RannyMeier

Reputation: 75

Microsoft Identity AzureAD ASP.NET Core for Two Tenants only

We have an internal business Blazor Server app that is to be used by two Azure AD Tenants only. We have the following appsettings.json file. When the user authenticates we want to verify that the ID Token is from either of these two tenant IDs as a requirement to be Authorized. We can currently see the issuer in the initial ID Token context.User.Claims received after authenticating on either of the two Tenants. We tried to add the ValidIssuers list to the TokenValidationParameters. However, authorization from any tenant is still allowed, instead of just the two.

Now we are searching for a clue about where and how to include the issuer requirement for authentication. I have searched the Internet for a while now, and am unable to find an example specific enough to be confident about doing it correctly. I imagine this is simple for some people. Any direction is most appreciated. Best regards, Ranny

{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "xxxxxxxx",
    "TenantId": "organizations",
    "ClientId": "xxxxxxxxxxxxxxxx",
    "CallbackPath": "/signin-oidc",
    "SignedOutCallbackPath": "/signout-callback-oidc"
  },
  "AllowedIssuers": "xxxxxxxxxxxxxxxxxxxxxxxxxx,yyyyyyyyyyyyyyyyyyyyyyyyyy",
  "AllowedHosts": "*"
}

Startup.cs section:

services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"));

services.Configure<OpenIdConnectOptions>(options =>
    options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidIssuers = new List<string>()
        {
            @"https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxxxxxx/v2.0",
            @"https://login.microsoftonline.com/yyyyyyyyyyyyyyyyyyyyyyyyyy/v2.0"
        }
    });

Upvotes: 1

Views: 934

Answers (2)

RCS

Reputation: 104

In your code, you try to limit the allowed tenants by using:

ValidIssuers = new List<string>()
{
    @"https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxxxxxx/v2.0",
    @"https://login.microsoftonline.com/yyyyyyyyyyyyyyyyyyyyyyyyyy/v2.0"
}

This doesn't work because of how the issuer is validated in AadIssuerValidator.cs, and because the auth middleware adds https://login.microsoftonline.com/{tenantid}/v2.0 to the collection of valid issuers. The middleware adds the extra issuer here.

If an issuer in TokenValidationParameters.ValidIssuers contains the {tenantid} placeholder, then AadIssuerValidator will replace the placeholder with the actual tenant id that was used to sign in, and will compare it to the actual issuer. This comparison will return true, since you've used Azure AD to sign in, so the issuer will be of the form https://login.microsoftonline.com/{yourtenantid}/v2.0. Therefore, the issuer is always considered valid.

The key is that no matter what you set TokenValidationParameters.ValidIssuers to, signing in via Azure AD will be considered valid because of the extra valid issuer that the middleware added.

To truly restrict the auth to specific tenants, you need to add your own logic via the TokenValidationParameters.IssuerValidator approach, which is used in this example.

Upvotes: 0
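As an added example (not code from the question or from either answer), here is what the TokenValidationParameters.IssuerValidator approach looks like for a Blazor Server app using Microsoft.Identity.Web. It assumes two placeholder tenant IDs, that the app signs in against the v2.0 endpoint (issuer of the form https://login.microsoftonline.com/{tenantid}/v2.0), and that the Microsoft.Identity.Web, Microsoft.AspNetCore.Authentication.OpenIdConnect and Microsoft.IdentityModel.Tokens packages are referenced. Two points worth noting: a custom IssuerValidator delegate runs instead of the ValidIssuers list, so the middleware's extra {tenantid} issuer no longer matters; and the OpenIdConnectOptions must be configured under the scheme name, because the handler reads named options and an unnamed Configure<OpenIdConnectOptions>(...) call is not applied to the scheme.

```csharp
// Added example: restrict sign-in to two Azure AD tenants via a custom IssuerValidator.
// Tenant IDs are placeholders; replace them with your own tenant GUIDs.
using System;
using System.Collections.Generic;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;
using Microsoft.IdentityModel.Tokens;

public static class TenantRestriction
{
    // Hypothetical placeholder tenant IDs (real ones are GUIDs).
    private static readonly HashSet<string> AllowedTenantIds =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
            "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy",
        };

    // Matches the IssuerValidator delegate: return the issuer when valid,
    // throw SecurityTokenInvalidIssuerException otherwise.
    public static string ValidateIssuer(string issuer, SecurityToken token,
                                        TokenValidationParameters parameters)
    {
        if (TryExtractTenantId(issuer, out string tenantId) && AllowedTenantIds.Contains(tenantId))
        {
            return issuer;
        }

        throw new SecurityTokenInvalidIssuerException(
            $"Issuer '{issuer}' is not from an allowed tenant.")
        {
            InvalidIssuer = issuer
        };
    }

    // Parses https://login.microsoftonline.com/{tenantid}/v2.0 strictly:
    // https only, the known host only, and the tenant segment must be a GUID.
    public static bool TryExtractTenantId(string issuer, out string tenantId)
    {
        tenantId = null;
        if (!Uri.TryCreate(issuer, UriKind.Absolute, out Uri uri)) return false;
        if (uri.Scheme != Uri.UriSchemeHttps) return false;
        if (!string.Equals(uri.Host, "login.microsoftonline.com", StringComparison.OrdinalIgnoreCase)) return false;

        string[] segments = uri.AbsolutePath.Trim('/').Split('/');
        if (segments.Length != 2 || segments[1] != "v2.0") return false;
        if (!Guid.TryParse(segments[0], out _)) return false;

        tenantId = segments[0];
        return true;
    }

    public static IServiceCollection AddTwoTenantAuth(this IServiceCollection services,
                                                      IConfiguration configuration)
    {
        services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
            .AddMicrosoftIdentityWebApp(configuration.GetSection("AzureAd"));

        // Configure the *named* options for the OIDC scheme; this runs after
        // Microsoft.Identity.Web's own configuration and replaces its IssuerValidator.
        services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
        {
            options.TokenValidationParameters.ValidateIssuer = true;
            options.TokenValidationParameters.IssuerValidator = ValidateIssuer;
        });

        // Defence in depth: an authorization policy on the "tid" claim, so a page
        // protected with [Authorize(Policy = "AllowedTenant")] is checked again per request.
        services.AddAuthorization(options =>
        {
            options.AddPolicy("AllowedTenant", policy =>
                policy.RequireAssertion(ctx =>
                {
                    var tid = ctx.User.FindFirst("tid")?.Value;
                    return tid != null && AllowedTenantIds.Contains(tid);
                }));
        });

        return services;
    }
}
```

In Startup.ConfigureServices this replaces the AddAuthentication/Configure pair from the question with `services.AddTwoTenantAuth(Configuration);`. A token from any other tenant now fails at the OIDC callback with SecurityTokenInvalidIssuerException, which the handler surfaces as an authentication failure rather than a signed-in user.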

anon

Reputation:

We can restrict the users to specific/multiple tenants in the following ways.

1. Restrict Access by tenant location

While creating a user in a tenant, you can specify that he is not allowed to access any subscription or groups belonging to that tenant and the region you selected, by selecting "Yes" for the Block Sign In option.

2. Restrict Access by user domain id

  • Go to [Azure Active directory portal] - The Azure Active Directory admin center dashboard appears.
  • In the left pane, select Azure Active Directory. The Azure Active Directory overview page appears.
  • On the Overview page, select Tenant Properties
  • There you can give/restrict access to all the resources in that tenant for the user based on user's domain id (for ex: [email protected])


After doing these operations on tenant restrictions for users, if a user tries to access applications in which he/she doesn't have permissions, then they will get a message like this.

For more information, I hope this Microsoft documentation on tenant restrictions for users will help you.

Upvotes: 1
