How to use Microsoft Identity (Azure AD) to Authenticate Your Users

How to use Microsoft Identity (Azure AD) to Authenticate Your Users


bonjour hi welcome to another video of
cloud in five minutes I’m Frank Boucher and today I want to talk about identity in today’s demo I want to create an
application and use Azure Active Directory and identity to authenticate
and secure my application it doesn’t need to be on Azure it doesn’t need to
be web but today I will create using.net core SP net MVC website and I will run
it locally if you stay until the end I will show you how to use the groups in
Active Directory to secure part of your app let’s get started in your favorite
browser just navigate to the azure portal so portal – sure comm and what we
will need to do is create a new registration to do the binding the
connection between the azure active distri in our application by default and
all subscription you already have an active directory so let’s go in it and
we’ll go here in app registration well click so click here the new registration
button and now you just need to put a name that makes sense for you you will
be able to change what name you want and then you could support different account
type I’ll leave all the default value for now so let’s register it takes about
1 minutes to do it’s already done and we could already start configuring our
application which you could see here is that you will have multiple example to
help you to get started so it will work with no GS dotnet dotnet core iOS
Android and all of those for today I will stay in dotnet core now in that
QuickStart documentation page I will see the schema of the end shaking between
those two things and I explain me everything so I’ll explain that I need
to put callback URL here it explained that I will need to use the client ID
and the tenant ID so we should definitely note those so let’s do it
right away client ID tenant ID so those information
are also available in the overview and I if I continue to scroll
down it all tells me that I need to change the startup class to use the
protocol version 2 so that’s perfect and at the end so I’ll explain that to
protect my controller in a spinet MVC I need to put the attribute otherwise
so now let’s change the configuration I could go and change it for myself or if
you’re not sure just use this button great so now the configuration attribute
are done let’s see if you go in the overview page you will have your client
ID and tenant ID of course here it’s mask because this is private information
and you will have here the red direct URL so I need to put that one
so the callback is good and also will change here the port to use 5001 because
I know in that net core the default part used is five thousand one so we’ll just
change that there we go and I will save it so like I told you I want to show you
how to use group so let’s create a new group so in your active directory you
will go in the section group so I will go here and you will create a new group
our group type will be security perfect so you will be using security group and
you give a name and of course put some members over there so I will just put
myself I’ll just put myself in here so select so now the group is there the
registration is there we are ready to go in a terminal create or.net core
application so we’ll close this and open the terminal excellent
in dotnet core you have done it new to create new application with a bunch of
templates and parameters let’s examine the MVC template to see what else we can
pass as a parameter so to do it I will use the command dotnet new MVC – – help
and if I scroll back up I will see here in this section that I have a parameter
here but that I can use and I will specify different type of authentication
for today I will use single art but you can use many different things
also if I scroll down a little I will see that I can pass my client ID and my
tenant ID those are the information we found in the portal and now to create my
application what I will do is use the dotnet new MVC output will be frank demo
identity I will pass the single org and then I pass my client ID and my tenant
ID let’s create that great now I just need to go in that folder text editor
that you like I like code so I will just use that one
so individual still let’s start by the startup page not page but class will
mean so here in the configuration what I will need to do just under the azure ad
will add the section that was show in the documentation so ad voila
so copy pasting the code from the portal in here where I specified version 2 so
that’s good for now now one thing I’m gonna do is change the partial login so
that will be in view and it will be login partial what I wanna do is I will
change here so when I’m authenticated I wanted to check in the claims and look
for the preferred username I’ll put that in the variable and that’s what I will
be displaying so of course it’s complaining that missing a namespace so
we’ll do that perfect so the login is done let’s go in the controllers see
what else we can see in the UM controller so just like it was explained
the authorize that to use is protecting my full controller meaning that to see
anything on my website I will need to be authenticated that’s not really what I
want I would like two people to see at least the first page and then to go in
different sections I will ask them to get authenticated so what I can do for
that is here just before the index that is the default page I will have a low
anonymous that way everyone we’ll be able to see that specific
functions great so that’s nice but of course you could leverage groups and the
roles in Azure Active Directory to protect some part of your application
roles are the most scalable and most stable but in Azure Active Directory
from the azure portal it’s really easy to use group so if your website or
application is small then you could use group what we need to do is create a new
policy and that will be done in the startup class so let’s go back and start
up so just here in the configuration services so here I will need to add a
new policies creation so I name that one division manager and I will be looking
into the group’s what now what I need is the object ID forget to take it so let’s
go back in the portal and now if I go in my groups
I should have my division manager showing up here and if i click on it i
will have my object ID right now i’m using the portal to see that information
but you could retrieve that information using as your CLI also so we’ll use that
and i will paste it there this is not the best practices in terms of code
quality of course you should put that in a configuration file or something like
that but since it’s just a demo we’ll use that and now what I need to do is
add my tag so we’ll go back in controller and protect one method with
that so here let’s see index could see by
everyone about let’s say when once you’re connected and contact let’s
protect that one with our group so now what I need to do is put again the
authorize attribute voila and I will specify my division manager group of
course we could create custom attribute but since it’s just a demo I will do
that it’s good enough perfect so I think we got everything now it’s time to run
it so we could run the debug we could run from the terminal in visual so we’ll
just go back to my main terminal and run it from there
so open the terminal so let’s screen the screen perfect and now that net run to
run it now let’s go back in a browser and open
Anka Nemo incognito mode let’s try that perfect I’m accepting cookie so now see
I’m not connected like it doesn’t recognize me I have the sign-in but I
can see the homepage so that’s good now if I’m trying to go in the About section
I should have a request to login exactly so now let’s go there so because it’s
the first time that I don’t get it asked me the permission to read my profile and
those permission are important to check depending on what you do if you’re for
example querying the graph in Active Directory more permission will be listed
there so but now it’s good let’s accept it perfect
we are in the about page and it recognized me I see here my citation has
changed just like we did in the code and now if I’m trying to go in contact it
should work because I’m part of the division manager group so let’s try it
what access denied oh I think yeah okay so let’s close that I know what I need
to do so back in the portal one step that I forgot to do is allow the groups
to be part of the claim so I need to change my manifest so the manifest.json
file is available here in the portal if I go here just in the left section
manifest and now I need to group the group membership claim instead of now
what I will do is I will specify security group another good value could
be all in that case all groups will be show up for me I will just want security
don’t forget to save now it should work let’s try again
open a new incognito mode localhost accept cookies and let’s keep the
suspense going about first login ok and now moment of truth can I go in the
contact yay it’s working I told you as your active directory and identity are
very easy to implement it’d be your solution is not running in
Azure are not if you’re interested to learn more on Azure click here another
video of cloud in five minutes see you next time
Thanks

