I am currently developping an ASP.NET web application in which the client can create, update or delete employee. My application is a saas application used by several clients in the world and I would like to add the following feature.
Once connected to my application, the client will have access to a form, where he can create an employee (name, surname, adress ...) and click on a button which will send those informations to the client active directory (for example azure active directory) and creates this user in the client's Active Directory.
To have a maximum compatibility with all the types of Active Directory used by my clients, I am looking for a "protocol" (dont know if its the right term) able to communicate (crud operations on user) with any cloud Active Directory.
I have done some researchs on internet, and I found the SCIM protocol, but this one cannot create user in azure Active Directory (https://social.msdn.microsoft.com/Forums/en-US/bfdf8d61-62d4-4238-b2bb-020e383cf854/does-azure-ad-support-crud-operations-on-users-using-scim?forum=WindowsAzureAD).
Thanks in advance for your help
Based on the description, it seems you want to implement a feature that other users when are sign-in your web application could manager the users from their Azure active directory.
If you I understood correctly, you can leverage the Microsoft Graph in the web application. And integrate Azure AD for the authentication to develop an multi-tenant application.
In this scenario, the other users who are the admin of their tenant can sign-in the web app with Azure AD account and give the consent to the app for managing the accounts for their tenants.
Here is an example that calling the Azure AD Graph from the web app for your reference:
active-directory-dotnet-graphapi-web
Related
I am setting up a WebAPI that needs to collect events from a calendar, located in sharepoint. The WebAPI is registered i Azure Portal and does not support user login. Can i restrict the application to only that one calendar, or only have access to a specific users calendars?
This is what i currently have.
A WebAPI ( .Net Core 2.1 )
Azure AD with a bunch of users
Registered in Azure Portal, with Application "Calendars.Read" permissions
Using TenantID/ClientID/ClientSecret when authentication the app, and have not user login for the webserver, and would prefer not to have user login if possible.
As of now, i can pull the events with Microsoft graph by using something like:
https://graph.microsoft.com/v1.0/sites/root/lists/4bddc7ee-xyz-xyz-83cc-/blablabla
The problem is that i have access to all users calendars, and i need to restrict the app to only have access to that specific calendar.
I have seen several similar questions like this, the answer is No, Microsoft Graph does not support that currently.
I have access to my Azure AD Portal. I also have an external ASP.NET application which is accessing the Microsoft Graph API. For this purpose I add an App Registration which give me an Application ID and Key to be able to configure my ASP.NET application to authenticate itself against the Graph API.
I need the my ASP.NET application to read groups out of Azure AD. I can authenticate successfully but I get an error saying that I have not enough privileges. Then I go back to the Azure Ad Portal and add permissions to the App Registration I added. This works ok so in the end I have the Graph API response on my ASP.NET application.
Now it comes the issue. I selected too many permissions so I want to use the smallest set of permissions that are necessary for my ASP. So I go the Azure Portal AD again and remove some of the permissions. When I test my app again, I still receive the groups even if I have no permissions selected.
I think this is an issue. Or there's some kind of delay? I don't think so because when the API is working and has the proper permissions I can add a group in Azure AD Portal and instantly see it in my ASP.NET application.
This issue is specially annoying because you can't really test the permissions your app needs.
Thanks.
I have enabled multi tenant access to my app in azure portal and now i'm able to access my app from other active directory users.I mean multi tenant access is working.
I enabled multi tenant access to my app like as shown in image:
But now i need to restrict some user from other tenants.
I tried so many articles but i didn't get correct result
I followed this article but here i didn't get how to add users to the Tenant restrictions
in this url
Any answer appreciated
Thanks in Advance......!
AAD Enables you, as an Administrator of a Tenant, to control which applications users in your tenant are able to access.
However, it does not enable you, as a Multi-Tenant App Developer, to control what kinds of tenants or users can authenticate to your app. Instead, you must build that logic into your application, using details from the Graph API to learn about the logged in user, which tenant they are from, what groups they are a part of, etc...
Microsoft Graph Overview
So I'm developing a web application that allows users to view their SQL reporting services reports externally, and users log in with a custom username the user created themselves.
I would like to authenticate these usernames against their windows domain accounts, which a check against the active directory to see if the user is in a relevant group and that will determine the access rights to certain reports.
Now I can't use windows authentication as a login procedure to my web application but I do have a SQL table which stores their custom username (which they log in with) mapped against their windows domain account, and on login I store the domain name into the session (stores the windows account credentials as a string) as a property which is exposed by my base controller.
I've already gone off and tried this solution,
http://www.benramey.com/2014/10/20/active-directory-authentication-in-asp-net-mvc-5-with-forms-authentication-and-group-based-authorization/
but as you can see from my previous post (see here Trying to authenticate users against the AD - ASP.NET MVC) i'm not getting the desired result.
Just looking for some advice on how I can achieve authenticating against the AD with my scenario.
I'm developing an app using ASP.NET WebAPI 2.2 that requires login via Azure AD for which I'm using ADAL/OWIN, but the app must have app specific permissions and roles that can be assigned to users who log in to it (a bit like SharePoint groups). The client can't use Azure AD groups, claims or Azure app permissions to assign rights/create groups as it is set up/maintained by a third party.
So, if the app is authenticating users against Azure AD, am I able to use the SQLRoleProvider to create/maintain a permission set and assign them to users within the app? I've searched for a while and not found anything that exactly fits my use scenario. Currently I'm thinking I may have to roll my own role provider.
EDITED for clarity.
You can use the custom role provider in Azure AD. When used, each user is given a role (or rather, place in a role) at the time the user is granted access to the application. I used this blog post to get started when creating a simple role-based mvc app for a customer:
Azure Active Directory, now with Group Claims and Application Roles.
We used this to separate between regular and admin users of an application we built.