Azure Active Directory–How to protect a Web Application without Code

In this post I demonstrate how to protect a web site without any code changes.

Advantages

  • High protection: the web site will not serve any HTML, JS or CSS files without authentication (MSAL-based protection requires a few MSAL JavaScript files to be served before authentication, which may be restricted by the information security groups of enterprise customers)
  • The same code can be deployed in multiple places, as the authentication pieces are decoupled from the application

Create Web Application

Create a web application in ASP.NET or Angular.

Publish to Azure

Publish to Azure so that an App Service is created.

Set the Authentication

image

Test the Application

Now you can test the application: the login prompt appears.

Note

In the background, the App Service adds the following redirect URL:

https://working-angular-webapi.azurewebsites.net/.auth/login/aad/callback

Client Side Applications

For client-side applications, you can always call the following URL to get the current ID token of the authenticated user. It can also be used as an access token, as its audience is the same as the client ID.

https://working-angular-webapi.azurewebsites.net/.auth/me
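The following browser-side snippet is an added example (not code from the original post) of consuming the /.auth/me response: it picks the Azure AD entry, checks the ID token's audience and expiry before the app uses it as a bearer token, and collects the user claims. EXPECTED_CLIENT_ID is a placeholder for the app registration's client ID, and SAMPLE_AUTH_ME is a constructed response with an unsigned token used only to exercise the parsing offline.

```javascript
// Added example, not code from the original post: consuming the App Service
// /.auth/me response in a browser app protected by Azure AD authentication.
// EXPECTED_CLIENT_ID is a placeholder for the app registration's client ID.
const EXPECTED_CLIENT_ID = '00000000-0000-0000-0000-000000000000';

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - s.length % 4) % 4);
  if (typeof Buffer !== 'undefined') return Buffer.from(b64, 'base64').toString('utf8');
  return new TextDecoder().decode(Uint8Array.from(atob(b64), c => c.charCodeAt(0)));
}

function base64UrlEncode(s) {
  const b64 = typeof Buffer !== 'undefined' ? Buffer.from(s, 'utf8').toString('base64') : btoa(s);
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Decode (without verifying the signature) the payload of a compact JWS such as the id_token.
// The server-side API must still validate the token; this is only a client-side sanity check.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Pick the Azure AD session out of the /.auth/me array and reject a token that was
// minted for another application or has already expired.
function selectAadSession(authMe, expectedClientId, nowSeconds = Date.now() / 1000) {
  const entry = authMe.find(e => e.provider_name === 'aad');
  if (!entry) return null;
  const claims = decodeJwtPayload(entry.id_token);
  if (claims.aud !== expectedClientId) return null; // audience is a different app
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) return null; // expired
  const userClaims = {}; // group multi-valued claims (e.g. roles) into arrays
  for (const { typ, val } of entry.user_claims || []) (userClaims[typ] = userClaims[typ] || []).push(val);
  return { token: entry.id_token, userId: entry.user_id, claims, userClaims };
}

// Browser entry point: App Service answers 401 when the request carries no session.
async function fetchCurrentSession() {
  const res = await fetch('/.auth/me', { credentials: 'same-origin' });
  if (res.status === 401) return null;
  return selectAadSession(await res.json(), EXPECTED_CLIENT_ID);
}

// Constructed sample of a /.auth/me response (unsigned id_token, for illustration only).
const samplePayload = { aud: EXPECTED_CLIENT_ID, exp: 4102444800, name: 'Test User', oid: 'sample-oid' };
const SAMPLE_AUTH_ME = [{
  provider_name: 'aad',
  user_id: 'test.user@example.com',
  id_token: `${base64UrlEncode('{"alg":"none"}')}.${base64UrlEncode(JSON.stringify(samplePayload))}.`,
  user_claims: [{ typ: 'name', val: 'Test User' }, { typ: 'roles', val: 'reader' }, { typ: 'roles', val: 'admin' }],
}];
```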


Summary

In this post we have seen how to protect a web application with Azure Active Directory without writing any code.

Azure AD Search using C#

In this post I give a sample for searching Azure Active Directory using a filter.

Pre-Requisites

Following are the pre-requisites:

  • In Azure AD, create an App Registration and a client secret (client credentials)
  • Assign the Directory.Read.All "application" permission and grant admin consent

The Code

using System;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Graph;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL, as used by this sample

private static async Task SearchAzureAD(string search)
{
    string clientID = "YOUR-CLIENT-ID";
    string clientSecret = "YOUR-CLIENT-SECRET";
    string tenantID = "YOUR-AD-TENANT-ID";

    string graphApiResource = "https://graph.microsoft.com";
    Uri microsoftLogin = new Uri("https://login.microsoftonline.com/");

    string authority = new Uri(microsoftLogin, tenantID).AbsoluteUri;
    AuthenticationContext authenticationContext = new AuthenticationContext(authority);
    ClientCredential clientCredential = new ClientCredential(clientID, clientSecret);

    // Picks up the bearer token (client credentials flow; requires the Directory.Read.All application permission).
    AuthenticationResult authenticationResult = await authenticationContext.AcquireTokenAsync(graphApiResource, clientCredential);

    GraphServiceClient graphClient = new GraphServiceClient(new DelegateAuthenticationProvider(
        (requestMessage) =>
        {
            requestMessage.Headers.Authorization = new AuthenticationHeaderValue("Bearer", authenticationResult.AccessToken);
            return Task.CompletedTask;
        }));

    // Double any single quote so the search term cannot break out of the OData string literal.
    string term = search.Replace("'", "''");
    string filter = $"startswith(displayName, '{term}') or startswith(givenName, '{term}') or startswith(surname, '{term}') or startswith(mail, '{term}') or startswith(userPrincipalName, '{term}')";
    //$"$filter=displayName EQ {search}";

    IGraphServiceUsersCollectionPage users = await graphClient.Users.Request()
        .Filter(filter)
        .GetAsync();

    Console.WriteLine("Searching..");

    // Walk every page of the result set.
    while (users.Count > 0)
    {
        foreach (var user in users.CurrentPage)
        {
            Console.WriteLine(user.DisplayName);
        }

        if (users.NextPageRequest != null)
        {
            users = await users.NextPageRequest.GetAsync();
        }
        else
        {
            break;
        }
    }
}

Result

image

Summary

In this post we have seen how to search Azure Active Directory from C# using search filters.