11 thoughts on “How to use Microsoft Identity (Azure AD) to Authenticate Your Users

  1. Hi, thank you for this helpful video.

    How can I define CRUD parameters using Azure AD?
    I'm looking for managing CRUD permissions without using a DB. I found this guide in Microsoft doc that explain howto create a custom 'Authorization Handler': https://docs.microsoft.com/en-us/aspnet/core/security/authorization/resourcebased?view=aspnetcore-2.2#operational-requirements but how can I add some CRUD values to my Claim? Or there is a best practice to receive CRUD informations?

    I know that I can use policy and 'Authorization Handler', but how can I define CRUD values?

  2. Hi,
    Big Thanks, this was the Simple example how to start to use Azure AD.
    Works fine on localhost.

    Can you give some advise…
    What I need to do on Azure Portal side when I deploy this.
    Now I just get an error "You do not have permission to view this directory or page."
    The app works fine on localhost.

  3. hey thanks allot for the tutorial, i just thought u should know the blured out box doesent cover the client and tennant ids properly at 2:14, might wanna fix that 😉

  4. Hey man, do you have a github with this code?
    I'm having a problem of Value cannot be null when calling an Endpoint and I'm using the same configuration in Azure Portal for Startup Class.
    I believe is something related to the appsettings.json level

  5. I am using dot net fw 4.7 and i didn't find your mentioned method in startup.cs instead i found public void Configuration(IAppBuilder app)
    {}

    could you pleas let me know how to bind groups now

  6. Thank you, Frank. Which tool are you using to cut your videos and do the instructions. It flows so smoothly with the red boxes, the blur. I love it.

  7. Thanks for this video. But I have a query about Azure Rest API calls. I want to call Rest API that has deployed an Azure tenant. And I want to call Azure Rest API in an external source such as Console application. I did and provided authentication but this application is giving 401 authentication error. I need your help if you can provide help. I would be glad full of your support. Anyone can help me.

  8. frank, are you French? lol I suspect from your Accent 🙂 lol . I speak to lot of frenchs 🙂 BTW lol you deralied from .net core commands than to AD topic

  9. Thank you so much for sharing knowledge. One humble request can create the same video for ASP.Net MVC C#

Leave a Reply

Your email address will not be published. Required fields are marked *