we're currently using the office 365 api but we're a little bit stuck in the oauth process. On the target platform we have no access to a browser, which cause the main problem using the oauth procedure.
Does Microsoft offer other kinds of authentication like Limited Input Device Authentication like google does? Or are there any alternatives, when no browser is available?
Thanks a lot!
Yes, there are ways to do it without a browser, depending on your scenario. If you're looking to prompt the user yourself for username/password, you can pass those directly via ADAL. For example, here's how to do it using the ADAL for Node.js: https://github.com/AzureAD/azure-activedirectory-library-for-nodejs/blob/master/sample/username-password-sample.js
The trick when you do this is that there must be user consent already recorded in Azure AD. Because this bypasses the user consent screen, it has to be "pre-consented". One way to do this is to have the organizational administrator register the application in their own Azure AD, which by default consents for all users in the org.
Another approach would be to use the client credential flow. In this scenario, the administrator consents once for their entire organization, and the app then has access to all mailboxes in that org.
Related
I have to read User emails (particular subfolder), One Drive, Team Channels and Sharepoint after some regular intervals at the background using Microsoft Graph API but not without having the user consent which should be taken only once when they logged in to the web based application first time and not afterwards. I am not sure where to start from and how this can be achieved? Should the token be stored forever in some database securely OR Is it the AAD?
Would really appreciate any pointers/APIs/Libraries/concepts or links which can help in moving towards this direction.
If you want to get the token without user, client credentials flow can be used. The flow permits a web service (confidential client) to use its own credentials, instead of impersonating a user, to authenticate when calling another web service.
In the client credentials flow, permissions are granted directly to the application itself by an administrator. So it is necessary to use the application permissions. You could call Microsoft Graph API with the access token.
For example, call this API to get message:
You need to add one of the application permissions to API permission(navigate to Azure Active Directory-> your application), and click grant for your tenant.
I wanted to know if there is a way for a custom developed web app to tell if an Azure AD SSO also had MFA. Ultimately, I'm trying to block access to a website if there was no MFA during the SSO process. I would essentially be creating a multi-tenanted application. Their documentation doesn't offer anything in this regard, and I know that MFA status isn't available via Graph yet, so I can't check if the user even has it enabled or enforced yet. Thanks!
What tokens are your web app receiving? For example with JWT tokens the amr (authentication mechanism reference) claim can be checked for the MFA claim. See https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens
I'm building a web portal where my customers can log in - pretty standard stuff.
Now I would like my customers to log into the portal by using their "own credentials".
The optimal solution would be that users could use one of the following:
Office 365
If they have O365 then just sign in with their own credentials. This scenario is covered by the OOTB VS template
On-premise ADFS
If the customer has an on premise ADFS then they should be redirected to that to sign in. (I know this needs configuration for both parties, buts that's ok)
None of the above
The customer does not have any of the above and therefore need a "local account". In this case I would like to use Azure AD B2C to store the credentials.
I can do all of the above, but I have never tried to do it all together in one site.
Therefore, is it at all possible and how should I be constructed?
And how would the login experience be?
I'm using OWIN.
Any advice would be helpful.
Thanks!
When you say "local". you mean in AAD?
Azure B2C allows non-federated (i.e. don't use ADFS) users to provision and then authenticate themselves.
However, such users are "outside" of the normal authentication flow and cannot use ADFS or have O365 licenses.
In terms of ADFS and O365, you need to set:
Convert-MsolDomainToFederated
as in Step-By-Step: Setting up AD FS and Enabling Single Sign-On to Office 365.
In future Azure AD B2C will add the ability for users to login using their 'Work Accounts'. Those are the accounts used for O365. If the respective tenants have setup federation with Azure AD, ADFS federation will also work.
Meanwhile, the old work around for you to get it to work is to have your application
1. handle multiple tokens. [Azure AD, Azure AD B2C, ADFS or other federations] by implementing each federation to get the tokens.
2. implement the idp selection screen on the application and federate to appropriate party.
Context
I'm building a web application deployed to Azure Webapps where users need to sign in. To accomplish this, I'm leveraging Azure AD with OAuth 2.0 Authorization Code Grant. Since I'm using Nancy (with the ASP.NET host) instead of MVC, I can't follow the official Azure AD MVC examples where all the OAuth handling seems to happen magically in the background.
