From Azure API Management developer portal, Can we create client id and secret automatically while each user creates application?
Basically i need to set up my AD tenant/B2C Tenant and while application creation happens from API Manangement development portal, Development portal should automatically/programmatically call to my configured AD tenant/B2C tenant and should create Application inside AD/B2C, the created application's client id and secret should be written.
Is this feature supported in Azure APIM developer portal or please suggest best away to achieve inside APIM developer portal.
Thanks in advance.
Vetrivel
Please note as informed in MSDN thread, as of now you may not be able to do it directly through Azure API Management. You can go ahead to log a feedback request here - http://aka.ms/apimwish.
For now, you can create separate application that would call both API Management API and AD API to setup required applications.
Related
I created a new ASP.NET Core 6.0 MVC web application, and I define it to use Azure AD for authentication, as follows:
Then I was asked to create an owned application, so I created one named "ad" as follows:
Inside my application's appsetting.json I have these settings:
{
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"Domain": "*****",
"TenantId": "***",
"ClientId": "***",
"CallbackPath": "/signin-oidc"
},
....
}
It seems Visual Studio did all the work for us.
But when I checked the "Certificate & Secrets" in the Azure portal, I found that there is not anything assigned:
So for the purpose to authenticate users inside my ASP.NET Core MVC web application, do we need to add "Certificate" or "Secrets"?
Thanks
When you only want to integrate Azure AD to make your users sign in your application with their microsoft account, no need to use Client secret here. You can see this section:
Credentials are used by confidential client applications that access a
web API
The API can be Microsoft graph API or your custom AP, I trust you will see this step when you connect your application to Azure identity platform in Visual Studio, this is the API:
If you pick up Graph API option, then you will see this step:
And this time, it will create Client Secret for you in Azure AD portal.
But when I checked the "Certificate & Secrets" in the Azure portal, I found that there is not anything assigned:
Initially I have added the Microsoft Identity Platform by selecting the Authentication type from the Template (same like what you have shown in Screenshot).
Publish the Application to Azure App Service.
First even I am unable to find the secrets under Certificate & Secrets in AAD.
To get the Certificates & Secrets in Azure Active Directory, we need to connect the Microsoft Identity platform under Service Dependencies from the Publish window.
Click on Connectand continue with the Next steps.
Now check in the Active Directory => App Registrations, you can see the Client secret is added.
Another option to add Microsoft Identity platform is, Instead of selecting the Authentication type in the template add directly from the Connected Services.
I am looking to implement Azure AD B2C into my web application for user authentication.
However, I am unsure of the desired practice when you have a separate frontend from backend.
Frontend: React JS web application running on Node.js
Backend: ASP.NET Core 6 API application
Server: Microsoft SQL Server
I would like to also have users / user information stored in the database upon creation. This is because I need to reference these users in several different relational tables.
What is the best workflow with this?
Azure AD B2C is implemented in frontend. When a user is created, an API request is sent to the backend to create the user in the database. If it is successful, a user cookie is created on the frontend for authentication.
Azure AD B2C is implemented in the backend. When a user is submitted in the frontend, an API request is sent to the backend where the Azure AD B2C service creates a user, stores it in the database, and sends a callback to the frontend signifying the action was either successful / unsuccessful, along with a user cookie for authentication.
other
I am new to authentication cookies, and user sessions, so any documentation provided regarding that would be greatly appreciated.
• I would suggest you use ASP .NET MVC 2 or another version as the front-end client and integrate Azure AD B2C tenant and an app registered in it as described in the document below. Once you have the Azure AD B2C tenant registered and the required application for authentication configured, configure the custom policies and user flow accordingly. Once those are done, then secure that application with Azure AD B2C for login and authentication with guest authentication. Then, ensure that your backend application is integrated with Azure SQL or cosmos DB for storing the details of all the users signed in with the Azure AD B2C. For that purpose, you will have to give Azure AD B2C application registration, the required permissions for that concerned Azure resource for allowing to access the same and retrieve the user details from it. Thus, in this way, you can configure your application accordingly.
Kindly refer to the link below for more information and details on configuring the infrastructure for the same: -
https://www.codeproject.com/Articles/1121503/Integrate-Azure-AD-B-C-with-ASP-NET-MVC-Web-App-Pa
https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-authentication-sample-web-app?tabs=visual-studio
Goal:
Assign appropriate Azure SQL database privileges to App Service Web Site's system service principal (or better yet) the user assigned service principal.
Background:
After having followed along with Alexandre's tutorial on creating Azure SQL administrators I created a simple Blazor Server App that can insert entries into a simple Azure SQL resident table because the system assigned service principal of the Azure App Service Web site is an administrator for the Azure SQL database.
