Azure AD and Core Identity Roles Hybrid - azure-active-directory

Is it possible to use Azure AD and Core Identity Roles together? Basically the user will log into the app using AD, which I have done already. But as they use the app, their roles will be based on the AspNetRoles and AspNetUserRoles tables. I was thinking that I would have to use the ClaimsPrincipal factory to extend the claims object that is created when the user logs in.

By using ASP.NET Identity you can manage the user locally in your database, and use Azure AD as an external identity provider, which enables AAD accounts to log in to your application. You can identify the user and link it to the user in your local database. You can then also manage the roles for your local users and Azure AD users.
Read more here.
Create a new application with Individual User Accounts.
Install this package: Microsoft.AspNetCore.Authentication.AzureAD.UI
// Generic type arguments were lost when the page was extracted; the default
// project-template names (ApplicationDbContext, IdentityUser) are assumed here.
services.AddDbContext<ApplicationDbContext>(options =>
    options.UseSqlServer(Configuration.GetConnectionString("DefaultConnection")));
services.AddDefaultIdentity<IdentityUser>()
    .AddEntityFrameworkStores<ApplicationDbContext>();

services.AddAuthentication(sharedOptions =>
{
    // The body of this options lambda is not shown on the page.
})
.AddAzureAD(options => Configuration.Bind("AzureAd", options))
.AddCookie();
Update appsettings.json:
"AzureAd": {
  "Instance": "https://login.microsoftonline.com/",
  "Domain": "xxx.onmicrosoft.com",
  "TenantId": "xxxxxx-xxxxx-4f08-b544-b1eb456f228d",
  "ClientId": "xxxxx-xxxxx-4717-9821-e4f718fbece4",
  "CallbackPath": "/signin-oidc",
  "CookieSchemeName": "Identity.External"
}
It is then up to the user to choose whether to log in with local authentication or with Azure AD authentication.
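As an added illustration (not code from the answer above, and not ASP.NET Core's own implementation), the Python model below traces the data flow the answer describes: the external Azure AD login is resolved through AspNetUserLogins to a local user, and the roles come only from AspNetUserRoles/AspNetRoles, which is exactly the work a custom IUserClaimsPrincipalFactory would do after sign-in. Table and column names follow the ASP.NET Core Identity schema; every row value, the claim set and the provider name "AzureAD" are constructed for the example.

```python
import sqlite3
from typing import Dict, List, Optional

# Constructed, minimal copy of the ASP.NET Core Identity tables the question
# refers to. Column names follow the Identity schema; every row value is made up.
SCHEMA_AND_SAMPLE_ROWS = """
CREATE TABLE AspNetUsers (Id TEXT PRIMARY KEY, UserName TEXT NOT NULL);
CREATE TABLE AspNetRoles (Id TEXT PRIMARY KEY, Name TEXT NOT NULL);
CREATE TABLE AspNetUserRoles (UserId TEXT, RoleId TEXT, PRIMARY KEY (UserId, RoleId));
CREATE TABLE AspNetUserLogins (
    LoginProvider TEXT, ProviderKey TEXT, UserId TEXT,
    PRIMARY KEY (LoginProvider, ProviderKey));

INSERT INTO AspNetUsers VALUES ('u-1', 'alice@contoso.example');
INSERT INTO AspNetRoles VALUES ('r-1', 'Admin'), ('r-2', 'Auditor');
INSERT INTO AspNetUserRoles VALUES ('u-1', 'r-1'), ('u-1', 'r-2');
-- The link key is the stable subject identifier from the Azure AD token,
-- not the e-mail address, which can be reassigned to another person.
INSERT INTO AspNetUserLogins VALUES ('AzureAD', 'sub-aaaa-1111', 'u-1');
"""


def open_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA_AND_SAMPLE_ROWS)
    return conn


def local_user_for_login(conn: sqlite3.Connection, provider: str, provider_key: str) -> Optional[str]:
    """Resolve an external login to the local AspNetUsers.Id; None if it was never linked."""
    row = conn.execute(
        "SELECT UserId FROM AspNetUserLogins WHERE LoginProvider = ? AND ProviderKey = ?",
        (provider, provider_key),
    ).fetchone()
    return row[0] if row else None


def local_roles(conn: sqlite3.Connection, user_id: str) -> List[str]:
    """Role names from AspNetUserRoles/AspNetRoles, the only source of roles in this design."""
    rows = conn.execute(
        "SELECT r.Name FROM AspNetUserRoles ur JOIN AspNetRoles r ON r.Id = ur.RoleId "
        "WHERE ur.UserId = ? ORDER BY r.Name",
        (user_id,),
    ).fetchall()
    return [name for (name,) in rows]


def build_claims(conn: sqlite3.Connection, token_claims: Dict[str, object],
                 provider: str = "AzureAD") -> Dict[str, object]:
    """What a custom claims-principal factory does after the Azure AD sign-in:
    keep the identity claims from the token, discard any role claims it carries,
    and append the roles recorded in the local tables. An AAD account that has
    not been linked gets no roles at all (fail closed) rather than falling back
    to whatever the token says."""
    subject = str(token_claims.get("sub", ""))
    user_id = local_user_for_login(conn, provider, subject)
    return {
        "name": token_claims.get("preferred_username"),
        "idp": token_claims.get("iss"),
        "linked": user_id is not None,
        "roles": local_roles(conn, user_id) if user_id else [],
    }


if __name__ == "__main__":
    db = open_sample_db()
    # Constructed claim set standing in for the already-validated Azure AD id_token.
    print(build_claims(db, {
        "iss": "https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/v2.0",
        "sub": "sub-aaaa-1111",
        "preferred_username": "alice@contoso.example",
        "roles": ["GlobalAdmin"],   # ignored: roles are decided locally
    }))
```

The design choice worth noting is the fail-closed branch: an Azure AD account that authenticates but has never been linked in AspNetUserLogins ends up with an empty role list, so authorization falls to the local tables alone rather than to whatever roles the directory may have put in the token.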

Can we get all Azure AD users list using PowerApps?

I need to know if there is a possibility to get all Azure AD users using PowerApps or not.
You cannot get all Azure AD users using PowerApps, whereas you can list the details of a single user or of the users within a group.
Make use of the Azure AD connector, which needs administrative permissions for your account like the ones below:
Group.ReadWrite.All
User.ReadWrite.All
Directory.ReadWrite.All
Connect Azure AD in the app:
Go to the Data tab -> Add data -> Search Azure AD -> Select the Azure AD connector -> Connect
To get users within a group, make use of below query:
Users= AzureAD.GetGroupMembers("Your_Group_ID").value
To get details of a User, make use of below query:
OnSelect = ClearCollect( colAzureUserDetails, AzureAD.GetUser(txtAzureID.Text) )
To know more details, please refer below links:
Power Apps Azure AD Group - SPGuides
Power Apps : Get users from Azure AD to Power Apps view to list table and refresh button for table - Stack Overflow

Authorization - mapping an Azure AD group to a Snowflake role

We implemented SSO on Snowflake and, with SCIM, we're able to provision users in Snowflake.
Now, I want it to work like SQL Server authentication, where I can add users to the same AD group and create a single login on SQL Server for this AD group. To revoke login permissions I just remove the user from the AD group. To give a new person access I just add them to it.
I would also like to map a role to a group, so, for instance, if I could link an Azure AD group to a Snowflake role [Read-Only User for Database X], then as soon as I add a user Y to the Azure AD group, this user Y would automatically have read-only access to Database X.
Is it possible?
Regards,
This same concept is possible in Snowflake as well, with SAML SSO (for authorization) and SCIM (to sync users and their corresponding roles to SF). The details for this are here:
https://docs.snowflake.com/en/user-guide/admin-security-fed-auth-configure-idp.html
https://community.snowflake.com/s/article/HOW-TO-Setup-SSO-with-Azure-AD-and-the-Snowflake-New-URL-Format-or-Privatelink
https://docs.snowflake.com/en/user-guide/scim-azure.html
Both of these together will ensure that a user created in Azure AD can log in with their AAD credentials, and SCIM will ensure that the relevant role management stays on the AAD side and is reflected exactly as-is on the SF side.
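To make the group-to-role model concrete, here is an added Python sketch of the reconciliation that SCIM performs on the Snowflake side. It is not Snowflake's or Azure AD's code: given group membership from the IdP and the grants currently present in Snowflake, it emits the GRANT ROLE / REVOKE ROLE statements that bring the two in line, which is also how a defender can detect drift between the directory and the database. The group ids, user names, role names and current grants are constructed; the mapping of groups to roles is the one piece an administrator would maintain.

```python
from typing import Dict, Iterable, List, Set, Tuple

# Which Azure AD group (object id) owns which Snowflake role.
# Group ids are constructed placeholders; role names are made up.
GROUP_TO_ROLE: Dict[str, str] = {
    "GROUP_ID_PLACEHOLDER_READERS": "DB_X_READONLY",
    "GROUP_ID_PLACEHOLDER_WRITERS": "DB_X_WRITER",
}

Grant = Tuple[str, str]  # (user name, role name)


def _ident(name: str) -> str:
    """Quote a Snowflake identifier; embedded double quotes are doubled."""
    return '"' + name.replace('"', '""') + '"'


def desired_grants(group_members: Dict[str, Set[str]],
                   mapping: Dict[str, str] = GROUP_TO_ROLE) -> Set[Grant]:
    """Role assignments implied by group membership. Groups that are not
    mapped to a role are ignored, so an unrelated group cannot confer access."""
    return {(user, mapping[group])
            for group, users in group_members.items() if group in mapping
            for user in users}


def reconcile(desired: Set[Grant], current: Iterable[Grant],
              mapping: Dict[str, str] = GROUP_TO_ROLE) -> List[str]:
    """Statements that bring Snowflake's current grants in line with `desired`.
    Only roles owned by the mapping are touched, so grants made outside the
    sync are left alone. Revocations are emitted before grants: a user who
    left a group loses access first, even if a later statement fails."""
    managed = set(mapping.values())
    current_managed = {g for g in current if g[1] in managed}
    stmts = [f"REVOKE ROLE {_ident(role)} FROM USER {_ident(user)};"
             for user, role in sorted(current_managed - desired)]
    stmts += [f"GRANT ROLE {_ident(role)} TO USER {_ident(user)};"
              for user, role in sorted(desired - current_managed)]
    return stmts


# Constructed snapshot: group membership as the IdP reports it, and the grants
# currently present in Snowflake (the kind of data SHOW GRANTS OF ROLE returns).
SAMPLE_GROUPS: Dict[str, Set[str]] = {
    "GROUP_ID_PLACEHOLDER_READERS": {"y@contoso.example", "z@contoso.example"},
    "GROUP_ID_PLACEHOLDER_WRITERS": {"z@contoso.example"},
    "GROUP_ID_PLACEHOLDER_UNRELATED": {"q@contoso.example"},
}
SAMPLE_CURRENT: Set[Grant] = {
    ("y@contoso.example", "DB_X_READONLY"),
    ("former@contoso.example", "DB_X_READONLY"),  # left the group, still granted
    ("y@contoso.example", "SYSADMIN"),             # not managed by the mapping
}


def sample_plan() -> List[str]:
    return reconcile(desired_grants(SAMPLE_GROUPS), SAMPLE_CURRENT)


if __name__ == "__main__":
    for stmt in sample_plan():
        print(stmt)
```

Run stand-alone, the plan revokes the stale read-only grant from the user who left the group, grants user z the two roles their memberships imply, and leaves the unmanaged SYSADMIN grant and the unrelated group untouched.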

Azure AD - Keycloak - Kibana Single-Sign on (SSO) User/Group Role mapping

I have set up Single Sign-On (SSO) using Keycloak and SAML/OpenID brokering between a web application (using Kibana for testing) and the IdP Azure AD.
Created a few users and groups in Azure AD. Also configured attribute mapping to map the user/group roles from Azure AD to Keycloak by following the link below:
https://keycloak.discourse.group/t/getting-groups-from-azure-active-directory-idp/590
I need to map the same user/group roles to the Kibana application as well. My requirement is that when a user logs into Kibana using the Azure AD - Keycloak Single Sign-On authentication, he should be able to log in with the same Azure AD user/group privileges, so there is no need to create separate user/group roles in Kibana.
Is it possible to configure it? Please suggest.
What you are looking for is the groups claim.
For the groups claim, you could add the users to different security groups and include the groups claim in your token. You just need to modify the "groupMembershipClaims" field in the application manifest:
"groupMembershipClaims": "SecurityGroup"
Then the token will contain the IDs of the groups that the user belongs to, like below:
{
"groups": ["{group id}"]
}
App roles can implement the same thing for you.
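As an added example (not code from the answer, from Keycloak or from Kibana), the Python below shows how the relying party should consume the groups claim described above: group object ids are mapped to application roles through an allow-list, unknown groups grant nothing, and the overage case is handled. When a user belongs to too many groups, Azure AD leaves the groups claim out of the token and emits _claim_names/_claim_sources (or, for implicit-flow tokens, hasgroups) instead; treating that token as "member of no groups" would silently misauthorize, so it is surfaced as an error. The group ids and role names are constructed, and the function assumes the claims dict comes from a token whose signature, audience and issuer were already validated.

```python
from typing import Dict, List


# Constructed mapping from Azure AD security group object ids to Kibana role names.
GROUP_TO_KIBANA_ROLE: Dict[str, str] = {
    "GROUP_ID_PLACEHOLDER_OPS": "kibana_admin",
    "GROUP_ID_PLACEHOLDER_ANALYSTS": "viewer",
}


class GroupOverage(Exception):
    """The token does not carry the group list; membership must be fetched from Microsoft Graph."""


def groups_from_claims(claims: Dict[str, object]) -> List[str]:
    """Group object ids from an already signature-validated token.

    With many memberships Azure AD omits `groups` and points to Graph via
    `_claim_names`/`_claim_sources` (implicit-flow tokens carry `hasgroups`
    instead). Neither case means "no groups", so both raise GroupOverage."""
    claim_names = claims.get("_claim_names") or {}
    if isinstance(claim_names, dict) and "groups" in claim_names:
        raise GroupOverage("groups delivered out of band via _claim_sources")
    if claims.get("hasgroups") is True:
        raise GroupOverage("hasgroups is set; query Graph for membership")
    groups = claims.get("groups", [])
    if not isinstance(groups, list):
        raise ValueError("groups claim must be a JSON array")
    return [str(g) for g in groups]


def kibana_roles(claims: Dict[str, object],
                 mapping: Dict[str, str] = GROUP_TO_KIBANA_ROLE) -> List[str]:
    """Allow-list mapping: only groups present in `mapping` confer a role."""
    return sorted({mapping[g] for g in groups_from_claims(claims) if g in mapping})


# Constructed claim sets standing in for validated token payloads.
SAMPLE_CLAIMS: Dict[str, object] = {
    "aud": "CLIENT_ID_PLACEHOLDER",
    "groups": ["GROUP_ID_PLACEHOLDER_ANALYSTS", "GROUP_ID_PLACEHOLDER_OPS",
               "GROUP_ID_PLACEHOLDER_UNMAPPED"],
}
OVERAGE_CLAIMS: Dict[str, object] = {
    "aud": "CLIENT_ID_PLACEHOLDER",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "https://graph.microsoft.com/GRAPH_ENDPOINT_PLACEHOLDER"}},
}


if __name__ == "__main__":
    print(kibana_roles(SAMPLE_CLAIMS))
    try:
        kibana_roles(OVERAGE_CLAIMS)
    except GroupOverage as exc:
        print("overage:", exc)
```

The allow-list direction matters: the mapping is keyed by group id, so a group the administrator never mapped can appear in a token without granting anything in Kibana, and adding a new group to the mapping is an explicit, reviewable change.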

Microsoft Graph API getting groups

I am using the Microsoft Graph API to access groups in Azure Active Directory. I have created 2 groups in AAD, one named OIC and the other named testing.
When I test using Microsoft Graph Explorer, the URL that I use is:
GET https://graph.microsoft.com/v1.0/groups
Response:
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#groups",
"value": []
}
Why do I get an empty value for groups even though I have groups in AAD?
I have logged in as admin user.
It seems that you have created groups in a tenant which is not your home tenant.
It means the credentials are owned by a single tenant. The tenant is discovered by Graph Explorer based on the domain. You cannot use Graph Explorer to query tenants your account is a guest in; it can only query the tenant that owns the account. It retrieves data from the tenant you (or your app) authenticated against. It cannot query across multiple tenants.
The only way to use those credentials with another tenant would be to force the OAuth URI to use that tenant's ID instead of common. This isn't supported by Explorer. You'd have to download the source and re-engineer the auth process.
Reference SO thread: https://stackoverflow.com/questions/53341544/how-can-i-change-default-tenant-in-microsoft-graph-explorer#:~:text=If%20you%20want%20to%20sign,use%20tenant%20query%20string%20parameter.&text=A%20simple%20url%20to%20go,or%20tenantId%2C%20both%20work).

Missing Username on users signed-up with custom identity providers

In recent months, we've managed to integrate our existing Identity Server 3 with AAD B2C. It is of course registered as a Custom Identity Provider by following these instructions. And everything works fine when it comes to authentication itself. All users from our existing database (which is behind our Identity Server 3) are able to sign in with AAD B2C without any problem. And as you can guess, all of them, once they sign in for the first time, become Azure Active Directory (B2C Tenant) users as well.
But, we've just recently also noticed that none of them has correct User Name and Source values in the list of users in our AAD B2C Tenant (see picture).
Does anybody have any idea what we might be missing on either Identity Server or Azure AD B2C side (or both) and what could be a possible reason for not-populating these values?
When a User object for an external identity (e.g. an IdentityServer-managed identity) is created in the Azure AD B2C directory, it is created as follows:
{
"accountEnabled": false,
"creationType": null,
...
"userIdentities": [
{
"issuer": "...",
"issuerUserId": "..."
}
]
}
where the UserIdentity object is set as follows:
The issuer property is set to the string representation of the external identity provider that issued the user identifier, such as https://myidentityserver3.azurewebsites.net/identity.
The issuerUserId property is set to the Base64 representation of the user identifier that is issued by the external identity provider.
When the All Users menu is opened in the Azure AD B2C portal, then these external users are listed with the issuer value in the User Name column and "Unknown" in the Source column.
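As an added example (not code from the answer or from Azure AD B2C), the Python below turns the issuer / issuerUserId description above into something usable: it builds the userIdentities entry B2C would create for a given IdentityServer subject, reverses the Base64 step so a support engineer or incident responder can recover the original identifier from a directory export, and locates the B2C user object for a known external identifier, which is what the portal's "User Name = issuer, Source = Unknown" listing does not let you do. The issuer URL is the one quoted in the answer; the subjects and user objects are constructed, and the standard padded Base64 alphabet is assumed from the answer's wording.

```python
import base64
import binascii
from typing import Dict, List, Optional


def to_issuer_user_id(external_user_id: str) -> str:
    """Base64 (standard alphabet, padded) of the identifier the external IdP issued."""
    return base64.b64encode(external_user_id.encode("utf-8")).decode("ascii")


def from_issuer_user_id(issuer_user_id: str) -> Optional[str]:
    """Inverse of to_issuer_user_id; None when the value is not valid Base64/UTF-8
    (a directory export can contain identities from other providers)."""
    try:
        return base64.b64decode(issuer_user_id, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def user_identity(issuer: str, external_user_id: str) -> Dict[str, str]:
    """The UserIdentity object as the answer describes it."""
    return {"issuer": issuer, "issuerUserId": to_issuer_user_id(external_user_id)}


def find_by_external_id(users: List[dict], issuer: str,
                        external_user_id: str) -> Optional[dict]:
    """Find the B2C user object created for a given external (IdentityServer) subject."""
    wanted = user_identity(issuer, external_user_id)
    for user in users:
        if wanted in (user.get("userIdentities") or []):
            return user
    return None


# Issuer string from the answer above; subjects and user objects are constructed.
ISSUER = "https://myidentityserver3.azurewebsites.net/identity"
SAMPLE_USERS: List[dict] = [
    {"accountEnabled": False, "creationType": None,
     "userIdentities": [user_identity(ISSUER, "12345")]},
    {"accountEnabled": False, "creationType": None,
     "userIdentities": [user_identity(ISSUER, "67890")]},
    {"accountEnabled": True, "creationType": "LocalAccount", "userIdentities": []},
]


if __name__ == "__main__":
    print(user_identity(ISSUER, "12345"))
    match = find_by_external_id(SAMPLE_USERS, ISSUER, "67890")
    print(match)
    for user in SAMPLE_USERS:
        for identity in user.get("userIdentities") or []:
            print(identity["issuer"], "->", from_issuer_user_id(identity["issuerUserId"]))
```

Matching on the full (issuer, issuerUserId) pair rather than on issuerUserId alone is deliberate: two external providers can legitimately issue the same raw identifier, and only the pair is unique within the directory.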
