asp.net-mvc, azure, saas

Authenticate internal and external users using Azure AD


I am working on a multitenant ASP.NET MVC application and want to use Azure AD for authentication. This application will be accessed by external users also. I have read on MSDN about how users external to the organization can access applications using Azure AD.

My question is, without integrating Azure AD with on-premise Windows Server AD, is it possible to create/maintain all users (internal AD (on-premise) users + external users) in Azure AD and not use on-premise AD? This is because only a few internal users will be using this application, but external users will also access it.


Solution

  • If you want your on-premises users to have a SSO experience and/or be able to use the same credentials in the cloud that they use on-premises, then you will have to integrate your Azure AD tenant with your on-premises Server Active Directory. You have two options for this.

    1. Directory Sync with Password Sync. This will store a hash of your on-premises users' passwords in Azure AD. The user would still get challenged to authenticate for cloud applications, but at least they would be able to use their same on-premises credentials.

    2. Directory Sync with Single Sign-On. This requires setting up ADFS on-premises, but has the benefit of a full SSO experience for the user. If the user is already authenticated on-premises then he/she wouldn't be challenged for credentials when accessing your cloud application.

    Going forward, keep your eye on the new AAD Sync tool. It will eventually replace DirSync with some added capabilities. There are a couple of blogs about it here and here.

    Back to your question, you could just create and manage your users solely in Azure AD. Since you said you only had a "few" on-premises users, perhaps this is more to your liking. Just realize that if you do, your on-premises users will have different sign-on credentials for on-premises and the cloud. However, option #1 (above) is super easy to set up and get working and is what I would recommend so that your few on-premises users have a good experience and you don't have to maintain them separately in Azure AD. If the number of on-premises users grows, then you already have something in place to support them without any extra work for you.
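Whichever of the directory options above is chosen, the ASP.NET MVC application itself still has to accept sign-ins from the internal tenant and from the external users' tenants. The following is an added example (not code from the question or the answer) of an OWIN startup class for a multi-tenant Azure AD sign-in using the `Microsoft.Owin.Security.OpenIdConnect` middleware. It assumes the 4.x package line (`Microsoft.IdentityModel.Tokens` / `Microsoft.IdentityModel.Protocols.OpenIdConnect` namespaces); the client ID and the tenant IDs are placeholders, and the `AllowedTenantIds` set is a stand-in for whatever store the app uses to record onboarded tenants. The security-relevant point it shows is that the `common` authority disables the single-issuer check, so the app must re-establish that check itself by validating the `tid` claim against tenants it actually trusts; otherwise any Azure AD tenant in the world can sign in.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

[assembly: OwinStartup(typeof(MultiTenantApp.Startup))]

namespace MultiTenantApp
{
    public class Startup
    {
        // Placeholder: the application (client) ID from the app's Azure AD registration.
        private const string ClientId = "<your-application-client-id>";

        // Assumption: tenants allowed to sign in (the internal organization plus each
        // external customer/partner). A real app would load this from its tenant store
        // at onboarding time rather than hard-coding it.
        private static readonly HashSet<string> AllowedTenantIds =
            new HashSet<string>(StringComparer.OrdinalIgnoreCase)
            {
                "<internal-tenant-id>",
                "<external-partner-tenant-id>",
            };

        // Claim type under which Azure AD exposes the tenant ID (tid) of the signed-in user.
        private const string TenantIdClaim =
            "http://schemas.microsoft.com/identity/claims/tenantid";

        public void Configuration(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions());

            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                ClientId = ClientId,
                // The "common" endpoint accepts users from any Azure AD tenant; this is
                // what makes the sign-in multi-tenant.
                Authority = "https://login.microsoftonline.com/common",
                TokenValidationParameters = new TokenValidationParameters
                {
                    // With "common", the token issuer differs per tenant, so the built-in
                    // single-issuer check cannot be used. Turning it off is only acceptable
                    // because SecurityTokenValidated below enforces the tenant allow-list.
                    ValidateIssuer = false,
                },
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    SecurityTokenValidated = OnSecurityTokenValidated,
                    AuthenticationFailed = context =>
                    {
                        // Stop the middleware from surfacing the raw exception to the user.
                        context.HandleResponse();
                        context.Response.Redirect("/Home/Error");
                        return Task.FromResult(0);
                    },
                },
            });
        }

        // Runs after signature/audience/lifetime checks succeeded; rejects users whose
        // tenant is not one the application has onboarded.
        private static Task OnSecurityTokenValidated(
            SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context)
        {
            Claim tenantClaim = context.AuthenticationTicket.Identity.FindFirst(TenantIdClaim);
            string tenantId = tenantClaim == null ? null : tenantClaim.Value;

            if (!IsTenantAllowed(tenantId))
            {
                throw new SecurityTokenValidationException(
                    "Sign-in from tenant '" + (tenantId ?? "<none>") + "' is not allowed.");
            }
            return Task.FromResult(0);
        }

        // Pure check kept separate so it can be unit-tested without OWIN.
        public static bool IsTenantAllowed(string tenantId)
        {
            return !string.IsNullOrEmpty(tenantId) && AllowedTenantIds.Contains(tenantId);
        }
    }
}
```

If the decision is instead to keep every user, internal and external, directly in the one Azure AD tenant (the "manage users solely in Azure AD" route in the answer), the `Authority` can point at that single tenant and `ValidateIssuer` can stay at its default of `true`; the allow-list callback then becomes unnecessary, because the middleware's issuer check already pins the app to that tenant.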