I am new to Azure and hence need someone to guide me. I am trying to build a web app where internal users can be authenticated via Azure AD and external users via their external/social account. I understand Azure B2C allows for that approach. Below is what I have found:
Internal users on Azure AD - https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-single-tenant
External users - https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/gigya-tutorial
Sample MVC Code - https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/1-WebApp-OIDC/1-5-B2C
Can someone please help me with the following:
Am I correct in my approach and the sample MVC code?
Theoretically, how will the MVC web app know when to redirect to internal and when to external provider on B2C tenant?
Will all internal users be available in my B2C tenant?
here is some documentation on how to do this:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-multi-tenant-custom?tabs=app-reg-ga
you need to create a policy that allows for multiple tenants in b2c. then add the claims provider for your allowed "azure ad tenants"
Related
I have setup Azure AD B2C for my project in .NET MVC. Its working perfectly. Now i want to fetch user information (who ever has signed up) from Azure side and display in my .NET MVC application.
Any good links I can refer or any suggestions will be very helpful to start with.
I have started with some setups like granting permission for user read in my application.
Azure AD B2C users tokens cannot be used against MS Graph API to fetch data, so you have 2 options.
In your .Net App use client credentials to get an App token to MS Graph API and fetch the users data. https://learn.microsoft.com/en-us/graph/auth-v2-service
Rather than fetching the data from MS Graph API, insert the data to begin with into the AAD B2C token.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-user-input?pivots=b2c-custom-policy#include-a-claim-in-the-token
Or for User Flows, add the claim to the Application Claims section.
i am using jwt token authentication by sql using entity framework in my project which is working perfectly fine.
now we have to add Microsoft azureAD login in the project?
QUESTION 1:
we have two type of user 1st one is stored in sql and other are stored in azure and they are not same.
now we have to provide username and password login for sql user(This part completed using jwt token based login) and microsoft login for azure use?
when i use openidconnect to login with microsoft its not working in my project?
services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"));
its not working.
what i actually want is to add both authentication like this.
services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"));
services.AddJwtAuthentication(Configuration);
If you are having new non-Azure users, you will have to use B2C. Refer to An ASP.NET Core web app with Azure AD B2C
The above sample shows how to build an MVC web application that performs identity management with Azure AD B2C using the ASP.Net Core OpenID Connect middleware. It assumes you have some familiarity with Azure AD B2C. If you'd like to learn all that B2C has to offer, start with it's documentation at aka.ms/aadb2c.
The app is a basic web application that performs three functions: sign-in, sign-up, and sign-out. It is intended to help get you started with Azure AD B2C in a ASP.NET Core application, giving you the necessary tools to execute Azure AD B2C policies & securely identify uses in your application.
If you also want to integrate Identity (SQL) in your code, refer Introduction to Identity on ASP.NET Core.
Is there anyone that had to use Azure AD B2C but had to let users connect with Instagram ? It seems Azure AD B2C doesn't have the capacity to do that yet.
I found no information about this on any search engine.
Yes, it is possible to connect Azure AD B2C with Instagram using Custom Policies. These policies allow you to configure a custom policy setup that hooks up to any identity provider that supports OpenID Connect (any by extension some OAuth2.0 providers). Just to clarify, Instagram is not currently supported as an out of the provider, but entirely possible to configure.
There is no sample to do this on Instagram today, but we will begin working on a custom policy sample today. Watch for a code sample & I can update this answer.
I am working on an ASP.NET MVC application that uses Azure AD auth out-of-the-box.
What I want to do is define custom roles for certain users. For example, mark JohnDoe#contoso as a "Portal Admin" or SarahJones#contoso as a "Site Manager" - I want to do that without messing with AD roles, since I don't have full access to the AD internals.
I am fine deploying a custom DB to contain the roles. Is there a generic solution for this or do I have to implement my custom verification layer?
Update 1: I can deploy a custom role provider and connect it to a different DB, but am wondering if there is a more straightforward way to do this.
If you use Azure Web Apps, which supports ASP.NET MVC then you can use the Azure Active Directory authentication mechanism. Here is a blog post describing how to set it up:
https://azure.microsoft.com/en-us/documentation/articles/app-service-mobile-how-to-configure-active-directory-authentication/
Once you have that, auth will be enabled for your app and you can configure the AAD app in the portal. See this blog post for more details:
http://blogs.technet.com/b/ad/archive/2014/12/18/azure-active-directory-now-with-group-claims-and-application-roles.aspx
To modify the permission levels, you should be able to use role claims. See this example for guidance:
https://github.com/Azure-Samples/active-directory-dotnet-webapp-roleclaims
Accessing the manifest:
Is there a mechanism in Azure AD to have a completely headless authentication? Most likely this would mean (in my mind) that the server running the API would have a perpetual authentication session to Azure.
If the purpose matters... We have a need to expose our thumbnailImage attribute from AD and I just need to make it so that the server doesn't care who requests the image. So basically we will have https://domain.com/api/Image/userid and the api will return an Image object (image/jpeg). I have this functioning internally and now I'm just migrating to Azure.
I found this question... I just want to confirm two things...
Daemon or Server Application to Web API is the method I should be looking at
Using this method will function as I'm expecting... a.k.a. WebAPI can access that attribute and use it like I currently use it while inside our internal domain.
Indeed. Azure AD supports the client credential OAuth flow. Yes, you are looking at the right help topic. The corresponding sample application is here: https://github.com/AzureADSamples/Daemon-DotNet.
If you haven't already, use Azure management portal to register your WebAPI as an application in your Azure AD directory and add a client secret (under the section named 'key' in the 'configure' tab of the 'application'). This key will be used as the client credential.
To configure permissions for your WebAPI to be able to call Graph API using client credential flow token, go to the application tab in the Azure Portal, under Azure AD and in the section titled 'Permissions to other applications', add an 'Application Permission' to 'Windows Azure Active Directory' to 'Read directory data'.
What you refer to as perpetual authentication session is basically your WebAPI caching the access token to Graph, and getting a new access token (using client credential flow) when the current access token is about to expire.
Hope this helps.