In my next series of blog post I want to talk about how to manage access to applications using Azure AD.
I’ve been looking at how I can set up access to my web based applications and I want to be able to:
- Have a single sign on with multiple applications
- Allow some users access to only some of the applications
- Be able to give access to users outside of my organisation
- Be able to control access via code
Part 1 will cover setting my applications up and then restricting access to the applications via Azure AD.
In order to test this I needed to have a number of applications that I could use. I used this example:
https://github.com/AzureADQuickStarts/AppModelv2-WebApp-OpenIDConnect-DotNet
It allows me to login and see my claims. I deployed this into two different app services so I could navigate to them separately. I’m not going to talk about the code on the web side apart from the bits you need to configure up the sample. This series of blogs are more about how to setup Azure AD and the path I went through to my end goal of configuring up users programmatically.
In order to integrate with Azure AD we need to set up each of the applications. This will provide us with an ID with which we can use to configure each of the applications.
In Azure Portal navigate to Azure Active Directory, or search for it in the search bar
In the menu bar on the left select App Registrations –> New registration and complete the form:
I've picked single tenant as I want to invite users using B2B. Now click Register
You need to copy the ID's needed for your web app:
Copy the Client ID and Tenant ID. Repeat this process for the next app. I've created two apps as I wanted to test limiting access to a single app and deny access to the second if the users has not been invited to it or added manually.
Now add these to the web.config in the sample app. There will be two settings for ClientId and Tenant. Make sure that the redirect url matches the url of the application you registered and redeploy. Repeat this for the second application.
If you navigate to the web apps and try and login, you may get an error as we haven't setup any users, although any users currently in your Azure AD should be able to login.
To give users access to your app. Go back to Azure Active Directory and this time select Enterprise Applications and click on the app you just created.
Click Users and groups
Click Add user
Click None Selected, pick users from the list and click Select. These users have now been given access to your application. However, as I mentioned earlier all users who are part of your Azure AD currently are able to login to your web app, we need to now configure the app so that only assigned users can access it.
Click Properties in your enterprise application and set User Assignment required to yes and click Save. (repeat this for your other application)