If I have an Office 365 Business plan, can I build an ASP.NET MVC and authenticate against Office 365 AD? or do I still need to create a separate AD on Azure and connect to it?
If you have an Office 365 account, you have an Azure Active Directory. When signing in to Azure, you'll have to make sure you choose to use your admin organizational account (and sign up for a free trial if you haven't yet done so). Once in the Azure portal, click on 'Active Directory' and you will see that you already have a directory.
Now, as far as MVC web application, check out the Azure Active Directory Samples on GitHub. Also be sure to look at some different scenarios which are documented on MSDN. In particular, I'd recommend looking at the WebApp-GraphAPI-DotNet which is a MVC application authenticating with OpenID Connect against Azure AD, and using this to query the AAD Graph API for details.
(Edit: updated links to new material.)
I would recommend you to get a azure enterprise account and you should federate your users to Azure AD and then register your MVC application with Azure Active directory to get single sign-on capability.
Related
We have a company web-site developed in ASP.NET MVC that currently allows our customers to login using login name and password. These customers are in our SQL Server database. The customers once logged in can use our services.
We would like to authenticate our customers using Azure Multi-Factor Authentication feature.
How can we implement Microsoft Azure Multi-Factor authentication in our use-case ?
Is it required that our website should be deployed on Azure App service.
Thanks,
Gagan
Take a look to this Add sign-in to Microsoft to an ASP.NET MVC web app.
Or
Configure your App Service or Azure Functions app to use Azure AD login for a simplified setup.
You don't need Azure Web Apps to enable MFA, you can enforce MFA using Conditional Access Policies or similar Azure AD features.
You can then add an Id column into your SQL database user table to store the Azure AD User Object Id (which you can obtain from his Azure AD token sub claim) as a reference for future operations.
I’m currently working on application built on ASP.NET MVC which uses Microsoft account (MSA) authentication. To implement a new requirement, during a flow (say on step 2) the application has to validate the user against Azure Active Directory (AAD) authentication for organization account (while MSA login should persist) to grant special privileges and move to step 3.
So during step 2 to 3 navigation, MSA authentication should not be logged out and user can be validated against AAD.
Is it possible to allow have concurrent logged-in via two different identity providers (MSA and AAD)?
It is not possible if you are suing Azure AD v1.0 endpoint. However, you can Azure AD v2.0 end point to implement. This document helps in Comparing the Azure AD v2.0 endpoint with v1.0 endpoint.
To build an app that accepts both personal Microsoft account (MSA), and work or school account (Azure AD) sign-in, you'll need to register an app with the Azure Active Directory (Azure AD) v2.0 endpoint. At this time, you won't be able to use any existing apps you may have with Azure AD or MSA - you'll need to create a brand new one. refer to this document to help on it - Quickstart: Register an app with the Azure Active Directory v2.0 endpoint.
You can also use Azure AD B2C and use custom policy to add MSA as Identity Provider. Refer to this document for details - Azure Active Directory B2C: Add Microsoft Account (MSA) as an identity provider using custom policies.
To access office 365 mails using Oauth, do I need Azure account?
Can't I use normal office 365 or exchange server account to create the application?
With Office 365, an instance of Azure active Directory is automatically provisioned for your O365 tenant. You need to setup an Azure account/subscription to access the AAD configuration via the Azure portal but you do not need to pay anything additional. Your O365 tenant admin will have access to the Azure portal.
To create an application that leverages O365 credentials for authentication, you must register your application with your AAD instance. There's lots of documentation on the Azure docs site, with samples and more detailed guidance.
I'm building a web portal where my customers can log in - pretty standard stuff.
Now I would like my customers to log into the portal by using their "own credentials".
The optimal solution would be that users could use one of the following:
Office 365
If they have O365 then just sign in with their own credentials. This scenario is covered by the OOTB VS template
On-premise ADFS
If the customer has an on premise ADFS then they should be redirected to that to sign in. (I know this needs configuration for both parties, buts that's ok)
None of the above
The customer does not have any of the above and therefore need a "local account". In this case I would like to use Azure AD B2C to store the credentials.
I can do all of the above, but I have never tried to do it all together in one site.
Therefore, is it at all possible and how should I be constructed?
And how would the login experience be?
I'm using OWIN.
Any advice would be helpful.
Thanks!
When you say "local". you mean in AAD?
Azure B2C allows non-federated (i.e. don't use ADFS) users to provision and then authenticate themselves.
However, such users are "outside" of the normal authentication flow and cannot use ADFS or have O365 licenses.
In terms of ADFS and O365, you need to set:
Convert-MsolDomainToFederated
as in Step-By-Step: Setting up AD FS and Enabling Single Sign-On to Office 365.
In future Azure AD B2C will add the ability for users to login using their 'Work Accounts'. Those are the accounts used for O365. If the respective tenants have setup federation with Azure AD, ADFS federation will also work.
Meanwhile, the old work around for you to get it to work is to have your application
1. handle multiple tokens. [Azure AD, Azure AD B2C, ADFS or other federations] by implementing each federation to get the tokens.
2. implement the idp selection screen on the application and federate to appropriate party.
I have developed MVC 5 application. Now i want to use Authentication for my application.
My end users are Employees and Customers and i want to authenticate Employees with Azure AD and customers with windows live id.
I have tried to use Azure ACS, but it will ask me whether i want to log in with Azure AD or Windows Live ID.
My requirement is as below.
Default URL is http://localhost:12973.
When Employees want to login then it will redirect to http://localhost:12973/employees and employees should redirect to Azure AD log in page
and for customers http://localhost:12973/customers and customers should be redirected to windows log in page
So how can i configure both Azure AD and ACS in single web config file?
Can anyone please help me how can i achieve both the requirements.
You need to setup Azure AD as an IdP for ACS to utilise and then switch your MVC app to only use ACS. Details on how to setup Azure AD as an ACS identity source can be found on Vittorio's blog.
In order to differentiate between the user types you would have to inspect the incoming claims and determine whether the user is in Azure AD (I assume employee) or elsewhere (customer). That would be your 'return URL' which would then do a 301 redirect to the correct landing page as per your requirements.
In the future Azure AD will be the right place to do all this stuff (including external IDs) so it might be worth revisiting your design and reading some of the recent advice around how to use Azure AD instead of ACS.
Alternatively your application can trust Auth0 and you can configure Microsoft Accounts (Windows Live) and Azure AD as connections in Auth0. The following sample shows how to use Azure AD with different social connections:
The big difference with ACS today is that Auth0 can also get the email address of users authenticating with a Microsoft Account.
Disclaimer: I work for Auth0.