I have an existing App Service in XYZ tenant. Previously my API was in XYZ tenant and using that App Service of same Tenant, now I have moved my API from Azure AD of XYZ Tenant to azure AD B2C of ABC Tenant. can I use existing App Service of a different Tenant(XYZ) in this scenario to publish the API. Can App Service be a multi-tenant.
Thanks!!
Per my understanding your app service which hosting your APIs is under subscription of XYZ tenant and use Azure AD App in this tenant to auth your APIs. And now you want to use Azure AD B2C App in another tenant(ABC tenant) to protect your APIs .
Yes, of course you can do that.You can use Azure AD apps belongs to other tenant(including Azure AD b2c tenant) to protect your APIs hosted on App Service . Which Azure subscription that your App Service belongs to just means you will be charged on that subscription, it has nothing to do with the business logic with your code on app service.
If you want to do so , at the code level , there will be some differences compared to using Azure AD applications if you use Azure AD b2c applications to protect your APIs .
This sample page will be helpful for you to modifying your codes : https://learn.microsoft.com/en-us/azure/active-directory-b2c/code-samples
If you want to design your APIs as multi-tenant by Azure AD b2c, this doc will be helpful : https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-commonaad-custom
If there is anything unclear , pls feel free to let me know and if my suggestion is helpful , pls mark me :)
Related
I am planning to move some of my applications from AzureAD authentication to Azure B2C. I have an existing Azure AD Tenant that has a custom domain assigned and verified and I use this for all of my internal Office 365 and AzureAD authenticated applications. I do not want to change any of this as it is working well.
I then created an Azure B2C tenant using the instructions provided here https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-tenant. That also worked and I have been able to register applications and create sample Flows.
However, I now want to assign a custom domain to the Azure B2C tenant and I would like to use the same domain that I am using for my existing applications in the AzureAD tenant. I use subdomains on my web server to separate the various applications.
I used the instructions here to create the custom domain in my Azure B2C tenant and add the TXT record to my domain registrar. https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-domain?pivots=b2c-user-flow.
However, when I try to verify my domain, I get a message stating that
This domain has been previously configured on
[Azure Domain Prefix].onmicrosoft.com using an existing Azure AD or Office 365.
To verify this domain name, you will first need to remove the domain
name from the existing directory.
I tried adding the subdomain to the Azure B2C tennant, but understandably this "domain" was not able to be found in the verification step.
Does anyone know how I can get around this? My understanding is that I can't add the B2C functionality to an existing AzureAD tenant and I really don't want to move everything from my existing AzureAD tenant, nor create a new domain.
I have now worked out why I had this problem and will post an answer to help anyone else.
The issue was that I was trying to add my top-level domain to the Azure B2C instance. However, if I followed the instructions more closely, I would have seen that I should be registering login.[my-doimain].com.au. I found the following graphic from https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-domain?pivots=b2c-user-flow useful to understand B2C a bit better.
I want to setup google 2-legged OAuth using service account. Below is my requirement.
I have one G-Suite Admin account. Lets say googleclassroom.admin#xyz.com
I have created few courses using admin account.
Now I want to manage googleclassroom.admin#xyz.com classroom and its data using service account. How can I configured and setup service account and project in google cloud?
A bot is essentially a web API and so it can be hosted on any web service.
I am abit confused when one of the following approaches should be prefered over each other:
Option #1 Host a Bot on Azure Bot Service
Option #2 Host a bot as a plain PaaS Web API
Currently I am hosting my bot on a plain Azure PaaS App Services. It is working very well.
However, I expect there must be some advantages to hosting a bot on Azure Bot Service.
When I go through the documentations the following example shows how to Create an Azure Bot Service in Azure Portal, download its code, change it then deploy it again to the same Azure Bot Service:
https://learn.microsoft.com/en-us/azure/bot-service/bot-service-build-download-source-code?view=azure-bot-service-4.0
In contrast, the following example shows how to build a bot in Visual Studio and publish it to an Azure Web App:
https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-howto-deploy-azure?view=azure-bot-service-4.0
What are the advantages of hosting a bot on Azure Bot Service?
Is there any resource or article that contrasts the two options?
They are essentially the same thing under the hood. A bot is basically just an API endpoint so there are many ways to host you bot. If you create A bot service you get options to add other services from the creation page. Whereas if you just create a web app or app service you will have to manually add these things.
Creating a Web App Bot will allow you to all in one step create:
Bot Channels Registration
Choose a template to start with
Configure a Luis app
Add Azure Storage
Add application insights
I am develop a public Web API which will be used by number of external clients. In the past I have used HMAC for authentication and stored usernames and api keys in a database. We have more than 50 potential external client applications which will consume my API. The requirement from client point of view is, the authentication should be easy to implement, should support most of the web client/technologies (asp.net, angular, Node etc).
This time my organisation is interested in using Azure AD B2C. I am not sure if B2C is the right product for this usecase where external client application will use your API.
Does anyone have implemented azure-b2c in a same situation?? any sample app (API+Client)
B2C is about self service user registration, password reset, etc. with easy integration to things like Sign-in w/ Facebook (and many more IDPs (identity providers)).
Azure AD B2C is a cloud identity management solution for your web and mobile applications. It is a highly available global service that scales to hundreds of millions of identities. Built on an enterprise-grade secure platform, Azure AD B2C keeps your applications, your business, and your customers protected.
With minimal configuration, Azure AD B2C enables your application to authenticate:
Social Accounts (such as Facebook, Google, LinkedIn, and more)
Enterprise Accounts (using open standard protocols, OpenID Connect or SAML)
Local Accounts (email address and password, or username and password)
Sounds like Azure API Management is what you're looking for.
I am curious to know why we always need to register our CRM online instance on an Azure Active Directory in order to authenticate the Web API while accessing from outside CRM domain.
That is, for example, if I need to access CRM online instance through another website using CRM's Web API endpoint, then I must register my CRM instance to Azure Active Directory.
Though I am aware that, its a very nominal charge to create an Azure Active Directory, still I would need to subscribe to Azure even if I just want to perform some general research for CRM connectivity through Web API.
Why this is must? Are there any security considerations behind this?
Why can't we use the same authentication mechanism as we used to do with Organization service?
Any details on this will be much appreciated.
The CRM WebAPI uses OAuth2 and Azure AD is the only currently supported authentication platform to provide this (Windows Server 2016 will support OAuth2 for on-premise).
The Organisation service is a WCF service and as such uses SOAP for authentication and authorization. This is an entirely different technology stack that brings it's own set of problems, many of which the OAuth2 protocol tries to solve in this scenario.
Although you manage your CRM Online users through the Office 365 portal the underlying technology for these accounts is also Azure AD. Check if you can use this existing AD tenant created as part of your subscription rather than having to create another.
If you are using CRM online you already have aan Azure Active Directory. If you haven't already done so, you can signup for an Azure subscription and import the underlying AAD into your Azure subscription. You will need a credit card, but as far is I know using the Azure AD is free.