I am learning about Azure AD and Office 365 and I am wondering if the following is possible and if so, how to go about doing it since I am confused on a few aspects with documentation:
Say a company, CompanyA, has Office 365 for users of their org. These users use Exchange/Outlook and Office to sign in (Office desktop) using their Office 365 creds.
CompanyA has Active Directory hosted internally but they are planning to use Azure AD Connect Sync to sync all objects in AD into the Azure AD so things like password changes are synced (and user objects) between the cloud and internal network.
Is there a way to use their Office 365 creds to log into their network systems and sync to AD or perhaps link the Azure AD to their Office 365 accounts so they can log into the computers using their Office 365 creds?
Question 2 is below (the real question I had!):
Now, there will be a custom app hosted both internally but also externally (possibly in the Azure cloud). The app could be a desktop app or a web app or some service.
Is there a way for the apps to authenticate against Azure AD/Office 365 to ensure that the user logging in (using their Office 365 creds) is successful? Is there an automated way without a popup dialog so everything is done programmatically via the API's using C#/.NET Framework?
Thanks!
When you reference Office 365 credentials you are already talking about Azure AD. Every Office 365 tenant has an Azure AD instance backing it that is the store for user accounts and credentials. Please see the following article for a detailed description:
https://support.office.com/en-us/article/Understanding-Office-365-identity-and-Azure-Active-Directory-06a189e7-5ec6-4af2-94bf-a22ea225a7a9
You are currently in the model referred to as Cloud identity. It sounds like you want to move to Synchronized identity or Federated identity.
If you configure your Azure AD Connect installation to synchronize to your Office 365 tenant (by giving it a Global Admin from the tenant during setup) then you will effectively have the setup you want, with on-premises AD DS credentials synchronized with your Office 365 (Azure AD) credentials.
However, since there is an existing tenant with accounts that you want to match with on-premises accounts, you will need to communicate this with your users in advance and also read up on how the soft matching works when synchronizing to an Azure AD with existing accounts.
This KB article should get you started: https://support.microsoft.com/en-us/kb/2641663
If done properly, the end result will be as follows:
User accounts and password changes are managed from your on-premises AD.
Password changes happen on-premises and are synchronized with your Azure AD accounts that are matched to on-premises accounts.
You will not be able to change passwords from Office 365 and have those changes reflected on-premises unless you enable Password Write-back, which requires an Azure AD Premium subscription.
Users will log in to domain resources using their AD credentials, which match their Office 365 credentials in Azure AD.
At this point you will have moved to Synchronized identity. This is required to take the next step to Federated identity so you will want to get to this stage either way. I would not take the next step to federated until you fully understand the implications of that model.
Regarding part 2 of your question, there are multiple libraries that can add authentication to Azure AD to your custom applications. This page has a list of libraries by language:
https://learn.microsoft.com/en-us/azure/active-directory/active-directory-authentication-libraries
I have a web application (WebForms) in my domain, authenticated through Active Directory. Now, for a specific action in a form, I want to ask for a second authentication method like Microsoft MFA. Is this possible?
My Active Directory is synchronized with Azure AD (because of Office 365).
Thanks for your help.
Your on-premises Active Directory is synchronized with Azure AD. For all the directly cloud-only apps you can use MFA directly, either through CA policies or by enabling it at the user level.
In order to have MFA for an on-premises application you can configure Azure Application Proxy with AAD pre-authentication and implement MFA via the Azure MFA service. You can also leverage Conditional Access, Azure MFA and Azure AD Identity Protection for this purpose as well.
I would recommend you go through these two links in order to get more detail about Azure AD Application Proxy.
I have a web application where I have used Office 365 login (for SharePoint) to authenticate the user and then redirect to my web application.
Now I want to access the logged-in Office 365 user's calendar and add events, get the list of calendars, etc. I've looked into the Office 365 API but it uses OAuth2 authentication, which I don't want to go for.
So I went for the ExchangeService API, but it needs the NetworkCredentials of the user, which means I have to add the username and password for each user, which is not possible.
Is there any way I can use the logged-in Office 365 user's details and access the calendars and events?
The best way to access Office365 resources like mailboxes, calendars, contacts etc. is by using Microsoft Graph.
There are many SDKs and code samples to start developing with the Graph API. Here is a guide for an ASP.NET MVC app.
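As an added example (not code from any of the answers on this page), serving both the C#/.NET question in the first thread and the Graph calendar answer above: MSAL.NET signs the user in against Azure AD through the v2 endpoint, silently from its token cache after the first browser sign-in, and the resulting token is sent to Microsoft Graph to list the user's calendars and create an event. The client id, tenant id and event data are assumed placeholders; the app registration is assumed to have the delegated Calendars.ReadWrite permission.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

static class GraphCalendarDemo
{
    // Placeholders: fill in from your own app registration (assumed, not from this page).
    const string ClientId = "<your-app-client-id>";
    const string TenantId = "<your-tenant-id>";
    static readonly string[] Scopes = { "Calendars.ReadWrite" }; // delegated Graph permission

    // Acquire a delegated token: from the MSAL cache when possible, via the browser only when needed.
    static async Task<string> GetAccessTokenAsync()
    {
        var app = PublicClientApplicationBuilder.Create(ClientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
            .WithRedirectUri("http://localhost")
            .Build();
        var accounts = await app.GetAccountsAsync();
        try
        {
            return (await app.AcquireTokenSilent(Scopes, accounts.FirstOrDefault()).ExecuteAsync()).AccessToken;
        }
        catch (MsalUiRequiredException)
        {
            return (await app.AcquireTokenInteractive(Scopes).ExecuteAsync()).AccessToken;
        }
    }

    static async Task Main()
    {
        var token = await GetAccessTokenAsync();
        using var http = new HttpClient { BaseAddress = new Uri("https://graph.microsoft.com/v1.0/") };
        http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);

        // List the signed-in user's calendars.
        Console.WriteLine(await http.GetStringAsync("me/calendars"));

        // Create an event in the default calendar (constructed sample data).
        var body = "{\"subject\":\"Sync review\"," +
                   "\"start\":{\"dateTime\":\"2024-06-01T09:00:00\",\"timeZone\":\"UTC\"}," +
                   "\"end\":{\"dateTime\":\"2024-06-01T09:30:00\",\"timeZone\":\"UTC\"}}";
        var resp = await http.PostAsync("me/events", new StringContent(body, Encoding.UTF8, "application/json"));
        Console.WriteLine($"{(int)resp.StatusCode} {await resp.Content.ReadAsStringAsync()}");
    }
}
```

Because the token is obtained for the signed-in user rather than from stored usernames and passwords, no per-user credentials have to be kept by the application.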
I did not find an answer for such a specific question.
I have checked:
https://graph.microsoft.io/en-us/docs
I have also found the thread below, but it was not useful:
Microsoft Graph does not work with ADFS?
I would like to know how to get ADFS and Microsoft working together in a .NET MVC app. I did not find anything for that in https://graph.microsoft.io/en-us/code-samples-and-sdks
Thanks.
Per the other thread you reference - Office365/Azure AD can be federated with ADFS (using AD Connect or Azure AD PowerShell for example). Once this is in place, an app can use AAD to sign users in (using their corporate creds), and acquire access tokens to Microsoft Graph to access the signed-in user's cloud data (after consent is provided by the user).
We also support a preview of "hybrid deployments" which allows an app to be written once against Microsoft Graph, but can access a user's Outlook data whether the user's mailbox is hosted in Office365, outlook.com (personal email) or in an on-premises Exchange mailbox.
If this is the information you are looking for, please update your question to be more specific about your scenario, so that we can provide more help.
I have to get the list of video channels and video details from Office 365.
I referred to this link
But what I want to achieve is that a user will log in to the site using Windows authentication.
using System.Security;
using Microsoft.SharePoint.Client;
// SharePointOnlineCredentials takes the password as a SecureString, not a plain string.
var securePassword = new SecureString();
foreach (char c in password) securePassword.AppendChar(c);
var onlineCredentials = new SharePointOnlineCredentials(username, securePassword);
ClientContext context_new =
    new ClientContext("https://xxx.sharepoint.com/portals/hub/_api/VideoService/Channels");
context_new.Credentials = onlineCredentials;
The above code I have used to get a list from SharePoint.
Is it possible to use the above method to authenticate to Office 365 to get details about video channels and videos?
Or should I use an access token?
The Video portal is only available with Office 365, and in Office 365 authentication can be done only with Azure AD. I assume you will have your organization's AD synced with the Azure AD of Office 365.
If I understand your requirement correctly, you want to have a stand-alone web app which needs to get the details from the Office 365 Video portal. For this you'll probably have to register your app with Azure AD to get access to the Video portal REST APIs. Following is the link.
https://msdn.microsoft.com/en-us/office/office365/howto/add-common-consent-manually
However, for the above approach, users will have to log in with Azure AD only. If you want to use Windows credentials, what you can probably do is use a middle layer of Web API which is registered with Azure AD. Again, the Web API would also have to get application delegation permissions so that any user can get access to the Video portal (doesn't sound like a great approach, but is possible).
I want to get access to the Calendar REST API. I've created an Azure multi-tenant app and configured it.
I'm trying to get an access token to resource "https://outlook.office365.com/", but I get an error
'AADSTS50001: Resource 'https://outlook.office365.com/' is disabled.'
Note: I couldn't find "Office 365 Exchange Online" inside the "Permissions to other applications" section in my Azure account.
Your help, please.
You won't see Exchange in your Azure account unless you have an Office 365 subscription that includes Exchange. It sounds like you're registering in https://manage.windowsazure.com? You might want to try registering your app in https://apps.dev.microsoft.com and using the v2 Azure auth flow. The big benefit is that you can register apps with just a Microsoft account (like outlook.com, etc.). See https://dev.outlook.com/RestGettingStarted for walkthroughs.