Steve Spencer's Blog

Blogging on Azure Stuff

Managing Application Access with Azure AD – Part 1

20. April 2020 steve Security, Azure App Service, Azure AD (0)

In my next series of blog post I want to talk about how to manage access to applications using Azure AD.

I’ve been looking at how I can set up access to my web based applications and I want to be able to:

  1. Have a single sign on with multiple applications
  2. Allow some users access to only some of the applications
  3. Be able to give access to users outside of my organisation
  4. Be able to control access via code

Part 1 will cover setting my applications up and then restricting access to the applications via Azure AD.

In order to test this I needed to have a number of applications that I could use. I used this example:

https://github.com/AzureADQuickStarts/AppModelv2-WebApp-OpenIDConnect-DotNet

It allows me to login and see my claims. I deployed this into two different app services so I could navigate to them separately. I’m not going to talk about the code on the web side apart from the bits you need to configure up the sample. This series of blogs are more about how to setup Azure AD and the path I went through to my end goal of configuring up users programmatically.

In order to integrate with Azure AD we need to set up each of the applications. This will provide us with an ID with which we can  use to configure each of the applications.

In Azure Portal navigate to Azure Active Directory, or search for it in the search bar

C portal-azure.com/#home Microsoft Azure p Search resources, services, and docs (G./) Azure services Create a resource Azure Active Directory SQL databases Azure AD Privileged. App registrations    C portal-azure.com/#home p activd Microsoft Azure Services Azure s Azure AD Privileged Identity Management -+ Activity log Azure Active Directory reso HDlnsight clusters e Monitor

Home > Default Directory I Overview O Default Directory I Overviev Azure Active Directory p Search (Ctrl 4/) O Overview Getting started Diagnose and solve problems Manage users Organizational relationships Roles and administrators Enterprise applications Devices App registrations Identity Governance    Home > Default Directory App registrations Default Directory I App registrations Active Search (Ctrl *

In the menu bar on the left select App Registrations –> New registration and complete the form:

Home ) Default Directory App registrations ) Register an application Register an application -k Name The user-facing display name for this application (this can be changed later). My New app Supported account types Who can use this application or access this API? @ Accounts in this organizational directory only (Default Directory only - Single tenant) O Accounts in any organizational directory (Any Azure AD directory - Multitenant) O Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox) Help me choose... Redirect URI (optional) We'll return the authentication response to this URI after successfully authenticating the user. Providing this now is optional and it can be changed later, but a value is required for most authentication scenarios. web v http /mynewapp.azurewebsites.net gy proceeding, you agree to the Microsoft Platform Policies Register

I've picked single tenant as I want to invite users using B2B. Now click Register

You need to copy the ID's needed for your web app:

Delete Endpoints O Got a second? We would love your feedback on Microsoft identity platform (previously Azure AD for developer). * Display name Application (client) ID Directory (tenant) ID Object ID My New app Supported account types : My organization only Redirect URIS : I web, O public client Application ID URI : Add an Application ID URI Managed application in My New app

Copy the Client ID and Tenant ID. Repeat this process for the next app. I've created two apps as I wanted to test limiting access to a single app and deny access to the second if the users has not been invited to it or added manually.

Now add these to the web.config in the sample app. There will be two settings for ClientId and Tenant. Make sure that the redirect url matches the url of the application you registered and redeploy. Repeat this for the second application.

If you navigate to the web apps and try and login, you may get an error as we haven't setup any users, although any users currently in your Azure AD should be able to login.

To give users access to your app. Go back to Azure Active Directory and this time select Enterprise Applications and click on the app you just created.

Home ) Default Directory > Enterprise applications All applications > My New app I Overview My New app I Overview Enterp•ise Application rvlew Diagnose and solve problems Manage Properties Owners Users and groups Provlston•ng Application proxy Splf_+ruire Properties O Name MN My New app Application ID Object ID Q) Getting Started

Click Users and groups

My New app I Users and groups Enterprse Applicat& + Add user Edit Remove p Update Credentials Overview O The application will appear on the Access Panel for assigned users. Diagnose and solve problems irst 100 shown, to search all users & groups, enter a display nami Manage Display Name Properties NO application assignments found Owners Users and groups provisioning

Click Add user

Home > Default Directory > Enterprise applications I All applications > My New app Users and groups > Add Assignment Add Assignment Default Groups are not available for assignment due to your Active Directory plan level. Users None Selected Select Role Default Access

Click None Selected, pick users from the list and click Select. These users have now been given access to your application. However, as I mentioned earlier all users who are part of your Azure AD currently are able to login to your web app, we need to now configure the app so that only assigned users can access it.

Click Properties in your enterprise application and set User Assignment required to yes and click Save. (repeat this for your other application)

Home Default Directory My New app I Enterprise Applicati'H Overview > Enterprise applications I All applications > My New app I Properties Properties Save Discard Delete Enabled for users to sign-in? O Diagnose and solve problems Manage properties Owners Users and groups provisioning Application proxy Self-service Security Conditional Access permissions Token encryption Name * (D Homepage URL G) Logo @ Application ID O Object ID O User assignment required? C) Visible to users? O My New app MN Select a file

Now only users who are assigned to your application can login. You can test this now. Go to the first application url and login with one of the users you assigned. Then go to the second app (you shouldn't have assigned any users just yet.) and login. This time you will get an error.

You can now assign users to the second application and the error should go away when you attempt to login.

We’ve now set up our applications in Azure AD and limited access to each application. In my next post I’ll show you how you can then add users from outside of your organisation to these applications.