2
votes

I am learning about Azure AD and Office 365 and I am wondering if the following is possible and, if so, how to go about doing it, since I am confused on a few aspects of the documentation:

Say a company, CompanyA, has Office 365 for users of their org. These users use Exchange/Outlook and Office to sign in (Office desktop) using their Office 365 creds.

CompanyA has Active Directory hosted internally but they are planning to use Azure AD Connect Sync to sync all objects in AD into the Azure AD so things like password changes are synced (and user objects) between the cloud and internal network.

  • Is there a way to use their Office 365 creds to log into their network systems and sync to AD or perhaps link the Azure AD to their Office 365 accounts so they can log into the computers using their Office 365 creds?

Question 2 is below (the real question I had!):

Now, there will be a custom app hosted both internally but also externally (possibly in the Azure cloud). The app could be a desktop app or a web app or some service.

Is there a way for the apps to authenticate against Azure AD/Office 365 to ensure that the user logging in (using their Office 365 creds) is successful? Is there an automated way without a popup dialog so everything is done programmatically via the APIs using C#/.NET Framework?

Thanks!


1 Answer

4
votes

When you reference Office 365 credentials you are already talking about Azure AD. Every Office 365 tenant has an Azure AD instance backing it that is the store for user accounts and credentials. Please see the following article for a detailed description: https://support.office.com/en-us/article/Understanding-Office-365-identity-and-Azure-Active-Directory-06a189e7-5ec6-4af2-94bf-a22ea225a7a9

You are currently on the model referred to as Cloud identity. It sounds like you want to move to Synchronized identity or Federated identity.

If you configure your Azure AD Connect installation to synchronize to your Office 365 tenant (by giving it a Global Admin from the tenant during setup) then you will effectively have the setup you want, with on-premises AD DS credentials synchronized with your Office 365 (Azure AD) credentials.

However, since there is an existing tenant with accounts that you want to match with on-premises accounts, you will need to communicate this to your users in advance and also read up on how soft matching works when synchronizing to an Azure AD with existing accounts. This KB article should get you started: https://support.microsoft.com/en-us/kb/2641663

If done properly, the end result will be as follows:

  • User accounts and password changes are managed from your on-premises AD.
  • Password changes happen on-premises and are synchronized to the Azure AD accounts that are matched to on-premises accounts.
  • You will not be able to change passwords from Office 365 and have those changes reflected on-premises unless you enable Password Write-back, which requires an Azure AD Premium subscription.
  • Users will log in to domain resources using their AD credentials, which match their Office 365 credentials in Azure AD.

At this point you will have moved to Synchronized identity. This is required to take the next step to Federated identity, so you will want to get to this stage either way. I would not take the next step to Federated identity until you fully understand the implications of that model.

Regarding part 2 of your question, there are multiple libraries that can add Azure AD authentication to your custom applications. This page has a list of libraries by language: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-authentication-libraries
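As an added example (not part of the answer above, and not code from any Microsoft library documentation), here is how the "no popup if possible" sign-in from part 2 of the question looks with MSAL.NET (the Microsoft.Identity.Client NuGet package) on .NET Framework. It assumes an app registration in the tenant that allows public client flows, and the tenant name, client ID and scope below are placeholders you would replace. It tries the two prompt-free paths first (cached token, then Integrated Windows Authentication against the on-premises logon, which works for federated users and is the reason the answer says to reach the Synchronized/Federated stage first) and only falls back to an interactive prompt when Azure AD insists on one, e.g. for MFA or Conditional Access:

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example, not from the original answer. Assumptions:
//  - NuGet package Microsoft.Identity.Client (MSAL.NET) is referenced
//  - TenantId / ClientId are placeholders for your tenant and app registration,
//    and the registration has "Allow public client flows" enabled
//  - the user is logged on to a domain-joined Windows machine whose on-premises
//    AD is synchronized/federated with the Office 365 tenant
public static class O365Auth
{
    // Placeholder identifiers; replace with your own values.
    const string TenantId = "contoso.onmicrosoft.com";
    const string ClientId = "00000000-0000-0000-0000-000000000000";

    // Request the minimum the app needs; User.Read is enough to confirm the sign-in.
    static readonly string[] Scopes = { "User.Read" };

    static readonly IPublicClientApplication App = PublicClientApplicationBuilder
        .Create(ClientId)
        .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
        .WithRedirectUri("http://localhost")
        .Build();

    // Prompt-free paths first, interactive prompt only as a last resort.
    public static async Task<AuthenticationResult> SignInAsync()
    {
        // 1. Token cache: no UI as long as MSAL still holds a valid refresh token.
        var cached = (await App.GetAccountsAsync()).FirstOrDefault();
        if (cached != null)
        {
            try
            {
                return await App.AcquireTokenSilent(Scopes, cached).ExecuteAsync();
            }
            catch (MsalUiRequiredException)
            {
                // Cache empty or expired, try the next silent option.
            }
        }

        try
        {
            // 2. Integrated Windows Authentication: the Kerberos logon of the current
            //    Windows user is exchanged for an Azure AD token without any dialog.
            //    Only works for domain-joined machines with federated identity and
            //    fails when MFA or Conditional Access requires user interaction.
            return await App.AcquireTokenByIntegratedWindowsAuth(Scopes).ExecuteAsync();
        }
        catch (MsalException)
        {
            // 3. Not domain joined, not federated, or MFA required: show the prompt.
            return await App.AcquireTokenInteractive(Scopes).ExecuteAsync();
        }
    }

    // A returned token is not by itself proof that this is one of *your* users;
    // a multi-tenant registration would also accept accounts from other tenants.
    // Check the tenant before granting access to anything in the app.
    public static bool IsUserFromExpectedTenant(AuthenticationResult result, string expectedTenantId)
    {
        return result != null
            && result.Account != null
            && string.Equals(result.TenantId, expectedTenantId, StringComparison.OrdinalIgnoreCase);
    }

    public static async Task Main()
    {
        var result = await SignInAsync();
        // Placeholder tenant GUID; compare against the directory (tenant) ID of your own tenant.
        const string expectedTenantGuid = "11111111-1111-1111-1111-111111111111";
        if (!IsUserFromExpectedTenant(result, expectedTenantGuid))
            throw new UnauthorizedAccessException("Account is not from the expected tenant.");

        Console.WriteLine($"Signed in as {result.Account.Username} (tenant {result.TenantId})");
    }
}
```

Two caveats a practitioner would want: if the app is a background service rather than something a user runs, the prompt-free answer is the client-credentials flow (ConfidentialClientApplicationBuilder with AcquireTokenForClient), which authenticates the application itself, not a user; and MSAL also offers a username/password flow, which does remove the dialog but hands the user's password to your code and cannot satisfy MFA, so it should be avoided in favour of the flows above.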