I have a multi tenant app registered on Azure Ad, and each time a user logs in I want to get all the users of the organization. I configured the app in my code and on Azure
My .net-core app with azure and
ms graph authorizations
So when someone logs in it asks for "read" permissions. Now I want to get all users of a specific tenant, I tried first on Postman
to get the access token and
get users with the token
it worked for this tenant because it is the app owner on Azure, but when I try with another tenant which is using my app, it doesn't work.
I got the access token for another tenant and then
I have an error
I'm a little bit confused, is it the right way to do that or did I miss something ?
EDIT : It works if someone of the other tenant grant admin consent here on Azure Ad, it adds Application Permissions but I don't want to do it on Azure but on the App
Related
I have Auth0 configured with Social Connections > Microsoft Account.
This is linked through Client ID/secret to a Microsoft Azure Active Directory tenant in my Microsoft organisation, with an App Registration set to allow:
Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)
All users with a work or school, or personal Microsoft account can use your application or API. This includes Office 365 subscribers.
When I log in through my app, I can authenticate successfully using my personal account eg. blah.blah#gmail.com
However, when I try to authenticate with my work account blah.blah#myawesomecompany.ai, which is managed with an Azure Active Directory, it fails with
"That Microsoft account doesn’t exist. Enter a different account or get a new one.":
I thought given the Microsoft settings it would allow it connect.
How can I make Auth0 allow Microsoft authentication with other company's existing Azure Active Directory?
Also - can I configure it to limit that feature to specific companies AAD eg. those I have specifically nominated?
Is there a way to configure this without having to upgrade to Auth0 Enterprise?
I tried to reproduce the same in my environment and got the results like below:
I created an Azure AD Application:
Note that: Make sure to use common endpoint for Multi-Tenant and Microsoft accounts.
For sample I used the below endpoint to authorize the users:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
client_id=ClientID
&response_type=code
&redirect_uri=RedirectURI
&response_mode=query
&scope=https://graph.microsoft.com/.default
&state=12345
When I tried to sign-in with the personal account, the user logged in successfully like below:
And now I tried to login with other tenant user like below:
By using common endpoint, I am able to sign with personal accounts and other tenant accounts too successfully.
To limit the feature to specific companies AAD, check this blog.
Auth0 Enterprise is required to authorize tenants to the Azure AD Application.
For more in detail, refer below MsDocs:
Use tenant restrictions to manage access to SaaS apps - Microsoft Entra
Multi-tenant application with a whitelist on tenants authorized by Marshaljs
Assuming you want to use multi-tenant app to allow users from different company to sign in your application with their work account. Let's assume you create an Azure AD application in your tenant(tenantA).
Then in your app, you may set the TenantId as the tenant id so that even you created a multi-tenant app, you will only allow users in your tenant to sign in. And the sign in request may look like https://login.microsoftonline.com/{tenantA_tenant_id}/oauth2/v2.0/authorize?, with this link, you will be able to use account like user#tenantA.onmicrosoft.com to sign in, you can also use personal account which is invites to tenantA as a guest to sign in your account.
If you want users in tenantB to sign in your app with account like user#tenantB.onmicrosoft.com, then you must set the TenantId in your app as common which will make the auth request look like https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
Then when sign in the application created by tenantA with account in tenantB, you may see screenshot below. After consenting it, user#tenantB.onmicrosoft.com can sign in this application.
When creating ASP.NET Core web app, if you use Azure AD for authentication, is it possible to store user info in your app database? And if so, is there a best practice approach to doing this?
I'd like to store user role info in my app's database; I know you can use AD groups but
(a) I'd like to be able control this from within the app and
(b) I don't know if I have permissions to create new groups in my company's Azure AD.
yes, you can. After authentication with Azure AD, you can get userinfo from ID token if you are using OIDC. Then you can store the userinfo in your app's local database.
For (a), you wanna control user role in your app which used to edit in azure portal. Then you may take microsoft graph api user role into consideration. You may check the link if this api is what you need.
