
I have an ASP.NET MVC application with Identity 2 authentication that is deployed as an Azure App. What I am trying to do is use Azure Active Directory Authentication within this App so that users created in the Active Directory (this AD was created within the same subscription of Azure that the App resides on) can authenticate in the App.

With standard Active Directory I would use LDAP(S) protocol for authentication with Domain Controller but in Azure AD I was told to use ADAL library since LDAP protocol is not supported(?).

I have reviewed a number of implementations of ADAL but I am not sure of the exact flow of actions that need to be performed.
From the official GitHub repo I reviewed the AdalDesktopTestApp project and summed up the authentication mechanism as follows:

using System;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

class Program
{
    private const string ClientId = "1950a258-227b-4e31-a9cf-717495945fc2";
    private const string User = ""; // can also be empty string for testing IWA and U/P
    private const string Resource = "https://graph.windows.net";

    // The entry point must be "Main"; C# is case-sensitive and "main" does not compile.
    static void Main(string[] args)
    {
        // FileCache is the sample's TokenCache subclass that persists tokens on disk.
        var context = new AuthenticationContext("https://login.windows.net/common", true, new FileCache());
        RunAppAsync(context).Wait();
    }

    private static async Task RunAppAsync(AuthenticationContext context)
    {
        // Resource owner password credentials grant: the password is read from the console.
        Task<AuthenticationResult> authTask =
            context.AcquireTokenAsync(Resource, ClientId, new UserPasswordCredential(User, Console.ReadLine()));
        await FetchTokenAsync(authTask).ConfigureAwait(false);
    }

    private static async Task FetchTokenAsync(Task<AuthenticationResult> authTask)
    {
        // Use the awaited result rather than blocking on authTask.Result.
        AuthenticationResult result = await authTask.ConfigureAwait(false);

        Console.BackgroundColor = ConsoleColor.DarkGreen;
        Console.WriteLine("Token is {0}", result.AccessToken);
        Console.ResetColor();
    }
}

What does ClientId become in case of running this code from an Azure App?

Do the Resource variable and AuthenticationContext's first parameter "https://login.windows.net/common" remain the same in my case? How do I specify the name of the Active Directory Domain I have created within the Azure? Is this the correct flow of actions when authenticating using user accounts that were manually created within the Azure AD?


Yeah, LDAP is not supported. You need to use OAuth / OpenID Connect, which are made easier with ADAL or MSAL (this is newer and works with the v2 endpoint).

Client id is the id of your registered application in Azure AD. It is also referred to as application id sometimes. The Resource identifies what you want to call. The resource in the sample is the identifier for Azure AD Graph API. You'd use e.g. https://graph.microsoft.com for the newer Microsoft Graph API. The access token you acquire is only valid for that API. Note that MSAL / v2 does not use a resource, instead it uses scopes.

The URL with "common" is your authority. This says what accounts you want to allow to log in to your app. Common allows users from any Azure AD tenant to log in to your app (your app needs to be multi-tenant then as well). If you want to support only a specific Azure AD tenant, specify it as https://login.microsoftonline.com/your-aad-tenant-id. To keep it multi-tenant, set it as https://login.microsoftonline.com/common.

You are using the less secure resource owner password credentials grant flow in the app. You should use overloads that pop up a Web browser that allows the user to log in properly. In your app, users with MFA will be unable to log in, for example.


4 Comments

Thank you for the answer. So the tenant id is how my specific active directory is identified in Azure during this authentication mechanism? Regarding the Web browser popping up, this code will become part of an ASP.NET MVC website that already has a login form; I assume you meant in this particular WinForms example(?). The only users I want to be able to log in are the accounts I have created within my Azure AD. Is my workflow still less secure in this case?
Yes, that is the unique identifier for your directory. MVC needs to be configured differently, and there are samples for it. In there we use redirects to authenticate the user. I would strongly advise you don't build your own login form. Like I said, MFA doesn't work, users with expired passwords can't log in, guest users may be unable to log in. It is also a bad practice to handle user passwords.
Understood. Could you please point me to a specific sample for a MVC website that integrates this particular authentication flow?
github.com/Azure-Samples/… this one is for asp.net MVC. There are also newer samples for asp.net core. The sample here is configured to use the common endpoint, you'd want to change common to your tenant id.
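The redirect-based MVC configuration the answer and comments describe, written as an added example rather than code from the answer or the linked Azure sample: an OWIN Startup that sends users to a single-tenant authority (your tenant id instead of "common") and a controller action that triggers the redirect instead of collecting a password in your own form. The client id, tenant id and redirect URI are placeholders you replace with the values from your app registration.

```csharp
// Added example (not from the answer or the Azure-Samples repo).
// Assumes the NuGet packages Microsoft.Owin.Security.OpenIdConnect,
// Microsoft.Owin.Security.Cookies and Microsoft.Owin.Host.SystemWeb.
using System.Web;
using System.Web.Mvc;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    // Placeholders: take these from your Azure AD app registration and directory.
    private const string ClientId = "<application-id-from-app-registration>";
    private const string TenantId = "<your-aad-tenant-id>";
    private const string RedirectUri = "https://localhost:44300/";

    // Tenant-specific authority: only accounts from this directory can sign in.
    // "https://login.microsoftonline.com/common" would accept any Azure AD tenant.
    private static readonly string Authority = "https://login.microsoftonline.com/" + TenantId;

    public void ConfigureAuth(IAppBuilder app)
    {
        // The OpenID Connect middleware signs the user into this cookie after the redirect.
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        // The middleware validates the id_token (signature, audience, issuer) itself;
        // the app never sees the user's password, so MFA and password policies keep working.
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = ClientId,
            Authority = Authority,
            RedirectUri = RedirectUri,
            PostLogoutRedirectUri = RedirectUri
        });
    }
}

public class AccountController : Controller
{
    // Replaces a custom login form: issue a challenge and let Azure AD collect credentials.
    public void SignIn()
    {
        if (!Request.IsAuthenticated)
        {
            HttpContext.GetOwinContext().Authentication.Challenge(
                new AuthenticationProperties { RedirectUri = "/" },
                OpenIdConnectAuthenticationDefaults.AuthenticationType);
        }
    }
}
```

The redirect URI must match one registered on the app exactly, or Azure AD rejects the authorization request.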
