Im developing a web app in asp.NET core MVC, which objective is to be deployed to microsoft teams. I need to use Azure AD authentication. Azure authentication cannot be used inside an iframe, but microsoft has an available work around (https://learn.microsoft.com/en-us/microsoftteams/platform/tabs/how-to/authentication/auth-tab-aad) to authenticate users in teams tab, which I was able to implement and retrieve the access token.
My questions are:
-How do I tell to the server that a user is logged in?
-If a user is in browser, is it possible to have both teams tab and browser authentication?
Very thankful for any (really any) help!
there is a Microsoft Teams JavaScript client SDK, which will help you to log in and for server login you need to store user claims.
MS teams tab authentication will work only under MS team apps, not in outside apps
Related
We have a hybrid Active Directory scenario - an on premises Active Directory server synced with an Azure AD tenant.
We are in the process of migrating our on premise Exchange email accounts to 365.
We have a SPA (JavaScript) that displays calendar events retrieved from a dotnet core web API.
The web API only allows access to users in a specific AD group.
The SPA uses the Fetch API to call the web API with credentials.
The web API currently uses EWS to connect to our on premise Exchange server to read calendar events, using its app pool identity.
The above systems have been developed in-house and run on our internal servers.
We want to update the Web API to read calendar events using the MS Graph API, on behalf of the user. We would like to use the simplest available solution.
We have tried to use the AcquireTokenByIntegratedWindowsAuth method but receive the following error: 'Integrated Windows Auth is not supported for managed users'. My limited understanding of why this doesn't work is because we do not have an ADFS on premise.
One of the Microsoft samples shows a SPA acquiring an access token and passing the token in the header as part of the web API call. This would require us to update the SPA and web API code. We're willing to do that if it's the only solution, but I am hoping someone might offer an alternative where we only need to update the web API.
I've been developing a Cordova app using Azure's Mobile App Service product. It offers external sign-in through Facebook, but it doesn't offer a ready-made solution for storing the user into a SQL database where I can also add custom profile columns.
If I was making this app 5+ years ago, I would have used ASP.NET Identity to authenticate the web api, allow account creation with username/passwords as well as offering Facebook sign-in, and I'd be able to create custom profile items, all in a searchable database.
It's 2020 and I'm confused about what is the recommended modern method to achieve the same result. I've read a lot about Azure AD B2C and it seems to tick all the boxes, but I'm worried it might not be as searchable as a SQL user store, and possibly appear to the user as a tacked-on product which isn't as native as the existing app.
I'd appreciate any advice or recommendations about which method I should use for creating my authenticated user store.
If you want to use a custom database, then set up an OAuth provider (e.g. https://aspnetboilerplate.com/Pages/Documents/Zero/Identity-Server#:~:text=Identity%20Server%201%20Introduction.%20Identity%20Server%20is%20an,now%20ready%20to%20get%20requests%20from%20clients.%20) and use that as the authentication scheme. You can then use any OAuth client library to do the authentication, and set that up as a custom auth scheme in your Azure Mobile Apps service.
Is it possible to mix authentication types in a C# ASP.NET MVC web application hosted in Azure?
I have an ASP.NET MVC application written in C# that uses ASP.NET Identity as its authentication system.
A customer has asked if they can sign into the application using their Azure Active Directory (SSO using openconnect id).
I can recreate the application using openconnectid and assign their tenant as the AAD directory but users from my company can not log into the application because we do not exist in the customers Azure Active Directory.
We need to be able to log into the application because we perform data entry tasks for them using the web app.
Has anyone come across a similar issue?
Regards,
Graham
You may need to show login screen with 2 possible options. You redirect the user to their respective identity provider , they get authenticated and bring back the access_token/Id_token to access application resources.
Very much like different OpenID connect providers in the same application(FB, Google, Microsoft etc) and regardless of which provider user choose to get authenticated the token is same to access resources.
I have a scenario where web application uses MYSQL DB to store registered users. This web application is integrate with Skype for business online (Web SDK) to communicate each other via audio, video, chat and etc.
I am implementing functionality such a way that all the registered users(in MYSQL) should be able to access Skype Web SDK automatically without asking them to provide O 365 credentials. Because the users are already registered for my application, asking them to provide O365 credentials to Skype services is not a good idea.
So I want to build functionality such a way that when registered user(MYSQL) clicks say on 'Audio Call', in background three things should happen automatically. 1.Creation of user in O 365 if not existed, 2. Sign in with O 365 credentials, 3. Start audio call.
Is this possible implement with Skype web SDK(online) ?
I am new to Skype for business online thing, Kindly suggest if any other ways available.
and also let me about available Web APIs to bulk create O 365 accounts using Global administrator of tenant.
Currently, this is not possible. For authorising users the browser has to be navigated to Microsoft domain to authenticate users and generate the access token. Only after that, your user can be authorised and users can login into Skype Services.
Inside my ASP.NET application, I would like to add an iframe where I can display the emails from our exchange server for the logged in user. The web application uses forms authentication with custom authentication (passwords are hashed and stored in db).
Is there a way to show OWA within my web app without prompting the user for password (OWA uses windows authentication)? Can I use impersonation in some fashion or establish a trust between my IIS server and the server running OWA?
Has anyone tried this before?
If you are using an iframe for that, then it is a separate process in terms of authentication. Requests from the iframe are sent to OWA server just as you had opened the page in full screen.
However, it is possible to configure your Exchange server to allow windows authentication, see here: http://support.microsoft.com/kb/300656
This way you will authenticate with windows forms authentication to your web application and with windows auth to the OWA server.
I think you would have to have the Windows authentication be the authentication source for the website - or at least map accounts in the website to accounts in OWA
DNN does something a little like this with its Active Directory security provider. Might look at the source of that for some ideas - http://dnnauthad.codeplex.com/