I am trying to test multi tenant Azure authentication to an application, which only works with Azure Work accounts (B2B users cannot sign in to Tenant using v2.0 endpoint & MSAL Auth flow).
Without asking our Azure AD admin to consent my testing application, what other options I have to use Work accounts ?
How hard is to create custom organization where I could test it ?
thank you
Only when the tenant administrator agrees to your multi-tenant application to access its tenant, you can use that tenant's users to test your application.
This is how multi-tenant applications work and this is the process that meets security.
You can create an Azure free account for testing purpose.
Related
I have a multi tenant enterprise app. It authorises a few graph API permissions when installed and has SAML SSO configured. The whole idea is that my customers can install this and in one process grant my application access to their tenant, and setup SSO for that customers users.
The graph API permissions work totally as expected, I get the needed access to the tenants who installed the app.
Then there is the SAML SSO part. That's just totally not working. In my test tenant where I installed my app, it says that the app has SAML SSO and that it is only application owner who can configure - all fine.
I then try to log in (to the web app using this SSO configuration) with a user from my test tenant - no luck!
First I thought that it had to do with the user not being assigned the app, but it complains the the application in tenant A is not available for user in my test tenant and the user should be added to tenant A. That of course is not a solution since I want to use this for customers.
So right now I am stuck with 2 app's. One gallery app for SAML SSO and my app granting API permissions. It works, but it just seems SO stupid. Isn't there a better way?
Azure AD SAML applications are not intended to be multi-tenant, this is why you need to invite external users as guests.
It's worth to mention it's possible for an Azure AD app to support both OIDC/OAuth2 and SAML and thus rely on the same session cookie to obtain an access token for MS Graph.
If you need multi-tenancy, you should use modern protocols such as OpenID Connect for authentication and OAuth2 for authorization. MS Graph relies on JWT access token anyways.
We are working on integrating our app with MS Teams using a Teams app with a bot and a tab and we are struggling with the authentication.
Our scenario is:
We use Azure AD B2C for authentication to our app (using predefined user flows).
We have different customers that use Azure AD (each one with its own Azure AD tenant). We created a custom identity provider that enables sign-in/sign up users to our app using their own Azure AD credentials.
We created a bot channel registration using a "Generic Oauth 2" service provider to connect to our bot with Azure AD B2C.
Our challenges are:
Ideally, we want to implement SSO for our bot in Teams to allow our customers to be able to sign in to our app using their MS Teams credentials. We managed to authenticate using OAuthPrompt for Teams following this sample but the challenge we've seen is that the user needs to sign in every time that opens the bot (i.e. there refresh token is not working) and also we are not able to send a "domain_hint" query string to differentiate our customers.
Ideally, we want the authentication to be handled using only one bot channel registration
Probably it could be achieved by creating one channel registration for each customer but in the long-term, we'd need to create one bot for each customer and that could be difficult to maintain/avoiding our customers installing an App Registration on their Azure AD.
Anyone had similar experiences dealing with MS Teams apps for multiple Azure AD tenants using Azure AD B2C? How's the best way you recommend to handle this scenario?
Your help would be appreciated!
Thanks in advance!
If it helps to someone, after some research, we are doing the following for our scenario:
For the SSO in the tabs, given the limitation of OAuthPrompt to don't refresh tokens (we don't want users to sign in every time the token expires) we are following this solution posted months ago https://github.com/igrep/example-teams-bot-with-ms-account-refresh-token.
For handling multiple Azure AD tenants within B2C, given that we are using predefined user flows and we need to build a custom sign-in for our scenario, we are going to pass the get and pass the domain_hint from MS Teams to Azure AD B2C.
To implement SSO, please go through Add single sign on to a bot and also you can refer the code base in Expert Finder app template and it has implemented the same bot sign-in functionality and it is working fine.
Could you please take a look at multiple Azure AD tenants using Azure AD B2C for configuring multi tenant AD B2C.
Hello Everyone,
I have an Azure AD application with MS Graph's authorizations for get users or calendars.
And i have a B2C tenant with an application and a user flow. the B2C authentification working well in my blazor app, but my B2C Application haven't access at MS Graph's authorizations from my AD Application.
I have trying to make custom scope and declare it in my B2C app or use API connector but nothing work.
I give you screenshots of my AD application and my B2C application:
My AD Application :
API Exposed
API Authorization
If you have a solution or an idea to test...
Thank you in advance..
(Moving from Comments to Answer)
The two screenshots you provided are from AD, and AD tenants and B2C tenants are different. You cannot use applications in the b2c tenant to access resources in the AD tenant.
In addition, for Azure AD b2c applications, it cannot use MS Graph, but can only use AAD Graph, see: here and here.
I am looking for an option to securely Authenticate the users for a client-facing Web/Mobile app(hosted in Azure App Service) using Azure Active Directory, where users should be flexible enough to sign-in using either Mobile, Email, Username or even from Social Identity Providers. Moreover, we want controls in UI with all the customization. Could you please suggest me which Identity Management System should I go with?
For the scenario where you want to log in with flexible enough to sign-in using either Mobile, Email, Username or even from Social Identity Providers then the best and only option would be using Azure AD B2C .
I'm in a pickle, lacking the experiences that would provide me with guidance in my project and am seeking pointers from those for whom have Azure AD, SSO and Federation experience.
I am building an employee self service system and using Azure AD for identity management. I would like the user to be able to sign in using their employee ID # and password, not their email address; there should also be an option for the user to register for online access using their employee ID # and other personal information - their Azure Identity already having been established by humane resources.
The sign in flow would take the user to the Microsoft login page which would in turn detect that the user needs to sign in via a custom login page and redirect them there. Once they are signed in, my server would transmit their identity to Azure AD and grant them access based on the Azure Application permissions.
I'm simply really confused about how to start setting this up, if it's even possible. I'm aware of XSS but isn't Federation and SSO with SAML2 secure?
Do I need to use a federation application as a middle-man such as Ping Identity?
Thanks for any help!
Using e.g. Ping as an IDP generally won't help because Azure AD is already an IDP.
Microsoft Azure AD login pages can't be accessed by API and can't be customised to the extent you want.
And you can only sign-in with an email address because it's designed for domain-joined corporate customers.
You can do a lot of what you require with Azure AD B2C and custom policies. That will allow you to sign-in with a user name (= employee id) and you can create workflows.
You could then federate Azure AD and Azure AD B2C.
Your other option is to use an IDP that does allow authentication via an API e.g. Auth0.
Then you could have a custom login page that authenticates as appropriate.
Using Ping ID and other similar products is the fastest way to utilize SSO.