I'm looking to see if it's possible to use both individual user accounts authentication along side Azure AD authentication in a single application. Either Framework or Core (ASP.NET).
So far it's been all Google searching and I'm not finding anything that clearly states one can do this. Secondly, I'm not very familiar with authenticating an application aside from the basics for both individual or azure ad (well documented examples / VS template code).
Any help, links, small code example from Startup.cs is greatly appreciated.
Thanks.
It's too vast topic to put into an answer as a how-to-guide. However, I would try to give you brief overview and enough references/examples to look at. Your scenario can be better solved by using Azure AD B2C in conjunction with Azure AD. I strongly suggest you to go through the overview from those links for foundational concepts first. Azure AD B2C provides business-to-customer identity as a service. Your customers use their preferred social, enterprise, or local account identities to get single sign-on access to your applications and APIs.
In your case, you need to add Azure AD as identity provider in the B2C tenant, and add required User flow (personal/social login) which will enable your user to login with either organizational (AAD) or personal/social account by signing up. This explains how to configure custom policies in B2C to add AAD as identity provider in such case. And for example, this provides you guide to enable Azure AD and Facebook login.
Now coming to code/SDK part, since you are into C# and asp.net, your one stop shop should be the new Microsoft Identity Web library. It would make your life lot easier to wire up with Microsoft Identity Platform with minimal configuration and code, and also has pretty good documentation, reference and samples to handle most common scenario. For example, this is a sample for B2C. There are many more here for your reference in case you need.
I would emphasize your starting point should be Microsoft Identity Web for asp.net core.
Related
I'm trying to setup authentication against Azure DevOps using MSAL. I've followed Microsoft's sample but I can't get it to work with personal Microsoft accounts. Whenever I try to login with a personal account I get the following error:
This username may be incorrect. Make sure you typed it correctly. Otherwise, contact your admin.
In the sample I have only changed ida:Tenant to "common" and ida:ClientId to my application id. I've setup my App Registration by following the guide in the sample except for the "Supported account types" which I've set to:
All users with a work or school, or personal Microsoft account can use your application or API. This includes Office 365 subscribers.
What am I doing wrong or missing?
When configuring the application to use your app registration, you need also find the key ado:OrganizationUrl and replace the existing value to the URL of your Azure DevOps organization. Please note: This must use HTTPS. As it mentioned in Configure the application to use your app registration.
If you already replaced the ado:OrganizationUrl, you may have a try to change the Supported account types back to "Accounts in this organizational directory only" to see if it works for troubleshooting.
I spent a little bit time to get the samples working and the key steps required to accomplish this are:
the Microsoft personal account need to be added to an Azure active directory tenant. As MSAL uses Azure AD as a fundamental infrastructure.
https://learn.microsoft.com/en-us/answers/questions/228067/invite-or-add-personal-ms-account-to-azure-ad.html
Link the Azure Ad tenant (with the Microsoft personal account) to the Azure DevOps service Instance.
https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/connect-organization-to-azure-ad?view=azure-devops
To complete the sample, I used my MS personal account to sign up a free Azure account (so that I can test the Azure AD stuff), and used the same account to request a free Azure devops service account.
Thanks
In your question you mention:
"I'm trying to setup authentication against Azure DevOps using MSAL. "
So, the goal is to let Microsoft Account users logon to some part of Azure DevOps using MSAL? I'm curious what the exact use case is, but let's assume I understand you correctly.
The first thing that comes in mind is, are those users already invited to the AzDo organization? Please read here how to do this.
Doing this will add them to the Active Directory as a guest like this:
Alternatively if you just want to invite these users to Azure, please use the invite from: https://portal.azure.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/AllUsers
This site suggests this error occurs when the user doesn't have multi-factor authentication setup. You may need to have your Microsoft account setup with MFA.
Is there a way to mimic powershell's Get-AzureADUser to read AD properties on given users without having to register the C# console app I am trying to build with Azure?
I know you can run powershell in C# but I am wondering if there is a different route I can take to achieve the same thing WITHOUT registering the app?
Short Answer: No. You will need to register an application with Azure AD to be able to authenticate.
Longer Answer:
AFAIK all of the OAuth 2.0 grants for authentication supported by Azure AD will require some information about the client (i.e. registered application) that is being used to make the authentication call. This would be true whether you use ADAL Libraries or directly hit the relevant token/authorization endpoints.
You may already know but it's worth mentioning that the simplest and recommended way to do authentication/query user data with right privileges will be to register your application with Azure AD.
In fact default setup for Azure AD, is such that it promotes the use case of developers being able to register applications and consent to applications on their own behalf. Read here.. Who has permission to add applications to my Azure AD instance? and at the end it mentions that Microsoft itself uses the same configuration internally.
Full Disclosure: I know that some very knowledgeable people (Microsoft MVP's, Microsoft Azure AD team members) follow the azure-active-directory tag. So even though I think this is the right answer, your question is such that it would make sense to wait for more answers/comments to see if there is anything else possible.
Possible workaround if it suits your scenario:
In case you don't want to register your application just because you don't have permissions to a specific Azure Active Directory tenant, there may be a workaround possible.
You would still need to register your application but with a different Azure AD tenant or with Azure AD B2C, and then make your application as a multi-tenant. See this SO post for more details.
I'm building a .net backend for my Azure Mobile Service.
