We want to create a MVC web application using claims-based authentication, expecting roles as one of the claims. We want to Federate authentication providers using the Azure Access Control Service to manage this federation. One of the authentication providers is our Azure AD.
The problem is that Azure AD doesn't seem to be able to generate role (or even group) claims. What is the appropriate method to manage group or role access in Azure AD and have role claims served by Azure Access Control Service.
Thanks.
Edit:
A previous comment asked for details: We want to provide access to our cloud application to 3rd parties using their active directory (to simplify user management for them). Our application has a few levels of access to information that the 3rd parties can configure. We were hoping they could do this in their AD (based on our instructions). Groups seemed like the obvious choice, but if there is another way that works, as long as we can provide instructions, it'll work.
We want our application to get claims for a user's level of access. If we had only one partner that was using Azure AD, we could use the graph API against that endpoint, but with multiple partners changing over time, we wanted to federate them so our application only needs to trust the federation server. We were assuming that we needed Azure ACS to manage the federation.
AAD does support roles / groups and you can administer them from the Azure Portal.
Howeve, these are not passed in the "canned" set of claims.
You need to use the Graph API and then convert them e.g. Windows Azure Active Directory: Converting group memberships to role claims.
Update:
ACS requires something to federate with. You can't hook a customer AD up to ACS - you need something like ADFS on top of their AD.
I assume your cloud app. runs in Azure?
Then make your app. multi-tenanted. If your customers have their own Azure tenant, it will work. You just need to add the Graph API code to your app. ACS is not required.
Your customers then run DirSync. This keeps their Azure tenant in sync. with their AD changes.
So two options:
Customer does not have Azure tenant. They install ADFS and federate with AAD.
Customer's who do have Azure tenant use DirSync.
Good news: we have recently turned on the Application Roles and Groups Claim features in Azure AD.
Get a quick overview here: http://blogs.technet.com/b/ad/archive/2014/12/18/azure-active-directory-now-with-group-claims-and-application-roles.aspx
Deep dive post and video on app roles feature is here: http://www.dushyantgill.com/blog/2014/12/10/roles-based-access-control-in-cloud-applications-using-azure-ad/
Deep dive post and video on app roles feature is here: http://www.dushyantgill.com/blog/2014/12/10/authorization-cloud-applications-using-ad-groups/
Hope that helps.
Groups aren't the best choice because they are unique within each directory. Unless you get your customers to define a set of groups that have well-known names and match against the strings, that is (the object IDs of a group is different per directory even if they have the same name). I'm actually from the Azure AD team and we are seriously considering releasing a feature to allow you to define roles in your app that your customers can assign their users to. Please stay tuned on this. In the meantime, unfortunately groups are the only way to go. You would have to call "GetMemberGroups" using the Graph to retrieve the groups that the user is assigned to.
What are your timelines for releasing this application? You can contact me directly to see if we can work with your scenario.
Related
I'm using Microsoft Graph API to access data from a variety of tenants' ADs. This is with a multitenanted Azure app hosted in my Azure tenancy. Authentication is handled using application level tokens and the client credentials flow; customer admins authorize the collection of data for their tenancy using OAuth. A customer is asking whether it's possible for me to restrict access to my Azure app based on location, so that our app dispenses tokens only to clients who are inside our data center.
It seems to me that this is not going to work. Microsoft recently added the possibility of conditional access based on workload identities; but are pretty clear that this only works for single-tenant apps, where the same tenancy hosts both the enterprise application and the app registration:
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/workload-identity
Note
Policy can be applied to single tenant service principals that have
been registered in your tenant. Third party SaaS and multi-tenanted
apps are out of scope. Managed identities are not covered by policy.
But, I am not an expert and may be working on incorrect assumptions. Can anyone confirm or disconfirm what I have posted here? Is there some way I can provide what the customer is asking for?
As mentioned in the document that it is applicable only to the single tenants, If you want this feature to be available for the mutlti tenants as well you can raise a feature request for same here: https://techcommunity.microsoft.com/t5/microsoft-365-developer-platform/idb-p/Microsoft365DeveloperPlatform
I'm exploring options I have when it comes to implementing user authentication and authorization in Angular app with ASP.NET Core 3.1 backend that will be deployed to Azure AppService.