Problem:
Database administrator privileges are not appropriate or necessary for the Azure App Service Web site. I need to endow the Azure App Service Web site with minimal privileges (such as db_datawriter) to be consistent with Microsoft's recommend best practices.
What is Working (Updated):
I've been following along with Jesse's tutorial where he endows his account as the Azure SQL administrator and creates new accounts with limited roles like db_datareader and dt_datawriter and db_ddladmin. This was not working previously (when I first posted).
Tue May 24 2022 Update:
I started over again (with a new azure SQL database) following Jesse's tutorial and I can now
log into the Query Explorer
create a user
grant access to that user to update, select and insert into a table
Connect with SSMS with no password and access the database tables as that user
Run my blazor app and insert into the table as well (with no password!)
New Questions (Tue May 24 2022):
When I deploy my blazor app to Azure AppService Web app, it cannot connect.
How do I write bicep code to grant my azure app service resident blazor app access to my azure SQL database? I think I need to use the system assigned service principal for the web app (does this have a password?) and use SQLCMD.EXE to execute those CREATE USER and ALTER ROLE commands. How do I do that? The problem is that the system assigned service principal of the web app is not an active directory object. Conversely, "az ad user show" does not have a principalId I can use as a user assigned service principal that I could assign to the web app.
So when I am running on my desktop dev machine, DefaultAzureCredential is detecting that I am logged to Azure with the Microsoft account and I can debug my blazor app on my dev machine...
How do I configure Azure SQL to allow access from the Azure App Service web app as well as access from my desktop dev machine? This is easy to do with cosmos SQL and I'm thinking it should be possible with Azure SQL as well.
Thanks
Siegfried
This article I recently published should be able to help you: https://dev.to/azure/create-and-connect-to-an-azure-sql-db-9k0. And yes, this sentences you mentioned "it looks like this is the way to conform to the Microsoft recommend Best Practices of abandoning passwords in favor of service principals and managed identities", is definitely correct.
We are using the ADFS activity report to migrate our applications to AAD. Everything shows as Ready and when we click on the Ready link, the text says "We've detected on-premises settings for this relying party that can be migrated to a new Azure AD enterprise application. We'll map the fields and create the new application, but users won't be redirected to it until you say so." By the last statement, it seems like the application is automatically created now. Is that the case? If so, how long does it take to create the application and does it keep the same name as in ADFS?
• The message that you encountered “We've detected on-premises settings for this relying party that can be migrated to a new Azure AD enterprise application. We'll map the fields and create the new application, but users won't be redirected to it until you say so.” Means that the application is a SaaS application available in Enterprise application gallery in Azure AD. This does not in anyway mean that the application has been created automatically, it just means that the application is ready to be migrated to Azure AD and is fully available as a SaaS application in Azure AD gallery and doesn’t need any further relying party configuration migration from the on-premises ADFS server.
• Since the message is displayed only for SaaS apps readily available in Azure AD gallery and are equally configured as a relying party trust in ADFS, its configuration information is readily migrated through the ADFS Connect health application to Azure AD and it can be configured in the cloud itself with admin account access needed for the SaaS application’s account for SSO and SAML authentication configuration required through Azure AD.
You can find the image below for your reference, it shows the ‘Dropbox’ application as ready for migration from ADFS to Azure AD: -
Through the above option enabled, you can easily configure your application’s SSO configuration in Azure AD. If all the configurations are up and running, it will happen instantaneously within a few minutes of time.
Kindly refer to this link for more information on migrating federated apps from ADFS to Azure AD: -
https://github.com/AzureAD/Deployment-Plans/tree/master/ADFS%20to%20AzureAD%20App%20Migration
I think the report is still in preview and it is missing a create application button.
All the documentation only shows the reports & not the create process.
Also this migration tool, is a repackage of the powershell test commands:
https://github.com/AzureAD/Deployment-Plans/tree/master/ADFS%20to%20AzureAD%20App%20Migration
So I assume you need to create the application manually based on the report.
Instead of using the Azure developer portal we are using Salesforce Experience cloud to integrate with Azure APIM. We have set up Azure AD as the identity provider in Salesforce and SSO for Salesforce with Azure AD as identity provider works fine. However we are not able to have a seemless integration with APIM from Salesforce and need assistance on what configurations with respect to tokens etc need to be explicitly passed from Salesforce in order to talk to APIM. With the ID token derived from Salesforce after the successful Azure Active Directory authentication / authorization we are unable to make successful restful callouts to APIM identity from Salesforce. We have looked at https://lekkimworld.com/2019/11/18/using-an-auth-provider-and-named-credentials-in-salesforce-with-azure-oauth/ however would really appreciate pointers on how to do a seamless single sign on from Salesforce to APIM.
Thanks.