Azure B2C Custom Domain has been Previously Configured Using an existing Azure AD or Office 365 - azure-b2c

I am planning to move some of my applications from AzureAD authentication to Azure B2C. I have an existing Azure AD Tenant that has a custom domain assigned and verified and I use this for all of my internal Office 365 and AzureAD authenticated applications. I do not want to change any of this as it is working well.
I then created an Azure B2C tenant using the instructions provided here https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-tenant. That also worked and I have been able to register applications and create sample Flows.
However, I now want to assign a custom domain to the Azure B2C tenant and I would like to use the same domain that I am using for my existing applications in the AzureAD tenant. I use subdomains on my web server to separate the various applications.
I used the instructions here to create the custom domain in my Azure B2C tenant and add the TXT record to my domain registrar. https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-domain?pivots=b2c-user-flow.
However, when I try to verify my domain, I get a message stating that
"This domain has been previously configured on [Azure Domain Prefix].onmicrosoft.com using an existing Azure AD or Office 365. To verify this domain name, you will first need to remove the domain name from the existing directory."
I tried adding the subdomain to the Azure B2C tenant, but understandably this "domain" was not able to be found in the verification step.
Does anyone know how I can get around this? My understanding is that I can't add the B2C functionality to an existing AzureAD tenant and I really don't want to move everything from my existing AzureAD tenant, nor create a new domain.

I have now worked out why I had this problem and will post an answer to help anyone else.
The issue was that I was trying to add my top-level domain to the Azure B2C instance. However, if I had followed the instructions more closely, I would have seen that I should be registering login.[my-domain].com.au. I found the following graphic from https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-domain?pivots=b2c-user-flow useful to understand B2C a bit better.
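As an added pre-flight check (not part of the original post or Microsoft's tooling), the script below encodes the lesson of the answer: the apex domain is already verified in the existing Azure AD tenant, so the B2C tenant needs a dedicated subdomain such as login.example.com.au, and the TXT verification record must be published on that exact hostname. The "MS=ms..." TXT value format is assumed from Azure AD domain verification, and the DNS zone is constructed so the check runs offline.

```python
"""Pre-flight check for an Azure AD B2C custom login domain (added example)."""
from dataclasses import dataclass, field
import re

# Constructed DNS zone for offline use: hostname -> {record type: [values]}
CONSTRUCTED_ZONE = {
    "example.com.au": {"TXT": ["MS=ms11111111", "v=spf1 -all"]},
    "login.example.com.au": {"TXT": ["MS=ms22222222"]},
    "auth.example.com.au": {},
}

# Assumed Azure AD domain-verification TXT format: "MS=ms" followed by digits
MS_TXT = re.compile(r"^MS=ms\d{6,}$")


@dataclass
class CheckResult:
    ok: bool
    reasons: list = field(default_factory=list)


def check_b2c_domain(candidate: str, existing_tenant_domains: set,
                     zone: dict = CONSTRUCTED_ZONE) -> CheckResult:
    """Return why `candidate` would fail B2C custom-domain verification."""
    reasons = []
    host = candidate.strip().lower().rstrip(".")

    # 1. A domain already verified in another Azure AD tenant cannot be
    #    verified again in B2C; this is the "previously configured" error.
    if host in existing_tenant_domains:
        reasons.append(f"{host} is already verified in the existing Azure AD "
                       f"tenant; register a dedicated subdomain instead")

    # 2. The B2C login host should sit under a domain the organisation owns.
    parent = next((d for d in existing_tenant_domains
                   if host.endswith("." + d)), None)
    if parent is None and host not in existing_tenant_domains:
        reasons.append(f"{host} is not under any domain the organisation controls")

    # 3. The TXT verification record must exist on the exact hostname, not
    #    on the apex; a subdomain with no record fails verification.
    txt_values = zone.get(host, {}).get("TXT", [])
    if not any(MS_TXT.match(v) for v in txt_values):
        reasons.append(f"no MS=ms... TXT verification record found at {host}")

    return CheckResult(ok=not reasons, reasons=reasons)
```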

Related

set up MVC .NET application with Azure Connected Services

What we are trying to do is set up our MVC .NET application with Azure Connected Services within Visual Studio. We are trying to connect to the Existing Azure AD Application. We have the correct domain selected, and also the correct redirect URI
We need to be able to read directory data to determine user group but we don’t have client secret
This is the error we get
Make sure your existing Azure AD application is registered as:
Accounts in this organizational directory only (Devchat only - Single tenant) or Accounts in any organizational directory (Any Azure AD directory - Multitenant).
Other types are not supported to be updated in this case.
You can refer to this document to register an application for a quick test.

SonarQube Azure AD login does not place users in correct groups

I have set up Azure AD authentication on my SonarQube server as well as the corresponding app registration listed in Azure AD. The problem I am facing is that when I try to authenticate to the SonarQube portal using my Azure login, it logs me into the portal but doesn't place my account in the correct group!
My account is placed in the "sonar-users" default group when it should be fed into the other group which is named exactly the same as the group listed in Azure AD (as per the SQ documentation).
Has anyone experienced any issues similar to this? If so, did you manage to resolve it?
Have you checked that your app registration has the corresponding permissions to the AAD?
Sign in and read user profile
Read all users' basic profiles
Read directory data
https://github.com/hkamel/sonar-auth-aad Point 7

How to setup Azure web service for Dynamics 365

Good morning everyone,
My apologies if this post is too similar to this post:
Dynamics 365 and Azure integration
but I am struggling to understand exactly what is needed in order to setup a web service on an Azure server that is consumable by a Dynamics 365 plugin. Based on my research it appears that it goes as follows but I would like to see if any knows of a better guide.
1.) Construct the web service as normal on the Azure Windows Server.
2.) Register a proper DNS Domain name (friendly-name) and route it to the Azure server.
3.) Secure that Azure server/URL with a certificate.
4.) Call the web service from my C# Dynamics 365 plugin.
Is that everything or might I be missing something critical? Thank you!
4 might be an issue, given you want to use certificate based security, not sure that will work, you might need to use another mechanism, e.g. basic user name and password. Otherwise looks okay.
Plug-in isolation, trusts, and statistics
Web access
Sandboxed plug-ins and custom workflow activities can access the network through the HTTP and HTTPS protocols. This capability provides support for accessing popular web resources like social sites, news feeds, web services, and more. The following web access restrictions apply to this sandbox capability.
Only the HTTP and HTTPS protocols are allowed.
Access to localhost (loopback) is not permitted.
IP addresses cannot be used. You must use a named web address that requires DNS name resolution.
Anonymous authentication is supported and recommended. There is no provision for prompting the logged on user for credentials or saving those credentials.

Dynamics 365 Online Claims-based or Active Directory (through federation) authentication

I have implemented Azure Active Directory OAuth 2.0 authentication and now I have to implement Claims-Based and Active Directory authentication in Java for Dynamics 365 Online/On-Premise.
I'm following this topic: https://msdn.microsoft.com/en-us/library/gg334502.aspx and here it says that Dynamics 365 online supports the following authentication scenarios: Claims Based Authentication or Active Directory Through Federation.
The problem is that I don't know from where to start and what configurations have to be done. I've played with azure portal and with the dynamics 365 online admin panel, but just can't figure out what I have to do :).
Can I use some info from https:// login.microsoftonline.com//FederationMetadata/2007-06/FederationMetadata.xml to perform such authentications?
Do I need to install a local Active Directory server?
I highly recommend looking through some Azure AD samples on how to set up OAuth 2.0 to various Microsoft services. The dev landing page has tons of great samples. Here is the Java sample.
If you're trying to sign in purely Azure AD users to access some resources, then this is pretty straightforward. You'll want to register an app in the Azure Portal, set up all the delegated permissions and app configs necessary (the sample will help with this), then use the ADAL library to perform the OAuth 2.0 flow. This flow will return tokens that can be passed to whatever service you requested access to, in the form of HTTP requests.

Why is it mandatory to use Azure Active Directory for accessing CRM online instance through Web API from outside CRM?

I am curious to know why we always need to register our CRM online instance on an Azure Active Directory in order to authenticate the Web API while accessing from outside CRM domain.
That is, for example, if I need to access CRM online instance through another website using CRM's Web API endpoint, then I must register my CRM instance to Azure Active Directory.
Though I am aware that it's a very nominal charge to create an Azure Active Directory, I would still need to subscribe to Azure even if I just want to perform some general research on CRM connectivity through the Web API.
Why is this a must? Are there any security considerations behind this?
Why can't we use the same authentication mechanism as we used to do with Organization service?
Any details on this will be much appreciated.
The CRM WebAPI uses OAuth2 and Azure AD is the only currently supported authentication platform to provide this (Windows Server 2016 will support OAuth2 for on-premise).
The Organisation service is a WCF service and as such uses SOAP for authentication and authorization. This is an entirely different technology stack that brings its own set of problems, many of which the OAuth2 protocol tries to solve in this scenario.
Although you manage your CRM Online users through the Office 365 portal the underlying technology for these accounts is also Azure AD. Check if you can use this existing AD tenant created as part of your subscription rather than having to create another.
If you are using CRM Online you already have an Azure Active Directory. If you haven't already done so, you can sign up for an Azure subscription and import the underlying AAD into your Azure subscription. You will need a credit card, but as far as I know using the Azure AD is free.