How to configure Azure AD authentication for an on-premise web app
i need help to configure the Azure AD authentication for an existing on-premise web application (ASP.NET MVC). Each client has its own installation (own database and own server).
What we want to do:
- give the possibility to use the Microsoft account to login to application (many clients manage company accounts with Microsoft Azure AD)
- minimize customer configuration
Our idea is to proceed in this way:
- register a multi-tenant application in our Azure AD enabled to support all account types (organizations and privates)
- use these parameters to connect the web app:
- client ID: id of the application in our Azure AD
- instance: https://login.microsoftonline.com/
- tenant ID: common
Expected result:
- clients can login with their own Microsoft account: the AAD application support all account types
- after credentials validation, Azure creates a service principal to the client Azure with all the rules neeeded to read the user info
- no security problems: the AAD application is in our Azure but the security principal lives in the client Azure (each on-premise web app installation creates a security principal, if used)
Questions:
- Is the right way to proceed?
- How can we configure the redirect url parameter? We need to redirect the user to the home page of the web app but the url is different for each installation.
Yes, you are right. To support all Account types, create an Azure AD Multi-Tenant Application like below:
To read the user information, grant the API permission:
How can we configure the redirect url parameter? We need to redirect the user to the home page of the web app but the url is different for each installation.
You can set Dynamic redirect URL in Azure AD but it doesn't support the Application registered as Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts. Refer Microsoft Q&A by AmanpreetSingh-MSFT and this MSDoc.
Hence, you can add multiple static redirect URIs in the Authentication tab like below:
To authenticate the users, you can make use of below authorize endpoint:
https://login.microsoftonline.com/common/oauth2/authorize?
&client_id=ClientID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=https://graph.microsoft.com/User.Read
&state=12345
Once, the other tenant user consents, the auth-code will be generated like below:
Now, this MultiTenantApp will be registered as Service Principal in the user's tenant:
I generated the access token by using below parameters via Postman:
https://login.microsoftonline.com/common/oauth2/v2.0/token
client_id:ClientID
grant_type:authorization_code
scope:https://graph.microsoft.com/User.Read
code:code
redirect_uri:https://jwt.ms
client_secret:ClientSecret
By using the above access token, one can able to fetch the signed in user details:
https://graph.microsoft.com/v1.0/me
- A way of properly handling HttpAntiForgeryException in MVC 4 application
- filter file upload for only text files
- Paging, sorting, searching on Ajax View in asp.net mvc
- System.Web.Http is missing after a .NET 4.5 upgrade
- Resx file default 'internal' to 'public'
- Include both COUNT(*) and Sum(X) in a single async query Entity Framework
- ASP.NET MVC : Owin external login returns redirect inside the login popup
- How to link HTML5 form action to Controller ActionResult method in ASP.NET MVC 4
- VS 2022 ASP.Net Core MVC Simple Bootstrap Menu Not Working
- Process.Start(...) Suddenly Fails when Called by ASP.NET MVC 5 Running in IIS on Windows 10 and Windows Server 2019
- IIS 7.5 only shows directory list or 403 instead of ASP.NET Application
- RedirectToAction with parameter
- How to validate CNIC no in mvc by regular expression
- How do I encrypt URLs in ASP.NET MVC?
- Authentication Conflict Between Two ASP.NET Apps on the Same Server Using Nginx
- Multiple Authorization attributes on method
- Replace AuthenticationHandler for integration tests
- Display enum descriptions inside razor views
- Illegal characters in path error when reading xml file
- Is it possible to use Razor View Engine outside asp.net
- is it posible to upload directly to remote server using SFTP on ASP.net MVC
- How to view ViewBag content while debugging in Visual Studio?
- row counter in mvc index view can't generate number
- How to shorten a long url in HTML <a> tag
- Adding a controller factory to ASP MVC
- What should the view file/directory structure be in ASP.NET MVC?
- Asp.Net Core - simplest possible forms authentication
- creating dynamic views at runtime asp.net mvc
- Login Page with ASP.NET Core (MVC)
- Adding Admins using Seed data Asp.net core