After implementing the integration of Azure Active Directory and some other could applications like Salesforce, and syncing On-Premise Active Directory data by using Azure AD Connect, now I could auto login Salesforce and other cloud apps with Single Sign-On by using the credentials I used for desktop logon, but I still need to key in the credentials once when accessing Azure Applications page (Azure Portal).
Is there any configuration in Azure I can change to support auto-login by using the Windows credentials, so that once I log into my encrypted machine, I could auto login the Azure Applications page (the Azure portal) without key in password again? If Azure does not support no sign-on, what's the best way to do some development to support no sign-on?
Any post or suggestion will be appreciated!
You can always try to authorize users using Graph API. Maybe this will be helpfully: https://github.com/devkimchi/Graph-API-App-Only-Web-API-Sample
I had a similar issue when using ADFS for federated identity and the following article helped, not sure if it applies to Azure AD Connect but it might give you some useful info.
https://support.microsoft.com/en-us/kb/2535227
Thanks thedev and dawidr for your reply.
Finally I found a solution which might achieve the No Sign-On. AAD supports federation authentication, so just try to integrate the ADFS and AAD by using Azure AD Connect to implement the federation identify with On-Premise AD, then no more password key-in when accessing the Azure Applications. I don't have a proxy server with public IP so it's just a solution in my mind without verification.
Related
I have an Azure DevOps server on-premises and I have written a small application that simply queries its API to get information from the Azure server. There is no authentication at the user level, since the application only displays information and does not POST/PUT/DELETE.
To query the API, I have used my PAT (personal access token), but this is not ideal. I have read that on the cloud version of Azure, you can just register the application to do it, but I have not found the same functionality for the on-premises version.
Am I missing something? Is the only alternative creating a technical user on the LDAP and get a PAT for it?
Is the only alternative creating a technical user on the LDAP and get
a PAT for it?
Yes, you are right.
Authorize access to REST APIs with OAuth 2.0
So 'App auth' is only supported in Azure DevOps Services (VSTS), not supported in Azure DevOps server (TFS).
If I use a Personal Access Token, I can access all Azure DevOps REST APIS by including the PAT in the header. This works great from NodeJS, PowerShell and curl, but I want to do the same thing from JS running in a web-browser, without any server-side code. Just purely from the JS in the browser.
Now, I could prompt the user to enter their PAT and store it in local storage, but I'd rather not do that. Instead, I'd like to prompt the user to log in and get a token that way. Microsoft has the MSAL library to do that, and they have sample code on how to do this from JavaScript in the browser. Unfortunately, for some reason, they require that you also create an Azure AD Tenant along with a client ID. I don't want to use Azure cloud for anything. I just want my users to access an existing company Azure DevOps server. As I said I can already access these resources using a PAT that the user has to create from the portal themselves. I want to avoid that step and have them log in to get a token. Seems simple enough. Am I missing something?
Why is a tenant even needed for this?
From the doc: https://github.com/AzureAD/microsoft-authentication-library-for-java/wiki
Before using MSAL4J you will have to register your applications with
Azure AD.
In conclusion, to use MSAL to connect to Azure DevOps from vanilla JS in browser, you need to register your App with Azure AD first to acquire the client ID for authorization.
I would like to run frontend end to end test from an azure devops pipeline, the website requires login using azure ad.
Unfortunately it is not easy to automate the login (sometimes involves sending code via email).
I tried using oauth and jwt tokens, but for some reason my app authentication does not recognize it when deployed to azure website.
What is the best way to have access to login protected website from azure pipeline?
Thanks
I think using an orgnization wide AD account is not secure, especially you're in a public cloud, that's why Azure provides a life-time limited project scope account. If you really want to use AD account, save its credentials in Azure Key Vault, then during the pipeline time, retrieve the credentials by the default project scope token, then you can do anything you want with the credentials.
I don't have a lot of experience regarding this, but I've done something similair using a Service Principal or Managed Identity.
I tried using oauth and jwt tokens, but for some reason my app authentication does not recognize
After a while I actually figured out that there was an identity provider configured, and there was kind of double authentication configured. After removing the jwt token started working perfectly.
In any case thanks a lot for your answers!
looking at "Authorize access to REST APIs with OAuth 2.0" at https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/oauth?view=azure-devops
An Azure DevOps organization is connected to an Azure Active Directory tenant
-> let's call it 'devops-ad-tenant'.
A user has an Active Directory Home Tenant
-> let's call it 'user-ad-home-tenant'.
A user can be a guest user withing another Active Directory Tenant
-> let's call it 'user-ad-guest-tenant'.
If the 'devops-ad-tenant' is equal to the 'user-ad-home-tenant', everything works out fine.
If the 'devops-ad-tenant' is equal to the 'user-ad-guest-tenant', the OAuth flow succeeds, but the flow happens within the context of the 'user-ad-home-tenant' and this user is from a Azure DevOps perspective not the user from 'user-ad-guest-tenant'.
I am having trouble to use something like a "domain_hint" when initiating the OAuth flow.
Any thoughts?
This behavior of get the token is used for the home directory is by design since the customer may be as guest for multiple Azure Active Directories. And as the document you shared for the Azure DevOps OAuth authentication, currently there is no such option to choose which directory for the usage of token acquired.
If you want Azure DevOps support this feature, you can submit the feedback from Develop Community - Azure DevOps.
I managed to get along with a work around...
My application uses an Azure AD multi-tenant appRegistration for authentication.
When the user logs in at my application, the OAuth flow for Azure DevOps is started.
To set the Azure AD tenant for the OAuth flow for the Azure DevOps organization
use a clean browser session, no cookies etc.
log into https://aex.dev.azure.com and select the Azure AD tenant 'user-ad-guest-tenant' for Azure DevOps organization
duplicate that tab
enter the url for my application
the OAuth flow happens within the context of 'user-ad-guest-tenant'
this is really inconvenient... but a work around... besides I am still investigating why this is working...
Im kinda new to Windows server, but have been checking out Microsoft Azure and like the IaaS.
Just a question about SSO verse Azure Active Directory Sync.
Im moving my infrastructure into Azure, my base is a AD server, "dirsync" or AD FS server and a few web servers etc. We use Google Apps for Email, Calendar and Drive.
So I see that there are two ways to keep my AD directory and Azure directory in sync. SSO and Azure Active Directory Sync.
If I use Azure Active Directory Sync and not setup AD FS on a server with SSO, will I still be able to use SSO with my Azure Directory to Apps the Microsoft have in the Azure portal?
The only reason I would need a AD FS server if I had Apps/Services on site that I wanted to use SSO with, correct?
I plan to run, kayako and CrashPlan in two VM's in Azure. Both will use LDAP/AD for usernames/password authentication. But would be cool to get SSO for both webapps so employees can sing-on via the myapps.microsoft.com portal.
The two ways are DirSync and AAD Sync. Refer: Synchronization Previews Now Available for Microsoft Azure Active Directory.
Sync = Same Sign On between on-premise and cloud
Sync + ADFS = Single Sign On between on-premise and cloud
Update
myapps.microsoft.com is for third-party vendors like SalesForce who have asked Microsoft to add them as a SaaS application to AAD. It's not for company specific apps.
For company specific apps., you need ADFS as above.
Having done that, if your user SSO's into your app. and then wants to use e.g. SalesForce, they won't have to login again.