I've been setting up a test Azure AD service on Azure and a multi tenanted MVC app that uses it.
When trying to create a new user using the Azure AD Graph Client, errors about the UserPrincipalName being invalid started to appear. Once I changed the email address to one that matched my domain in Azure, everything worked and I could programmatically create new users.
However this isn't really what I need. I would like users to be able to register with the system using their own email address as the user name (their email address could be anything). Have I hit a brick wall regarding what is possible using Azure AD, is this an inbuilt restriction (design feature) or am I missing something?
Does anyone know how I can use Azure AD and have user's use their own email address as their user/login name?
Related
Are Azure Active Directory app roles only supported for accounts in the same tenancy?
I am trying to use Azure Active Directory to authenticate users both on my tenancy, others, and social accounts, and be able to manually assign different app-level roles.
What I would like:
Users would sign up using any of these methods, and I would see them in the 'Users and groups' blade of the Enterprise Application in Azure portal (or I could invite them). I would assign app roles (roles specific to my app, eg engineer/technician/residential user) via the 'Add user/group' button.
When logging in to my app, I retrieve the app roles via idTokenClaims.roles[]
What happens instead:
This works fine for user accounts already in my Azure tenancy. But for other Microsoft accounts (eg theirname#outlook.com or MS accounts created with any email address), the user doesn't appear in Azure portal after logging in unless I manually invite them. After inviting them (and accepting the invite), I see a user like theirname_outlook.com#EXT##mytenancy.onmicrosoft.com. I can assign app roles to this user, but their idTokenClaims.roles[] is not returned.
Other social accounts (eg Twitter, facebook) seem to not be supported at all
What else I tried
I also investigated AD B2C, which gives the developer more control over the login flow, and supports other social accounts other than MS (which looks good), but it seems that doesn't support app roles at all.
Am I trying to use the wrong tool for the job?
All I want to do is support any user to sign up to my app, and for an admin to set what their app-specific roles should be.
Update
I am using the MSAL auth library, following the instructions
https://login.microsoftonline.com/Enter_the_Tenant_Id_here should be one of the following:
If your application supports accounts in this organizational directory, replace this value with the Tenant ID or Tenant name. For example, contoso.microsoft.com.
If your application supports accounts in any organizational directory, replace this value with organizations.
If your application supports accounts in any organizational directory and personal Microsoft accounts, replace this value with common.
To restrict support to personal Microsoft accounts only, replace this value with consumers.
Because I wanted this to work with any social account, I chose https://login.microsoftonline.com/common. This shows a UI that allows you to use any organisation or personal MS account, or sign up for a personal MS account with any email address. But I noticed the objectId returned for personal accounts is different to the id when I manually invite the account in azure portal. I changed to use my TenantID instead, and that worked. Personal accounts that have been previously invited via portal can log in. Other personal accounts get an error and cant log in. App roles are now returned for these personal accounts. This now partially solves my original problem, but I still have some unsolved issues:
this method shows a slightly different UI that doesn't allow the user to sign up for a new MS account in this flow
I still can't use other oauth accounts eg Twitter/Facebook. Do these not support app roles at all?
the instructions quoted above seem incorrect, clearly it is possible to log in using "accounts in any organizational directory and personal Microsoft accounts" via TenentID, not common, once they've been invited to the app
App roles absolutely support guest accounts. But as you can see, the id token of the guest account does not seem to contain the roles claim, and it is not clear whether this is by design. But the roles claim will appear in the access token.
I think an access token you can be used, and the access token also contains user information.
My application has authentication backed by SAML based Single sign on. The identity provider for the application is Azure AD. The application have different claims/attributes names as compared to what present in the Azure AD. What is the process to map those AD outgoing claims to the fields present in the application?
Assume attribute name in Azure AD is phonenumber and application is expecting mobilenumber in the SAML response during authentication process.
i'm not sure what the docs say there, but i assume it would be similar to what i'm going to say,
you go into the enterprise applications-> choose your app -> go to single sign on -> click edit on claims -> then click add new claim. -> name would be mobilenumber -> namespace.. you can leave it blank or put something random like http://schemas.xmlsoap.org/ws/2005/05/identity/claims -> source attribute -> user.telephonenumber probably.
If I understood correctly,
Generally application requets the claim attribute and may expect a different claim attribute from Azure AD.
For example, application requesting to send phone number and Azure will transform the claim attribute and send it to application.
In this case, you can use claim transformation in Azure AD.
Refer the document for transformation rule.
Still if it not working after following the above scenario, check whether the application is sending the correct request and what Azure AD is responding to application.
Capture the https traffic by using fiddler or any other trace to check the communication between your application and Azure AD.
I'm currently trying to configure Azure Ad for user provisioning in a Salesforce Sandbox. I'm using a personal dev org and a trial Azure account to make this work.
I've been able to map attributes and it works for most of them, except one. ManagerID.
I'm trying to replicate the Azure AD manager information into Salesforce's managerID field using an attribute reference. However it doesn't seem to work.
Has anyone here been completing this kind of setup previously and would be able to point me to the correct Attribute expression to be mapped/referenced on the Azure AD side?
The default mapping is from Salesforce->ManagerId to AAD->Manager, where AAD-> Manager is a reference to User.
The field in Salesforce used for matching is the FederationIdentifier, which corresponds to AAD-> User.userPrincipalName
The logic would be that if I'm doing a reference to the AAD User, I would expect AAD to fetch that manager's UPN in AAD and pass it back to the SCIM interface to be able to match it on the Salesforce side (since it's mapped to the FederationIdentifier).
I'm also trying to force the reference of "Manager" on the AAD side to pick the User.UserPrincipalName but it seems to always bring it back to User.
Anyhow, I'm a bit fishing here and wondering if there is someone with whom I can share the settings in such way that I can compare how it's been done in a successful implementation.
I want to lookup people Name and email address using their ADID/SAMAccountName/UPN from a console app running with its own credentials and not under my account.
How would I do this with Microsoft Graph?
I was following up on https://github.com/Azure-Samples/active-directory-dotnet-daemon-v2 but that seem to require admin access. (BTW is there an easy way to figure out the admin on my company's graph?)
I did lookup LDAP querying but domain limitations limit the search scope ,and would rather do this via Microsoft Graph.
Accessing Microsoft Graph without user credentials (i.e. using the OAUTH client credentials flow) requires Admin Consent for your application. Typically this consent would be handled by your IT department.
I'm struggling with my MVC5 webapp that is hosted on Azure. I need to secure it (of course) but I don't want to let the users create yet another account, with another password they can forget.
So I've looked into Azure Access Control (ACS). It looks nice, but the Identity Providers provided are very limited. I'm missing LinkedIn as an IP for example. Therefore a lot of users will have to create a new account with a company emailaddress. Facebook user typically use their private emailaddress.
So Azure Active Directory looks fine. You can federate with a local Active Directory. But after diving into it, it seems that you cannot create a tenant from you code. So the user must first do thing in the Azure portal, and that is confusing and I want to make things as easy as possible.
What do I need:
authentications of users without storing their password myself
creation of new users by code
be able to federate to a customer's Active Directory (on premise or Azure Active Directory)
user must be able to use whatever emailaddress they're using
Do you have good suggestions to accomplish this?
You can manage users in AAD using the Graph API.
Using DirSync or AADSync, you can propagate your on-premise users to AAD.
User will have to logon on-premise and again in the cloud but using the same credentials. (Same Sign On).
Adding ADFS to the mix gives you SSO. (Single Sign On).
Typically, only the corporate domain can be used for email address.
For other applications, look at: Azure Active Directory applications.