I've a Azure AD registered web application built with ASP.Net Core and using OpenId Connect and cookies authentication and ADAL.
My web app only supports authentication against Work accounts.
I just noticed on the AAD login page that it says - "Work or school, or personal Microsoft account".
Can I indicate to AAD that the prompt should only say - "Work or school account".
Thanks, Donal
You can use the msafed parameter. Add the following to the query string:
msafed=0
Now users can only sign in with a "work or school account", i.e. an Azure AD account.
Related
We have a .Net 6 website that integrates with Azure AD B2C using OIDC. Login and registration for the website are defined in custom policies in the Azure AD B2C tenant. Azure AD B2C returns a claim that we use for user creation and login for existing users.
The client would like the website to integrate with another platform that supports SAML SSO to Azure AD B2C. Basically, if users are signed in to the website, and by extension signed into Azure AD B2C, and they click a link on the website to take them to the other platform then the user should be signed into the other platform.
My question is if we can mix OIDC and SAML in the custom policies so that logging into the website logs the user into the other platform or does it need to be either OIDC start to finish or SAML start to finish.
I have looked into the Microsoft documentation and it explains how to integrate Azure AD B2C with either OIDC or SAML but I couldn't find anything related to integrating Azure AD B2C with separate platforms that use different protocols.
Any help is greatly appreciated.
I am not sure if understand your use-case correctly - are you trying to onboard external partner as identity provider? And their identity provider uses SAML2 protocol?
If yes, you can look at this official page - https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-generic-saml?tabs=windows&pivots=b2c-custom-policy
Basically you need to use custom policy. In a nutshell, custom policy orchestration flow redirects to identity provider, user authenticates with its own credentials. If successfully, the idp issues SAML token, redirects back to B2C.
And then you can process/transform those claims in SAML token, even create reference/federated user in your b2c (add your own attributes/claims in B2C user management portal) and send claims as JWT token back to your app.
Peter
I've been working on authentication and authorization within ASPNET Core. I'm familiar with setting up OpenID Connect on my own Azure tenant (such as this this example).
I'm also aware of how to register an client ID and secret on platforms such as Google (such as this example).
But what's confusing to me is that is how to setup OpenID connect to allow for a user to sign in with their own Microsoft account, regardless of whether they're created their own account through https://signup.live.com/ or signing in from their own Office365 subscription.
Is this possible? Or is OpenID Connect (for Microsoft) registrations only supported separately in each Azure AD tenant?
When you register the Azure AD app, select Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox).
Keep common as the "TenantId" in your appsettings.json file, which will allow both AAD account/O365 account and personal Microsoft account to sign in.
I am trying to integrate the Sign-In functionality of Microsoft. I have registered my app in Azure Portal and My requirement is to give authority to any end-user (MS Account holder) to sign-in into my app and get the Access Token, so as per documentation i have set the client Id, Redirect URI, Tenant-ID to "Common", but its not allowing the personal MS account holder to sign-IN. Its giving below error:
"You can't sign in here with a personal account. Use your work or school account instead."
Can anyone help into this?
You should register the Azure AD app as this type: Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts.
If you want to modify the exist Azure AD app to make it support personal account login, you could modify the manifest file, setting AzureADandPersonalMicrosoftAccount as the value for "signInAudience".
See reference here.
I've got an existing MVC5 application that uses Forms authentication. Half of my users are internal employees that also exist in Azure AD. I'd like to give them the option to authenticate against AD but I don't want the other half to have to go through AD. All of the examples I've seen of using Azure AD authentication seems like an all or nothing thing.
Can't I just add a button to my login form for the AD users to go to the Azure login and get redirected back with a token? My other option is if they are an Azure user, take their email/password from my login form and try to connect to AD with it. This seems like a risk as I'll have exposure to their actual network credentials.
I haven't completed it yet but I've gotten far enough in that this feels like the solution to me. I'm going to add a link to my login page for Azure AD users that points to the AD OpenID url as defined here:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-protocols-openid-connect-code/
The id_token that I get back identifies the user after it's unpacked as detailed here:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-v2-tokens/#validating-tokens
In my case there is already an existing tenant of an organization. We are supposed to use that AAD tenant for authentication purpose since it already has the users needed to authenticate. Howeever I do not have the Global admin rights on that AAD tenant. I can create an application on that AAD tenant. I have also created a website that uses that AAD tenant to authenticate. When I run the website in browser, it redirects to a login page. I am able to authenticate myself of that AAD tenant and can see the home page of the website. But, when my colleagues try ot login using the same url for the website, it redirects to a login page, however when they enter username and password it gives the following error:
"AADSTS90093: This operation can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators."
Kindly suggest a solution for the issue.
Note: I am using VS 2013 for this project.
#Juan: Finally figured out the solution. You need to request the global administrator of the Azure AD to enable WS Federation for your application on the respective AD tenant.