gsharp

Reputation: 71

How to secure a public REST API with Azure Active Directory without user interaction

I am working on a REST API that will be used by a number of clients in different organizations. To be more specific, a client application in an organization will connect to the REST API to exchange information. Multiple users can use this client application. Authentication should be handled by the client application in a way that there is no interaction with the user.

How can this be achieved with Azure Active Directory taking into account that:

  1. I would only like to create one AD user account per organization and not per user in that organization.
  2. A user of the client application should not be aware he is talking to my API, hence he should not authenticate.
  3. The client application should authenticate with the AD account that was provided to the organization.
  4. When an incoming call is received through the REST API, I should be able to identify the calling party.

The examples that are outlined here: https://azure.microsoft.com/nl-nl/documentation/articles/active-directory-code-samples/ never completely cover this scenario:

  1. In the daemon example there is no user interaction, but then I should create a key (secret) for every organization. This seems quite complicated to handle.

  2. In the other scenarios there is always user interaction.

  3. Authenticating with a username and password without user interaction is only supported in .NET: http://www.cloudidentity.com/blog/2014/07/08/using-adal-net-to-authenticate-users-via-usernamepassword/

Any guidance in pointing me to the right direction would be highly appreciated!

Upvotes: 3

Views: 316

Answers (1)

Will B

Reputation: 164

I think the question misunderstands the daemon model. In AAD, you create a single application with a single key and then a service principal is created per organization. You only need one key - and you can identify the calling organization by looking at the tid claim in the access token.

Upvotes: 1
