Azure AD Authentication on Third Party AD Tenant - authentication

In my case there is already an existing tenant of an organization. We are supposed to use that AAD tenant for authentication purpose since it already has the users needed to authenticate. Howeever I do not have the Global admin rights on that AAD tenant. I can create an application on that AAD tenant. I have also created a website that uses that AAD tenant to authenticate. When I run the website in browser, it redirects to a login page. I am able to authenticate myself of that AAD tenant and can see the home page of the website. But, when my colleagues try ot login using the same url for the website, it redirects to a login page, however when they enter username and password it gives the following error:
"AADSTS90093: This operation can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators."
Kindly suggest a solution for the issue.
Note: I am using VS 2013 for this project.

#Juan: Finally figured out the solution. You need to request the global administrator of the Azure AD to enable WS Federation for your application on the respective AD tenant.

Related

How to configure Auth0 to authenticate with other companies Azure Active Directory?

I have Auth0 configured with Social Connections > Microsoft Account.
This is linked through Client ID/secret to a Microsoft Azure Active Directory tenant in my Microsoft organisation, with an App Registration set to allow:
Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)
All users with a work or school, or personal Microsoft account can use your application or API. This includes Office 365 subscribers.
When I log in through my app, I can authenticate successfully using my personal account eg. blah.blah#gmail.com
However, when I try to authenticate with my work account blah.blah#myawesomecompany.ai, which is managed with an Azure Active Directory, it fails with
"That Microsoft account doesn’t exist. Enter a different account or get a new one.":
I thought given the Microsoft settings it would allow it connect.
How can I make Auth0 allow Microsoft authentication with other company's existing Azure Active Directory?
Also - can I configure it to limit that feature to specific companies AAD eg. those I have specifically nominated?
Is there a way to configure this without having to upgrade to Auth0 Enterprise?
I tried to reproduce the same in my environment and got the results like below:
I created an Azure AD Application:
Note that: Make sure to use common endpoint for Multi-Tenant and Microsoft accounts.
For sample I used the below endpoint to authorize the users:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
client_id=ClientID
&response_type=code
&redirect_uri=RedirectURI
&response_mode=query
&scope=https://graph.microsoft.com/.default
&state=12345
When I tried to sign-in with the personal account, the user logged in successfully like below:
And now I tried to login with other tenant user like below:
By using common endpoint, I am able to sign with personal accounts and other tenant accounts too successfully.
To limit the feature to specific companies AAD, check this blog.
Auth0 Enterprise is required to authorize tenants to the Azure AD Application.
For more in detail, refer below MsDocs:
Use tenant restrictions to manage access to SaaS apps - Microsoft Entra
Multi-tenant application with a whitelist on tenants authorized by Marshaljs
Assuming you want to use multi-tenant app to allow users from different company to sign in your application with their work account. Let's assume you create an Azure AD application in your tenant(tenantA).
Then in your app, you may set the TenantId as the tenant id so that even you created a multi-tenant app, you will only allow users in your tenant to sign in. And the sign in request may look like https://login.microsoftonline.com/{tenantA_tenant_id}/oauth2/v2.0/authorize?, with this link, you will be able to use account like user#tenantA.onmicrosoft.com to sign in, you can also use personal account which is invites to tenantA as a guest to sign in your account.
If you want users in tenantB to sign in your app with account like user#tenantB.onmicrosoft.com, then you must set the TenantId in your app as common which will make the auth request look like https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
Then when sign in the application created by tenantA with account in tenantB, you may see screenshot below. After consenting it, user#tenantB.onmicrosoft.com can sign in this application.

Issue in Add sign-in with Microsoft to an ASP.NET Core web app

I am trying to integrate the Sign-In functionality of Microsoft. I have registered my app in Azure Portal and My requirement is to give authority to any end-user (MS Account holder) to sign-in into my app and get the Access Token, so as per documentation i have set the client Id, Redirect URI, Tenant-ID to "Common", but its not allowing the personal MS account holder to sign-IN. Its giving below error:
"You can't sign in here with a personal account. Use your work or school account instead."
Can anyone help into this?
You should register the Azure AD app as this type: Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts.
If you want to modify the exist Azure AD app to make it support personal account login, you could modify the manifest file, setting AzureADandPersonalMicrosoftAccount as the value for "signInAudience".
See reference here.

Azure AD login page prompt

I've a Azure AD registered web application built with ASP.Net Core and using OpenId Connect and cookies authentication and ADAL.
My web app only supports authentication against Work accounts.
I just noticed on the AAD login page that it says - "Work or school, or personal Microsoft account".
Can I indicate to AAD that the prompt should only say - "Work or school account".
Thanks, Donal
You can use the msafed parameter. Add the following to the query string:
msafed=0
Now users can only sign in with a "work or school account", i.e. an Azure AD account.

Mixing Azure AD authentication with Forms authentication

I've got an existing MVC5 application that uses Forms authentication. Half of my users are internal employees that also exist in Azure AD. I'd like to give them the option to authenticate against AD but I don't want the other half to have to go through AD. All of the examples I've seen of using Azure AD authentication seems like an all or nothing thing.
Can't I just add a button to my login form for the AD users to go to the Azure login and get redirected back with a token? My other option is if they are an Azure user, take their email/password from my login form and try to connect to AD with it. This seems like a risk as I'll have exposure to their actual network credentials.
I haven't completed it yet but I've gotten far enough in that this feels like the solution to me. I'm going to add a link to my login page for Azure AD users that points to the AD OpenID url as defined here:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-protocols-openid-connect-code/
The id_token that I get back identifies the user after it's unpacked as detailed here:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-v2-tokens/#validating-tokens

Access user accounts from a domain

I have developed and published a simple Marketplace App needing access to all members of a domain. I followed the Google Instructions (see http://goo.gl/XvczDQ) and created a service account (for domain-wide delegation of authority). Everything is working if I access the users from my own company / domain.
But it is not clear to me what happens if an administrator from a different company installs the app from the Google Marketplace. How can I access the users in the client's domain and how works the service account approach there? What are the further steps?
I figured it out myself. Provided that the service account is correctly configured with the required scopes: All you have to know is the client's administrator email and the domain. Usually you can get this with the setup url in your marketplace app.
Then you have to set the service account user to the administrator's email before you request an access token. That worked for me.
When the admin installs the app, he grants you the authorization to use the service account to impersonate his users.
You can also list the users using the Directory API if you need the complete list of users. Note that you will need to have the relevant Directory API scope in your marketplace app configuration and you will need to impersonate an admin user.