Can I create an Azure AD registered multi-tenant application that can access OneDrive for Business data on both cloud only tenants and on-prem farms? - azure

I'm creating a multi-tenant application on Azure AD that needs access to OneDrive for Business for both cloud tenants and on-prem farms. Here is my scenario:
My application makes REST calls using the SharePoint 2013 REST API.
The scenario or class of the app is "Daemon/Server Application to Web API".
My app needs app-only permissions since the application runs at a scheduled time without user interaction.
Based on the class of app I'm building and the permissions I need, I'm using the Client Credentials OAuth 2.0 flow to allow app-only authentication. The admin running my app gives consent for the tenant once for the app, and then the app is allowed to run on its own thereafter.
Everything works fine for accessing data on the cloud-only tenants, but I'm not sure if it's possible to also access data for on-prem farms that don't have a tenancy in Azure AD.
Note, I was able to make a SharePoint app that was able to access both, but SharePoint apps don't allow for apps with app-only permissions that grant full-control to a tenant on the fly, so I have to go the Azure AD application route because full control can be granted to apps on the fly.


Can an Azure App Service be tied to a client's external Azure AD?

We have written some code (I hesitate to use the term "application") in .NET Core using Visual Studio 2019. This concept is relatively simple; when a user opens a "proprietary" Excel workbook (an Excel file that calls our code) the code goes out to a hosted (by us) Azure SQL Managed database and returns data based on the parameters passed in by the user.
In Azure, we have a single production App Service plan with an App Service dedicated to each client (company). My question is about security: I'd like to tie each App Service to the related company's Azure AD. I do NOT want to create an account on my Azure AD for each user, although I can certainly do this through the "invitation" process using B2B. Can each App Service be "pointed" to a specific external instance of Azure AD so that only users from that company can access the related data?
You may use two different flows:
Each WebApp will authenticate users from only one specific Azure AD tenant
One WebApp will authenticate users from multiple Azure AD tenants
Both solutions can be achieved with the Azure AD multi-tenant authentication application pattern.
Here are steps you need to implement:
Update App registration to be multi-tenant
Update your code to send requests to /common
Update your code to handle multiple/single issuer values
Here is a picture that describes the flow
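Added example (not part of the original answer): the "handle multiple/single issuer values" step for the one-tenant-per-App-Service case, sketched in Python. It assumes the token's signature and lifetime were already verified by a JWT library; `validate_tenant`, the tenant GUIDs and the audience value are constructed for illustration.

```python
import re

# Issuer formats for tokens obtained via /common; {tid} is filled in per tenant.
ISSUER_TEMPLATES = (
    "https://login.microsoftonline.com/{tid}/v2.0",  # v2.0 tokens
    "https://sts.windows.net/{tid}/",                # v1.0 tokens
)
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


class TenantRejected(Exception):
    """Raised when a token does not belong to a tenant this service accepts."""


def validate_tenant(claims, allowed_tenants, audience):
    """Check tid/iss/aud on claims whose signature, exp and nbf were already
    verified elsewhere (assumed). Returns the tenant id on success."""
    tid = str(claims.get("tid", "")).lower()
    if not GUID.match(tid):
        raise TenantRejected("missing or malformed tid claim")
    # The issuer must be a template instantiated with this token's own tid,
    # otherwise a token from one tenant could claim to belong to another.
    if claims.get("iss") not in [t.format(tid=tid) for t in ISSUER_TEMPLATES]:
        raise TenantRejected("iss does not match tid")
    if claims.get("aud") != audience:
        raise TenantRejected("token was issued for another application")
    # Multi-tenant registration lets any tenant sign in; this allow-list is
    # what ties one App Service to one client's directory.
    if tid not in allowed_tenants:
        raise TenantRejected("tenant %s is not onboarded here" % tid)
    return tid


if __name__ == "__main__":
    # Constructed sample values, not real tenants.
    client_a = "11111111-1111-1111-1111-111111111111"
    client_b = "22222222-2222-2222-2222-222222222222"
    claims = {"tid": client_b, "aud": "api://example-app",
              "iss": "https://login.microsoftonline.com/%s/v2.0" % client_b}
    try:
        validate_tenant(claims, {client_a}, "api://example-app")
    except TenantRejected as err:
        print("rejected:", err)
```

For the second flow (one web app for several tenants) the same function applies with more than one entry in `allowed_tenants`.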

Can we access different Azure AD directories with single Azure AD App

I am currently using an Azure AD app (Client Id and Client Secret) of one directory to get user details and Azure resources of the attached subscription through MS Graph and the Azure Management API. Now I have added one more directory and subscription under my management group. I want to know: if I create a multi-tenant Azure AD app through App registration, can I access the users of the other directory? If yes, what configurations are required?
If you want to use a single Azure AD application to access different Azure AD directories, then you must configure the application as a multi-tenant application, because changing the application to a multi-tenant application allows any tenant to log in.
Next, you need to request the consent of the administrators of the other Azure AD tenants. After the administrator consents, it will be added to the other organization's tenants as an enterprise application. In addition, different tenants need to use different access tokens.
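Added example (not part of the original answer): what "different tenants need to use different access tokens" means for a client-credentials app, sketched in Python. Tokens are requested from each tenant's own token endpoint and cached per tenant and per resource (Graph or Azure Management); `TenantTokenCache`, the injected `post(url, form)` callable and `fake_post` are hypothetical names, and the HTTP layer is a constructed stand-in so the code runs offline.

```python
import time
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"
GRAPH = "https://graph.microsoft.com/.default"
ARM = "https://management.azure.com/.default"


def admin_consent_url(tenant_id, client_id, redirect_uri, state):
    """Link that a tenant's administrator opens once to consent for that tenant."""
    query = urlencode({"client_id": client_id,
                       "redirect_uri": redirect_uri, "state": state})
    return f"{AUTHORITY}/{tenant_id}/adminconsent?{query}"


class TenantTokenCache:
    """Client-credentials tokens, cached per (tenant, scope) and never shared."""

    def __init__(self, client_id, client_secret, post, clock=time.time):
        self._id, self._secret = client_id, client_secret
        self._post, self._clock = post, clock  # post(url, form) -> dict (assumed)
        self._tokens = {}

    def token_for(self, tenant_id, scope=GRAPH):
        key = (tenant_id.lower(), scope)
        hit = self._tokens.get(key)
        if hit and hit[1] - 60 > self._clock():  # refresh 60 s before expiry
            return hit[0]
        # The tenant id in the URL decides which directory issues the token.
        body = self._post(f"{AUTHORITY}/{key[0]}/oauth2/v2.0/token", {
            "grant_type": "client_credentials", "scope": scope,
            "client_id": self._id, "client_secret": self._secret})
        self._tokens[key] = (body["access_token"],
                             self._clock() + int(body["expires_in"]))
        return body["access_token"]


calls = []  # constructed stand-in for the HTTP layer; records requested URLs


def fake_post(url, form):
    calls.append(url)
    return {"access_token": f"tok-{len(calls)}-{url.split('/')[3]}",
            "expires_in": 3600}


if __name__ == "__main__":
    cache = TenantTokenCache("app-id", "app-secret", fake_post)
    for tenant in ("11111111-1111-1111-1111-111111111111",
                   "22222222-2222-2222-2222-222222222222"):
        print(tenant, cache.token_for(tenant), cache.token_for(tenant, ARM))
```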

For azure enterprise app, is it possible to allow app role to be managed by the application programmatically?

From what I read, AppRoleAssignment.ReadWrite.All should allow an application to use the Microsoft Graph SDK to do app role management programmatically. But how do I grant permission such that the application principal is only allowed to manage its own roles but not those of other enterprise applications?
The goal is to build a role management page in the web application to allow designated users to add/remove users to an app role for the same application without granting them access to the Azure portal.
Unfortunately, it's impossible currently.
Although we can add the user as the admin of the application principal on Azure portal and then we can do anything to the application principal on Azure portal, calling Microsoft Graph is different. It has to rely on the permission of Azure AD app.
But the Microsoft Graph permission AppRoleAssignment.ReadWrite.All is for all the application principals.
If you click on "F12" to open the developer tool of Chrome, you will find that the Azure Portal is using another API to finish the operation.
I tried to add my user as the admin of only one application principal through PowerShell, but it still doesn't work for Microsoft Graph.
You can go to Microsoft Graph user voice to make a request to get the attention of the product group.

Create AzureAD app registration when web app is deployed

I understand the concept of AzureAD App Registrations and I'm using it in several projects. Now I need to generate a Web App that should be deployable as a component in any AAD. This Web App should use Azure APIs to discover components in the subscription it is deployed to, which I don't know at development time.
What is the preferred way to accomplish the app registration fully automated at deploy time? I need to register an app in AAD and then store the information (App Id, Tenant ID, ...) in my web.config somehow.
The problem is that you can't develop an app that has access to the Azure AD without it being registered first.
The Azure Portal and PowerShell have access. Maybe you can use PowerShell to script the permission grant in your scenario?
Otherwise, (I did this a while back for a solution) you can create a multi-tenant web app, that your customers' Azure AD tenant administrators can sign in to. With the tenant administrators granting access, the web app can then access their Azure AD graph API and create the required application definition for your application.
In my scenario the Azure AD client application ran on-premises. It required access to the Azure AD graph API and also needed certificate-based authentication towards the Outlook 365 Exchange Web Service. So the web app could create the certificate, grant access to the required APIs, and let the user download the certificate, application ID etc. The on-prem app could then use the downloaded file as its configuration for accessing the Azure AD and other APIs.

Azure AD application - Can it be part of a Security Group?

I am creating a rest API which I am securing using OAuth2 client-credentials flow in Azure Active Directory. This requires me to set up the clients who should get access to my API as applications in Azure AD.
I would really like to take the AD thing a step further and have SQL Database access using AD Security Groups.
The question is; can I add an AD application to a security group and get Azure Active Directory login to work?
