Reputation: 1803
We are writing an on-premise, customer-facing web application (.NET/MVC) but want to use Azure AD as the authentication method for security reasons and also for possible future reasons. The web app will (possibly) be using forms authentication and authenticate in the controller.
We want to be able to let the customer use any email address they wish.
Is this possible? When I go to manually add someone to Azure AD I can't add someone using [email protected]. We don't want to assign users email addresses in our domain.
Gina
Upvotes: 1
Views: 1780
Reputation: 3551
You should have a look at Azure B2C (Business 2 Consumer) https://azure.microsoft.com/en-us/services/active-directory-b2c/
This enables you to create a separate AD for external users, allowing them to register and sign up with their own email address.
This will also enable new features like Multi-Factor Authentication for your external users. Also, it will let you store extra properties for each user (like customer ID, address, etc.).
Upvotes: 3
Reputation: 15042
I don't think this is possible. Azure AD and Forms auth are not designed to work together. You are supposed to pick one or the other.
As for custom email addresses with Azure AD, you can use either email addresses in your domain or you can add Microsoft accounts as guest accounts (e.g. [email protected], [email protected], [email protected], etc.). It's not possible to use arbitrary email addresses with Azure AD.
Based on your requirements, it sounds like Forms auth is the way to go.
Upvotes: 1
Reputation: 2258
If you use Azure Web Apps, which supports ASP.NET MVC then you can use the Azure Active Directory authentication mechanism. Here is a blog post describing how to set it up: https://azure.microsoft.com/en-us/documentation/articles/app-service-mobile-how-to-configure-active-directory-authentication/
Once you have that, auth will be enabled for your app and you can configure the AAD app in the portal. See this blog post for more details: http://blogs.technet.com/b/ad/archive/2014/12/18/azure-active-directory-now-with-group-claims-and-application-roles.aspx
To modify the permission levels, you should be able to use role claims. See this example for guidance: https://github.com/Azure-Samples/active-directory-dotnet-webapp-roleclaims
Unfortunately, you can't use any email address you wish. You're going to have to associate the email addresses with the domain or you can use a Microsoft account (i.e. an @hotmail.com address).
If this is too complicated, you could just use forms authentication for ASP.NET, which would allow you to use any email you wish. Here is an example: http://www.codeproject.com/Articles/601687/ASP-NET-MVC-Forms-Authentication-Customized
Upvotes: 2