I have an angular-cli (v8) web application where I want users to be able to sign-in using their existing Azure AD account.
I came across the article explaining how to added authentication to an angular 8 application using Azure B2C and started to follow the step outlined in that article. https://about-azure.com/using-azure-ad-b2c-with-angular-8/
Azure AD is not on the list of authentication providers
Is is possible to add Azure AD as an authentication provider?
Technically my application is an Service Fabric application using .net core 3.1. I know that Visual Studio offers and "Add Connect Services" where one can choose Azure AD.
That does not work, because it configures authentication for a MVC application (options use.MVC) and I do not have an MVC application so it doesn't work (I have tried)
Is is possible to add Azure AD as an authentication provider?
Yes, you need to select New OpenID Connect provider and configure Azure AD as an identity provider.
Reference:
Set up sign-in for a specific Azure Active Directory organization in Azure Active Directory B2C
Related
We have a public consumer application for which we use Auth0 as identity platform and through Auth0 we have enabled a couple of social logins to which we now want to add "Login with Microsoft" as an option so that anyone with any type of Microsoft account can login.
Obviously we will need to enable the Microsoft social connection in our Auth0 instance and connect it to a Active Directory Application and Tenant created in Azure.
What I can't seem to find the answer for is which type of tenant we should setup for this, whether we should use a Azure Active Directory tenant with a multi-tenant application or if we should use a Azure Active Directory (B2C) tenant for this?
Thanks for posting your query. As per https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/azure-active-directory/v2#register-your-app-with-azure-ad Azure AD would support for multitenant apps but not with social account (until you plan to send invitation to each user's personal account for Azure AD B2B).
For Microsoft Social accounts Azure B2C would suit your requirement.
On Auth0 Admin Console:
Create a web application in Auth0
Copy the client ID and secret
Add a callback URL from your B2C tenant in given format: https://.b2clogin.com/.onmicrosoft.com/oauth2/authresp
Copy the “OpenID Configuration” URI from advance setting.
On Azure B2C tenant:
Add an Identity provider to B2C, Azure AD B2C > Identity providers > New OpenID Connect Provider
Input “OpenID Configuration” URI you copied in above step to Metadata URL.
Similarly add client ID and Client secret you copied from Auth0.
Complete the claims mapping ref: https://learn.microsoft.com/en-in/azure/active-directory-b2c/identity-provider-generic-openid-connect?pivots=b2c-user-flow#claims-mapping
Hit Save and Auth0 will be saved as IDP in your Azure B2C tenant.
Thanks
I've gathered the following insights since posting my question
Summary
Auth0 Social connection -> Azure Active Directory tenant with an app configured to support "Personal Microsoft accounts"
Auth0 Enterprise connection -> Azure Active Directory tenant with an app configured to support "Accounts in any organisational directory and personal Microsoft accounts"
See guide of different app types here
Details
Since we wanted to support login with any microsoft account (multi tenant + personal) my initial attempt of using an Auth0 Social connection for this was incorrect, since the Social connection will only allow successful logins with personal accounts regardless of how you have setup the App registration in Azure
Auth0 Enterprise connection is the way to go for our case, with an Azure app registation supporting multi tenant + personal accounts. Also when setting the connection up in Auth0, make sure to enable the "Use common endpoint" setting as described here
The Azure Active Directory B2C tenant type is not useful with any of the Auth0 connections as you likely won't be able to get a satisfying consent screen with verified publisher. I'm guessing its just the wrong way of using the B2C tenant, where its supposed to be used the other way around with the Azure tenant being the identity platform optionally integrating applications from Auth0 like in the answer from Mavric20
We use custom idp (identity server 3) to authenticate users on the system. Now I have a requirement to implement Azure AD authentication. I tried adding Azure AD as an external provider it is working fine on the browser, but on MS teams app, it is not working because the Microsoft teams app opens in an Iframe, on which azure Ad doesn't work.
I implemented Microsoft msal.js library to authenticate using Azure AD. I am able to authenticate and get the token on the frontend. But how can I pass that token to identity server 3 and authenticate user using my own identity server.
Did you have a look at these resources which seem to explain how to implement your setup:
https://learn.microsoft.com/en-us/microsoftteams/sign-in-teams
https://learn.microsoft.com/en-us/microsoftteams/platform/concepts/authentication/authentication
https://learn.microsoft.com/en-us/microsoftteams/platform/tabs/how-to/authentication/auth-tab-aad
https://learn.microsoft.com/en-us/microsoftteams/platform/concepts/authentication/configure-identity-provider
if I understand your requirement correctly then you can try out the below solution:
User is authenticated using Azure Ad when he logs in to Teams App. Now you can send the logged in user's AD information (User Principal Name preferably) to your IS3 and authenticate from your end.
Referred the following stack overflow post Azure B2C client credentials grant
We are presently using Azure B2C.
I understand that Azure B2C does not support the client credential flow for now.
We have a requirement where an external application (server Application outside our organization) needs to access our resource (api hosted within our organization)
Is there any way we can do this from Azure AD-B2C or would we need Azure AD-B2B for these type of requirements. ?
Currently, your specific scenario -- where you are needing an access token to be issued for access by a daemon or server app to your API app -- isn't supported, however you can register the API app through the “App Registrations” blade of the Azure AD directory for your Azure AD B2C tenant.
You can upvote support for the client credentials flow by Azure AD B2C at:
https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/18529918-aadb2c-support-oauth-2-0-client-credential-flow
If the API app is to receive tokens from both a web/native app as well as the daemon/server app, then you will have to configure the API app to validate tokens from two token issuers: one being Azure AD B2C and other being the Azure AD directory for your Azure AD B2C tenant.
You should not do this anyway.
Instead, provide a portal for your customers where they can manage api keys.
Implement api keys as a second auth schema in your Api
Using Azure Active Directory When i am applying single sign on for my web application i am able to do the Password-based single sign-on successfully.
But when i am doing with Integrated Windows Authentication(for kerberos authentication mainly), i am not able to configure it. i am very confused.
Can anybody guide me how to enable kerberos authentication for web application.
or please send me any example links how to set kerberos authentication for web applications.
Thanks!
If you are trying to use Azure AD with Kerberos for Windows Integrated Authentication there was a comment about AADConnect, which has some offerings, especially if you use ADFS for Federated sign-ins. There is also the Azure App Proxy with KCD support
I am developing an application which uses Azure AD as authentication provider.
Need to implement a two factor authentication for the application.
Is it possible to create our own provider and plugin into azure without using the one available with Azure AD.
As far as I know, the Azure AD doesn't support to use the third-party MFA authentication provider.
However we are also could build multi-factor authentication into custom apps with Azure AD. More detail about this you can refer this document.