We have various applications and each have its own user table. We are looking at the possibility of using Azure AD as a central authentication/authorization provider. Can Azure AD use our existing user tables when it does authentication/authorization? It seems we can import those users into Azure AD, but what if we just want to use the existing user tables, is there a way to do that? Thanks.
No, this is not possible in normal Azure AD.
It is possible to wire up your own claims provider to Azure AD B2C with custom policies.
But if you want to use your own store, you should probably just implement IdentityServer or similar yourself.
As Junnas said, we can't use custom database directly.
As a workaround, we can create on-prem Active directory and import your users to it, then install Azure AD connect to sync your users to Azure AD, in this way, the user name and password will store in your local Active directory, and Azure AD work as a authorization provider.
Hope this helps.
Related
I'm trying to figure out the best way to replicate an LDAP sync or a tool like Azure AD connect but for multiple Azure AD tenants to a single Azure AD B2C tenant. When a user is created in an Azure AD tenant it needs to sync over to the Azure AD B2C tenant. I need the user to exist in the B2C tenant before that user ever tries to login so I can't just point to the Azure AD tenant as the IDP. This is because not all of the users of the AD tenants will login but we will want to show the admin of that tenant all the users.
I've reached out to Microsoft's Azure architects but haven't gotten much feedback on the best approach. Looking for any examples or documentation on the best way to achieve this.
One way would be to develop a SCIM service that provides an endpoint for Azure AD to connect to.
The SCIM service would then call the Graph API to perform the user CRUD in B2C.
This is because B2C has no native SCIM support.
There is a Microsoft sample for the service that you could use. Described here.
We need to move users from an on-premise Active Directory on Windows Server (not Azure Active Directory) to Azure AD B2C. But, we're having difficulty in trying to figure out how to read the user data from the AD using Azure products.
We're thinking about using one of the following Azure products to read from on-premise AD, but it's surprisingly difficult to find if this is possible or not, much less how to do it:
Azure Data Factory
Azure Logic App
Microsoft Power Platform Dataverse (formerly Common Data Service)
Power BI Data Flows
Note: We can't use Azure AD Connect to migrate the users because that tool isn't designed to work with B2C. Reference Microsoft's Azure AD B2C: Frequently asked questions (FAQ).
The Microsoft article Migrate users to Azure AD B2C says that a script needs to be written that uses the Microsoft Graph API to create user accounts in Azure AD B2C. But the article doesn't give advice on how to access the source data, which in our case is AD.
There is no out-of-box Azure product/solution that connects to on-prem AD. Maybe there is a way which requires you create custom connector and custom API for querying AD users. See this post.
The quickest way is using PowerShell cmdlet Get-ADUser to export the AD users and then import them into Azure B2C via Microsoft Graph Create User.
Is it possible to manage users and groups using Terraform?
Operations such as MFA, user-types, Authentication methods, Registration, notification, User settings, group settings, and Device settings.
Is it possible to manage users and groups using Terraform?
Yes, you can use Terraform to integrate with Azure AD and manage users and groups in Azure AD. At the same time, Terraform supports a number of different methods for authenticating to Azure AD.
Please see:here.
I am trying to access the Azure AD graph API. I have successfully added users to my test environment (ADFS) and changed their domain to {mytestdomain}.onmicrosoft.com. The password synchronization using Azure AD Connect works.
Now I have setup the production environment (including ADFS) accordingly and I am now synchronizing the users, but obviously can't change the domains to {mydomain}.onmicrosoft.com. The users now have {mydomain}.net and I am synchronizing the users to a verified domain in Azure AD.
When trying to access
https://login.microsoftonline.com/{mydomain}.net/oauth2/token
using the following (yes, I know that grant_type is not recommended, but that's not the point)
grant_type: password
username: {user}#{mydomain}.net
password: XXXX
resource: https://graph.windows.net
client_id: {Guid}
I get:
AADSTS70002: Error validating credentials.
AADSTS50126: Invalid username or password
If I use an administrator like admin#{mydomain}.onmicrosoft.com it works fine.
In the Azure portal I have tried changing the primary domain from {mydomain}.onmicrosoft.com to {mydomain}.net, but it does not make a difference.
It says in the management portal:
"To configure {mydomain} for federated sign-on to your Azure Active Directory, run Azure AD Connect on your local network."
Does that apply when using the graph API as well? Do I have to setup federation on my local network or is there another way around?
In the azure portal I have tried changing the primary domain from
{mydomain}.onmicrosoft.com to {mydomain}.net, but it does not make a
difference.
I'm not clear the details of your Syncing steps. Besides verified you custom domain in Azure AD, you also need some other configurations, like Azure AD sign-in configuration. You can see more details in this document.
Does that apply when using the graph api as well? Do I have to setup
federation on my local network or is there another way around?
Yes, Since you're using ADFS, you need to use Federated SSO (with Active Directory Federation Services (AD FS)) to allows your users to sign in to both cloud and on-premises resources by using the same passwords.
You can also see more details about Azure AD Connect user sign-in options in this official document.
Hope it helps!
How do I migrate an existing OU-structure from the old AD to the new Azure AD?
I have been trying to configure the Azure AD Connector Synchronization Tool for this but without success. Not sure what configuration it is supposed to have.
Anyone know? Thanks.
Do you mean the “old AD” is on-premise AD? In some ways, Windows Azure AD is an extension of the on-premise Active Directory, but not all features available in Azure AD. Azure AD does have a domain name, it does contain users and groups. It contains Service Principals, like on-premise AD, that represent applications. But there is no tree of domains, no trusts between domains or forests. Indeed there are no forests, no Group Policy, no OUs.
If you want to create OU, please try Azure AD Domain Services which supports to create custom Organizational Units and group policy in some limited way.
https://azure.microsoft.com/en-us/documentation/articles/active-directory-ds-features/