I am trying to add a new application to my Azure AD to use for my Xamarin Forms mobile app, but when I select Native app and finish the creation it does not show up under App Registrations. It does show up under Enterprise Applications, but with a subset of functionality it seems: for example, I cannot add users to the application and I cannot add reply URLs, etc. What could cause this behaviour?
Make sure you set the new filter to All Apps instead of My Apps.
Then it will show all Applications in the tenant.
I'm creating an app registration for Azure AD using my admin account (specifically for Mobile and desktop applications authentication). I intend to create an AAD Conditional Access that will be applied to the created app registration. For some reason the App Registration is not visible on the cloud app selection when I am trying to select it.
Screenshot - Conditional Access > Policy > Cloud apps or actions > Select apps
P.S. It showed on the cloud apps when I tried adding a "Web" platform on the app registration, but still CA is not applied when trying to login using the App Registration. Am I missing anything? Thanks in advance.
Screenshot - AAD - Sign-Ins
Please note that the CA policy is applied when a client calls a service. It's not applied directly to a client (public/native) application.
See the Note tip here.
Since Conditional Access policy sets the requirements for accessing a service you are not able to apply it to a client (public/native) application. In other words, the policy is not set directly on a client (public/native) application, but is applied when a client calls a service. For example, a policy set on SharePoint service applies to the clients calling SharePoint. A policy set on Exchange applies to the attempt to access the email using Outlook client. That is why client (public/native) applications are not available for selection in the Cloud Apps picker and Conditional Access option is not available in the application settings for the client (public/native) application registered in your tenant.
It also explains why CA is not applied when you tried to login using the App Registration -- you didn't call a service.
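The scoping rule in the quoted note can be made concrete with a small evaluator. This is an added illustration, not code from the answer and not Microsoft's policy engine; the policy dictionaries follow the Microsoft Graph conditionalAccessPolicy shape as assumed here (conditions.applications.includeApplications/excludeApplications, conditions.users.includeUsers/excludeUsers, grantControls.builtInControls), and every GUID and sign-in event is a constructed sample value. The point it shows is that a policy is matched against the resource a token is requested for, so a policy that names the mobile client never fires, while one that names the API the client calls does.

```python
"""Simplified evaluator for the scoping rule in the quoted note: a Conditional
Access policy is matched against the service (resource) a token is requested
for, never against the client application that asks for it.

Added illustration, not Microsoft's policy engine. The policy dicts follow the
Microsoft Graph conditionalAccessPolicy shape as assumed here; every GUID and
sign-in below is a constructed sample value.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

ALL = "All"  # the "All cloud apps" / "All users" selector


@dataclass(frozen=True)
class SignIn:
    user_id: str
    client_app_id: str               # the public/native registration making the request
    resource_app_id: Optional[str]   # the service whose token is requested; None = bare sign-in to the client


def _in_scope(target: Optional[str], include: List[str], exclude: List[str]) -> bool:
    """Exclusions win over inclusions; a missing target never matches."""
    if target is None or target in exclude:
        return False
    return ALL in include or target in include


def policy_applies(policy: dict, event: SignIn) -> bool:
    if policy.get("state") != "enabled":
        return False
    apps = policy["conditions"]["applications"]
    users = policy["conditions"]["users"]
    # Note the first argument: the resource, not event.client_app_id.
    return (_in_scope(event.resource_app_id, apps.get("includeApplications", []), apps.get("excludeApplications", []))
            and _in_scope(event.user_id, users.get("includeUsers", []), users.get("excludeUsers", [])))


def required_controls(policies: List[dict], event: SignIn) -> Set[str]:
    """Union of grant controls (e.g. "mfa") from every policy that matches the sign-in."""
    controls: Set[str] = set()
    for policy in policies:
        if policy_applies(policy, event):
            controls.update(policy["grantControls"]["builtInControls"])
    return controls


def _mfa_policy(name: str, include_apps: List[str], exclude_apps: List[str] = ()) -> dict:
    """Build an enabled require-MFA policy for all users over the given app scope."""
    return {
        "displayName": name,
        "state": "enabled",
        "conditions": {
            "applications": {"includeApplications": list(include_apps), "excludeApplications": list(exclude_apps)},
            "users": {"includeUsers": [ALL], "excludeUsers": []},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


# Constructed ids: the native/mobile registration from the question and the API it calls.
NATIVE_APP = "11111111-1111-4111-8111-111111111111"
API_APP = "22222222-2222-4222-8222-222222222222"
USER = "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa"

# The policy the question tried to build: it names the client, so nothing ever matches it.
POLICY_ON_CLIENT = _mfa_policy("MFA on the mobile client (ineffective)", [NATIVE_APP])
# The policy the note recommends: name the service the client calls.
POLICY_ON_API = _mfa_policy("MFA when calling the API", [API_APP])
# Exclusion example: every app except the API.
POLICY_ALL_BUT_API = _mfa_policy("MFA everywhere except the API", [ALL], [API_APP])


if __name__ == "__main__":
    token_request = SignIn(USER, NATIVE_APP, API_APP)
    print("client-scoped policy, API token request ->", required_controls([POLICY_ON_CLIENT], token_request))
    print("service-scoped policy, API token request ->", required_controls([POLICY_ON_API], token_request))
    print("bare sign-in to the client ->",
          required_controls([POLICY_ON_CLIENT, POLICY_ON_API], SignIn(USER, NATIVE_APP, None)))
```

The bare sign-in case is the one from the question's P.S.: logging in to the app registration itself requests no service token, so no policy has anything to evaluate. Real evaluation also considers platforms, locations, client app types and risk, which this model leaves out.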
I created an Application Registration on our Azure AD.
I then use the application registration id to create an "Enterprise Application" in our customers' ADs.
It goes like this:
Their admin signs into our system and clicks connect AD.
We send a challenge (OpenID Connect) that allows them to sign into their Microsoft account.
This creates our application under "Enterprise Applications" in their AD and it then works fine with SSO.
So far so good. But now we want to add the next logical step, provisioning with SCIM v2. However, if I browse on a customer/test AD to our app under Enterprise Applications and then click Provisioning, I see the following:
There is no way to hook up provisioning, no matter that I support SCIM 2 as required.
Why is this? Does our app need to be in the gallery for this to work?
I noticed I can go to Enterprise Applications > New application > Non-gallery application and create a new application. This will then work with provisioning.
But then our customers would need two apps, one from our app registration that does SSO and one more for provisioning. I would like one app to do both.
Your app needs to be in the gallery to have provisioning enabled. Barring that, the only other option is what you've already described - a custom non-gallery app.
To get your app in the gallery, https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-howto-app-gallery-listing
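Whether the app is listed in the gallery or added as a non-gallery application, the provisioning service itself talks SCIM 2.0 to your endpoint, so the work on your side is the same. The following is an added example, not code from the question's product or from Microsoft: a minimal in-memory /Users resource handling the request shapes Azure AD provisioning is known to use (a filtered GET by userName before each create, a POST to create, and a PATCH that replaces `active` to deprovision), following RFC 7643/7644. The bearer secret, user payloads and the `handle(method, path, headers, query, body)` entry point are constructed for the example; in a real service the same logic sits behind your web framework's routing.

```python
"""Minimal in-memory SCIM 2.0 /Users handler of the kind Azure AD's provisioning
service (gallery or non-gallery app) talks to. Added illustration; request
shapes follow RFC 7643/7644, everything else is constructed sample data.
"""
import hmac
import re
import uuid
from typing import Optional, Tuple

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"

# The lookup provisioning issues before creating a user: filter=userName eq "value"
EQ_FILTER = re.compile(r'^\s*(\w+)\s+eq\s+"((?:[^"\\]|\\.)*)"\s*$', re.IGNORECASE)


def parse_eq_filter(expr: str) -> Tuple[str, str]:
    """Parse the one filter form provisioning uses; anything else is rejected."""
    m = EQ_FILTER.match(expr)
    if not m:
        raise ValueError("unsupported filter: " + expr)
    return m.group(1), m.group(2).replace('\\"', '"')


def _truthy(value) -> bool:
    # "active" may arrive as a bool or as the string "True"/"False".
    return value if isinstance(value, bool) else str(value).lower() == "true"


class ScimUsers:
    """In-memory /Users resource guarded by the long-lived secret token that is
    pasted into the app's Provisioning blade."""

    def __init__(self, secret_token: str):
        self._secret = secret_token
        self._users = {}  # id -> SCIM user dict

    def _authorized(self, headers: dict) -> bool:
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        # Constant-time comparison: this secret is the only thing protecting the endpoint.
        return scheme.lower() == "bearer" and hmac.compare_digest(token, self._secret)

    @staticmethod
    def _error(status: int, detail: str, scim_type: Optional[str] = None):
        body = {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}
        if scim_type:
            body["scimType"] = scim_type
        return status, body

    def handle(self, method: str, path: str, headers: dict, query=None, body=None):
        """Dispatch one request; returns (http_status, json_body)."""
        if not self._authorized(headers):
            return self._error(401, "invalid bearer token")
        if path == "/Users" and method == "GET":
            return self._list(query or {})
        if path == "/Users" and method == "POST":
            return self._create(body or {})
        m = re.fullmatch(r"/Users/([0-9a-f-]{36})", path)
        if m and m.group(1) in self._users:
            if method == "GET":
                return 200, self._users[m.group(1)]
            if method == "PATCH":
                return self._patch(m.group(1), body or {})
        return self._error(404, "resource not found")

    def _list(self, query: dict):
        users = list(self._users.values())
        if "filter" in query:
            try:
                attr, value = parse_eq_filter(query["filter"])
            except ValueError as exc:
                return self._error(400, str(exc), "invalidFilter")
            if attr.lower() not in ("username", "externalid"):
                return self._error(400, "filter attribute not supported", "invalidFilter")
            key = "userName" if attr.lower() == "username" else "externalId"
            # userName is caseExact=false in the core schema, so compare case-insensitively.
            users = [u for u in users if (u.get(key) or "").lower() == value.lower()]
        return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(users),
                     "startIndex": 1, "itemsPerPage": len(users), "Resources": users}

    def _create(self, body: dict):
        user_name = body.get("userName")
        if not user_name:
            return self._error(400, "userName is required", "invalidValue")
        if any(u["userName"].lower() == user_name.lower() for u in self._users.values()):
            return self._error(409, "userName already exists", "uniqueness")
        user = {"schemas": [USER_SCHEMA], "id": str(uuid.uuid4()), "userName": user_name,
                "externalId": body.get("externalId"), "displayName": body.get("displayName"),
                "active": _truthy(body.get("active", True))}
        self._users[user["id"]] = user
        return 201, user

    def _patch(self, user_id: str, body: dict):
        user = self._users[user_id]
        for op in body.get("Operations", []):
            # Deprovisioning arrives as {"op": "Replace", "path": "active", "value": "False"}
            if op.get("op", "").lower() == "replace" and op.get("path") == "active":
                user["active"] = _truthy(op.get("value"))
            elif op.get("op", "").lower() == "replace" and op.get("path") == "displayName":
                user["displayName"] = op.get("value")
            else:
                return self._error(400, "unsupported patch operation", "invalidPath")
        return 200, user
```

Two details matter for a provisioning target: the 409 with `scimType: uniqueness` on a duplicate userName lets the provisioning service reconcile instead of creating a second account, and deactivation is a PATCH on `active` rather than a DELETE, so a deprovisioned user keeps their record but can no longer sign in.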
I registered an app in the v2 endpoint (apps.dev.microsoft.com); however, in the Azure portal I cannot see the 'user and group' option where I would like to control access by security groups. Is this feature supported?
This is because the app you created is a Native App.
I did a test and found that when you register a Native App and grant permissions to it, it appears under Enterprise Applications without Users and Groups, just like this:
Native client registrations are multi-tenant by default. You don't need to take any action to make a native client application registration multi-tenant.
If you want to have the Users and Groups section, you need to register Web app/API application.
Hope this helps!
Yes, this is supported - Applications created in the Application Registration Portal (v2) will show up in portal.azure.com under Enterprise Apps and you should be able to assign permissions to it.
It is likely that you are not seeing this because you are not signed in as Tenant Admin.
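Every question on this page comes back to the two objects behind an app in Azure AD: the application object shown under App registrations and the service principal shown under Enterprise applications. The following added example (not code from any of the answers, and not Microsoft's portal logic) models that split for the three situations above: the My apps/All apps filter that hides registrations you do not own, the native versus web classification that decides what the registration can do, and the service principal an app registered in another tenant leaves behind after consent, which is what the customer-tenant walkthrough above creates. Field names are modelled on the Microsoft Graph application and servicePrincipal resources as assumed here (signInAudience, publicClient/web redirect URIs, isFallbackPublicClient, owners, appOwnerOrganizationId, appRoleAssignmentRequired); all ids and records are constructed sample data.

```python
"""Application object (App registrations) versus service principal (Enterprise
applications), and what each one lets an admin see or change.

Added illustration, not Microsoft's portal code. Field names are modelled on the
Graph application and servicePrincipal resources as assumed here; all ids and
records are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Application:
    """One entry under App registrations."""
    app_id: str
    display_name: str
    sign_in_audience: str   # AzureADMyOrg | AzureADMultipleOrgs | AzureADandPersonalMicrosoftAccount
    public_client_redirects: List[str] = field(default_factory=list)  # "Mobile and desktop" platform
    web_redirects: List[str] = field(default_factory=list)            # "Web" platform
    is_fallback_public_client: bool = False
    owner_ids: List[str] = field(default_factory=list)


@dataclass
class ServicePrincipal:
    """One entry under Enterprise applications."""
    app_id: str
    app_owner_organization_id: str        # tenant that holds the application object
    app_role_assignment_required: bool = False   # "User assignment required?"


def app_registrations_view(apps: List[Application], signed_in_user_id: str, show_all: bool) -> List[Application]:
    """'My apps' lists only registrations the signed-in user owns; 'All apps' lists every one in the tenant."""
    return [a for a in apps if show_all or signed_in_user_id in a.owner_ids]


def is_public_client(app: Application) -> bool:
    """A native/mobile registration: public-client redirect URIs (or the fallback flag) and no web platform.
    Public clients cannot keep a secret, so the registration proves nothing about who is running the app."""
    return (bool(app.public_client_redirects) or app.is_fallback_public_client) and not app.web_redirects


def review_enterprise_apps(sps: List[ServicePrincipal], apps: List[Application], tenant_id: str) -> List[dict]:
    """Per service principal: whether its registration lives in this tenant (and is therefore editable
    here), whether it is a public client, and whether any user can sign in without being assigned."""
    local = {a.app_id: a for a in apps}
    findings = []
    for sp in sps:
        registered_here = sp.app_owner_organization_id == tenant_id and sp.app_id in local
        public: Optional[bool] = is_public_client(local[sp.app_id]) if registered_here else None
        findings.append({
            "appId": sp.app_id,
            # Reply URLs, secrets and platform settings live on the application object. An app
            # consented in from another tenant has only its service principal here, so those are
            # not editable from this tenant; review such entries as third-party access.
            "registered_in_this_tenant": registered_here,
            "public_client": public,
            "assignment_required": sp.app_role_assignment_required,
        })
    return findings


# Constructed sample tenant: a native app, a web API, and a vendor's multi-tenant app consented in.
TENANT = "tenant-a"
APPS = [
    Application("app-native", "Xamarin mobile", "AzureADMyOrg",
                public_client_redirects=["msal-example://auth"], owner_ids=["user-1"]),
    Application("app-web", "Portal API", "AzureADMyOrg",
                web_redirects=["https://localhost/signin-oidc"], owner_ids=["user-2"]),
]
SPS = [
    ServicePrincipal("app-native", TENANT),
    ServicePrincipal("app-web", TENANT, app_role_assignment_required=True),
    ServicePrincipal("vendor-sso", "tenant-of-vendor"),
]

if __name__ == "__main__":
    print("My apps for user-1:", [a.display_name for a in app_registrations_view(APPS, "user-1", show_all=False)])
    print("All apps:", [a.display_name for a in app_registrations_view(APPS, "user-1", show_all=True)])
    for f in review_enterprise_apps(SPS, APPS, TENANT):
        print(f)
```

The last loop is the check an admin of the customer tenant would run: the vendor's entry shows `registered_in_this_tenant: False` and `assignment_required: False`, meaning its registration cannot be edited from here and any user in the tenant can sign in to it until assignment is required on the service principal.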
I've read in some IS4 issues recently, e.g. here, that hosting IS4 and a client in the same web application is not a tested or recommended scenario. Does this also apply for when integrating AspNet Identity's logged-in workflows into IS4?
For example, it's understood that AspNet Identity's Account feature's controller, models and views from AspNet Identity are required so that IdentityServer4.AspNetIdentity code can initiate the relevant UI, but is it okay to leave the Manage controller in the same web application so as to provide a self-service feature, or should this functionality be moved to a separate web application?
For IS3 I created a separate web app that contained user profile functions (Manage controller), plus admin for the IS3 configuration and user management. This app was configured as a client and the IS3 web app itself had no client config or logged-in workflows. Is this the preferred architecture for re-using the Manage controller functionality?
Ideally, I'd like to keep AspNet Identity functionality together with IS4 in the one web app and have a separate web app for admin of config and users. Just want to be certain I'm not opening up a security vulnerability by doing so.
Maybe I am overcomplicating things and overthinking a solution, but this is what I am trying to accomplish:
I have an app that uses Ionic Angular JS as the frontend with multiple RESTful services from the backend. I am using a combination of Drupal and Yii2. Both of the apps can support Facebook login / sign up as web apps as the modules are available. The Ionic app by itself can use FBLogin by using ngCordova. However, I need to do the following:
Login to the Ionic app using Facebook Login.
Using this login, create an account in both my Yii2 and Drupal 7 apps. (I can sacrifice one or the other if I really need to. I have two backends because I need one to store the custom logic and another for the content management.)
User should be able to create new nodes in both of the apps. (Yii2 will have a higher priority).
Any guidance will be great. Eventually I may expand FB login capability to Google ID as well.