We are working on integrating our app with MS Teams using a Teams app with a bot and a tab and we are struggling with the authentication.
Our scenario is:
We use Azure AD B2C for authentication to our app (using predefined user flows).
We have different customers that use Azure AD (each one with its own Azure AD tenant). We created a custom identity provider that enables sign-in/sign up users to our app using their own Azure AD credentials.
We created a bot channel registration using a "Generic Oauth 2" service provider to connect to our bot with Azure AD B2C.
Our challenges are:
Ideally, we want to implement SSO for our bot in Teams to allow our customers to be able to sign in to our app using their MS Teams credentials. We managed to authenticate using OAuthPrompt for Teams following this sample but the challenge we've seen is that the user needs to sign in every time that opens the bot (i.e. there refresh token is not working) and also we are not able to send a "domain_hint" query string to differentiate our customers.
Ideally, we want the authentication to be handled using only one bot channel registration
Probably it could be achieved by creating one channel registration for each customer but in the long-term, we'd need to create one bot for each customer and that could be difficult to maintain/avoiding our customers installing an App Registration on their Azure AD.
Anyone had similar experiences dealing with MS Teams apps for multiple Azure AD tenants using Azure AD B2C? How's the best way you recommend to handle this scenario?
Your help would be appreciated!
Thanks in advance!
If it helps to someone, after some research, we are doing the following for our scenario:
For the SSO in the tabs, given the limitation of OAuthPrompt to don't refresh tokens (we don't want users to sign in every time the token expires) we are following this solution posted months ago https://github.com/igrep/example-teams-bot-with-ms-account-refresh-token.
For handling multiple Azure AD tenants within B2C, given that we are using predefined user flows and we need to build a custom sign-in for our scenario, we are going to pass the get and pass the domain_hint from MS Teams to Azure AD B2C.
To implement SSO, please go through Add single sign on to a bot and also you can refer the code base in Expert Finder app template and it has implemented the same bot sign-in functionality and it is working fine.
Could you please take a look at multiple Azure AD tenants using Azure AD B2C for configuring multi tenant AD B2C.
Related
I have been able to set up Azure AD Authentication with Auth0. According to my research, Azure AD is similar to AWS Cognito and Firebase. So can we use Azure AD to handle flows like User Creation, Password Reset, Expire Password etc. from a NodeJS Admin Backend?
Azure Ad is microsoft's identity platform. while yes in some ways is similar to aws cognito, it is a bit different as well. it's not designed specifically for developers, it's designed as an identity platform for your organization.
to answer your second question, it really depends on what you are expecting it to do. For example, there is an api, called graph api, which lets you interact and do almost everything you want to azure ad through that api. https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-graph-api create users, groups etcetc. but if you are looking for user signup using their own emails and that sort of thing, the closest thing you should be looking at is Azure Ad B2C.
Azure B2c Takes care of some of the more common scenarios like signups and such
https://azure.microsoft.com/en-us/services/active-directory/external-identities/b2c/
I'm in a pickle, lacking the experiences that would provide me with guidance in my project and am seeking pointers from those for whom have Azure AD, SSO and Federation experience.
I am building an employee self service system and using Azure AD for identity management. I would like the user to be able to sign in using their employee ID # and password, not their email address; there should also be an option for the user to register for online access using their employee ID # and other personal information - their Azure Identity already having been established by humane resources.
The sign in flow would take the user to the Microsoft login page which would in turn detect that the user needs to sign in via a custom login page and redirect them there. Once they are signed in, my server would transmit their identity to Azure AD and grant them access based on the Azure Application permissions.
I'm simply really confused about how to start setting this up, if it's even possible. I'm aware of XSS but isn't Federation and SSO with SAML2 secure?
Do I need to use a federation application as a middle-man such as Ping Identity?
Thanks for any help!
Using e.g. Ping as an IDP generally won't help because Azure AD is already an IDP.
Microsoft Azure AD login pages can't be accessed by API and can't be customised to the extent you want.
And you can only sign-in with an email address because it's designed for domain-joined corporate customers.
You can do a lot of what you require with Azure AD B2C and custom policies. That will allow you to sign-in with a user name (= employee id) and you can create workflows.
You could then federate Azure AD and Azure AD B2C.
Your other option is to use an IDP that does allow authentication via an API e.g. Auth0.
Then you could have a custom login page that authenticates as appropriate.
Using Ping ID and other similar products is the fastest way to utilize SSO.
Every documentation or tutorial I follow on how to programatically access Outlook's API seems to point to the same pattern:
Application redirects user to Azure so he can authorize (OAuth) the app access to his account's data.
Every time Azure Active Directory is mentioned as a cloud-based credential/access manager.
I'm having a hard time to understand why exactly AD is even needed. And even if it is, that means that should a company desire to integrate an application with the employees calendars, for example, they would need to have an AD just for authentication purposes? Does this make sense if I want to publish an application on Azure for any kind of customer?
Every Office 365 customer has an Azure AD for authentication. If you want to get at users contacts in O365 you have to authenticate using Azure AD.
If you want to get at contacts in Outlook.com, Microsoft provides the same authentication flow for Microsoft Accounts (MSA) that Outlook.com uses.
This means you can use the same authentication flow and call the Microsoft Graph to get contacts no matter if they are an Office 365 user or an Outlook.com user. Your app does the same auth flow and makes the same calls.
I am working on an ASP.Net MVC application which will handle two types of users
External Users (Need to authenticate using Azure B2C with username as login instead of email as login)
Internal Users (which already exist in Corporate Azure AD)
What is the right way of implementing it?
One option is to run two separate instances of the application configured against each IDP. Keep each type of user stick to one app instance.
I tried to register AD and AD B2C in one app by registering two OpenIdConnect services but having problems when the user tries to access a resource without first logging into the application. Without knowing the type of the user I cannot specify AuthenticationSchema in the Authorize tag.
I am sure people have done this before so if you someone who knows how to do it, then please guide me..
I want to do some automated tests of a web app (web api) in Azure that is secured with AAD. The customer is using on-premises AD to synch users and groups to AAD and is using ADFS to authenticate the users. This is enough, I believe, to stop me from using UserPasswordCredential to programmatically sign in a test user. So I have asked the customer to create me some cloud-only users that will be used in the automated tests. But we can’t add these users to the AAD groups, presumably because they are synched back to on-premises AD.
The web app is designed to check if its users are in a particular AAD group, but my test users can’t be in that group, so we may have to modify the app to check for multiple groups instead, and put the cloud-only tests users into a cloud-only group, so that we can add the cloud-only group to the list of groups allowed to call the web app.
Is this the best approach, or am I missing a better solution?
UsernamePasswordCredential is meant to work with ADFS via federated tenant, as long as the proper endpoint is enabled in ADFS.