I know that I have to create a service principal when I need an identity for an app that connects to Azure resources. But if someone asked me "Why not just create an AAD user and authenticate as that user?" I honestly couldn't answer besides "That's not how you do it.".
Can someone give me a proper explanation on why using an AAD service user instead of an app registration would be a bad idea?
Service principal is an application whose tokens can be used to authenticate and grant access to specific Azure resources from a user-app, service, or automation tool, when an organization is using Azure Active Directory
By using a Service Principal, we can avoid creating "fake users" (similar to service account in on-premises Active Directory) in Azure AD to manage authentication when you need to access Azure Resources
The Service Principals' access can be restricted by assigning Azure RBAC roles so that they can access the specific set of Azure resources only
So for better security purpose, we can use service principal instead of Azure AD User from an to authenticate and access Azure Resources.
Related
I am getting the below error message when my Application (A) is trying to access another application (B) which is hosted in a different Tenant. Both applications have been registered to support multi-tenant access (i.e Accounts in any identity provider or organizational directory (for authenticating users with user flows) within their respective tenant. The microsoft outlook account I am using is associated with both tenants. What am I missing?
'AADSTS650052: The app is trying to access a service 'xxx-xxxx-xxxx' that your organization 'xxx-xxx-xxx' lacks a service principal for. Contact your IT Admin to review the configuration of your service subscriptions or consent to the application in order to create the required service principal.
In order for an application to authenticate with a tenant, a service principal representing it must exist in that tenant. For multi-tenant apps this is created when you go through authentication to that app on the target tenant. So you need to do a login against your app with the target tenant as the authority.
I'm trying to figure out the best way to replicate an LDAP sync or a tool like Azure AD connect but for multiple Azure AD tenants to a single Azure AD B2C tenant. When a user is created in an Azure AD tenant it needs to sync over to the Azure AD B2C tenant. I need the user to exist in the B2C tenant before that user ever tries to login so I can't just point to the Azure AD tenant as the IDP. This is because not all of the users of the AD tenants will login but we will want to show the admin of that tenant all the users.
I've reached out to Microsoft's Azure architects but haven't gotten much feedback on the best approach. Looking for any examples or documentation on the best way to achieve this.
One way would be to develop a SCIM service that provides an endpoint for Azure AD to connect to.
The SCIM service would then call the Graph API to perform the user CRUD in B2C.
This is because B2C has no native SCIM support.
There is a Microsoft sample for the service that you could use. Described here.
We have several apps which are built using .NET are running in VMS(on-prem)
All apps will be registered to Azure AD.
Can we use user managed identity to access key vault form these on-prem apps
Thanks in advance
No, you cannot use a Managed Identity from on-prem apps.
[...] a managed identity is a service principal of a special type that may only be used with Azure resources.
Source: What are managed identities for Azure resources?
To see a list of resources currently supported, see Services that support managed identities for Azure resources.
You can, however, use a Service Principal to connect to Key Vault from an application running on-premises.
To do so, Use the portal to create an Azure AD application and service principal that can access resources.
For Service Principals, authentication can be done in two different ways: password-based authentication (application secret) and certificate-based authentication. Using a certificate is recommended, but you can also create an application secret.
To access resources that are secured by an Azure AD tenant, the entity that requires access must be represented by a security principal. This requirement is true for both users (user principal) and applications (service principal). The security principal defines the access policy and permissions for the user/application in the Azure AD tenant. This enables core features such as authentication of the user/application during sign-in, and authorization during resource access.
If you cannot use managed identity, you instead register the application with your Azure AD tenant, as described on Quickstart: Register an application with the Azure identity platform. Registration also creates a second application object that identifies the app across all tenants.
Can one use ADFS/pass-through authentication to authenticate to Azure service (Portal) by on-premise AD without synchronizing user accounts? Can one assign RBAC for an on-premise user with Azure services?
For example, grant a VM contributor role to an on-premise user without sync all user information between on-premise AD and AAD.
You need to sync users to Azure AD. Password hashes do not need to be synced, you can use ADFS for login. But you do need to sync users so Azure AD knows what users exist.
We get the following error when trying to access an AAD application, which is connected to Azure B2C.
User account 'xxxxx#gmail.com' from identity provider 'live.com' does not exist in tenant 'xxxxxxxx' and cannot access the application 'xxxxxxxxxxx' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
The live account shows up in both the B2C and AAD as a live.com user. Manually created accounts can log in. Yet when logging in from a B2C account, I get the above error.
How can I solve this problem?
If your requirement is to accept both personal accounts in addition to corporate accounts, then you should not be using ADAL. ADAL/ADAL.JS is designed only to accept corporate accounts and use the so called Azure AD 'v1' endpoint.
Here are your options:
AppSource only requires corporate accounts sign-ins. If you only need AppSource certification, you can keep using adal.js to sign-in corporate accounts. Then what you need to do is to set your application to be multi-tenant in Azure Portal, so you don't need to add guest accounts. But, again, this option only accepts corporate account sign-ins.
If your requirement is to also accept personal accounts, then you need to use msal.js instead of adal.js - and then register your application in the new portal https://apps.dev.microsoft.com . This new application is known as converged application and uses the Azure AD v2 endpoint. To get started use this guide as a starting point to sign-in users using msal.js.