Application Specific Roles in Azure AD? - azure-active-directory

Let's say I have a Web API that I have developed, and the Web API is already protected by Azure AD using App registrations.
Now the Web API has some roles like Admin, User and Manager.
I want to store these roles in Azure AD too and get an access token for Azure so that the role is present in the JWT claims of the access token.
Any pointers on whether this is possible at all?

You could add an appRole into your Azure AD app and assign users and groups to roles.
Then the users in the group will have the claim like below:
{
"roles": ["{the role you customized}"]
}
After that, the role will be included in the access token. And you can implement your authorization logic based on the roles of the user.
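
One way an API could enforce the `roles` claim described above, as an added example that is not part of the original answer. It assumes the token's signature, issuer and expiry were already verified by a JWT library; the audience value, the route policy and the sample claims are constructed placeholders.

```python
# Added example: authorization on the "roles" claim of an Azure AD access token.
# `claims` is assumed to be the payload of an already verified token;
# nothing in this block checks signatures.

API_AUDIENCE = "api://00000000-0000-0000-0000-000000000000"  # placeholder App ID URI

# Hypothetical route policy using the roles named in the question.
POLICY = {
    ("GET", "/profile"): {"Admin", "Manager", "User"},
    ("GET", "/reports"): {"Admin", "Manager"},
    ("DELETE", "/users"): {"Admin"},
}

# Constructed sample payloads.
MANAGER_TOKEN = {"aud": API_AUDIENCE, "roles": ["Manager"]}
NO_ASSIGNMENT_TOKEN = {"aud": API_AUDIENCE}  # user signed in but holds no app role
OTHER_API_TOKEN = {"aud": "api://some-other-app", "roles": ["Admin"]}


def granted_roles(claims, audience=API_AUDIENCE):
    """Return the app roles this API should honour for the token."""
    # App roles are defined per application, so a "roles" claim only means
    # something in a token issued for this API's audience.
    if claims.get("aud") != audience:
        return frozenset()
    roles = claims.get("roles")
    # The claim is absent when the user has no app role assignment.
    if not isinstance(roles, list):
        return frozenset()
    return frozenset(r for r in roles if isinstance(r, str))


def is_authorized(claims, method, path):
    """Deny by default: unknown routes and missing roles are both refused."""
    required = POLICY.get((method, path))
    if required is None:
        return False
    return bool(granted_roles(claims) & required)


if __name__ == "__main__":
    print(is_authorized(MANAGER_TOKEN, "GET", "/reports"))
    print(is_authorized(MANAGER_TOKEN, "DELETE", "/users"))
    print(is_authorized(OTHER_API_TOKEN, "DELETE", "/users"))
```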

Related

AAD - External users not automatically added to the Users list

I'm creating an MVC Core app that uses Azure Active Directory (AAD) as user storage.
I can create users manually in the AAD Users dashboard screen and invite external users without problems. They can also log in to the app without issues.
Uninvited external users can also log in to the app when agreeing with the consent screen, which is what I want. My question, however, is: how can I keep track of those users in AAD? They are not listed in the Users dashboard as external users, nor are they logged in the 'Sign-ins' log screen.
Is there some option that I need to enable?
Since you want to use external users in your application, I would suggest that you use the Azure AD B2C solution: https://learn.microsoft.com/en-us/azure/active-directory-b2c/technical-overview
This will create a new B2C tenant from which you can track users that have integrated and logged in to your application.
Check the consumer accounts section to see if this matches your needs:
Consumer accounts
With a consumer account, users can sign in to the applications that you've secured with Azure AD B2C. Users with consumer accounts can't, however, access Azure resources, for example the Azure portal.

Combining custom registration and Azure AD?

I'm in a pickle, lacking the experience that would provide me with guidance in my project, and am seeking pointers from those who have Azure AD, SSO and Federation experience.
I am building an employee self-service system and using Azure AD for identity management. I would like the user to be able to sign in using their employee ID # and password, not their email address; there should also be an option for the user to register for online access using their employee ID # and other personal information - their Azure identity already having been established by human resources.
The sign in flow would take the user to the Microsoft login page which would in turn detect that the user needs to sign in via a custom login page and redirect them there. Once they are signed in, my server would transmit their identity to Azure AD and grant them access based on the Azure Application permissions.
I'm simply really confused about how to start setting this up, if it's even possible. I'm aware of XSS but isn't Federation and SSO with SAML2 secure?
Do I need to use a federation application as a middle-man such as Ping Identity?
Thanks for any help!
Using e.g. Ping as an IDP generally won't help because Azure AD is already an IDP.
Microsoft Azure AD login pages can't be accessed by API and can't be customised to the extent you want.
And you can only sign-in with an email address because it's designed for domain-joined corporate customers.
You can do a lot of what you require with Azure AD B2C and custom policies. That will allow you to sign-in with a user name (= employee id) and you can create workflows.
You could then federate Azure AD and Azure AD B2C.
Your other option is to use an IDP that does allow authentication via an API e.g. Auth0.
Then you could have a custom login page that authenticates as appropriate.
Using Ping ID and other similar products is the fastest way to utilize SSO.

Does Azure B2C have an end user portal "app endpoint" dashboard?

Is there any Azure B2C end-user queryable endpoint that will allow that owner to identify which tenants they have authenticated to?
A dashboard for B2C users that is an aggregate of all tenants they have federated with? Is there some extension of the /common endpoint I could make an OAuth query to? (ideally including AAD B2B guest accounts)
https://account.live.com/Activity
https://account.activedirectory.windowsazure.com/r#/applications
myapps.microsoft.com
4/24/20 Edit:
I found this in the portal that implies a portal is available.
I'm looking for the API in which to programmatically add applications to it before a migration.
I need to have the applications already 'signed in' or linked to applications I own in the B2C directory (OIDC/SAML2 apps)
Your question is the equivalent of asking, "Can I find out if I registered at StackOverflow and Facebook with this/my email?". You cannot do this; AAD B2C is isolated tenancies representing a single organisation's identities. There is no equivalent of the /common endpoint for AAD B2C. In AAD and AAD B2B accounts, there is a mapping created from the original account to identify which tenants they are in. This is to maintain a single identity across the Microsoft ecosystem.
In AAD B2C, this doesn't exist. Going back to my first sentence for 'why': they are separate applications and inherently have no relationship, nor do the identities.

Include Roles from external database in the Access Token

I am doing login with Azure AD. The client is an SPA (Angular using MSAL). If the user is not authenticated, it redirects to the Microsoft login screen (using MSAL). On successful login, it returns an access token.
My roles will be stored in a database. I need to add the roles of that user as part of the claims in the access token. I am not finding a way to do it.
I do not want to make another call from the SPA to the API to get the DB roles.
Please suggest a good approach.
Any links explaining the approach will also be very helpful.
I am still in the design phase but not able to find the best approach.
On one Microsoft site, I found that we can fetch the roles from a DB, but details were not there.
In most places, it is written that we need to provide roles in the Azure AD users manifest file.
In regular Azure AD, the "roles" claim is exclusively sourced from app role assignments for the signed-in user (or groups the user is a member of), to the app roles for the app the user is signing in to.
There's no feature currently in Azure AD which will connect to an arbitrary database, make a database query in the appropriate form, and include the results in the roles claim in the resulting ID Token.
I can think of three options to achieve your scenario:
1. After sign-in, call an API to retrieve the roles. Though you mention this is not desirable, it's probably the simplest approach, so it's worth listing. As a result of the user's sign-in to your app, your app will usually obtain an access token to an API. If you set up your API to be secured with Azure AD (directly, or through Azure API Management), your SPA could simply get the necessary access token as part of sign-in, and at that point it's trivial to make a REST call to retrieve the role details for the user (and possibly other information useful to rendering your app).
2. Synchronize (or copy) your role information from your database to Azure AD. For each role, create an app role in the Azure AD app registration. For each user-role association, either create an app role assignment to directly assign the user (user -> app role), or assign a group to the app role and add the user to the group (user -> group -> app role). Keeping this in sync is probably not trivial, so if your scenario allows moving the role information to Azure AD app role assignments, you can forget the database entirely (making Azure AD the authoritative location). Of course, this might not work for your specific case.
3. Use Azure AD B2C and a custom sign-in policy. You could create an Azure AD B2C tenant, set up a custom sign-in policy to use your (regular) Azure AD tenant as the identity provider, and configure the policy to enhance the claims by calling a REST API to retrieve your roles. In this approach, you still need to have a REST API which can provide the role information, so rather than doing the setup and migrating your app, you may prefer simply calling the API from your SPA (option 1, in this list).
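
The synchronization option in the answer above comes down to reconciling two sets of (principal, app role) pairs. The following is an added example, not code from the original answer: it computes which app role assignments to create and which stale ones to remove, and describes the corresponding Microsoft Graph `appRoleAssignedTo` calls without sending them. All ids and sample rows are constructed placeholders, and the function names are hypothetical.

```python
# Added example: plan a one-way sync from a roles database to Azure AD
# app role assignments. Builds request descriptions only; sending them
# with an authenticated Graph client is left out.

# Constructed sample data. Every id below is a placeholder, not a real GUID.
RESOURCE_SP_ID = "sp-object-id-of-api"
APP_ROLE_IDS = {"Admin": "role-id-admin", "Manager": "role-id-manager", "User": "role-id-user"}
SAMPLE_DB_ROWS = [("user-1", "Admin"), ("user-2", "Manager"), ("user-3", "Auditor")]
SAMPLE_ASSIGNMENTS = [
    {"id": "assign-1", "principalId": "user-1", "appRoleId": "role-id-admin"},
    {"id": "assign-2", "principalId": "user-9", "appRoleId": "role-id-user"},
]


def plan_sync(db_rows, current_assignments, app_role_ids):
    """Diff desired (database) against actual (Azure AD) assignments."""
    desired, unknown = set(), set()
    for principal_id, role_name in db_rows:
        role_id = app_role_ids.get(role_name)
        if role_id is None:
            unknown.add(role_name)  # no app role defined yet: report, do not guess
        else:
            desired.add((principal_id, role_id))
    existing = {(a["principalId"], a["appRoleId"]): a["id"] for a in current_assignments}
    to_create = sorted(desired - set(existing))
    # Stale assignments keep granting the role in new tokens until removed.
    to_delete = sorted(existing[key] for key in set(existing) - desired)
    return to_create, to_delete, sorted(unknown)


def build_requests(resource_sp_id, to_create, to_delete):
    """Describe the Microsoft Graph calls for the plan (nothing is sent)."""
    base = f"/servicePrincipals/{resource_sp_id}/appRoleAssignedTo"
    requests = [
        {"method": "POST", "url": base,
         "body": {"principalId": p, "resourceId": resource_sp_id, "appRoleId": r}}
        for p, r in to_create
    ]
    requests += [{"method": "DELETE", "url": f"{base}/{a}"} for a in to_delete]
    return requests


if __name__ == "__main__":
    create, delete, unknown = plan_sync(SAMPLE_DB_ROWS, SAMPLE_ASSIGNMENTS, APP_ROLE_IDS)
    for req in build_requests(RESOURCE_SP_ID, create, delete):
        print(req)
    print("roles missing from the app registration:", unknown)
```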

Migrating users with social login to Azure AD B2C

I'm trying to migrate user accounts from our database to Azure AD B2C following an article and simple app that's coupled with the article -- see below.
All user accounts we have in our database used social login e.g. Google, LinkedIn and Facebook. I'm looking at the code in the migration app and I don't see any reference to user's social login. I don't see any properties for login type or anything like that.
How will I specify how the user registered in our system and has been using his/her social account to log into our app? The migration structure seems very simple i.e. just name, last name, email, etc.
I do NOT have to use this app but not sure if there's a simpler way to handle this.
The article I'm following is: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-user-migration
And here's a link to the simple migration app: https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/tree/master/scenarios/aadb2c-user-migration
For a social account, Azure AD B2C finds the user object using a composite key that includes the social user identifier (e.g. the "id" claim that is issued by the social identity provider) and the social identity provider name (e.g. "facebook.com").
This composite key is stored in the "alternativeSecurityId" attribute of the user object.
Currently, you can't read or write this "alternativeSecurityId" attribute of the user object using the Azure AD Graph API, which means you can't migrate the social accounts from your existing identity store using a similar method to that described in the user migration guide.
> I don't see any reference to user's social login. I don't see any
> properties for login type or anything like that.
About migration: Azure AD B2C can let social accounts sign up and sign in. For your scenario, after migrating users to Azure AD B2C, the users from any social identities can sign in to the application in your Azure AD B2C. (You can also change your policy to check and set the user migration status.)
About where users' information is stored: After migrating, all the users can be seen in the Users and Groups of Azure AD B2C. Additionally, there is an app called b2c-extensions-app, which is visible in App registrations. It is used by the Azure AD B2C service to store information about users and custom attributes.
About login type: Also, you may want to know which properties for login type you can choose, Email address or Username. This configuration can be done in the Azure Portal.
Go to Azure Portal > Your B2C tenant > Identity providers > local accounts > Choose Email or User name for sign-up and sign-in.
> How will I specify how the user registered in our system and has been
> using his/her social account to log into our app? The migration
> structure seems very simple i.e. just name, last name, email, etc.
Yes, the migration is very simple. If you want to specify how the users sign up and sign in, you need built-in Sign-up or Sign-in policies for those users. Also, you can use Custom policies.
