I am trying to have users create an account on my site, then have someone on my team add the appropriate claims for that user after they have created an account. How can I do this? I tried doing it via an SQL command here, but never got it working. Is there a built in way to add a claim to another user account?
Related
I have an Asp.Net Core 2.1 web application which uses Azure AD to authenticate users. The application has recently had the 'user assignment required' option set within AAD so that only certain users are authenticated to use the application. This works correctly though I am now looking to make the user experience better for users that have an account in AzureAD but have not been assigned to the application. Issues I have:
For user that has not been assigned, the OnRemoteFailure event is hit. I can potentially parse the failure message and look for text like 'The signed in user is not assigned to a role for the application' and direct the user to an appropriate error page. Is this the best way to handle this? I cannot see any other data I can tap into to distinguish this type of response?
Some users will have two Azure AD accounts and it is possible that one is assigned to the application and another is not. In the case that they sign in to the Azure account that does not have access to the application, they will be stuck with each click of Login taking them straight back to the website and the Unauthenticated page. Ideally the user needs to be given the chance to login using their other AD Account rather than having to clear their browser cookies to reset things. I'm not sure how I would go about this?
For the second part, I have found that adding:
options.Prompt = "select_account";
to
services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
has done the trick and is allowing the user to switch account
I'm working on a .Net application in which user can authenticate with a form using an Id or a Microsoft account (Azure Active Directory). The problem is that a user who doesn't yet have an account on my application can still connect via AD. After authentication, I would like to redirect him to a registration page for his account to be approved first. Since he is already authenticated, is there a way to prevent access to other pages?
I need some help, Thank you.
I am wondering if there is a way to add already existing users in an AAD tenant to a different tenant programmatically? I can only see the powershell cmdlet for adding(creating) a new user in the same tenant. Basically this is the workflow that i want to automate:
On the Azure portal. i go to the tenant and then click on Add user
When i click on Add User it asks me to provide Type of User where i choose User in another Microsoft Azure AD directory.
Is there a way to programatically do this using some code in powershell or C# or some other microsoft stack?
Basically i want to achieve automation for steps mentioned in this link: https://azure.microsoft.com/en-us/documentation/articles/active-directory-create-users-external/
No, this is not directly supported. One way to add "O365 Management APIs" application and then use office.com admin portal to import users from a csv file. But this only works if the users on the same tenant.
We're attempting to build an intranet web application, and we'd like users to be able to just use their domain credentials to sign into our web site and be automatically registered. All the sample code I've seen with Identity shows users going through a registration page on an AccountController, and the UserManager is used to create the user there.
Since we're requiring authentication on all pages, the user is currently just redirected to the domain sign-in (we're currently using an Azure Active Domain), and then returned to our page. It looks like the default behavior of Identity is to not create a User in the application database when this happens, so we wind up with an authenticated Identity and no corresponding User object in our database. Is there a good place to hook into to create this user? What's the best way to create the user? And how does the UserLogin table play into this, I assume it's used somehow to match a ClaimsPrincipal with the application database User?
We're using MVC 5, Entity Framework 6, and WIF 2
When you use Azure Active Directory (Organizational Accounts), the active directory is your user database. Unless you add it specifically, there won't be an AspNetUserLogins table like you get when you configure your application for authentication using Individual Accounts.
I'm making an assumption that you want to create some kind of user table so that you can store user profile data and/or some authorization claims for each user. You can still do this. For example, you may create a table in a SQL Database (or whatever database you want) to store user profile records in. A good extensibility point in your code for this kind of thing is to derive a class from the ClaimsAuthenticationManager and override the Authenticate method. In here, you can inspect the claims for the incoming authenticated user, look up additional profile claims you've stored for the user in your database table, and then add those claims to the claim set for the ClaimsPrincipal. One of the claims you will get from Azure AD in the incoming principal object is an objectidentifier. This would be a good key for your user profile table so you can correctly identify a user on subsequent logins.
An alternative to the user profile table approach I just described that you may want to look into is the ability to extend the Azure AD schema using Graph API. I've not personally tried this technique yet. It's also still in preview. But, the general idea is you can register an extension for your intranet application that would include the additional properties for each user.
The client I work for at the moment wants to use their Active Directory logins with single sign-on when connecting from a domain computer. I have however no experience with Windows Authentication.
The problem however is, that I need to reference the users in the database. Also, the users already should be in the database even if they haven't logged on yet. (Guessing I'm syncing with active directory with LDAP every night??) The reason for that is that other users should be able to assign the user to specific tasks.
See the following basic diagram:
My question is:
Should I use a MemberShipProvider or just extend IPrincipal?
Am I thinking the right way by syncing every night?
How can I prevent the user data is fetched from the database every request?
Use membership provider to connect to LDAP for you, then authenticate with the ValidateUser method in the provider.