I have a desktop bridge app (WPF) which package is signed with a code-signing certificate, how should I configure Azure Notification Hub to receive push notifications from this app?
Azure requires a Package SID and a Security Key that I haven't because the app is not distributed on the store.
Official answer from Microsoft:
Sadly it is not possible.
Azure notification hub requires the Package SID and a Security Key. You could get the Package SID and a Security Key even if your app is not published to the MS store.
But if you create the package using the code-signing certificate, the author in the manifest changes and notifications no longer arrive
Azure requires a Package SID and a Security Key that I haven't because the app is not distributed on the store.
To make the Azure Notification Hub send notification notification successfully, the Package SID and a Security Key is necessary. You could get the Package SID and a Security Key even if your app is not published to the MS store.
Please see the Create an app in Windows Store tutorial. In the step 3, click the 'Live Service Site', it will navigate directly to the Application Registration Portal. Sign in to your Microsoft account and select your application name, then you will see the Package SID and a Security Key on the page.
After that, right-click the packaged app project, select Store, and then select Associate App with the Store. You need to associate your project with the app that you created in the Windows Dev Center.
Related
I created a new ASP.NET Core 6.0 MVC web application, and I define it to use Azure AD for authentication, as follows:
Then I was asked to create an owned application, so I created one named "ad" as follows:
Inside my application's appsetting.json I have these settings:
{
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"Domain": "*****",
"TenantId": "***",
"ClientId": "***",
"CallbackPath": "/signin-oidc"
},
....
}
It seems Visual Studio did all the work for us.
But when I checked the "Certificate & Secrets" in the Azure portal, I found that there is not anything assigned:
So for the purpose to authenticate users inside my ASP.NET Core MVC web application, do we need to add "Certificate" or "Secrets"?
Thanks
When you only want to integrate Azure AD to make your users sign in your application with their microsoft account, no need to use Client secret here. You can see this section:
Credentials are used by confidential client applications that access a
web API
The API can be Microsoft graph API or your custom AP, I trust you will see this step when you connect your application to Azure identity platform in Visual Studio, this is the API:
If you pick up Graph API option, then you will see this step:
And this time, it will create Client Secret for you in Azure AD portal.
But when I checked the "Certificate & Secrets" in the Azure portal, I found that there is not anything assigned:
Initially I have added the Microsoft Identity Platform by selecting the Authentication type from the Template (same like what you have shown in Screenshot).
Publish the Application to Azure App Service.
First even I am unable to find the secrets under Certificate & Secrets in AAD.
To get the Certificates & Secrets in Azure Active Directory, we need to connect the Microsoft Identity platform under Service Dependencies from the Publish window.
Click on Connectand continue with the Next steps.
Now check in the Active Directory => App Registrations, you can see the Client secret is added.
Another option to add Microsoft Identity platform is, Instead of selecting the Authentication type in the template add directly from the Connected Services.
Goal:
Assign appropriate Azure SQL database privileges to App Service Web Site's system service principal (or better yet) the user assigned service principal.
Background:
After having followed along with Alexandre's tutorial on creating Azure SQL administrators I created a simple Blazor Server App that can insert entries into a simple Azure SQL resident table because the system assigned service principal of the Azure App Service Web site is an administrator for the Azure SQL database.
Problem:
Database administrator privileges are not appropriate or necessary for the Azure App Service Web site. I need to endow the Azure App Service Web site with minimal privileges (such as db_datawriter) to be consistent with Microsoft's recommend best practices.
What is Working (Updated):
I've been following along with Jesse's tutorial where he endows his account as the Azure SQL administrator and creates new accounts with limited roles like db_datareader and dt_datawriter and db_ddladmin. This was not working previously (when I first posted).
Tue May 24 2022 Update:
I started over again (with a new azure SQL database) following Jesse's tutorial and I can now
log into the Query Explorer
create a user
grant access to that user to update, select and insert into a table
Connect with SSMS with no password and access the database tables as that user
Run my blazor app and insert into the table as well (with no password!)
New Questions (Tue May 24 2022):
When I deploy my blazor app to Azure AppService Web app, it cannot connect.
How do I write bicep code to grant my azure app service resident blazor app access to my azure SQL database? I think I need to use the system assigned service principal for the web app (does this have a password?) and use SQLCMD.EXE to execute those CREATE USER and ALTER ROLE commands. How do I do that? The problem is that the system assigned service principal of the web app is not an active directory object. Conversely, "az ad user show" does not have a principalId I can use as a user assigned service principal that I could assign to the web app.
