Registering an Azure Function in Azure Active Directory - azure-active-directory

Do I register an Azure Function as a "Web app/API" app in my Azure Active Directory? If so, what would be the "Sign-on URL" for it?

Your Function is probably going to be kind of like an API.
In case of APIs, the Sign-on URL does not matter.
It will also be used as a reply URL by default, but if there are no user redirections, reply URLs do not matter.
So it can be your Function's URL.

Related

Redirect uri in Azure B2C with query string. Error detail: URL may not contain a query string

I'm trying to use Azure B2C OAuth for Alexa account linking with implicit flow. Below is the redirect url from Alexa
https://alexa.amazon.co.jp/spa/skill/account-linking-status.html?vendorId=XXXXXXXXXX
But adding this gives below error in Azure B2C app.
Failed to update xxx-xxxxxxapp application. Error detail: URL may not contain a query string
I tried the link below for solving this but it's not working
https://blogs.aaddevsup.xyz/2018/04/query-string-is-not-allowed-in-redirect_uri-for-azure-ad/
I also tried auth code grant flow with SPA in B2C. That is also not working with Alexa as it has PKCE - https://github.com/MicrosoftDocs/azure-docs/issues/64073
Anyone succeeded in creating this?
Adding URL parameters isn't allowed in Azure AD B2C.
The document you linked also provides that you use the state parameter. The problem with this is that your Amazon Alexa requires a vendor Id URL parameter.
You can add your own redirection service such that B2C redirects to your service which then redirects to the final application adding any needed query parameters that can be extracted from the B2C claims.
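As an added example (not part of the answer above, and not Azure or Amazon code), here is the core of such a redirection service in Python. It assumes the relay packs the Alexa redirect URL (vendorId included) into an HMAC-signed `state` value that is handed to B2C, and that the relay later receives B2C's token parameters together with that `state` (how it receives them, e.g. via `response_mode=form_post`, is outside this block). The secret, the allow-list and the sample URLs are constructed for the example. The two checks that matter for security are that the `state` signature is verified before it is trusted, and that the final target host is allow-listed, so the relay cannot be turned into an open redirector.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed demo secret; a real relay keeps this in its own secret store.
RELAY_SECRET = b"constructed-demo-secret-not-for-production"

# Only hosts on this list may be the final redirect target (constructed list;
# the .co.jp host is the one from the question).
ALLOWED_HOSTS = {"alexa.amazon.co.jp"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_state(final_redirect: str, alexa_state: str) -> str:
    """Pack the Alexa redirect URL (with its vendorId query string) and Alexa's own
    state into one opaque, signed value that becomes the `state` sent to B2C."""
    payload = json.dumps(
        {"r": final_redirect, "s": alexa_state, "n": secrets.token_hex(8)},
        separators=(",", ":"),
    ).encode()
    sig = hmac.new(RELAY_SECRET, payload, hashlib.sha256).digest()
    return _b64url(payload) + "." + _b64url(sig)


def parse_state(state: str) -> dict:
    """Verify the HMAC before trusting anything inside the state value."""
    try:
        p, s = state.split(".", 1)
        payload, sig = _b64url_decode(p), _b64url_decode(s)
    except (ValueError, binascii.Error):
        raise ValueError("malformed state")
    expected = hmac.new(RELAY_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("state signature mismatch")
    return json.loads(payload)


def build_final_redirect(state: str, token_params: dict) -> str:
    """Rebuild the Alexa URL: keep its query string (vendorId) and put the token
    parameters plus Alexa's original state into the fragment, as the implicit
    grant expects (assumption for this example)."""
    data = parse_state(state)
    target = urlsplit(data["r"])
    if target.scheme != "https" or target.hostname not in ALLOWED_HOSTS:
        raise ValueError("redirect target not allow-listed")
    fragment = urlencode({**token_params, "state": data["s"]})
    return urlunsplit((target.scheme, target.netloc, target.path, target.query, fragment))


if __name__ == "__main__":
    st = make_state(
        "https://alexa.amazon.co.jp/spa/skill/account-linking-status.html?vendorId=XXXXXXXXXX",
        "alexa-session-state",
    )
    print(build_final_redirect(st, {"access_token": "tok", "token_type": "Bearer"}))
```

Register only the relay's own URL (no query string) as the B2C redirect URI; the vendorId travels inside the signed state and is restored on the way out.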

Where Do I Find The Issuer URL In Azure Active Directory?

I am trying to add Active Directory Authentication to my Azure App Service.
The AD I am using is in a different tenant to the App Service so I need to use Advanced Settings instead of Express (where it creates things for you).
One of the fields is "Issuer Url" and the pop up help says
"Issuer URL for your Active Directory, TenantId of your Active Directory can be obtained by PowerShell command Get-AzureAccount or by browsing to your Directory from the management portal"
Where do I find the "Issuer Url" in the portal?
On the App registrations page, click on the Endpoints button at the top, then copy the WS-FEDERATION SIGN-ON ENDPOINT URL but remove the /wsfed ending from the URL. The end result should look like https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000. The domain name may be different for a sovereign cloud. This will serve as the Issuer URL.

How do I exclude specific URLs from authenticating using Azure AD?

Assuming I have a web app residing in Azure and using Azure AD, and I configured it to authenticate using Azure AD
settings -> Authentication / Authorization -> Authentication Providers -> Azure Active Directory
Now I want certain pages and URL paths to be publicly available (without need for authentication).
How do I configure that?
Somehow I stumbled upon the answer.
The way to configure that is described in the following article:
Expanding App Service Authentication/Authorization
You need to leave the "action to take" drop-down as "Allow request (no action)" and then the application may redirect the user to the log-in page as needed. This was not sufficiently explained in the Azure portal and led to some confusion on my part.
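With the provider left on "Allow request (no action)", every request reaches the application and the application itself decides which paths are public and where to send the rest. The following is an added example of that decision, not code from the answer or from Azure: a pure function that allow-lists public path patterns, accepts a request that App Service authentication has already populated with the `X-MS-CLIENT-PRINCIPAL-NAME` header, and otherwise returns the built-in `/.auth/login/aad` login URL. The public patterns are assumptions for this example; the header and login endpoint are the App Service authentication conventions.

```python
import fnmatch
from urllib.parse import urlencode

# Paths that must stay reachable without a sign-in (constructed for this example).
PUBLIC_PATTERNS = ["/", "/health", "/public/*", "/static/*"]

# Header that App Service authentication sets after a successful sign-in. It is
# only meaningful when the app actually sits behind App Service authentication,
# which sets the X-MS-CLIENT-PRINCIPAL-* headers itself.
PRINCIPAL_HEADER = "X-MS-CLIENT-PRINCIPAL-NAME"

LOGIN_ENDPOINT = "/.auth/login/aad"


def is_public(path: str) -> bool:
    return any(fnmatch.fnmatchcase(path, pattern) for pattern in PUBLIC_PATTERNS)


def safe_return_path(path: str) -> str:
    """Only same-origin relative paths may be used as post-login return targets;
    anything that could be read as a protocol-relative or absolute URL is dropped."""
    if path.startswith("/") and not path.startswith("//") and "://" not in path:
        return path
    return "/"


def authorize_request(path: str, headers: dict):
    """Return ("allow", principal_or_None) or ("redirect", login_url)."""
    if is_public(path):
        return ("allow", None)
    principal = headers.get(PRINCIPAL_HEADER)
    if principal:
        return ("allow", principal)
    query = urlencode({"post_login_redirect_uri": safe_return_path(path)})
    return ("redirect", f"{LOGIN_ENDPOINT}?{query}")


if __name__ == "__main__":
    for sample in ["/health", "/public/css/site.css", "/admin", "//evil.example/x"]:
        print(sample, "->", authorize_request(sample, {}))
    print("/admin (signed in) ->",
          authorize_request("/admin", {PRINCIPAL_HEADER: "alice@contoso.example"}))
```

Wire `authorize_request` into whatever request pipeline the app uses (a middleware or filter); the public list should be short and explicit, since everything not on it is gated.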

How to integrate my activiti app (version 6) with Azure active directory endpoint v2.0 without using ADAL.js or MSAL.js

I have an Activiti app which needs to be integrated with the Azure Active directory for user sign in and authentication. The application is registered on the Azure AD and I have the following information:
tenant ID
CID
key
I am trying to follow the steps in the official documentation here, using the implicit flow.
All the examples I could find for it make use of the msal.js library to authenticate users with Microsoft Azure Active Directory accounts. But I need to achieve this without using any libraries. How do I proceed with this?
How and where in the activiti-UI do I need to put in the code to hit the following URL given in the steps
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?client_id=6731de76-14a6-49ae-97bc-6eba6914391e&response_type=id_token&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F&scope=openid&response_mode=fragment&state=12345&nonce=678910
Any examples on this would be of great help!!
Thanks in advance!
For the doc you chose, it does not use a library.
To refer to this doc, your app is required to be registered in the v2 endpoint, like Application Registration Portal or app registration (preview) in Azure Portal. And you also need to enable Allow Implicit Flow for the Web client.
Send the sign-in request in your browser:
https://login.microsoftonline.com/{tenant-name}/oauth2/v2.0/authorize?
client_id=your application id
&response_type=id_token
&redirect_uri=your application redirect urls
&scope=openid
&response_mode=fragment
&state=12345
&nonce=678910
The response looks like this:
By this, you could get the id_token for the sign-in user. If you want to get the access_token, you need to replace openid in the scope with the resource url with the format (like microsoft graph: https://graph.microsoft.com/User.Read), and replace the id_token with access_token in the response_type.
The access_token response looks like this:
If you want to parse the token, you could use jwt.io.
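To show what the library-free flow above amounts to in code, here is an added example (mine, not from the answer, the Activiti project or Microsoft): it builds the v2.0 authorize URL from the question's parameters, parses the `#id_token=...&state=...` fragment that comes back, and checks the `state`, the `nonce`, the issuer, the audience and the expiry before the claims are trusted. The tenant id is a placeholder, the client id and redirect URI are the ones from the question's URL, and the sample id_token is constructed inside the block. The block only decodes the token; a real application must also verify its signature against the tenant's published signing keys, which is the part jwt.io shows you and this example deliberately leaves out.

```python
import base64
import json
import time
from urllib.parse import parse_qs, urlencode, urlsplit

TENANT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder tenant id
CLIENT_ID = "6731de76-14a6-49ae-97bc-6eba6914391e"  # client id from the question's URL
REDIRECT_URI = "http://localhost/myapp/"           # redirect URI from the question's URL


def build_authorize_url(tenant, client_id, redirect_uri, state, nonce,
                        scope="openid", response_type="id_token"):
    """The sign-in request from the answer, assembled from its parameters."""
    params = {
        "client_id": client_id,
        "response_type": response_type,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "response_mode": "fragment",
        "state": state,
        "nonce": nonce,
    }
    return f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?" + urlencode(params)


def parse_fragment_response(url):
    """response_mode=fragment puts the result after '#', so read it from there."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).fragment).items()}


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_claims(id_token):
    """Decode the JWT payload. NOTE: no signature verification here (see lead-in)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def validate_id_token(claims, tenant, client_id, expected_nonce, now=None):
    """Checks every app must do itself when no library is used."""
    now = time.time() if now is None else now
    issuer = f"https://login.microsoftonline.com/{tenant}/v2.0"  # v2.0 endpoint iss form
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != client_id:
        raise ValueError("token not issued for this client")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (replayed or foreign token)")
    if claims.get("exp", 0) < now:
        raise ValueError("token expired")
    return claims


def handle_login_response(url, session, tenant, client_id):
    """session holds the state and nonce generated when the sign-in URL was built."""
    resp = parse_fragment_response(url)
    if "error" in resp:
        raise ValueError(resp.get("error_description", resp["error"]))
    if resp.get("state") != session["state"]:
        raise ValueError("state mismatch")
    claims = decode_claims(resp["id_token"])
    return validate_id_token(claims, tenant, client_id, session["nonce"])


def make_sample_id_token(tenant, client_id, nonce, exp, name="sample.user"):
    """Constructed, unsigned sample token for the example only."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "placeholder"}
    claims = {"iss": f"https://login.microsoftonline.com/{tenant}/v2.0",
              "aud": client_id, "nonce": nonce, "exp": exp, "preferred_username": name}
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc(header) + "." + enc(claims) + ".constructed-signature"


if __name__ == "__main__":
    session = {"state": "12345", "nonce": "678910"}
    print(build_authorize_url(TENANT_ID, CLIENT_ID, REDIRECT_URI, session["state"], session["nonce"]))
    token = make_sample_id_token(TENANT_ID, CLIENT_ID, session["nonce"], int(time.time()) + 600)
    print(handle_login_response(f"{REDIRECT_URI}#id_token={token}&state=12345", session, TENANT_ID, CLIENT_ID))
```

In a browser-side app such as the Activiti UI the same steps run in JavaScript on the page the redirect URI points at: generate and remember state and nonce, send the user to the authorize URL, then read `window.location.hash` and apply the checks above before treating the user as signed in.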

How can I change the azure directory when I am using the login.windows.net page

This url uses one of the azure active directory I can access. Unfortunately, it's not the good one. How can I change this behavior to point it to the good one or to give me the choice after login? Changing the directory in the Azure Portal Subscription Filter doesn't work.
I would prefer a solution that works without changing the url (I will have to use Skype for Business Online Application Registration Portal and I have the same problem with it).
If I understand you correctly you want to use the OAuth2 authorization endpoint specific to your tenant. In order to get the authorization token specific to your tenant you need to simply write:
https://login.windows.net/{yourtenantname}.onmicrosoft.com/oauth2/authorize?api-version=1.0
or
https://login.windows.net/{tenantid}/oauth2/authorize?api-version=1.0
Please refer to this blog for additional details.
