Category Azure AD
Use Azure AD Access Packages to onboard users in an Azure DevOps project
This post looks at onboarding users into an Azure DevOps team or project using Azure AD access packages. The Azure AD access packages are part of the Microsoft Entra Identity Governance and provide a good solution for onboarding internal or external users into your tenant with access to the defined resources. Flow for onboarding Azure […]
Onboarding users in ASP.NET Core using Azure AD Temporary Access Pass and Microsoft Graph
The article looks at onboarding different Azure AD users with a temporary access pass (TAP) and some type of passwordless authentication. An ASP.NET Core application is used to create the Azure AD member users which can then use a TAP to setup the account. This is a great way to onboard users in your tenant. […]
Using multi-tenant AAD delegated APIs from different tenants
This post looks at implementing and using Azure AD multiple tenant applications from different tenants. A service principal needs to be created for the tenant using the multi-tenant API and consent needs to be given for the API scope. The API will accept tokens from different issuers which need to be validated. It is important […]
Implement the OAUTH 2.0 Token Exchange delegated flow between an Azure AD API and an API protected using OpenIddict
This article shows how to implement the OAUTH 2.0 Token Exchange RFC 8693 delegated flow between two APIs, one using Azure AD to authorize the HTTP requests and a second API protected using OpenIddict. The Azure AD protected API uses the OAUTH 2.0 Token Exchange RFC 8693 delegated flow to get a new OpenIddict delegated […]
Azure AD Multi tenant Azure App registration consent
This article looks at Azure Active directory and consent with multi-tenant Azure App registrations. Consent works different depending on the user type, the tenant policies and the required permissions. It is sometimes hard to understand why a user cannot login or where the consent has to be given for a specific Azure App registration which […]
Sharing Microsoft Graph permissions and solution Azure App Registrations
This article looks at using Microsoft Graph permissions in Azure App registrations and whether you should use Graph in specific Azure App registrations types and if it is ok to expose these with other scopes and roles. Is it ok to expose Graph permissions in public Azure App registrations? Using Graph with public applications As […]
Use multiple Azure AD access tokens in an ASP.NET Core API
This article shows how to setup an ASP.NET Core application to authorize multiple access tokens from different Azure AD App registrations. Each endpoint can only accept a single AAD access token and it is important that the other access tokens do not work on the incorrect API. ASP.NET Core Schemes and Policies are used to […]
Switch tenants in an ASP.NET Core app using Azure AD with multi tenants
This article shows how to switch between tenants in an ASP.NET Core multi-tenant application using a multi-tenant Azure App registration to implement the identity provider. Azure roles are added to the Azure App registration and this can be used in the separate enterprise applications created from the multi-tenant Azure App registration to assign users and […]
Force phishing resistant authentication in an ASP.NET Core application using Azure AD
This article shows how to force a phishing resistant authentication for an ASP.NET Core application using Azure AD and a conditional access policy which forces a phishing resistant authentication using a conditional access authentication context. The ASP.NET Core application forces this by requiring the acrs claim in the id_token with the value of c4 which […]
Implement the On Behalf Of flow between an Azure AD protected API and an API protected using OpenIddict
This article shows how to implement the On Behalf Of flow between two APIs, one using Azure AD to authorize the HTTP requests and a second API protected using OpenIddict. The Azure AD protected API uses the On Behalf Of flow (OBO) to get a new OpenIddict delegated access token using the AAD delegated access […]
Software Engineering 