Only selected, invited users will be allowed to use application. There will be no "Create account" page accessible to everyone. There is a possibility that subset of those users will be our company users so leveraging their Active Directory identity and allowing SSO would be great. Application will be multi-tenant. Multi factor authentication might be needed for selected tenants/users (based on role for example). We don't want to allow logging in with 3rd party Identity Providers like FB, Google and so on.
Based on my explorations on I have 2 (4?) options.
ASP.NET Core Identity - simple, builtin, well known. But probably won't allow me to to implement SSO and users will need another login/pass. I'm not sure if it supports inviting users (out of the box) or is this something I would need to implement myself. Same with password resets. It allows me to add custom properties to stored user entity (TenantId) to allow me to implement multitenancy, but I need to deploy SQL Server database and manage it myself.
Azure AD (B2B, B2C) - this is new to me. How I understand it is that with Azure AD Connect I could synchronize users between AD and Azure AD and this would allow me to implement SSO for our company users. Only selected OU's could be synchronized and based on groups in AD they could be assigned different roles in our app. Then assigning roles is responsibility of people which are already managing those users in AD. If person is released and their account is removed/locked in AD they lose access to our app. If they're removed from specific group they lose access to our app. And probably all our company users are already in Azure AD - I see myself and my colleagues in it when I use my work e-mail to login to Azure portal. When it comes to supporting users which are not in our AD I tested that I can add "Guest users". At first I thought this is something I would need Azure AD B2C for but looks like it's not the case. Then what is Azure B2B and B2C for? In this case I don't need to manage SQL database and have user managment for free. Both on AD and Azure Portal site. I don't know if I can add custom properties to users (TenantId).
Which one of those options is better? Maybe there are other options?
Azure AD B2B is indeed the way to go for your requirements.
B2C is required when you would like to open up your application to external users while allowing them to login using social providers.
You can read more about the differences between Azure AD B2B and B2C.
Lets say I set up and create a new Azure Account and Subscription. Azure automatically creates me an Azure AD called "somedomain.onmicrosoft.com".
Later I deploy REST API and Angular SPA app to Azure. Since I'm using Azure AD for authentication and authorization on both of the applications I register them on my Azure AD, under the domain "somedomain.onmicrosoft.com".
Everything works fine, however after some time I realize that I want to allow access to my services/apps to other organizations. After doing some research I realize that what I want to achieve is multi-tenancy.
In order to register a new tenant I do the following:
Go to Azure portal.
On the left blade menu click on "Create a resource" and search for "Azure Active Directory".
Create a new directory called "tenant-1.onmicrosoft.com".
Next, I update my registered apps (on "somedomain.onmicrosoft.com") according to this documentation - enabling multi tenancy and common endpoint.
After all of this, both users from AD "somedomain.onmicrosoft.com" and "tenant-1.onmicrosoft.com" should be able to authenticate and access my services.
Question
Is this the correct way of achieving and implementing multi tenancy?
You don't need to create a new Azure AD tenant (xyz.onmicrosoft.com). Just register the application in the existing tenant or mark the existing application as multi-tenant. Then, existing other AAD tenants will be able to signup to use your app without doing further registrations. You will need to modify your app code to accept tokens from other tenants, e.g. enter link description here This link points to a regular .NET web app, not SPA. You will need to translate it to your SPA environment.
I'm not sure of your high level use case but one thing to note about the AAD multi-tenant approach. You are assuming that person signing in has an Azure AD tenant, for example through Office365.
If they don't have an Azure AD then they won't be able to sign in.
You 'could' create an AAD for each new tenant and create a user account in there.
They would have the bob#mydomain.onmicrosoft.com address and could add their own domain later.
That way they can then take advantage of all the enterprise features of AzureAD.
It might be a use case, but I think you would need an AAD per tenant and I'm not sure of the limits or if this is best practice.
You can also look at B2C if you want social logins/other OpenIDConnect.
I'm quite new to all things MS/AD and coming from the app developer side of things so please bear with me if i'm not using the right terminology. I can't find confirmation in the online docs for this, so grateful for any ideas or links that could be helpful.
