how to write a cloud-based Active directory .NET application - azure

I work for a network management company and I want to write a .Net application (MVC 4) that will allow us to service Active Directory users from a cloud-based application.
As I have never written a cloud-based app, I don't know if I'm using that term correctly or not. I am in the requirements gathering stage. Basically, I'd like to provide our customers with the ability, for example, to change their own password using our cloud-based application.
is this an application that should be written specifically using Azure? If not, what tools and platform(s) should I take into consideration?
What tutorials or other resources are available ?
Actually, I don't even know enough about Active Directory and Cloud computing to ask the right questions. But, I hope someone will point me in the right direction

Read How to Authenticate Web Users with Windows Azure Active Directory Access Control. There are great walk-throughs there. There is more reading and code samples here - Access Control Service 2.0.

That's using ACS.
You could go direct to Azure Active Directory if you wished?
Refer: Adding Sign-On to Your Web Application Using Windows Azure AD.
If you use Office 365, you already have an AAD tenant.

Related

How can you monitor activity from an App in Azure?

I have built a web application that uses Microsoft Graph to connect to OneDrive to upload files to a user's drive.
The web application is registered in Azure under the App Registrations and is also in the Enterprise Applications, having been granted permissions by an administrator to access OneDrive.
There is a section in the Office365 Admin Console to run searches and raise email alerts, however, the user that appears to be performing the action just comes through as 'app#sharepoint', so we cannot monitor what the actual web application is doing because this is too general.
The question I have is, is there any way to specifically monitor what this app is doing, in terms of uploading files or reading files? I don't know if there is any way set the user that the Enterprise App runs under, or if there is anything that the application can pass to identify itself?
To view a report on user specific activity details on OneDrive connected to via Graph to an app registered on Azure, use GET /reports/getOneDriveActivityUserDetail(period='{period_value}') or GET /reports/getOneDriveActivityUserDetail(date={date_value}).
You will however need Reports.Read.All application permission.
Please see the following documentation for a better understanding of the usage of this query: https://learn.microsoft.com/en-us/graph/api/reportroot-getonedriveactivityuserdetail?view=graph-rest-1.0#code-try-1

How can I use AAD for an Azure version of "Windows Authentication" from a Web App to a Web API App?

I have two applications:
MVC Site (User-facing Web App secured via OAuth -> Google)
Web API Site ("Private" Web Services)
These are hosted in an App Service Plan in Azure. These web services will only be consumed by my own applications - I don't need to worry about outside consumption. In fact, I specifically don't want outside consumption. My Web App is using OAuth to Google - that shouldn't matter here.
So to get to the heart of my question: My web services currently have no authentication/authorization model in the code but I don't want it just publicly available to anybody. On prem, we just lock this down via IIS using Windows Auth and set the service account for the consuming web app to run as a user that Windows Auth allows access to. I'd like to do the equivalent in Azure.
I understand Azure isn't exactly the same but I have to believe this is possible. I have even gotten my web services locked down the way I want using the settings in the Authentication/Authorization tab (I can try to navigate to it but I only get my Swagger UI once I login with a valid organizational account). So half of my battle is solved but I cannot figure out how to do the other half - the equivalent of setting the service account for my consuming MVC application to run as.
Can I do this via the portal without having to code specifically to this scenario? I'd really like a PaaS-level or IaaS-level solution for the security portion of consuming the above locked-down services. I'm also open to other avenues if I'm going down the wrong path in having a PaaS or IaaS security solution to this problem. I'm not against making code changes - we did have a one-liner in our RestSharp code to engage Windows Authentication, but the bulk of the work/configuration was outside of code and that's what I'm going for here.
If going the IaaS path you can host the application inside of an VM in the exact same way as you did before when running it directly on-top of IIS. The benefit is that you can get running the same way as before but you will still need to manage the VM; i.e install updates and take care of its security.
However, if you want to have a PaaS solution, then you need to modify the code of your front-end application to pass on the authentication token to the back-end API, assuming the back-end accepts the same authentication as the front-end. See https://azure.microsoft.com/en-us/documentation/articles/app-service-api-dotnet-get-started/ as an example on how to pass on authentication information from one app to another.
Alternatively you can use the app identity to make calls to your back-end API. This way the calls are not related to any user but are instead done in the context of the app. See https://github.com/Azure-Samples/active-directory-dotnet-daemon for more details on how to set it up, both configuration and needed code.
If you want to allow your users to sign-in using their Google accounts then you could handle authorization to your API using the app identity (second alternative above), assuming the API is independent of the requesting users identity.
Enabling authentication for a Azure Web App directly through the menus in the Azure Portal adds Azure AD authentication in-front of your application and require your to pass an access token generated by Azure AD to your API for it to work.

How to enforce Azure AD authentication on IIS server level

Is there any possibility to configure IIS server to enforce Azure Active Directory authentication in hosted application? I don't want to apply any changes to app's code, it would be great to provide this authentication only on server level/layer (configuration IIS). Is this even possible?
EDIT
I have situation like this:
Have many applications from a customers. Have Azure AD and users added there. I need to provide Azure AD authentication to these applications. Moreover, i shouldn't do anything with code of these applications so i thought that i can try to enforce authentication not on application level but on server level. I've been searching informations about possibility of this method but can't find any (only application scenarios supported by Azure AD https://azure.microsoft.com/pl-pl/documentation/articles/active-directory-authentication-scenarios/ ). The only thing i have found is Azure Multi-Factor Authentication but i don't think it is helpful.
We tried to find it, and all that i have found that there is no possibility to enforce AAD authenticatoin on the IIS level and that it should be set up on the application layer which is actually the only one recommended and described process on the sites and in the AAD-related articles. I would say, that it can be even hard from a technological standpoint.
Reference 1
Reference 2

Is it necessary to create an ACS with Azure Active Directory?

Is it required that I create my own Azure ACS if I want to use the Active Directory? Am I able to simply create a new application instance on the Active Directory Pane (on the Azure Management Console) without having an ACS to build on? I don't want to need to pay to create my own ACS niche.
I think you're talking about creating an "Access Control Namespace".
It actually isn't necessary to do so. You can register an application with Azure AD without having an ACN "niche" - having an ACN is something that is generally better for larger enterprise applications or those that have to handle requests on many different levels (with many different applications). So unless you're building something very large, there's no reason to set an ACN up on the Management Console (and you can continue to use everything for free with the AD functionality without an ACN). Hope this helps.

How do you create an Azure deployable WebRole that use LiveId and Access Control Service

I need some help with creating a simple WebRole that uses federated authorzation/authentication with LiveId and the Access Control Service. I'm able to get it working with a local test ASP.NET application, but can't seem to find any information on the steps necessary to do this with a Web Role that can be deployed to Azure. The only information that I've found is to handle this scenario using a custom STS and the ACS or just LiveID, but nothing that demonstrates using both together.
Is there currently a limitation with Azure that prevents this? I've read some articles that seem to indicate it isn't currently possible due to the Geneva Framework not being fully implemented on Azure - can anyone confirm?
Thank you very much for any help!
You may find this resource useful - http://code.msdn.microsoft.com/wifwazpassive. It shows how to use ACS in an Azure Webrole. It does use a custom STS, not LiveID, but given that it's using Geneva framework components it should be possible to make it work with LiveID.

Resources