Reputation: 51
Can I configure an Azure Web Application to not prompt for user consent?
I'm trying to add Azure Active Directory sign-on to a .NET application with existing "legacy" security (some of the users will use AD, others will use existing security). I'm invoking the Azure Active Directory sign-on process like this:
HttpContext.Current.GetOwinContext().Authentication.Challenge(new AuthenticationProperties { RedirectUri = "/myredirectpage.aspx" }, OpenIdConnectAuthenticationDefaults.AuthenticationType);
...and on the redirect page, I can read signed-in user info like this:
var x = HttpContext.Current.GetOwinContext();
This works, but it asks the user to consent to the app's request to read their profile. (Specifically it says "App X needs permission to sign you in and read your profile" and then if you click "Details" the organization and app publisher are shown to be the same).
My question is, is there any way to avoid this consent step? Can my domain admin "pre-assign" my application somehow to a subset of domain users? In Azure I have "co-administrator" access, but when I click on the "Users" tab it says "You do not have permission to manage this application."
Upvotes: 1
Views: 2351
Answers (2)
Reputation: 7394
An application can be pre-approved by a directory administrator through a specific consent flow, which we refer to as "admin consent" - take a look at the sign up controller in https://azure.microsoft.com/en-us/documentation/samples/active-directory-dotnet-webapp-multitenant-openidconnect/. Note that the application itself must offer this as a consent route, that's not something that an admin would do on its own. Also note that being an admin in an Azure subscription does not necessarily mean being an admin in a directory - I recommend looking up the user in the Azure AD management UX and see what directory roles are assigned. Regarding limiting consent to only a subset of users. Admins can set applications to require explicit user assignment - for a user to get a token for the app. If the application publishes application roles, the admin can even directly assign users to roles as a way of controlling access. Please refer to https://azure.microsoft.com/en-us/documentation/samples/active-directory-dotnet-webapp-roleclaims/ for a primer.
Upvotes: 2
Reputation: 51
Answering my own question - things worked when the global Azure administrator created the app instead of a co administrator. I did not have to run an admin consent process. It "just worked" and I can sign in using a domain account without consent prompts. Without consent prompt, I am now able to silently check a userid and password against Azure Active Directory and fall back to legacy authentication when that fails. Ended up using a native app and requesting graph.windows.net resource. The relevant ADAL.NET C# code is below:
UserCredential uc = new UserCredential(username, password);
string authority = "https://login.windows.net/common";
AuthenticationResult r = ac.AcquireToken("https://graph.windows.net/", MY_CLIENT_ID, uc);
// Pull user's guid from r, look up info in DB, continue...
This method will allow me to integrate Azure AD authentication into my app without changing the login page or requiring the user to enter their password more than one time.
Upvotes: 0
Related Questions
- Set app’s verified publisher (Azure AD B2C) so that it shows up as verified in the user consent prompt
- Azure AD authentication access without admin consent to application
- Azure AD admin consent error for user logging into app registration
- How to consent to an Azure Active Directory Enterprise App for Multi-Tenant Login without Publisher Approval during development?
- Azure Active Directory needs Admin Approval after setting prompt =consent
- Unable to revoke user permissions for an Azure application
- Azure AD Application not appearing in existing AD App list for an Azure web application
- Azure Developer User consent to app accessing company data
- Getting error for users "AADSTS90093: Does not have access to consent." after admin has granted consent