I am trying to access the Azure AD graph API. I have successfully added users to my test environment (ADFS) and changed their domain to {mytestdomain}.onmicrosoft.com. The password synchronization using Azure AD Connect works.
Now I have setup the production environment (including ADFS) accordingly and I am now synchronizing the users, but obviously can't change the domains to {mydomain}.onmicrosoft.com. The users now have {mydomain}.net and I am synchronizing the users to a verified domain in Azure AD.
When trying to access
https://login.microsoftonline.com/{mydomain}.net/oauth2/token
using the following (yes, I know that grant_type is not recommended, but that's not the point)
grant_type: password
username: {user}#{mydomain}.net
password: XXXX
resource: https://graph.windows.net
client_id: {Guid}
I get:
AADSTS70002: Error validating credentials.
AADSTS50126: Invalid username or password
If I use an administrator like admin#{mydomain}.onmicrosoft.com it works fine.
In the Azure portal I have tried changing the primary domain from {mydomain}.onmicrosoft.com to {mydomain}.net, but it does not make a difference.
It says in the management portal:
"To configure {mydomain} for federated sign-on to your Azure Active Directory, run Azure AD Connect on your local network."
Does that apply when using the graph API as well? Do I have to setup federation on my local network or is there another way around?
In the azure portal I have tried changing the primary domain from
{mydomain}.onmicrosoft.com to {mydomain}.net, but it does not make a
difference.
I'm not clear the details of your Syncing steps. Besides verified you custom domain in Azure AD, you also need some other configurations, like Azure AD sign-in configuration. You can see more details in this document.
Does that apply when using the graph api as well? Do I have to setup
federation on my local network or is there another way around?
Yes, Since you're using ADFS, you need to use Federated SSO (with Active Directory Federation Services (AD FS)) to allows your users to sign in to both cloud and on-premises resources by using the same passwords.
You can also see more details about Azure AD Connect user sign-in options in this official document.
Hope it helps!
Related
We have a public consumer application for which we use Auth0 as identity platform and through Auth0 we have enabled a couple of social logins to which we now want to add "Login with Microsoft" as an option so that anyone with any type of Microsoft account can login.
Obviously we will need to enable the Microsoft social connection in our Auth0 instance and connect it to a Active Directory Application and Tenant created in Azure.
What I can't seem to find the answer for is which type of tenant we should setup for this, whether we should use a Azure Active Directory tenant with a multi-tenant application or if we should use a Azure Active Directory (B2C) tenant for this?
Thanks for posting your query. As per https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/azure-active-directory/v2#register-your-app-with-azure-ad Azure AD would support for multitenant apps but not with social account (until you plan to send invitation to each user's personal account for Azure AD B2B).
For Microsoft Social accounts Azure B2C would suit your requirement.
On Auth0 Admin Console:
Create a web application in Auth0
Copy the client ID and secret
Add a callback URL from your B2C tenant in given format: https://.b2clogin.com/.onmicrosoft.com/oauth2/authresp
Copy the “OpenID Configuration” URI from advance setting.
On Azure B2C tenant:
Add an Identity provider to B2C, Azure AD B2C > Identity providers > New OpenID Connect Provider
Input “OpenID Configuration” URI you copied in above step to Metadata URL.
Similarly add client ID and Client secret you copied from Auth0.
Complete the claims mapping ref: https://learn.microsoft.com/en-in/azure/active-directory-b2c/identity-provider-generic-openid-connect?pivots=b2c-user-flow#claims-mapping
Hit Save and Auth0 will be saved as IDP in your Azure B2C tenant.
Thanks
I've gathered the following insights since posting my question
Summary
Auth0 Social connection -> Azure Active Directory tenant with an app configured to support "Personal Microsoft accounts"
Auth0 Enterprise connection -> Azure Active Directory tenant with an app configured to support "Accounts in any organisational directory and personal Microsoft accounts"
See guide of different app types here
Details
Since we wanted to support login with any microsoft account (multi tenant + personal) my initial attempt of using an Auth0 Social connection for this was incorrect, since the Social connection will only allow successful logins with personal accounts regardless of how you have setup the App registration in Azure
Auth0 Enterprise connection is the way to go for our case, with an Azure app registation supporting multi tenant + personal accounts. Also when setting the connection up in Auth0, make sure to enable the "Use common endpoint" setting as described here
The Azure Active Directory B2C tenant type is not useful with any of the Auth0 connections as you likely won't be able to get a satisfying consent screen with verified publisher. I'm guessing its just the wrong way of using the B2C tenant, where its supposed to be used the other way around with the Azure tenant being the identity platform optionally integrating applications from Auth0 like in the answer from Mavric20
I'm currently trying to implement openvpn server authenticated with keycloak.