I would like to execute code whenever someone authenticates with one of the default providers (i.e. Microsoft, Google, Facebook etc.).
Some examples of what I would like to do during authentication:
Associate their MS/Google/FB Account ID with my own user accounts
Add claims to the ServiceUser
To sum it up: is there any way to hook into the server side execution of MobileService.LoginAsync(provider) in a .net backend?
Yes, you should look at the custom authentication feature of Mobile Services, which should be flexible enough for your use case: https://azure.microsoft.com/en-us/documentation/articles/mobile-services-dotnet-backend-get-started-custom-authentication/
You might also be interested in the new AAD B2C offering, which has a lot of features that might fit your scenario: https://azure.microsoft.com/en-us/documentation/services/active-directory-b2c/
I'm somewhat new to ASP.NET MVC and I hoped you can help me with authentication for my app.
I have a MVC application that needs to be authenticated using SQL Server Log Ins. This means I have to create roles and users in SQL Server, and all security permissions are managed at Database level. Roles, users, and permissions aren't constant and we should be able to manage them.
Any suggestion? Is there anyway to override default behaviors of Identity to achieve this goal? What do you think is the best way to implement this need? Should I Use AD or DB Logins are fine?
Thanks in advance
Based on my working experience with diverse login mechanisms, I would like to suggest you the following route
Choose AD as your identity provider[IDP]
Register your application as an Relying Party [RP]
Get the federation metadata from AD to set up your application
In case you have your AD Server with ADFS 3.0, refer this link for a sample
In case of going through the OWIN Federation Middleware, it should be very easy for you with little development effort as given in this link
With ASP.Net MVC5 & Owin this task of yours should be a piece of cake
For Azure AD based samples, refer here or for first hand information, read this article
I have an Azure account and currently a Mobile Service setup with a SQL Database so that my Windows Store app can communicate with the database.
I have developed sites using ASP.NET WebPages authentication. And I need something similar for my Windows Store app.
I have successfully gone through the documentation and tutorials on the Windows Azure website and implemented ACS (Windows Live ID, Google, Yahoo!, and Facebook) - but the thing is - I don't want Google, Yahoo!, Facebook or even Windows Live ID or Microsoft Account) logins - I want my OWN login but it seems that they don't give you this option (correct me if I am wrong).
I need to allow users to signup from within my application (that means, providing their name, DOB, email, phone, address, etc) and shove it all in my database.
Now, after implementing Microsoft Account login with my Azure service, I found out that you can't even get the most basic information about any user who has logged in to your application - not even an email address.
I have spent hours searching online for something that could possibly help but I am running out of keywords - and have not hit a single related result yet.
Does anyone know if this is possible? How would we go about integrating login and signup with a Windows Store app that set/gets this data into/from a Windows Azure service?
Any code, samples, links, tutorials, documentation, etc would be highly appreciated.
You have gone down the road of hooking up external identity authentication, which in my opinion for an external facing web application is a better approach. Benefits are:
Your application is only responsible for Authorization not Authentication. There is a whole lot of work involved in Authentication and a large number of best practices. Best let those who know best take the burden of this. This doesn't mean you shouldn't try and understand it though.
If your site gets hacked you don't have to tell them that their username / email and password combo has been compromised and they will probably have to change there passwords on other sits.
You are also making sure that your users don't have to remember / manage yet another username / email address password combo
If you really want to do the Authentication then that is fine but you will need to do it yourself. Have a look at examples on Asp.Net Membership. This is not the only way and nor is it the best way but there are lots of examples.
Now if you decide you want to use external authentication I can give you some pointers to help with your current implementation.
First thing to note that the Id you get back from Live, Google, Facebook can only be assumed to be unique for that provider. Therefore if you want to keep a profile in your system for that identity and you want to use more than one provider you will need to implement it in such a way that you can keep the id unique in your system and help you associate it with a provider.
Website Authentication with Social Identity Providers and ACS Part 2 – Integrating ACS with the Universal Profile Provider
As you have found out not all of the Authentication providers return the same "claims". A claim is something that user claims to have, such as an email address, name, date of birth, etc. All the ones you can use by default via the ACS return Uid and some return a name and email address. What you have to do is fill in the gaps. When someone registers you will need to pull the relevant claims and then ask them to fill in the missing ones. You may also want to map the different claims in the ACS to a common name that you can use in your app as one provider might use slightly different names.
Federated Identity with Windows Azure Access Control Service
Just because you do not handle Authentication you still need to be responsible for keeping your application secure. Half of the work has been done for you so your code should be a lot lighter but you will still need to make use of roles.
Windows Azure Role Based authentication (ACS)
The really nice thing about this approach is you can implement your application the same why SO have done with there identity model. You can allow users to associate multiple identities against their profile meaning they can login how they want to.
If you choose not to use the built in providers for ACS you will need to implement your own Identity Provider using SAML, OpenId, etc...
You can look into the Windows Identity Foundation (WIF) for implementing WS-Trust or WS-Federation.
There is also ADFS which has the same set of support but uses Active Directory with WIF and Azure has its own version of AD that can be used.
There is also thinktecture identityserver which can jumpstart your venture into IdP land, but I have not used it myself yet.
If you want to go the OpenId route there is DotNetOpenAuth.
If you're looking to add custom identity to your Mobile Services app, check out Josh's post on custom auth: http://www.thejoyofcode.com/Exploring_custom_identity_in_Mobile_Services_Day_12_.aspx