SOLVED

Implementing IAM on apps

Copper Contributor

Hello,

My team is developing an app using Azure native, and I would like our users to use their Microsoft account (personal or work) to register with us and be able to use the app. I was wondering if anyone could point me in the right direction on how to implement that. I am looking for documentation, a reference architecture or something like that, not solutions.

Thanks a lot.

3 Replies

Hi @vasileios666

I have assumed that when you say Azure Native you are talking about an Azure App Service. Let me know if it is something different.

If you are deploying an Azure App Service you typically want to use OAuth or OpenID to authorize your user in the application by their AzureAD account.

To do this, you must register a new 'Application' in AzureAD. This provides the configuration to allow your Web App to authenticate and authorize your users. Against this Application Registration entry, you can create 'App Roles'. Finally, you can assign your users to these 'App Roles'. The App Roles are optional if you want to create finer-grained access levels in Azure AD.

When you configure this on your Azure App Service, you can either set it up in the portal (where every user accessing the App will first be routed to AzureAD to sign in), or you can leave your App as public access and configure an Identity Provider in your application code to protect specific portions of your site.

Shameless plug: I have a Udemy course on consuming Identity Providers if you decide to develop that within your app rather than just switching it on at the App Service resource level.

See:

Configure AzureAD Authentication - Azure App Services

How to add App Roles

Microsoft Identity Platform for Developers

Good luck,

Omar


Hi @omarmciver,

Thanks a lot for that! I don't want the consumption to be limited to the same Azure AD only but for any Microsoft account (personal, work or otherwise).

best response confirmed by vasileios666 (Copper Contributor)
Solution

Hi @vasileios666,

You can achieve this by following the same steps. While your app registration will need to be inside your own tenant, the scope of users it supports does not.

Here is a link to Sign in any Azure Active Directory user using the multi-tenant application pattern

There are a few tweaks to the config, but you basically use the /common endpoints instead of your tenant endpoints. That way it will work for any Microsoft account.

Here is an example of this in action.

You can also configure this with the no-code authentication and root authorization in the App Service:

(screenshot: omarmciver_0-1634910665238.png)

Many thanks,

Omar
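An added example (not code from this thread or from Microsoft's libraries) of the check that the /common endpoint introduces: tokens from a multi-tenant app carry a per-tenant `iss` claim, so the app derives the expected issuer from the token's own `tid` claim and then decides which tenants it admits. It assumes the ID token has already been signature-verified by your OIDC library and decoded into a dict; the app and work-tenant GUIDs are placeholders.

```python
ISSUER_TEMPLATE = "https://login.microsoftonline.com/{tid}/v2.0"
# Documented well-known tenant id that v2.0 tokens for personal accounts carry.
MSA_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad"


def expected_issuer(claims: dict) -> str:
    """Per-tenant issuer a token obtained via the /common authority must carry."""
    tid = claims.get("tid")
    if not tid:
        raise ValueError("token has no 'tid' claim")
    return ISSUER_TEMPLATE.format(tid=tid)


def is_personal_account(claims: dict) -> bool:
    """True for a personal Microsoft account, False for a work/school tenant."""
    return claims.get("tid") == MSA_TENANT_ID


def validate_multitenant_claims(claims, client_id, allowed_tenants=None):
    """Return the tenant id if the token is acceptable, else raise ValueError.

    allowed_tenants=None admits any tenant (what the question asked for);
    pass a set of tenant ids to restrict sign-in to known organisations.
    """
    if claims.get("aud") != client_id:
        raise ValueError("audience mismatch")
    if claims.get("iss") != expected_issuer(claims):
        raise ValueError("issuer does not match the token's tenant")
    if allowed_tenants is not None and claims["tid"] not in allowed_tenants:
        raise ValueError(f"tenant {claims['tid']} is not allowed")
    return claims["tid"]


# Constructed sample payloads (decoded, already signature-verified ID tokens);
# the app (client) id and work tenant id are placeholders, not real values.
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
WORK_TID = "22222222-2222-2222-2222-222222222222"
WORK_TOKEN = {"aud": CLIENT_ID, "iss": ISSUER_TEMPLATE.format(tid=WORK_TID),
              "tid": WORK_TID, "preferred_username": "alice@contoso.example"}
MSA_TOKEN = {"aud": CLIENT_ID, "iss": ISSUER_TEMPLATE.format(tid=MSA_TENANT_ID),
             "tid": MSA_TENANT_ID, "preferred_username": "bob@outlook.example"}

if __name__ == "__main__":
    print(validate_multitenant_claims(WORK_TOKEN, CLIENT_ID))  # any tenant admitted
    print(validate_multitenant_claims(MSA_TOKEN, CLIENT_ID, {WORK_TID, MSA_TENANT_ID}))
```

Validating `iss` against the single /common URL fails, because /common is only an authorization endpoint alias; the issued tokens always name the user's home tenant.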
