We have business application and currently we are implementing Azure B2C active directory. We will enable 2FA authentication in our login workflow but some of our customers would like to disable 2FA authentication.
Is it possible to Enable / disable 2FA on user level either through console or using Graph api? Our idea is that if it is possible, then we will not make 2FA authentication as part of the sign in workflow but will enable this feature on user profile level
For the built-in flows, MFA is either on for all users or off for all users, so you'll have to create a custom policy that enables an end user (or you as administrator) to opt in to or out from MFA.
A good sample to refer to is the "Sign in with MFA" sample.
As well as offering both e-mail and/or phone MFA, you can add a default choice of "None".
Related
The use case is quiet simple, I want to read and write to calendars on a daemon (backend workflow) from personal Microsoft account or azure AD account.
Then I registered an Enterprise application in Azure Active Directory admin center with:
the account type « Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox) ».
permissions on read write on calendars + read on user
a generated client secret
a redirect uri
For all accounts from the same Azure Active Directory, the authentication with the client secret and the impersonation of the targeted email works well.
But for personal Microsoft accounts it is not. If I understood correctly I need to use the client credentials flow to grant the user. Then the user need to go on the admin consent url as explained: https://login.microsoftonline.com/common/adminconsent?client_id=<client_id>&state=12345&redirect_uri=<redirect_uri>.
But when logging in with a personal account it results in a redirection to the specified redirect uri with the error:
AADSTS500200: User account '{EmailHidden}' is a personal Microsoft account.
Personal Microsoft accounts are not supported for this application unless explicitly invited to an organization.
Try signing out and signing back in with an organizational account.
Research
I tried some solution of the error AADSTS500200 with this article: https://github.com/MicrosoftDocs/SupportArticles-docs/blob/main/support/azure/active-directory/error-code-AADSTS50020-user-account-identity-provider-does-not-exist.md (note that the error number is missing a last zero). But I still receive the same error or an other error Needs admin approval when the personal account is invited.
Needs admin approval (french only)
Question
Is it possible to read data on personal Microsoft account ? How to achieve this ? Is there any other way ?
It is not possible to use Microsoft personal accounts with the client credentials flow.
The solution is to use the authorization-code flow and use the scope offline_access during the authorization request and the token request. So that the refresh_token that can be used to regenerate new refresh_tokens.
I want to enable permissions for a particular user using password grant type.
But that user is MFA enabled as per my tenant policies.
Is it still possible to generate access token for that user from behind a service for only delegated permission ?Thank you
Aarushi
There is a good post from a few years back on why not to use ROPG, one of which is that it will only ever support a single form of login (not MFA):
Resource Owner Password Grant Problems
OAuth 2.1 will Drop Support for ROPG
Maybe if you explain your requirements we can suggest a solution that uses a more future facing flow ...
I'm investigating IdentityServer3, and I'm wondering if there is built in support for a specific scenario that I'd like to implement. The flow is as follows:
User signs into IdentityServer, using Identity1 and is issued access
tokens for our application.
User navigates to a "Link Identity" Page,
where they can choose to link an identity to their account
While signed in with Identity1, the user enters credentials for Identity2
to prove that they own Identity2
Using the Identity2 information, my application links the two accounts
to the same account.
Is this type of account linking supported OOTB with IdentityServer3, and if so, which features should I use.
If not, any advice on how to proceed? The main challenge that I'm unsure how to pull off using IdentityServer3 is handling the "double sign in" (e.g. authenticating as Identity2 while already signed in as Identity1)
All account management functions (registration, password reset, account linking, etc) are all specifically not the job of IdentityServer. This is something you'd need to build into your own application (which would commonly be a client application to IdentityServer). This client application would simply need to be able to update the database that is being used by IdentityServer for its authentication and profile data.
I'm building a web portal where my customers can log in - pretty standard stuff.
Now I would like my customers to log into the portal by using their "own credentials".
The optimal solution would be that users could use one of the following:
Office 365
If they have O365 then just sign in with their own credentials. This scenario is covered by the OOTB VS template
On-premise ADFS
If the customer has an on premise ADFS then they should be redirected to that to sign in. (I know this needs configuration for both parties, buts that's ok)
None of the above
The customer does not have any of the above and therefore need a "local account". In this case I would like to use Azure AD B2C to store the credentials.
I can do all of the above, but I have never tried to do it all together in one site.
Therefore, is it at all possible and how should I be constructed?
And how would the login experience be?
I'm using OWIN.
Any advice would be helpful.
Thanks!
When you say "local". you mean in AAD?
Azure B2C allows non-federated (i.e. don't use ADFS) users to provision and then authenticate themselves.
However, such users are "outside" of the normal authentication flow and cannot use ADFS or have O365 licenses.
In terms of ADFS and O365, you need to set:
Convert-MsolDomainToFederated
as in Step-By-Step: Setting up AD FS and Enabling Single Sign-On to Office 365.
In future Azure AD B2C will add the ability for users to login using their 'Work Accounts'. Those are the accounts used for O365. If the respective tenants have setup federation with Azure AD, ADFS federation will also work.
Meanwhile, the old work around for you to get it to work is to have your application
1. handle multiple tokens. [Azure AD, Azure AD B2C, ADFS or other federations] by implementing each federation to get the tokens.
2. implement the idp selection screen on the application and federate to appropriate party.
I have an ASP.NET MVC 4.6 application and I want to be able to use an application identity to provide access to the Azure Graph API behind the scenes, but I want to use Azure AD users for my applications authentication and authorization.
The end goal is to be able to have a user initially register using Google, Facebook, or enter their own username. During this registration, my application would leverage the Graph API to create an Azure AD user behind the scenes.
Once registered, if the user logs on using Google, Facebook, or their own username, it will look up against the Azure AD users to retrieve groups or roles.
Is this possible, or even a good idea? I'm open to other suggestions. Thanks!
This is possible. Azure AD recently released Azure AD B2C (business to consumer) to public preview. B2C will allow your users to sign up and sign in with consumer identity providers (e.g. Google, Facebook, etc.).
The sign up portion of this creates a special kind of user in Azure AD that has a reference to an identity in the consumer identity provider. The sign in portion of B2C allows users to authenticate with their corresponding identity provider, and that authentication is recognized in Azure AD.
The full documentation starts at: https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-overview/, and a ASP.NET MVC sample is at: https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-devquickstarts-web-dotnet/.
Alternatively, if you want to do you own, off the top of my head, the best you can do is to build a mechanism where you associate a "regular" Azure AD user with the corresponding social identity provider (e.g. maintain a lookup table). Your users would sign in to your app using each identity provider's protocol, and when they've done so, you "artificially" link them to the corresponding Azure AD users. From Azure AD's perspective, however, these users would not actually be authenticated, so at best, you'd be using Azure AD as a place to store users and groups.
Check out the new Azure B2C offering, in preview, which supports the exact scenario you are asking about out of the box.