(b) create new groups, this can achieved by this api.
Calling microsoft graph api required an azure ad application which can be assigned api permission by admin, then it can be used to generate access token to call the api.
Hi I am working on Angular SPA and web API core. I am trying to implement authentication and authorization. I have done as below for now.
Registered one application for my front end application and added required redirect uri and modified manifest file to enable implicit flow. Also assigned some of the roles to it.
Registered one more application for my back end. I added scope in the form api/clientid. Then added client application id which is created in step 1.
User is successfully able to login to application.
Now my JWT token has roles in claim. In my API I have added [Authorize(Roles = "Engineers,Admins")]
So If user has any role Engineers or Admins in the JWT token as claims then they are allowed to access my API's
So far my authorization works fine. But coming to authentication part, currently all users of my azure AD tenant able to do login(User can hit my front end url and add user name and password then It will ask MFA and they will be landed in application home page).
If user is part of any of the roles above then only they can see data in home page because in home page I am calling some of the API's and I have added [Authorize(Roles = "Engineers,Admins")].
If suppose user is not part of above role they are still able to login (login means they are able to add user name and password and MFA) they will be landed in home page but they cannot see any data because api will be accessed only if they are part of Engineers,Admins roles.
My question is If user is not part of Engineers,Admins roles why they are able to login and come to home page. They should be restricted in Login step itself.
I am not really sure I am asking right thing here or I only confused my self between authentication vs authorization.
Currently I am doing authorization based on roles. Same thing I can accomplish using Groups also. In claims I can return groups and create policies and do the authorization. If user is part of the group then I can authorize. I am trying to understand what advantage I will get using roles over the groups.
Currently I have dev, prod and non prod environments. But Azure AD is universal and for there is no environment for azure AD. So Is it a good idea to have separate application registered in azure ad between the environments or can I use same app registered in azure AD between the environments. If I create separate application for each environments what advantage I will get?
I am really trying to understand above concepts and can someone give me some insights on the above things? It will be really helpful to me If someone help me to understand this concepts. Any help would be greatly appreciated. Thank you
I have an ASP.Net MVC web application that connects to an azure sql database. I have an account set up on that database using my AAD login. When I run locally (localhost) the web application loads fine and my credentials are authenticated successfully and I am able to query the database. When i publish the application to an app service on the cloud i am unable to authenticate on the database.
I followed this tutorial https://learn.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-connect-msi initially, which I understand authenticates as the app itself once published (I've proved this by registering the app to AAD and adding the Application API login to the Database)
What i really want is a way to authenticate as the user of the app not the app itself - i.e. An Azure version of Kerberos which we currently use for our on-prem applications
Given you have understood how the AAD Authentication works in Azure SQL DB, and you have successfully configured MSI to authenticate with Azure SQL DB, here is what you need to do to authenticate individual user accounts in Azure SQL DB using AAD.
Register an application with your AAD (https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app)
Under API Permissions add one more permission -> Azure SQL Database
Select Delegated Permissions -> User impersonation
Create a new security group in your Azure SQL DB
Grant that security group permissions to your SQL DB instance (https://learn.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication-configure#create-contained-database-users-in-your-database-mapped-to-azure-ad-identities)
Also add the application to the SQL DB as external user (the same way you add the security group)
When you sign-in your users to your application, request an access token for Azure SQL DB using resource=https://database.windows.net in your authorization request.
Use the access token to access the database in the context of the signed-in user: https://learn.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication-configure#azure-ad-token
If you successfully completed all the steps you shall be able to sign in to the database using AAD access_token with security context of a signed-in user.
But the question is - do you really want to do that? This only makes sense if you are taking data authorization decisions inside your database. And really configure user accounts within the database.
I'm writing a web application and I want to get all users using Azure Graph API. Which permissions are required. Does admin have to consent?
At the very least, your application would need Read Directory Data permission that you will setup in Azure Portal when configuring your application.
Does admin have to consent?
Yes, the admin would have to consent.