Where to configure applications that appear in the account.activedirectory.windowsazure.com portal - azure-active-directory

I have created my custom AAD in Azure Portal and I have registered my web app, so that I can use AAD Authentication in the app.
What needs to be done in order to display the app in https://account.activedirectory.windowsazure.com/ portal in the Applications section?

You can manage the app's permissions here.
https://portal.azure.com - Azure Active Directory - Enterprise Applications - All Applications
https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AllApps/menuId/
Thanks,
prathaprabhu
COSMICOMPUTERS
Microsoft Partner

Related

Unable to set up single sign on for enterprise application in Azure AD

We installed an enterprise application through the Azure AD App Gallery. But when we try to configure the Single Sign-on, it keeps saying:
The single sign-on configuration is not available for this application
in the Enterprise applications experience. HubSpot is a multi-tenant
application and the application is owned by another tenant.
Do we need to change some settings to allow the setup of Single sign-on?
We followed this tutorial but are now stuck on "Configure Azure AD SSO".
When you add the HubSpot application from the Azure AD Enterprise application gallery like below, you should be able to see whether the SSO setting is available and the ways SSO can be supported. (Here I am able to use SAML-based SSO or linked SSO.)
Then you should be able to edit the SAML configuration.
For me, when I search for the HubSpot app created in App registrations, it's under the supported account type of my organization only.
Please check whether the app is registered and added as a multi-tenant app in your case; users have to use the login for the particular tenant instead of common to avoid the error.
Also, user accounts need to be pre-provisioned into HubSpot prior to sign-in.
Reference:
Sign in with My Apps portal and Azure AD SSO in multi tenants application - Stack Overflow

How do I turn on provisioning for our Enterprise application in azure AD without being in the gallery?

I created an Application Registration on our Azure AD.
I then use the application registration id to create an "Enterprise Application" in our customers' ADs.
It goes like this:
Their admin signs into our system and clicks connect AD.
We send a challenge (OpenID Connect) that allows them to sign into their Microsoft account.
This creates our application under "Enterprise Applications" in their AD and it then works fine with SSO.
So far so good. But now we want to add the next logical step, provisioning with SCIM v2. However, if I browse to our app under Enterprise Applications on a customer/test AD and then click Provisioning, I see the following:
There is no way to hook up provisioning no matter if I support Scim2 as required.
Why is this? Does our app need to be in the gallery for this to work?
I noticed I can go to Enterprise Applications > New application > Non-gallery application and create a new application. This will then work with provisioning.
But then our customers would need two apps, one from our app registration that does SSO and one more for provisioning. I would like one app to do both.
Your app needs to be in the gallery to have provisioning enabled. Barring that, the only other option is what you've already described - a custom non-gallery app.
To get your app in the gallery, see https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-howto-app-gallery-listing

What is the currently working and correct way to set up an Azure Application that allows MSA signin?

Scenario:
(Azure-hosted) Web App. Users should be able to sign in to my app using a Microsoft Account (i.e. @live.com, @hotmail.com, etc. accounts) that has one or more Azure subscriptions. The application would then allow them to view and manage their Azure resources in specific ways through my app.
Points of confusion/frustration:
ADAL vs MSAL for authentication
Azure AD vs Azure AD B2C for the tenant hosting the application
Where do you register the tenant app? In the AD B2C under "App Registrations"? In a regular AD under "App Registrations (Preview)"? On the App Registration Portal (i.e. apps.dev.microsoft.com)?
Which of the above client ID & secret do you use in the web app (in the .config file)?
The documentation for none of these seems to cover the scenario end-to-end and most of it is completely out of sync with other developments.
I am hoping here to get some point of guidance from other developers that have actually gone through this journey themselves (rather than folks that just read the documentation). Specifically, I am hoping to get answers from the Azure CXP team that monitors these questions and provides official & supported answers.
Your scenario requires access to Azure APIs, thus you have to make the logins against "regular" AAD, not B2C.
You can't make your logins against MSA accounts directly as they must be members of an AAD to have access to subscriptions.
You can use either ADAL or MSAL to handle the authentication.
Note you must use v2.0 endpoint for MSAL and the "v1" endpoint for ADAL.
See limitations of the v2 endpoint here: https://learn.microsoft.com/en-us/azure/active-directory/develop/azure-ad-endpoint-comparison.
You register it under Azure portal -> Azure Active Directory -> App registrations.
You can also use the preview version if you want.
You will need the application id (= client id) + a key (secret) from the app registration.

How long will it take for apps registered in the v2 app portal to show up in Enterprise Applications in the Azure portal?

Registered an app in the v2 portal apps.dev.microsoft.com; it says 'This application will be registered in the Azure Active Directory instance used to manage your account'. Now 3 hours have passed, and when I go to the 'enterprise applications' tab in Azure portal - Active Directory, I still didn't see it there. Why? How long will it take?
The enterprise applications blade represents Service Principals, rather than applications. Here's an excellent doc that walks through details of the difference between an application & service principal.
A Service Principal can be thought of as an instantiation of your application into the tenant. In the example of multi-tenancy, you as an app developer may register an application, then have multiple tenants sign in & consent to the app. At that point, each of those tenants will get a Service Principal provisioned into their tenant and it will show up in the Enterprise Apps section.
To prompt a Service Principal to be provisioned in the same tenant as the app registration, you simply need to complete a sign in request and consent to the application. It should show up after that.

Multi-tenant API application never shows up in other directory

I have a multi-tenant Web API application (created through Ibiza AAD UX) that never shows up in other AAD tenants for granting permissions. I made sure to mark "Multi-tenanted = Yes" during property definition of the AAD application.
Any help to troubleshoot this will be appreciated.
Thanks,
Rao
When a new user in another tenant signs into the multi-tenant app and consents, a service principal (not an app object) is provisioned into the tenant. The Azure Portal (as you said Ibiza UX) App Registrations blade represents application objects.
You can check out the Service Principals in a tenant using a couple of techniques, but the easiest is through the Enterprise Apps blade in the Azure Portal or using the Microsoft Graph Explorer and running a query on /servicePrincipals.
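
The application object versus service principal distinction in the answers above, as an added example that is not part of the original posts: it builds the Microsoft Graph /servicePrincipals query for one application (client) id and interprets the result for a tenant, including the "owned by another tenant" case from the HubSpot question. The tenant id, app id and response bodies are constructed samples, and the function names are hypothetical.

```python
import json
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed sample values and response bodies (not from the page).
TENANT_ID = "aaaaaaaa-0000-0000-0000-000000000001"
APP_ID = "bbbbbbbb-0000-0000-0000-000000000002"
NOT_CONSENTED = '{"value": []}'
OWN_APP = json.dumps({"value": [{"id": "sp-object-1", "appId": APP_ID,
    "displayName": "Contoso Web", "appOwnerOrganizationId": TENANT_ID}]})
VENDOR_APP = json.dumps({"value": [{"id": "sp-object-2", "appId": APP_ID,
    "displayName": "Vendor SaaS",
    "appOwnerOrganizationId": "cccccccc-0000-0000-0000-000000000003"}]})


def sp_lookup_url(app_id):
    """Graph query for the service principal that backs a given client id."""
    flt = quote(f"appId eq '{app_id}'")
    fields = "id,appId,displayName,appOwnerOrganizationId"
    return f"{GRAPH}/servicePrincipals?$filter={flt}&$select={fields}"


def classify(response_body, tenant_id):
    """Interpret a /servicePrincipals response for one appId in one tenant."""
    matches = json.loads(response_body).get("value", [])
    if not matches:
        # The app registration alone creates no service principal; one appears
        # only after a sign-in and consent in this tenant.
        return {"provisioned": False, "object_id": None, "owner": None}
    sp = matches[0]
    owner_tenant = (sp.get("appOwnerOrganizationId") or "").lower()
    return {
        "provisioned": True,
        "object_id": sp["id"],
        # "foreign": the app object lives in another tenant, so settings that
        # belong to the registration cannot be edited from this tenant.
        "owner": "home" if owner_tenant == tenant_id.lower() else "foreign",
    }


if __name__ == "__main__":
    print(sp_lookup_url(APP_ID))
    for label, body in [("no consent yet", NOT_CONSENTED),
                        ("own app", OWN_APP), ("vendor app", VENDOR_APP)]:
        print(label, classify(body, TENANT_ID))
```
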
