ActiveDirectoryMembershipProvider with Azure Active Directory - azure

I realize there are other (preferred) ways of implementing authentication with Azure Active Directory, but is it possible to use the standard ActiveDirectoryMembershipProvider with Azure Active Directory for an Azure website?

No. There is no way to use ActiveDirectoryMembershipProvider with Azure Active Directory.
. (Period) :)
Why?
ActiveDirectoryMambershipProvider uses Active Directory Application Mode (ADAM) server and talks to AD over LDAP protocol. Both of which are not supported by Azure AD. The replacement of LDAP in the Cloud is Azure AD Graph API.
You can however use the Claims Based Authentication / Authorization model and protect your web site with Azure AD. This will help with Authentication. Authorization - you can use the role based access control and have your Azure AD groups translated into ASP.NET roles.
Here is pretty long and well described process of how to protect a web site with Azure AD without writing single line of custom code.

Related

Restrict Azure B2C to organizational accounts

I have two separate web applications, one built with .NET Framework and the other built with .NET Core. Both web applications make up one solution which we ship to our customers. The solution itself is a SaaS subscription-based solution, where users would be able to sign-up with using either a Microsoft/Office 365, GSuite, or organizational account (basic username/password). We would like to restrict sign-up to organizational/business accounts only.
As I understood, Azure B2B is mainly useful when you have something internal and you would like to give external users some limited access to it. Given that I have a multi-tenant SaaS solution, I believe that Azure B2C makes more sense.
Furthermore, in our solution, we would also want the ability for external users to access Tabular Models in Azure Analysis Services and SSRS.
Is access to only organizational accounts, something that can be configured through Azure AD B2C?
Can access be granted to external users to Azure Analysis Services or other Azure tools when using Azure B2C?
You have two options
Option 1, Using Azure AD External identities solution - recommended
You can use newly released self service sign up solution in Azure AD external identities . You can very well restrict sign up to other Azure AD accounts only. However for sign up using other federation systems - you need to try on. I think as of today only Google and Facebook are supported apart from Azure AD.
Option 2, use Azure AD B2C and use app only authentication.
Azure AD B2C consumer accounts are by default not supported by Azure services or Office. But you can use app based authentication to provide these services. Your client app will call your backend api using Azure AD B2C token. Your backend app can perform all auth validations and then call the backend Azure or any other service using app only authentication mode.

Authentication WebAPI service that will use Azure AD and Azure B2B

This isn't a specific problem question but a "cry for help".
My problem is this. Our organization is in the process of implementing Office365.
Until now there were tens of applications with their own authentication and authorization but in the process most of them will be rewritten to use within O365 environment.
We are facing the problem of creating one endpoint (ASP.NET WebAPI app) which will be used to authenticate a user with his credentials from Active Directory (or B2B AD on Azure because some apps are used outside) and tell if this user is allowed to use app that asked to log him.
I'm just wondering through documentations and sample code but can't decide what will be a good practice in this scenario. Should we just build each app and use Azure Active Directory provider to authenticate. Or is it possible to setup ONE api that will hold all apps Ids and its userIds - then it will check user credentials against AD and give app token/cookie...
My best bet is to try this: http://www.tugberkugurlu.com/archive/simple-oauth-server-implementing-a-simple-oauth-server-with-katana-oauth-authorization-server-components-part-1
But create Provider for AzureAD. But then its still question about this B2B AD part.
Please help by pointing to some up to date resources..
You should register each of your B2B application within your Azure Active Directory and configure them to use AAD as the Identity Provider.
Then you can administrate everything you want (e. g. which user has access to which application) within the Azure Active Directory blade from the Azure Portal.
You are getting this backwards. If you have apps integrated with Azure AD you don't have to create endpoint which will validate users right to use apps but you are assigning right to use an app in Azure AD. This is whole point.

Azure AD application - Can it be part of a Security Group?

I am creating a rest API which I am securing using OAuth2 client-credentials flow in Azure Active Directory. This requires me to set up the clients who should get access to my API as applications in Azure AD.
I would really like to take the AD thing a step further and have SQL Database access using AD Security Groups.
The question is; can I add an AD application to a security group and get Azure Active Directory login to work?

How can I programmatically retrieve the domain name of the Azure Active Directory in a given subscription?

I'm working on an application that will allow users to authenticate to Azure Active Directory and then manage resources in their Azure account via Azure Resource Manager API calls.
I've found several walkthroughs on building such an app including this post. However, in the part that discusses authentication with Azure Active Directory, there's a step showing the need to manually retrieve the Azure Active Directory name from the Azure Portal.
The directory name is plugged into app settings (and ultimately authentication calls to the directory) as follows
http://login.microsoftonline.com/{directory_domain_name}/OAuth2/Authorize
Is there any way to programmatically retrieve {directory_domain_name} without requiring users to login and lookup the information in the Azure Portal?
The one answer to this question has a dead link and another pointing to the Graph API, which seems to still require the domain name.
For your particular scenario, look like you want to build an app that will be users from different Azure AD tenants. This scenario is best addressed by building a multi-tenant application.
To make your application multi-tenant, you'll need to go to the Azure Portal and in the Configure tab of your Azure AD application, set the "Application is Mult-Tenant" option to yes.
Once you do this, you can just call
http://login.microsoftonline.com/common/oauth/authorize
http://login.microsoftonline.com/common/oauth/token
And Azure AD will resolve the figure out which tenant to authenticate against based on the the credential that the user types in.
More information on multi-tenant applications:https://azure.microsoft.com/en-us/documentation/articles/guidance-multitenant-identity-authenticate/
Sample multi-tenant application: https://github.com/Azure-Samples/active-directory-dotnet-webapp-multitenant-openidconnect

How to access Azure Active Directory?

I'd working on creating a ASP.NET 5 web application and would like to use ASP.NET Identity to manage users. I'd also like to use Azure Active Directory in a multi-tenant configuration. As I understand more about claims, I expect we will eventually create our own custom claims as well.
I see ASP.NET Identity can configure providers (Facebook, Google) but is it possible to set up Azure Active Directory to authenticate with Facebook / Google and have it flow through ASP.NET Identity? My guess is that flowing through Azure Active Directory would make our subsequent migration to claims authentication easier.
If so, any pointers to setting this up and road bumps that may be expected would be appreciated.
Regards,
Rajesh
Classic Azure Ad does not integrate directly with Facebook or Google, however the new B2C offer does. See http://aka.ms/aadb2c

Resources