I have Azure B2C setup using OpenID Connect. I also have a local SQL Server database. I know that the id_token (Jtw token) can contain the logged-in user's email, so my question is how do I get the user's email from the id_token and use it to run queries?
From within an ASP.NET Core application, you can do the following:
var user = HttpContext.User;
var emailsClaim = user.FindFirst("emails");
var emails = JArray.Parse(emailsClaim);
var firstEmail = emails[0].value;
//firstEmail == “bob#gmail.com” based up the sample token
Sample Token
Related
Is there a way to find out if email address belongs to Azure Ad instance?
I have a list of email addresses of my customers and I have to figure out if they have azure ad instance.
I tried to reproduce the same in my environment and got the results like below:
To check if the User Emails belongs to the Azure AD Tenant, you can make use of PowerShell like below:
Connect-AzureAD
Get-AzureADUser -ObjectId User#XXX.onmicrosoft.com
If the User belongs to the connected Azure AD Tenant, then the user details will be retrieved otherwise it will throw an error like below:
You can also make use of the authorize endpoint to check if the user resides in the Azure AD Tenant.
For sample, when I use the below endpoint I get a sign-in screen.
https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?
&client_id=ClientID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=user.read
&state=12345
When I enter the user not belonging to the Azure AD Tenant, I get the below error:
If the User belongs to the Azure AD Tenant, then I get the redirect screen successfully like below:
Alternatively, you can also make use of Microsoft Graph API like below:
https://graph.microsoft.com/v1.0/users/user#xxx.onmicrosoft.com
For more in detail, refer below links:
Verify if user account exists in Azure Active Directory by Rohit Saigal
Check if an user is member of some Azure Active Directory Tenant by astaykov
I need to know if there is a possibility to get all Azure AD users using PowerApps or not.
You cannot get all Azure Ad users using PowerApps, whereas you can list the details of a single user or users within a group.
Make use of Azure Ad connector that needs administrative permissions for your account like below:
Group.ReadWrite.All
User.ReadWrite.All
Directory.ReadWrite.All
Connect Azure AD in the app,
Go to the Data tab -> Add data-> Search Azure AD -> Select Azure Ad connector -> Connect
To get users within a group, make use of below query:
Users= AzureAD.GetGroupMembers("Your_Group_ID").value
To get details of a User, make use of below query:
OnSelect = ClearCollect( colAzureUserDetails, AzureAD.GetUser(txtAzureID.Text) )
To know more details, please refer below links:
Power Apps Azure AD Group - SPGuides
Power Apps : Get users from Azure AD to Power Apps view to list table and refresh button for table - Stack Overflow
Is it possible to use Azure AD and Core Identity Roles together? Basically the user will log into the App using AD, which I have that done already. But as they use the app, thier roles will be based on the AspNetRoles and AspNetUsersRoles tables. I was thinking that I would have to use the ClaimsPrincipal factory to extend the claims object that is created when the user logs in.
By using the ASP.NET identity you can manage the user locally in your database, and user Azure AD as external identity provider which enable the AAD accounts to login in your application. You can identify the user and link it to the user in your local database. You can then also manage the roles with your local users and Azure AD users.
Read more here.
Create a new application with Individual User Accounts.
Install this package : Microsoft.AspNetCore.Authentication.AzureAD.UI
services.AddDbContext(options => options.UseSqlServer(
Configuration.GetConnectionString("DefaultConnection"))); services.AddDefaultIdentity() .AddEntityFrameworkStores();
services.AddAuthentication(sharedOptions => }).AddAzureAD(options =>
Configuration.Bind("AzureAd", options)).AddCookie();
Update appsettings.json "AzureAd": { "Instance": "https://login.microsoftonline.com/",
"Domain": "xxx.onmicrosoft.com", "TenantId": "xxxxxx-xxxxx-4f08-b544-b1eb456f228d",
"ClientId": "xxxxx-xxxxx-4717-9821-e4f718fbece4", "CallbackPath": "/signin-oidc",
"CookieSchemeName": "Identity.External" },
It depends on the user to choose login with local authentication or Azure AD Authentication.
I have setup Single-Sign on (SSO) using keycloak and saml/OpenID broking between a web application (using Kibana for testing) and IDP Azure AD.
Created few users and groups in Azure AD. Also configured attribute mapping to map the user/group roles from Azure AD to keycloak by following the below link,
https://keycloak.discourse.group/t/getting-groups-from-azure-active-directory-idp/590
I need to map the same user/groups roles to Kibana application as well. My requirement is while a user logs into Kibana using the Azure AD - Keycloak Single-Sign On authentication, he should be able to login using the same Azure AD user/group privileges, So there is no need to create separate user/group roles in Kibana.
Is it possible to configure it? Please suggest.
What you are looking for is group claim.
For group claim, you could add the users into different security Groups and include Groups claim in your token. You just need to modify the "groupMembershipClaims" field in application manifest:
"groupMembershipClaims": "SecurityGroup"
Then the token will contain the Ids of the groups that the use belongs to like below :
{
"groups": ["{group id}"]
}
App role can implement the same thing for you.
I want to use authContext.AcquireTokenAsync method to acquire an access token from Azure AD for access a storage account.
// Acquire an access token from Azure AD.
AuthenticationResult result = authContext.AcquireTokenAsync(ResourceId,
"<client-id>",
new Uri(#"<client-redirect-uri>"),
new PlatformParameters(PromptBehavior.Auto)).Result;
See Authenticate with Azure Active Directory from an application for access to blobs and queues (Preview).
According to the doc, I know that the ResourceId is https://storage.azure.com/ for public cloud. Are they different for national clouds?