Skip to content

Azure Active Directory - Application

  • Applications in Azure AD are also known as application objects or service principals
  • Set up application objects under App registrations -> New registration
  • Roles can be defined for the application and then associated with the resources

Authentication as an Application

<ItemGroup>
  <PackageReference Include="Azure.Identity" Version="1.3.0" />
  <PackageReference Include="Azure.Storage.Blobs" Version="12.8.2" />
</ItemGroup>

private static string blob_url = "https://hvitoi.blob.core.windows.net/data/sample.txt";
private static string local_blob = "/data/sample.txt";
private static string blob_name = "sample.txt";

private static string tenantid = "tenantid"; // Default Directory ID
private static string clientid = "clientid"; // Application Client ID application
private static string clientsecret = "clientsecret"; // Application Client Secret
static void Main(string[] args)
{
  ClientSecretCredential clientCredential = new ClientSecretCredential(tenantid, clientid, clientsecret);

  Uri blobUri = new Uri(blob_url);

  BlobClient blobClient = new BlobClient(blobUri, clientCredential);

  blobClient.DownloadTo(localBlob);

  Console.WriteLine("Blob downloaded");
  Console.ReadKey();
}

Claims

  • Claims are the key-value pairs embedded in the jwt token (ID token)
  • Claims are used to configure additional information which is returned in one or more tokens

  • Claims are defined under Token configuration tab

  • Optional claims

  • Optional fields that will be part of the ID token
  • Example of optional claims: email, family_name, etc
  • Principal Name (logged on user name): X-MS-CLIENT-PRINCIPAL-NAME
  • Group claims
  • Fields related to the group in which the user/service is part of
  • A special group claim is the impersonated, this way the user receives all the scopes/roles from its group
  • Group claims are defined inn the user manifest in the field groupMembershipClaims
  • The all groupMembershipClaims returns all the group claims
  • Example of group claims: group id
{
  "optionalClaims": ["sid", "email"], // session ID + email
  "groupMemberShipClaims": "all"
}

API permissions

  • Default permissions that are granted to APIs
  • E.g., CosmosDB, Storage Account, Graph, etc

  • Default permissions can be configured under the Application/API permissions

  • Delegated permissions: Your application needs to access the API as the signed-in user (requires consent screen)

  • Application permissions: Your application runs as a background service or daemon without a signed-in user.

  • If you grant admin consent for default directory the consent screen will no longer appear and the application will directly get the permissions required

  • Graph API

  • API to fetch information about users and groups in Azure AD

  • By default the permission User.Read is defined for the Microsoft Graph API
  • This permission is the only one enabled by default. That means that if no other permissions are set up, the application will at maximum have access to the user profile information

Expose an API

  • Private APIs can be exposed to be consumed with an oauth token, just like any other resources (E.g., storage account, cosmosdb, etc)

  • Define custom scopes to restrict access to data and functionality protected by the API.

  • E.g., resource="api://88888888-4444-4444-4444-cccccccccccc"

App roles

  • App roles are custom roles to assign permissions to users, groups or apps
  • The application defines and publishes the app roles and interprets them as permissions during authorization
  • E.g., Courses.Read
  • The app roles appear in the manifest with the name appRoles
{
  "appRoles": [
    {
      "allowedMemberTypes": ["User"], // who can incorporate this role (user, group or app)
      "displayName": "Reviewer",
      "value": "Reviewer",
      "isEnabled": true
    }
  ]
}
  • Connection
public void ConfigureServices(IServiceCollection services)
{
  services.AddControllersWithViews();

  string[] scopes = new string[] { "api://88888888-4444-4444-4444-cccccccccccc/Courses.Read" };

  services
    .AddMicrosoftIdentityWebAppAuthentication(Configuration, "AzureAd")
    .EnableTokenAcquisitionToCallDownstreamApi(scopes)
    .AddInMemoryTokenCaches();

  services.AddRazorPages().AddMvcOptions(options =>
  {
    var policy = new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build();
    options.Filters.Add(new AuthorizeFilter(policy));
  }).AddMicrosoftIdentityUI();
}