This part is actually working well with user added in keycloak but now I want to authenticate my openvpn user with azure AD.
I made the configuration to be able to authenticate user with keycloak and azure AD has identity provider so this part work well but not I want to conbine both
I would like that my user will be authtenticated with azure AD throw keycloak when they execute OpenVPN client.
I have 1 realm. The account clients work properly with Azure AD and I have a Clients for OpenVPN but How to link both
• As per the described query, you want to authenticate with Azure AD through Keycloak while connecting with OpenVPN client. Thus, accordingly, you will have to configure the VPN client for P2S OpenVPN protocol connection in Azure AD first. For that purpose, kindly follow the below documentation link which describes the steps to be followed for registering and configuring ‘Azure VPN’ as an application in Azure AD and further configuring the VPN configuration settings on it as well: -
https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-point-to-site-azure-ad
• Once, the above-mentioned steps are done as stated, then you will have to register an application as a client service principal in your Azure AD, create a client secret for it and register the same in keycloak administration console as mentioned in the below link. This will ensure that your keycloak integration with Azure AD is complete and working fine as well as the authentication for your Azure AD users through keycloak is possible over OpenVPN client such as Azure VPN client.
https://blog.hcltechsw.com/versionvault/how-to-configure-microsoft-azure-active-directory-as-keycloak-identity-provider-to-enable-single-sign-on-for-hcl-compass/
The above document states for ‘HCL Compass’ as the target application to be connected via keycloak via Azure AD identity but you can configure the same as per your own SaaS application to be integrated.
I have a php application that I want active directory users to be able to login to using azure sso. Getting this working with simplesamlphp was really easy.
Now I am trying to allow non organization users to be able to login as guests.
I updated azure AD to allow external entities, and then created a workflow allowing AD users, microsoft.com accounts and one time password. I have enabled "guest self-service signup" and I have associated this user flow with my azure application however the authentication flow hasn't changed at all. There isn't any option for guests to login. Am I missing something? I am using the azure ad federation metadata document xml in the simplesaml metadata converter and using the output of that for my metadata provider in simplesaml.
Here is the screen a user gets when trying to sign in to azure:
We get the following error when trying to access an AAD application, which is connected to Azure B2C.
User account 'xxxxx#gmail.com' from identity provider 'live.com' does not exist in tenant 'xxxxxxxx' and cannot access the application 'xxxxxxxxxxx' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
The live account shows up in both the B2C and AAD as a live.com user. Manually created accounts can log in. Yet when logging in from a B2C account, I get the above error.
How can I solve this problem?
If your requirement is to accept both personal accounts in addition to corporate accounts, then you should not be using ADAL. ADAL/ADAL.JS is designed only to accept corporate accounts and use the so called Azure AD 'v1' endpoint.
Here are your options:
AppSource only requires corporate accounts sign-ins. If you only need AppSource certification, you can keep using adal.js to sign-in corporate accounts. Then what you need to do is to set your application to be multi-tenant in Azure Portal, so you don't need to add guest accounts. But, again, this option only accepts corporate account sign-ins.
If your requirement is to also accept personal accounts, then you need to use msal.js instead of adal.js - and then register your application in the new portal https://apps.dev.microsoft.com . This new application is known as converged application and uses the Azure AD v2 endpoint. To get started use this guide as a starting point to sign-in users using msal.js.
We are developing a SaaS web application with an Angular UI front end and my login works just fine with the users I have added in my Azure Active directory as well as users from any other Azure AD using it's consent framework and everything is sweet.
What I now need is to allow users to login using ADFS of other organization which does not have any Azure Active directory. Which is the best solution for this?
For a test, I created a local active directory in a VM and federated it using ADFS. Let's say otherorganizationdomain.com is the doman. Even though I can access the login page directly using the URL I got during my ADFS set up, but when I typed that domain name(xxx#otherorganizationdomain.com) in my multi tenant app's login page it is not getting redirected to the login page of my ADFS where as other login continues to work fine.
I have a multitenant web app in the Azure AD. What I would ideally like to happen is when I type xxx#otherorganizationdomain.com I should be redirected to their ADFS login page and comes back with the claim just like how it works with Azure Active Directory. Am I trying to do some thing which can't be achieved?
You could federate ADFS as per ADFS : Using Azure AD but Azure AD is always the IDP which isn't what you want.
You could use AD Connect and sync. the users up but that is normally designed for users in the same forest. This is the way O365 works. Federated domains redirect to ADFS.
Or you could use AzureAD Pass-Through Authentication and Seamless Single Sign-on.
This uses your local DC but not ADFS.