So when I am running on my desktop dev machine, DefaultAzureCredential is detecting that I am logged to Azure with the Microsoft account and I can debug my blazor app on my dev machine...
How do I configure Azure SQL to allow access from the Azure App Service web app as well as access from my desktop dev machine? This is easy to do with cosmos SQL and I'm thinking it should be possible with Azure SQL as well.
Thanks
Siegfried
This article I recently published should be able to help you: https://dev.to/azure/create-and-connect-to-an-azure-sql-db-9k0. And yes, this sentences you mentioned "it looks like this is the way to conform to the Microsoft recommend Best Practices of abandoning passwords in favor of service principals and managed identities", is definitely correct.
We are using the ADFS activity report to migrate our applications to AAD. Everything shows as Ready and when we click on the Ready link, the text says "We've detected on-premises settings for this relying party that can be migrated to a new Azure AD enterprise application. We'll map the fields and create the new application, but users won't be redirected to it until you say so." By the last statement, it seems like the application is automatically created now. Is that the case? If so, how long does it take to create the application and does it keep the same name as in ADFS?
• The message that you encountered “We've detected on-premises settings for this relying party that can be migrated to a new Azure AD enterprise application. We'll map the fields and create the new application, but users won't be redirected to it until you say so.” Means that the application is a SaaS application available in Enterprise application gallery in Azure AD. This does not in anyway mean that the application has been created automatically, it just means that the application is ready to be migrated to Azure AD and is fully available as a SaaS application in Azure AD gallery and doesn’t need any further relying party configuration migration from the on-premises ADFS server.
• Since the message is displayed only for SaaS apps readily available in Azure AD gallery and are equally configured as a relying party trust in ADFS, its configuration information is readily migrated through the ADFS Connect health application to Azure AD and it can be configured in the cloud itself with admin account access needed for the SaaS application’s account for SSO and SAML authentication configuration required through Azure AD.
You can find the image below for your reference, it shows the ‘Dropbox’ application as ready for migration from ADFS to Azure AD: -
Through the above option enabled, you can easily configure your application’s SSO configuration in Azure AD. If all the configurations are up and running, it will happen instantaneously within a few minutes of time.
Kindly refer to this link for more information on migrating federated apps from ADFS to Azure AD: -
https://github.com/AzureAD/Deployment-Plans/tree/master/ADFS%20to%20AzureAD%20App%20Migration
I think the report is still in preview and it is missing a create application button.
All the documentation only shows the reports & not the create process.
Also this migration tool, is a repackage of the powershell test commands:
https://github.com/AzureAD/Deployment-Plans/tree/master/ADFS%20to%20AzureAD%20App%20Migration
So I assume you need to create the application manually based on the report.
IdentityServer newbie here....
I am building a mobile app and would like to provide the end user the ability to sign in using SSO for users that have a corporate identity provider and my company as the identity provider for those that don't have an identity provider.
it's possible that over time we add more external identity providers.
We have an on premise identityServer4 already installed and configured and only using it for client credentials for our API->API communications.
We also have an Azure Active Directory tenant with all of our AD accounts (our internal corporate accounts).
Here is what I would like to do (if possible of course):
Have the mobile app (swift and android, but for now let's just discuss swift) be completely unaware of any external identity providers and have it point to our on-premise identity server for authentication.
Add external identity providers in identity server
Control what external identity providers we "add" all on the backend and not have the UI layer concerned with specific external providers, but have the identity server redirect accordingly.
Not bother the user to have to select which provider to use (if I am a corporate user with an external IDP configured, it should automatically take me to MY e-idp login page, if not then present my own login page)
I am also open to the idea of using Azure identity management as the identity provider and add external identity providers there.
What about Azure B2C?
Can someone please point me in the right direction?
thanks in advance!
You can check this app integrated with AppAuth for iOS. Link in GitHub
From Azure API Management developer portal, Can we create client id and secret automatically while each user creates application?
Basically i need to set up my AD tenant/B2C Tenant and while application creation happens from API Manangement development portal, Development portal should automatically/programmatically call to my configured AD tenant/B2C tenant and should create Application inside AD/B2C, the created application's client id and secret should be written.
Is this feature supported in Azure APIM developer portal or please suggest best away to achieve inside APIM developer portal.
Thanks in advance.
Vetrivel
Please note as informed in MSDN thread, as of now you may not be able to do it directly through Azure API Management. You can go ahead to log a feedback request here - http://aka.ms/apimwish.
For now, you can create separate application that would call both API Management API and AD API to setup required applications.