This blog is set in two parts. The first describes the process of setting up an Azure Active Directory multitenant on Azure, and the 2nd part describes how to integrate with a Blazor WASM application.
The source code for this blog is available here.
Why multi-tenant?
Allows absolutely anyone to use your app as long as they have authenticated using Azure Active Directory. The user doesn’t need to be in your directory, just some directory.
Note that this doesn’t restrict who can access your application, nor what they can do once they’ve signed in. It just ensures you know the person using your application has gone through the necessary sign-in process on Azure Active Directory.
Enable Active Directory as a resource provider
This only needs to be enabled once per subscription, it allows your subscription to use Azure Active Directory as an identity provider.
- Sign into https://portal.azure.com
- Select your subscription
- In the menu on the left hand side (Left menu) select
Resource providers
- Click
Microsoft.Azure.ActiveDirectory
- If its status is not
Registered
, clickRegister
at the top of the page
Set up Azure Active Directory multitenant
This will be the tenant that your app will be registered against. Your own company’s users may be registered in this directory, but users from any Active Directory will also be able to authenticate and use your application.
- From the Azure home page click
Create a resource
- Search for
Azure Active Directory
- Find the
Azure Active Directory
icon (NOT B2C) - Click the
Create
link at the bottom of the item - Click
Azure Active Directory
in the popup menu - For
Tenant type
selectAzure Active Directory
(NOT B2C) - Click
Next
- Enter an
Organization name
andInitial domain name
(e.g.MyOrg
andMyOrgInitialDomain
) - Select your
Location
- Click
Review + create
- Click
Create
Switch to your new directory
We now need to switch to the new directory in order to register your application.
- Click your user account icon at the top-right of the page
- Click
Switch directory
in the popup menu - Refresh your browser if your new tenant is not listed
- Click
Switch
next to your new directory in the list
Register your application
We now need to register some basic information about the application, such as what kind of application it is (web, single-page application) and what kind of directory may be used to sign into it.
- Click the three horizontal lines (burger menu) at the top-left of the page
- Select
Azure Active Directory
from the popup menu - In the left-menu, click
App registrations
- Click
New registration
at the top of the page - Give it a name (e.g. “MyApp”)
- For
Supported account types
selectAccounts in any organizational directory (Any Azure AD directory - Multitenant)
- Under
Redirect URI
selectSingle-page application (SPA)
for the platform - For the URI enter
https://localhost:6510/authentication/login-callback
- In the left menu, click
Overview
- Make a note of the value of
Application (client) ID
Specify the callback URI of your website
When our app asks AAD to authenticate the current user, the application will include a parameter in the URL specifying where it wants AAD to navigate to after the user has successfully authenticated. To prevent a malicious actor from providing a user with a link that will sign them in and then return their token to a malicious website where it is recorded, AAD requires us to record a list of valid call-back URLs. If the callback URI specified in the sign-in request is not listed, AAD will refuse to pass the token to it.
We’ve entered a callback URL for our development environment, but we need to also enter the official callback URL on the website the app will ultimately be hosted.
- In the left menu, click
Authentication
- Under
Single-page application
clickAdd URI
- Enter the login-callback URI of your app (e.g.
https://ibm.com/authentication/login-callback
) - Click
Save
Expose an API for your application
Although this section is called “Expose an API”, it does not actually expose an API for access via the Web. What it actually means is that we wish to identify and API that a user can have permission to access.
- Click the burger menu at the top-left of the page
- Select
Azure Active Directory
- In the left menu, click
App registrations
- Click your application in the list
- In the left menu, click
Expose an API
- At the top of the page, find
Application ID URI
and clickSet
- It will default to
api://{Application (client) ID}
, this ID is acceptable (NOTE:{}
denotes the value, e.g.d581756b-53b0-4957-820a-d6aa43fd69de
) - Click
Save
Add a scope to your API
Scopes allow different levels of access. For this tutorial we’ll only be adding a single scope access_as_user
.
- Click
Add a scope
- For
Scope name
enter a name you wish to use to identify the scope (e.g.access_as_user
) - For
Who can consent
selectAdmins and users
- ForĀ Admin consent display name enter
Read user's profile information
- For
Admin consent description
enterAllows the application to read the user's profile information
- For
User consent display name
enterRead your profile information
- For
User consent description
enterAllows the application to read your profile information
- Ensure
Enabled
is selected - Click
Add scope
Add permissions for your application to use your scope
We now need to link scopes to our app. This is a many-to-many relationship. We can create many scopes, and use them across many applications.
- In left menu, click
API permissions
- Click
Add a permission
- Click the
[My APIs]
tab at the top of the popup menu - Click your application in the list of items
- In the
Permissions
section ensureaccess_as_user
is checked - Click `Add permissions
Add permissions for your application to access additional user information
When the user accesses our application for the first time, AAD will show them a list of access permissions our application is requesting and ask them to confirm they consent to granting them. In this case, we are only interested in the user’s general information.
- In the same
API permissions
page, clickAdd a permission
- Select the
Microsoft Graph
item at the top of the popup menu - Click the
Delegated permissions
item in the popup menu - Ensure
email
andopenid
are both checked - Click
Add permissions
Finishing adding permissions
When you’ve finished the above steps, click the Grant admin consent for {Your organisation name} and then click
Yes`. Remember this step if you add any additional permissions in future.
Next steps
In the next part, we’ll go through how to create an ASP.NET hosted Blazor WASM application and configure it so both the client and API server use this AAD for authentication.
Comments