Azure AD SAML SSO - Signout process - active-directory

I didn't quite understand the logout process in AD.
Say a user logs out from another app (not mine) that's connected to AD; would my SP get called when it happens?
Another thing that I'm missing is, what happens when a user is removed/deactivated from their directory? How would I know when to clear their session? I couldn't find anything regarding this issue in AD's docs.

The following diagram shows the workflow of the Azure AD single sign-out process.
If the user logs out from one app connected to AD (the same tenant as yours), he will be signed out from other apps connected to the same AD.
If a user was removed from their directory, the user will get an authentication issue.
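
As an added example (not the answer's own code), here is what the SP side of that single-logout flow looks like: Azure AD sends the SP a SAML LogoutRequest for the user, and the SP has to map it back onto its own sessions and answer with a LogoutResponse. The IdP entity ID, SP entity ID, in-memory session store, sample request and timestamps are all constructed/hypothetical, and the code assumes the request's signature has already been verified before it is called.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Added example (not the original answer's code). Assumptions, all hypothetical:
# the IdP and SP entity IDs below, an in-memory session store, and that the
# caller has ALREADY verified the LogoutRequest signature against the IdP's
# certificate. Azure AD signs single-logout requests; acting on an unverified
# one lets anyone who can reach /saml/logout log your users out.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ET.register_namespace("samlp", NS["samlp"])
ET.register_namespace("saml", NS["saml"])
IDP_ENTITY_ID = "https://sts.windows.net/11111111-2222-3333-4444-555555555555/"
SP_ENTITY_ID = "https://sp.example.test/saml"
MAX_SKEW = timedelta(minutes=5)   # tolerated request age / clock skew
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, 30, tzinfo=timezone.utc)

# Constructed session store: session id -> (NameID, SessionIndex). Alice has two
# browser sessions; a LogoutRequest carrying one SessionIndex must end only that one.
SESSIONS = {
    "sess-1": ("alice@contoso.example", "_idx-alice-1"),
    "sess-2": ("alice@contoso.example", "_idx-alice-2"),
    "sess-3": ("bob@contoso.example", "_idx-bob-1"),
}

# Constructed LogoutRequest in the shape the IdP sends (Signature element omitted).
SAMPLE_LOGOUT_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_req-123" Version="2.0" IssueInstant="2024-01-01T12:00:00Z"
    Destination="https://sp.example.test/saml/logout">
  <saml:Issuer>https://sts.windows.net/11111111-2222-3333-4444-555555555555/</saml:Issuer>
  <saml:NameID>alice@contoso.example</saml:NameID>
  <samlp:SessionIndex>_idx-alice-1</samlp:SessionIndex>
</samlp:LogoutRequest>"""


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def encode_redirect_binding(xml_text):
    """HTTP-Redirect binding carries SAMLRequest as base64(raw-deflate(xml))."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def decode_redirect_binding(param):
    return zlib.decompress(base64.b64decode(param), -15).decode()


def parse_logout_request(xml_text, now):
    """Validate issuer and timestamps, then pull out who is being logged out."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        raise ValueError("not a LogoutRequest")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != IDP_ENTITY_ID:
        raise ValueError("unexpected Issuer %r" % issuer)
    if abs(now - _ts(root.get("IssueInstant"))) > MAX_SKEW:
        raise ValueError("IssueInstant outside accepted window")
    expiry = root.get("NotOnOrAfter")
    if expiry and now >= _ts(expiry):
        raise ValueError("LogoutRequest expired")
    name_id = root.findtext("saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("LogoutRequest has no NameID")
    indexes = [e.text for e in root.findall("samlp:SessionIndex", namespaces=NS)]
    return {"id": root.get("ID"), "name_id": name_id, "session_indexes": indexes}


def terminate_sessions(sessions, req):
    """Remove the user's sessions; when SessionIndex is present, only matching ones."""
    removed = []
    for sid, (name_id, index) in list(sessions.items()):
        if name_id != req["name_id"]:
            continue
        if req["session_indexes"] and index not in req["session_indexes"]:
            continue
        removed.append(sid)
        del sessions[sid]
    return removed


def build_logout_response(req, now):
    """Success LogoutResponse returned to the IdP (sign it before sending)."""
    resp = ET.Element("{%s}LogoutResponse" % NS["samlp"], {
        "ID": "_resp-" + req["id"].lstrip("_"), "Version": "2.0",
        "InResponseTo": req["id"], "IssueInstant": now.strftime("%Y-%m-%dT%H:%M:%SZ")})
    ET.SubElement(resp, "{%s}Issuer" % NS["saml"]).text = SP_ENTITY_ID
    status = ET.SubElement(resp, "{%s}Status" % NS["samlp"])
    ET.SubElement(status, "{%s}StatusCode" % NS["samlp"],
                  {"Value": "urn:oasis:names:tc:SAML:2.0:status:Success"})
    return ET.tostring(resp, encoding="unicode")


def handle_logout(saml_request_param, sessions, now=None):
    """Entry point for the SP's logout endpoint (after signature verification)."""
    now = now or datetime.now(timezone.utc)
    req = parse_logout_request(decode_redirect_binding(saml_request_param), now)
    removed = terminate_sessions(sessions, req)
    return {"removed": removed, "response_xml": build_logout_response(req, now)}
```

The SessionIndex handling is the part worth noticing: a request without one ends every session the SP holds for that NameID, while a request with one ends only that login. In a real endpoint, parse with defusedxml rather than the stdlib parser, and keep the issuer check even after signature verification, since a valid signature from some other IdP you trust is not a logout from this one.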

Related

Cannot sign in using AAD B2C identity provider with AAD Multitenant (custom policy)

I have set up sign-in for multi-tenant Azure Active Directory using custom policies in Azure Active Directory B2C using the guide provided in Microsoft's documentation.
I have added Azure Active Directory B2C as an identity provider for Azure API Management
When I want to sign in to the portal, I am presented with the AADB2C login screen correctly. I can select the AAD provider and I'm then taken through the sign-in process as I would expect. Authentication happens correctly.
However, when I am redirected back to the API Management developer portal, I am instantly presented with the AADB2C login screen again.
I am quite stuck at the moment as I am unsure how to debug this issue or what to look for next.
Has anyone been able to get this working properly, and if so, could you provide some guidance?
It turns out that the value of the policy key I created was incorrect. After updating the policy key with the correct Application key (Not Application ID), everything worked.

Why do I need to create a Multi-Tenant App?

I have been doing some R&D on using the MicrosoftGraphAPI to fetch the skus subscribed by my organization.
I have created an app as described in the documentation. I did all the steps in the above link except 'Assign application to role'.
Using Postman I am able to get the OAuth2 token by sending a POST request to the link
https://login.microsoftonline.com/<mytenantid>/oauth2/token
with the client_id, client_secret, resource (https://graph.microsoft.com) and grant_type (client_credentials) parameters.
After this token is obtained I can fire a GET request to https://graph.microsoft.com/v1.0/subscribedSkus with the Authorization header set to Bearer {token}, which will return the SKUs subscribed by my organization.
So far so good. :-)
Now the requirement is that I need to fetch the subscribed SKUs of one of the clients (let's say having the Azure AD tenant ID 'ABCDEFG') of my organization.
I can successfully do that by registering an app in the client's tenant 'ABCDEFG' with the same steps as above.
This approach is fine if my organization has, say, 1 or 2 clients.
However, if the number of clients is more than, say, 30, this approach of registering an application in each Azure AD instance is not feasible.
If the application that I registered in my organization's AAD was multi-tenant, how would that help me?
What will be the steps needed to obtain the access token for each tenant?
Can somebody assist with some detailed explanation?
Since you need application-level access, you would assign one of the Application permissions listed in the documentation for getting SKUs: https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/subscribedsku_list.
Directory.Read.All, Directory.ReadWrite.All
In this case you should require the Read Directory Data (Directory.Read.All) application permission.
Then you mark your app as multi-tenanted.
Now, in order for another org to use your app, they will have to be onboarded.
You will need some kind of page where their administrator can click a button/link to start using your app.
This should redirect the admin to:
https://login.microsoftonline.com/common/oauth2/authorize?client_id=your-client-id&prompt=admin_consent&response_type=code+id_token&redirect_uri=url-where-to-send-user-back
Once they sign in, they will be presented with a consent screen, where they can approve the permissions that your app requires.
If and when they do that, they will be redirected back to your app (to the URL you specified) and you can use the ID token to know which Azure AD tenant registered.
During this process a service principal for your app is created in their tenant, and the required permission is granted to it.
This means you can then get an access token for their tenant (using the same credentials) from:
https://login.microsoftonline.com/their-tenant-id/oauth2/token
Remember that access tokens are specific to an Azure AD tenant, so you will have to get an access token for each tenant.
One thing I would like to point out is that you should instead try to use delegated permissions if possible.
The application permission given here gives quite large access to your app, and some admins might not use your service for that reason alone.
Delegated permissions are more complex to handle, but allow your app to act on behalf of a user instead of purely as itself.
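
The onboarding and per-tenant token flow described in this answer, as an added example (not the answer's own code): the admin-consent link, reading the tenant ID out of the ID token that comes back, and then a client-credentials token request against each onboarded tenant's own /oauth2/token endpoint. CLIENT_ID, CLIENT_SECRET, REDIRECT_URI and the tenant IDs are hypothetical, the ID token and HTTP responses are constructed stand-ins so it runs offline, and the endpoints and parameters are the v1 ones the answer quotes.

```python
import base64
import io
import json
import re
import urllib.parse
import urllib.request

# Added example, not the answer's own code. CLIENT_ID, CLIENT_SECRET, REDIRECT_URI
# and the tenant ids below are hypothetical; endpoints and parameters are the v1
# ones quoted in the answer (/common/oauth2/authorize, /<tenant>/oauth2/token).
CLIENT_ID = "0a0a0a0a-1b1b-2c2c-3d3d-4e4e4e4e4e4e"
CLIENT_SECRET = "replace-me"
REDIRECT_URI = "https://app.example.test/onboard/callback"
LOGIN = "https://login.microsoftonline.com"
GRAPH = "https://graph.microsoft.com"
GUID = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")
TENANTS = ["11111111-1111-1111-1111-111111111111",   # constructed onboarded tenants
           "22222222-2222-2222-2222-222222222222"]


def admin_consent_url(state, nonce):
    """Link the customer's admin clicks. prompt=admin_consent grants the app's
    permissions tenant-wide; state and nonce tie the callback to this attempt."""
    q = {"client_id": CLIENT_ID, "prompt": "admin_consent",
         "response_type": "code id_token", "response_mode": "form_post",
         "redirect_uri": REDIRECT_URI, "state": state, "nonce": nonce}
    return LOGIN + "/common/oauth2/authorize?" + urllib.parse.urlencode(q)


def tenant_id_from_id_token(id_token, expected_nonce):
    """Read tid from the id_token posted back after consent. This only decodes
    and checks claims; verify the JWT signature against Azure AD's published
    signing keys before storing the tenant as onboarded."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed id_token")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded))
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("id_token not issued to this app")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (replayed or foreign id_token)")
    tid = claims.get("tid", "")
    if not GUID.match(tid):
        raise ValueError("tid claim missing or not a GUID")
    return tid


def token_request(tenant_id):
    """Client-credentials request for ONE tenant. Access tokens are tenant-bound,
    so the same client id/secret is presented once per onboarded tenant."""
    if not GUID.match(tenant_id):
        raise ValueError("tenant id must be a validated GUID, never raw input")
    body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": CLIENT_ID,
                                   "client_secret": CLIENT_SECRET,
                                   "resource": GRAPH}).encode()
    return urllib.request.Request(LOGIN + "/" + tenant_id + "/oauth2/token", data=body)


def subscribed_skus(tenant_id, http=urllib.request.urlopen):
    """Token for this tenant, then GET /v1.0/subscribedSkus with it."""
    with http(token_request(tenant_id)) as r:
        token = json.load(r)["access_token"]
    graph_req = urllib.request.Request(GRAPH + "/v1.0/subscribedSkus",
                                       headers={"Authorization": "Bearer " + token})
    with http(graph_req) as r:
        return json.load(r)["value"]


def skus_for_all_tenants(tenants, http=urllib.request.urlopen):
    """One token and one Graph call per tenant; a failure in one tenant
    (consent revoked, tenant gone) must not stop the others."""
    out = {}
    for tid in tenants:
        try:
            out[tid] = subscribed_skus(tid, http)
        except Exception as exc:   # urllib.error.HTTPError, KeyError, ...
            out[tid] = {"error": str(exc)}
    return out


# ---- constructed offline stand-ins so the flow can be exercised without Azure ----
def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


SAMPLE_ID_TOKEN = ".".join([_b64url({"alg": "RS256"}),
                            _b64url({"aud": CLIENT_ID, "tid": TENANTS[0], "nonce": "n-1"}),
                            "fake-signature"])


def fake_http(request):
    """Stand-in for urlopen returning canned JSON (constructed, not real responses)."""
    if request.full_url.endswith("/oauth2/token"):
        tid = request.full_url.split("/")[3]
        return io.BytesIO(json.dumps({"access_token": "tok-" + tid}).encode())
    tid = request.get_header("Authorization").split("tok-")[1]
    return io.BytesIO(json.dumps({"value": [{"skuPartNumber": "ENTERPRISEPACK",
                                              "tenant": tid, "consumedUnits": 7}]}).encode())
```

Two things in this flow are where mistakes usually land: the tenant ID that ends up in the /oauth2/token URL should come from a validated ID token, not from whatever the callback query string says, and the loop over tenants should expect individual tenants to fail, because an admin who revokes consent (or a deleted tenant) turns into an HTTP error for that tenant only.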

Azure AD for Staff Login and Azure B2C for Customer Login in one ASP.Net Application

I am working on an ASP.Net MVC application which will handle two types of users
External Users (Need to authenticate using Azure B2C with username as login instead of email as login)
Internal Users (which already exist in Corporate Azure AD)
What is the right way of implementing it?
One option is to run two separate instances of the application, each configured against one IdP, and keep each type of user tied to one app instance.
I tried to register AD and AD B2C in one app by registering two OpenIdConnect services, but I'm having problems when the user tries to access a resource without first logging into the application. Without knowing the type of user, I cannot specify the AuthenticationSchema in the Authorize tag.
I am sure people have done this before, so if you are someone who knows how to do it, please guide me.

Azure AD application only allowing admins

As you can see from the image, it's not letting regular users log in to the application. How do I bring down this access to members? This is an Azure Active Directory application. I can log in just fine with an admin user, but my regular accounts get blocked. Note, I created the application with the regular account. I don't suppose this has something to do with it?
I've granted the app all delegated permissions. No application permissions though. I'm thinking there's something in the manifest I need to alter but I'm not sure and I've never messed with this before. So any help is appreciated.
You likely need to perform admin consent for the application. There are two ways to do this in Azure AD:
In the Azure portal, you can go into the App Registrations blade, then click on the App, click on Permissions, and hit Grant Permissions.
Construct a request to Azure AD with the extra parameter &prompt=admin_consent.
For example:
https://login.microsoftonline.com/common/oauth2/authorize?client_id=<AppID>&resource=<Resource App ID URI>&response_type=code&redirect_uri=<Redirect URI>&prompt=admin_consent

Not being prompted for OAuth consent when logging into web application

I am writing a SPA web app that is registered as an app in Azure AD. Everything was working fine most of the week; however, when I went to work on it today, I wasn't getting the expected results.
I deleted and recreated the app registration, hoping it would fix the issue, but it made things worse. When I navigate to the URL, I'm redirected to log in to Azure AD. That part works fine. Since I just created the app registration, I would expect to be taken to a page to consent to the application, but instead I'm redirected back to my application.
I check the app registration in Azure, and it does not have me listed as a user of the application.
Because of all of this, I can't acquire tokens to call external APIs (which I have registered in my app registration).
I'm not sure why I am running into this all of a sudden. Any thoughts on why the OAuth consent is being bypassed? I'm starting to wonder if MSFT is having service issues or not, but more than likely, the problem is on my end.
Suggestions on how to troubleshoot are also welcomed!
There are two things you can do to give consent that will likely fix your app. From what it sounds like, your app isn't consenting before you use ADAL.js acquireToken (which is a silent call and can't consent).
Go into the Azure Portal > Azure AD > the app you registered, then at the top hit Grant Permissions. This is the equivalent of admin consent and will consent for all users in your tenant.
Run your app and hit login. When you get redirected to the Azure AD sign-in page, add &prompt=consent to the URL, hit enter to reload the page with that parameter, and sign in. This will force the consent screen and consent for the current user. You can also append prompt=admin_consent if you're signing in with an admin account.