Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Authenticate web application agains multiple azure ad?

Tags:

azure

azure-active-directory

I am thinking about developing in general a web application for enterprise. What i am thinking about is following scenario:

The application should be able to serve multiple customers (called multitenancy?). That means that multiple companies could use the software for their employees.

Each of them could have a own azure ad or maybe not. Therefore i would like to know if it is possible to authenticate against multiple/different azure ad's?

Lets assume that a user types in his email address [email protected] then i would try to authenticate him against the ad whihc is configured behind the companyA.com ad, when someone tries to login with [email protected] then i would try to authenticate against azure ad which is configured for companyB.com.

Is this possible? How could i do this?

like image 710
STORM Avatar asked Feb 18 '17 14:02

STORM

1 Answers

That is the exact reason why multi-tenant applications exist. So a user from any Azure AD can sign in to your application.

The way it works is like this:

  1. You define the application in your Azure AD tenant, including any permissions it might require (like ability to read data from the Azure AD Graph/access user's OneDrive through Microsoft Graph etc.)
  2. When defining the app, set it as multi-tenant.
  3. Now when a user from another organization tries to sign in to your app, they will be presented with a consent screen. This screen describes your application and the permissions it requires on their directory.
  4. Once they give their consent for the permissions the app requires, a service principal is created for the app in their directory. This principal is sort of like an account for the application that now exists in their directory.
  5. They will then be forwarded back to your app.

There are a couple important things to note on your app's side:

  1. You must redirect users to login at https://login.microsoftonline.com/common/oauth2/authorize instead of the tenant-specific endpoint.
  2. With OpenIDConnect middleware in ASP.NET MVC, you must turn off issuer validation, and do it a bit manually (you have to check the tenant has actually signed up before)

More about single vs multi-tenant: http://www.andrewconnell.com/blog/azure-ad-what%E2%80%99s-the-difference-between-single-vs-multi-tenant

Example multi-tenant app (ASP.NET MVC): https://github.com/Azure-Samples/active-directory-dotnet-webapp-multitenant-openidconnect

like image 130
juunas Avatar answered Oct 22 '22 18:10

juunas
Sign in to Comment

Related questions

Setting up a custom domain with an Azure Function app
Auto scale up/down Cosmos DB RU's
Azure Storage Explorer - Not showing "failed" queue items?
Azure Cosmos DB: HTTP 400 in Application Insights
Azure Databricks vs ADLA for processing
Can Azure-AD B2C use a mobile telephone number as a username?
32-bit legacy COM DLLs on Windows Azure
Dependency warning (WAT150) when deploying Azure project
Azure blob container shared access signature expiring
How can I shake relational database thinking for designing an azure table storage datastore?
TargetProfile gives No default service configuration error
Windows Azure Service Bus - BrokeredMessage.Properties with Enum Value
Unable to cast object of type System.Security.Claims.ClaimsPrincipal to type Microsoft.IdentityModel.Claims.IClaimsPrincipal
How to use EntityResolver with Azure Storage?
Azure webjob vs cloud service
How to disable RC4 cipher on Azure Web Roles
Azure Application Insights - Location Issue
Deploy to Azure using Storage Account created in new portal
Accessing Azure File Storage from Azure Function
Can you do in-place updating/upgrading of Azure VM Operating System?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!