The scenario: my organization is a O365 shop and have a bunch of stuff in Azure. One project is a custom platform with several web apps. Most are accessed by our own folks via SSO, but some of these apps will be accessed by external users from our partners/vendors. A couple of these are MS shops but most are not and we can't require MS accounts.
The twist: we need to delegate user management to our partners/vendors. So as an example, for app3 we will have tons of partner/vendor organizations that need access. We want to give 1 person from that organization the responsibility of inviting their colleagues and removing folks when anyone leaves their organization. In many cases, they won't necessarily have the same email address domains so we can't restrict/group in that manner. In other cases, we need each national office of a global organization to have its own delegated admin to manage staff so there may be separate organizations with users that have the same email address domain.
My questions: Is Azure AD B2C the right approach for this?
Can it support this kind of delegated management (something like https://learn.microsoft.com/en-us/azure/active-directory/active-directory-accessmanagement-self-service-group-management)?
Would we need configure a separate Azure AD B2C directories for each external organization or should these be groups within one Azure AD B2C directory?
At this time there is no out-of-the-box support for user management delegation in Azure AD B2C, whether it's delegatin user management to other B2C admins using local (.onmicrosoft.com) accounts or external users using local (#myemail.com) or social accounts. Azure AD B2C does not support self-service group management capabilities either. You can request either of these in the Azure AD B2C feedback forum.
Is the same instance of these apps going to support people from these multiple organizations?
If the answer is no, meaning that your are going to have one instance of the app for organization A, and another for organization B, you can definitely have multiple Azure AD B2C directories and wire up each application to each directory.
If a single instance of these apps will need to support multiple of these organization, then I can think of two options for you:
Use Azure AD B2C and build all the delegation and user management logic yourself. You can have a custom attributes to assign users their "organization" and another to indicate whether they can manage users or not. You would then need to create a user management UI that queries the Graph for all users that are in the same "organization" and let the user manage those. You would also need to build the invitation feature, first into this UI by creating the user through Azure AD Graph and setting its "organization" claim accordingly, and then by directing users to the Password Reset policy as their "account verification" flow.
Use Azure AD and the B2B collaboration feature (including its ability to delegate invitations). This also opens up the self-service group management capabilities you referenced. If you don't want these users to get access to other things in your organization, you would probably want to create a separate Azure AD tenant for this and also invite people from your on Azure AD via B2B collaboration.
Conceptually, B2C is meant for external users, and Azure AD is meant for internal users, with B2B complementing those internal users with partners that collaborate enough with those internal users to be almost thought of as internal users. That being said, use whichever one best suits your needs. Don't forget to keep in mind that their pricing model is very different.
my question is similar to question Multi-Tenant app - OneDrive Business API
but i want my application to access the one drive from tenants of other different azure subscription, is it possible? i understood that if i register my application and mark it as multi-tenant, it will allow me access the tenant in my azure subscription, but if i want to access the tenant using the same application but in different azure subscription whats the way.
What’s kind of authentication flow are you using? Normally, we use the Authorization Code Grant Flow that the user delegates access to a web application. In this scenario, to enables the users on other tenants to login the website and access their Office 365 resource, we only need to enable the multiple-tenant app on the Azure portal.
but if i want to access the tenant using the same application but in different azure subscription whats the way.
It depends on which REST you were using. It is same as we are call the REST API for the single tenant app if we are using the Microsoft Graph to query the OneDrive for business. The endpoint of the list children of a driveItem is still like below no matter which tenant the user login:
GET https://graph.microsoft.com/v1.0/me/drive/root/children
GET https://graph.microsoft.com/v1.0/me/drive/items/{item-id}/children
GET https://graph.microsoft.com/v1.0/me/drive/root:/{item-path}:/children
If you were using the Office 365 REST API, we need to discover the service endpoint. You can refer to here for more detail about Office 365 Discovery Service REST API.
Depending on the permissions that you need normally the tenant admin of the other tenant has to add the application to their own Azure AD. With the newer app model v2 this is quite a lot easier as the admin can simply give consent once in the normal consent screen for the entire tenant. See here for a mor elaborate explanation of how this would work.