Redirecting to the OAuth endpoint is straight-forward, and the user is also correctly redirected back to my application with an authorization code.
Problem
Now I need retrieve the user ID in order to match it to the user database in my application. I'm using ADAL for this, because this is basically step D & E of the authorization code grant flow, from what I understand.
Now what puzzles me is that this use case is not supported by Azure AD, stating that
The client '[ClientId]' and resource '[ResouceId]' identify the same application.
Also, as indicated by this answer, "ADAL is not meant to achieve web sign-on in a web application."
I've been able to work around this problem by creating two applications in Azure AD, as suggested by this blog, but it feels like I misunderstood something. This could very well be the case, as I am new to OAuth and Azure AD.
So my question is, what is the correct way to authenticate a user from a non-MVC web application using Azure AD?
the OWIN middleware should work with non-ASP.NET as well. See for example http://unlustrously55.rssing.com/browser.php?indx=24287735&item=13 - in your case you will have to use the OpenId Connect one or the ww-federation one.
Is this purely for users inside your organisation/tenant? It sounds like it.
Why don't you use an App Registration in Azure AD and grant it permissions to access the users profile? You should then be able to retrieve a user's UPN from the token. Please see here:
https://learn.microsoft.com/en-us/azure/app-service/scenario-secure-app-authentication-app-service
We are trying to build an ASP.NET MVC 5 web application where two types of users can log in. We have some clients who use Google apps and others use Office 365. Here we already know which client use what service.
The way users login to our website should be as follows:
User sees a page where user has to select their company name from a drop-down.
Depending on company name the user choose, s/he should be redirected to that particular SSO login page.
After authentication, the user shall return to our website, and be considered as authenticated.
Depending on the service they use, we are also planning to leverage their apis, like Calender, Notes, etc.
I searched a lot but found nothing/irrelevant in this regard. Please help.
If you want to implement this on your own, here are some tips from my experience:
Office365 (which is based on Windows Azure Active Directory): speaks a protocol called Ws-Federation with SAML tokens. To this moment, there are libraries for various platforms and languages.
Google Apps, is easier to Office365 since you have to use plain Google OAuth. One thing that might help you is that you can force the domain of Google Apps when doing the authentication by using the querystring parameter "hd" like "?hd=x.com". See this answer and the comments.
What you are trying to do it is not impossible but it requires some work and understanding all the protocols.
Another option is to use an authentication broker like Auth0. Your application sees auth0 as an OAuth provider and you can connect to your customers Google Apps and Office 365 from the dashboard or from an API which means that you can easily automate on-boarding customers. After you create the connection Auth0 will give you a link that you need to give to your customer so they can grant consent to your app to use their directory. From the client side perspective, you can achieve the combobox UI you describe by using auth0.js as follows:
var auth0 = new Auth0({
//settings provide by auth0
});
var combo = $('#company-combo');
//loads the company combobox directly from auth0
auth0.getConnections(function (err, connections) {
connections.forEach(function (c) {
$('<option>')
.attr('value', c.name)
.text(c.name)
.appendTo(combo);
})
});
//trigger login
$('.login').on('click', function (e) {
auth0.login({
connection: $("option:selected", combo).val()
})
});
Once the user logins, your application will get a profile. This profile has a property that indicates the connection/company.
Auth0 also provides an unified API to query/search users, in these two cases it uses the underlying directory but you get again the same profile representation.
Disclaimer: I work for Auth0.
You can use Windows Azure Active Directory ACS as a broker. From MSDN: Windows Azure Active Directory Access Control (also known as Access Control Service or ACS) is a cloud-based service that provides an easy way of authenticating and authorizing users to gain access to your web applications and services while allowing the features of authentication and authorization to be factored out of your code. Instead of implementing an authentication system with user accounts that are specific to your application, you can let ACS orchestrate the authentication and much of the authorization of your users. ACS integrates with standards-based identity providers, including enterprise directories such as Active Directory, and web identities such as Windows Live ID (Microsoft account), Google, Yahoo!, and Facebook.
This blog provides details steps on how to set up ACS.
This article explains how to use ACS in ASP.NET MVC.