This is where you are creating an authentication for a public site and want folks to use any email. It is presetup with lots of federation for you to configure.
From https://learn.microsoft.com/en-us/azure/active-directory/external-identities/compare-with-b2c as of 2021/04/20
What are External Identities in Azure Active Directory?
With External Identities in Azure AD, you can allow people outside your organization to access your apps and resources, while letting them sign in using whatever identity they prefer. Your partners, distributors, suppliers, vendors, and other guest users can "bring their own identities." Whether they have a corporate or government-issued digital identity, or an unmanaged social identity like Google or Facebook, they can use their own credentials to sign in. The external user’s identity provider manages their identity, and you manage access to your apps with Azure AD to keep your resources protected.
External Identities scenarios
Azure AD External Identities focuses less on a user's relationship to your organization and more on how the user wants to sign in to your apps and resources. Within this framework, Azure AD supports a variety of scenarios from business-to-business (B2B) collaboration to access management for consumer/customer- or citizen-facing applications (business-to-customer, or B2C).
Share your apps and resources with external users (B2B collaboration). Invite external users into your own tenant as "guest" users that you can assign permissions to (for authorization) while letting them use their existing credentials (for authentication). Users sign in to the shared resources using a simple invitation and redemption process with their work, school, or other email account. You can also use Azure AD entitlement management to configure policies that manage access for external users. And now with the availability of self-service sign-up user flows, you can allow external users to sign up for applications themselves. The experience can be customized to allow sign-up with a work, school, or social identity (like Google or Facebook). You can also collect information about the user during the sign-up process. For more information, see the Azure AD B2B documentation.
Build user journeys with a white-label identity management solution for consumer- and customer-facing apps (Azure AD B2C). If you're a business or developer creating customer-facing apps, you can scale to millions of consumers, customers, or citizens by using Azure AD B2C. Developers can use Azure AD as the full-featured Customer Identity and Access Management (CIAM) system for their applications. Customers can sign in with an identity they already have established (like Facebook or Gmail). With Azure AD B2C, you can completely customize and control how customers sign up, sign in, and manage their profiles when using your applications. For more information, see the Azure AD B2C documentation.
Compare External Identities solutions
The following table gives a detailed comparison of the scenarios you can enable with Azure AD External Identities.
External user collaboration (B2B)
Access to consumer/customer-facing apps (B2C)
Primary scenario
Collaboration using Microsoft applications (Microsoft 365, Teams, etc.) or your own applications (SaaS apps, custom-developed apps, etc.).
Identity and access management for modern SaaS or custom-developed applications (not first-party Microsoft apps).
Intended for
Collaborating with business partners from external organizations like suppliers, partners, vendors. Users appear as guest users in your directory. These users may or may not have managed IT.
Customers of your product. These users are managed in a separate Azure AD directory.
Identity providers supported
External users can collaborate using work accounts, school accounts, any email address, SAML and WS-Fed based identity providers, Gmail, and Facebook.
Consumer users with local application accounts (any email address or user name), various supported social identities, and users with corporate and government-issued identities via direct federation.
External user management
External users are managed in the same directory as employees, but are typically annotated as guest users. Guest users can be managed the same way as employees, added to the same groups, and so on.
External users are managed in the Azure AD B2C directory. They're managed separately from the organization's employee and partner directory (if any).
Single sign-on (SSO)
SSO to all Azure AD-connected apps is supported. For example, you can provide access to Microsoft 365 or on-premises apps, and to other SaaS apps such as Salesforce or Workday.
SSO to customer owned apps within the Azure AD B2C tenants is supported. SSO to Microsoft 365 or to other Microsoft SaaS apps isn't supported.
Security policy and compliance
Managed by the host/inviting organization (for example, with Conditional Access policies).
Managed by the organization via Conditional Access and Identity Protection.
Branding
Host/inviting organization's brand is used.
Fully customizable branding per application or organization.
Billing model
External Identities pricing based on monthly active users (MAU). (See also: B2B setup details)
External Identities pricing based on monthly active users (MAU). (See also: B2C setup details)
More information
Blog post, Documentation
Product page, Documentation
Secure and manage customers and partners beyond your organizational boundaries with Azure AD External Identities.
About multitenant applications
If you're providing an app as a service and you don't want to manage your customers' user accounts, a multitenant app is likely the right choice for you. When you develop applications intended for other Azure AD tenants, you can target users from a single organization (single tenant), or users from any organization that already has an Azure AD tenant (multitenant applications). App registrations in Azure AD are single tenant by default, but you can make your registration multitenant. This multitenant application is registered once by yourself in your own Azure AD. But then any Azure AD user from any organization can use the application without additional work on your part. For more information, see Manage identity in multitenant applications, How-to Guide.