Reputation: 458
I have an ASP.NET MVC 4.6 application and I want to be able to use an application identity to provide access to the Azure Graph API behind the scenes, but I want to use Azure AD users for my application's authentication and authorization.
The end goal is to be able to have a user initially register using Google, Facebook, or enter their own username. During this registration, my application would leverage the Graph API to create an Azure AD user behind the scenes.
Once registered, if the user logs on using Google, Facebook, or their own username, it will look up against the Azure AD users to retrieve groups or roles.
Is this possible, or even a good idea? I'm open to other suggestions. Thanks!
Upvotes: 0
Views: 851
Reputation: 14356
This is possible. Azure AD recently released Azure AD B2C (business to consumer) to public preview. B2C will allow your users to sign up and sign in with consumer identity providers (e.g. Google, Facebook, etc.).
The sign up portion of this creates a special kind of user in Azure AD that has a reference to an identity in the consumer identity provider. The sign in portion of B2C allows users to authenticate with their corresponding identity provider, and that authentication is recognized in Azure AD.
The full documentation starts at: https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-overview/, and an ASP.NET MVC sample is at: https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-devquickstarts-web-dotnet/.
Alternatively, if you want to do your own, off the top of my head, the best you can do is to build a mechanism where you associate a "regular" Azure AD user with the corresponding social identity provider (e.g. maintain a lookup table). Your users would sign in to your app using each identity provider's protocol, and when they've done so, you "artificially" link them to the corresponding Azure AD users. From Azure AD's perspective, however, these users would not actually be authenticated, so at best, you'd be using Azure AD as a place to store users and groups.
Upvotes: 2
Reputation: 4448
Check out the new Azure B2C offering, in preview, which supports the exact scenario you are asking about out of the box.
Upvotes: 1