Can we login using other Directory users of same Azure account - azure-active-directory

My Azure Active Directory has 2 directories:
User1Directory
User2Directory
My app is configured with User1Directory and I successfully logged in using User1Directory users, but I want to log in using User2Directory users.

Okay, so you have 2 Azure AD tenants (directories).
If you want to allow sign-in from multiple tenants, you need to make your app multi-tenant.
Then you have a couple of options for how you can handle authentication.
Your app will regardless have to check the issuer of tokens, as changing an app to multi-tenant allows login with any tenant.
You probably want to check the issuer is one of those 2 tenants.
Your app could offer two login buttons, one which redirects to https://login.microsoftonline.com/tenant1-id/... and the other to https://login.microsoftonline.com/tenant2-id/....
This approach supports external guest users in those tenants as well.
The other approach is that you can instead always redirect users to authenticate with https://login.microsoftonline.com/organizations/....
This will allow the user to sign in with any Azure AD tenant.
It's simpler from your app's side, but it does prevent external guest users in those tenants from signing in, as the organizations endpoint (like the common endpoint) always logs the user in to their "home" tenant, making the issuer that home tenant.
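The issuer check the answer insists on, as an added example (not code from the answer or from Microsoft): it accepts the two issuer shapes Azure AD uses and rejects a token from any tenant other than the two that are allowed. It assumes your JWT library has already verified the signature, expiry and audience; the tenant IDs are placeholders standing in for User1Directory and User2Directory.

```python
# Added example: tenant-level checks a multi-tenant Azure AD app must add on top
# of normal JWT validation (signature, expiry, audience already verified).
import re

# Constructed placeholder tenant IDs standing in for User1Directory and
# User2Directory; replace with the real tenant IDs from the Azure portal.
ALLOWED_TENANTS = {
    "11111111-1111-1111-1111-111111111111",  # User1Directory (placeholder)
    "22222222-2222-2222-2222-222222222222",  # User2Directory (placeholder)
}

# Issuer formats Azure AD uses: v1.0 tokens carry https://sts.windows.net/{tid}/
# and v2.0 tokens carry https://login.microsoftonline.com/{tid}/v2.0
_ISSUER_PATTERNS = (
    re.compile(r"^https://sts\.windows\.net/([0-9a-fA-F-]{36})/$"),
    re.compile(r"^https://login\.microsoftonline\.com/([0-9a-fA-F-]{36})/v2\.0$"),
)


def tenant_from_issuer(iss):
    """Extract the tenant ID from an Azure AD issuer URL, or None if the
    issuer is not in one of the two expected shapes."""
    if not isinstance(iss, str):
        return None
    for pattern in _ISSUER_PATTERNS:
        match = pattern.match(iss)
        if match:
            return match.group(1).lower()
    return None


def validate_tenant(claims, allowed_tenants=ALLOWED_TENANTS):
    """Return (True, tenant_id) if the token was issued by one of the allowed
    tenants, otherwise (False, reason). `claims` is the already-verified
    token payload as a dict."""
    tenant = tenant_from_issuer(claims.get("iss"))
    if tenant is None:
        return False, "issuer is not an Azure AD issuer"
    # The tid claim, when present, must name the same tenant as the issuer.
    tid = claims.get("tid")
    if tid is not None and tid.lower() != tenant:
        return False, "tid claim does not match issuer"
    if tenant not in {t.lower() for t in allowed_tenants}:
        return False, f"tenant {tenant} is not allowed"
    return True, tenant


if __name__ == "__main__":
    # Constructed sample claims, as a JWT library would return them after
    # signature verification.
    sample = {
        "iss": "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0",
        "tid": "11111111-1111-1111-1111-111111111111",
        "sub": "example-user",
    }
    print(validate_tenant(sample))
```

Doing the allowlist on the tenant ID rather than on the issuer string verbatim is deliberate: the same tenant shows up under both issuer formats depending on which endpoint version issued the token, and a check that only knew one shape would silently reject valid users or, worse, be loosened into a prefix match.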

Related

Azure AD B2C and AD Connect

I need to synchronize users from my on-prem AD to an AD B2C tenant.
Now, the docs clearly state this is not possible, but one of the workarounds offered in other questions (like this one: Can I Use ADConnect to migrate users to Azure B2C) is to create a regular Azure AD, sync the users to it, and then configure this Azure AD as an identity provider for the B2C.
This obviously works; however, it will display a link on the sign-in page to log in using the Azure AD tenant (similar to what happens with the Facebook identity provider). What I'm looking for is a seamless experience, where the users sign in using the regular B2C pages, as if they're local users, and the users' profiles are retrieved from the Azure AD tenant.
How can that be achieved? How can I use the B2C sign in pages and get the users from the Azure AD tenant?
Thanks!
The easiest way is to use this sample.
"On the sign-in page, the user provides their sign-in email address and clicks continue. B2C checks the domain portion of the sign-in email address. If the domain name is contoso.com the user is redirected to Contoso.com Azure AD to complete the sign-in. Otherwise the user continues the sign-in with username and password. In both cases (AAD B2C local account and AAD account), the user does not need to retype the user name."
So no button clicking.
However, this creates the user as a "shadow" account in B2C. It's not a local account. If the user already has a local account, then you can link the two.
Otherwise, there are some migration samples.
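The domain-based routing the quoted sample describes, and the tenant-specific versus organizations/common endpoints from the first answer on this page, written as application code (an added example, not the sample's custom policy and not Microsoft's code). CLIENT_ID, REDIRECT_URI and the domain-to-tenant mapping are placeholders; the endpoint path and query parameters are the documented Azure AD v2.0 ones.

```python
# Added example: app-side home realm discovery by email domain, then building
# the Azure AD v2.0 authorization request for the chosen endpoint.
import secrets
from urllib.parse import urlencode

CLIENT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder app (client) ID
REDIRECT_URI = "https://app.example.com/auth/callback"  # placeholder
SCOPES = "openid profile email"

# Constructed mapping of verified email domains to the Azure AD tenant that
# owns them; any other domain continues with a local username/password account.
FEDERATED_DOMAINS = {
    "contoso.com": "11111111-1111-1111-1111-111111111111",  # placeholder tenant
}


def parse_email(email):
    """Split a sign-in email into (local part, lowercase domain) or raise."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or "." not in domain:
        raise ValueError("not a well-formed sign-in email")
    return local, domain.lower()


def choose_tenant(email):
    """Home realm discovery: the federated tenant ID for a known domain, or
    None when the user should continue as a local account."""
    _, domain = parse_email(email)
    return FEDERATED_DOMAINS.get(domain)


def build_authorize_url(authority, state, nonce, login_hint=None):
    """authority is a tenant ID, 'organizations' (any Azure AD tenant, always
    the user's home tenant) or 'common' (Azure AD plus personal accounts)."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": SCOPES,
        "state": state,  # bound to the browser session; compared on callback
        "nonce": nonce,  # echoed in the ID token; compared on callback
    }
    if login_hint:
        params["login_hint"] = login_hint  # user does not retype the name
    return (f"https://login.microsoftonline.com/{authority}/oauth2/v2.0/authorize?"
            + urlencode(params))


def start_login(email):
    """Return (redirect_url, state, nonce) for a federated user, or
    (None, None, None) when the user should see the local password step.
    Persist state and nonce server-side before issuing the redirect."""
    tenant = choose_tenant(email)
    if tenant is None:
        return None, None, None
    state, nonce = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    url = build_authorize_url(tenant, state, nonce, login_hint=email.strip())
    return url, state, nonce


if __name__ == "__main__":
    print(start_login("Alice@Contoso.com"))   # redirected to the contoso tenant
    print(start_login("bob@example.org"))     # (None, None, None): local account
```

The mapping is keyed on domains you have verified belong to that tenant; routing on an unverified domain would let anyone who types a matching address be sent to, and land a session from, the wrong identity provider. The per-request state and nonce are what let the callback reject a response that was not started by this browser session.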
Why do you need Azure B2C? If all users are in the AD, then just use AD as it was intended instead of trying to shoehorn them into something it wasn't designed for. As you say, the added button to log in as an AD user is there for this very purpose. I use that and it works well: if you are an internal user (B2B), go this way with your normal password; all other public users (B2C) use the username and password front and centre on the screen.
If you migrate users to B2C so they have both, that would be annoying, as you would have no single sign-on.

Login via SSO (SAML) for ANY user from the Internet (not just a corporate one)

I have included SSO (SAML) authorization in my existing application. But for me it was an unpleasant surprise to find that only 2 types of users can use the login through the providers I added (Okta, Azure AD):
Users who are located in the corporate directory of the provider (for example, I made an application on my account and there are no more users; this means that any other user will not be able to use the login form, because he is not a member of my tenant).
Third-party users of companies whose administrators have added a template of my application from the general list and connected their users to it.
I expected other results; I need ANY user to be able to log in through these providers (regardless of whether he is in the corporate directory or has his own separate account that is not integrated into my application).
I thought about changing the SAML protocol to OIDC (OpenID Connect), but it seems to me that everything will work in the same way (at least for Azure AD, because it seems there are no other options for working with it except for corporate distribution).
Who has had a similar experience? Could you tell me which technologies and protocols I should use so that ABSOLUTELY ANY user can log into my application through Okta / Azure AD / Google? Thanks!
Azure AD login fail screen
Okta login fail screen
You can use Azure AD OAuth2 flows and multi-tenant apps with MSA (personal account) support to allow any user from any domain and personal accounts to log in to your application. Or you can switch to Azure AD B2C (which also relies on OAuth2) to connect different identity providers (local Azure B2C, Azure AD, Facebook, Google, Amazon, GitHub, LinkedIn, Twitter, generic providers, etc.) and allow all their users to log in to your application.

AADSTS50020: User account does not exist in tenant

I was able to register an app created by another tenant as an enterprise app of my own tenant.
I signed in to the app as a user, but I got the following error.
AADSTS50020: User account 'test001#testdomain001.onmicrosoft.com' from identity provider 'https://sts.windows.net/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/' does not exist in tenant 'testdomain002' and cannot access the application '55555555-6666-7777-8888-999999999999'(OneDriveAPIBrowser_test001) in that tenant.
The account needs to be added as an external user in the tenant first.
Sign out and sign in again with a different Azure Active Directory user account.
How can a user of another tenant use it without the application creator tenant performing any processing?
If the Azure AD app is registered in Tenant A and you have added it as an enterprise app into Tenant B, you should use a user from Tenant B to sign in.
In your case, if the registered app is in testdomain001 and added into testdomain002, you need to use a user from testdomain002. User "test001#testdomain001.onmicrosoft.com" is not allowed to sign in to the app in testdomain002 unless it is a guest user of testdomain002.
I tried the steps below and it worked for me.
Go to azure.microsoft.com
Select Free Account.
Sign in with your email.
It will detect that you already have a subscription and give you the option to use it.

AAD - External users not automatically added to the Users list

I'm creating a MVC core app that uses Azure Active Directory (AAD) as user storage.
I can create users manually in the AAD Users dashboard screen and invite external users without problems. They can also login into the app without issues.
Uninvited external users can also log in to the app when agreeing to the consent screen, which is what I want. My question, however, is how can I keep track of those users in AAD? They are not listed in the Users dashboard as external users, nor are they logged in the 'Sign-ins' log screen.
Is there some option that I need to enable?
Since you want to use external users in your application, I would suggest that you use the Azure AD B2C solution: https://learn.microsoft.com/en-us/azure/active-directory-b2c/technical-overview
This will create a new B2C tenant from which you can track users that have integrated and logged in your application.
Check the consumer accounts section to see if this matches your needs:
Consumer accounts
With a consumer account, users can sign in to the applications that you've secured with Azure AD B2C. Users with consumer accounts can't, however, access Azure resources, for example the Azure portal.

Azure AD to authenticate users to public facing webapp

I have a nodejs webapp with login, signup pages (text fields to enter username, passwd and "Login" button). Other pages in the UI and Backend APIs should be accessible only to authenticated users.
What options do I have if I want to authenticate users using Azure AD (clicking the "Login" button on the UI should authenticate against Azure AD)? Would the flow be different if I want to authenticate both internal users (associates with AD credentials) and external users (end customers not in our AD)?
TIA.
What options do I have if I want to authenticate users using Azure AD (clicking the "Login" button on the UI should authenticate against Azure AD)?
In B2C, you could use direct sign-in by the username or by the identity provider.
Would the flow be different if I want to authenticate both internal users (associates with AD credentials) and external users (end customers not in our AD)?
There is no difference. If you don't set up direct sign-in, all users will see a first page where they choose the provider, and then they will be redirected to the related provider's login page.
You have to create a B2C directory and create a web app there; then you can create a Sign-in or Sign-up policy. Once you have created that, open it, select the web app you have created and a redirect URL to which you want your user to be redirected after successful login. Now hit the Run Now button at the bottom of the policy page. You should see a login page. If you are using it for the first time, you have to sign up; otherwise you can sign in directly. That will do it for you.
There is no difference if you are signing in a user who has the AD credentials or not. They still have to sign up in the B2C directory the first time, as the user profile they have is for the Azure AD directory and not for Azure AD B2C.
There is one thing to keep in mind: what type of authentication you want to follow, OpenID or EasyAuth.
You can test these things out and that should solve your problem. If you still face any challenge, you can let me know here.
