0
votes

I am creating a web API application that will be secured using OAuth for authentication. Can I set up the authentication to be a blend of individual accounts and organizational accounts?

Scenario: One set of users belongs to an organization that uses Office 365. Another set of users may not. The ultimate goal is to allow all the users to login, but in the case of the organizational users, I will also want to allow them to integrate with the Office365 apis that are tied to their organization.

Is there a solution design that would allow me to choose where to authenticate the user - either using the application's Azure AD or the subscribing organization's AD?


1 Answer

0
votes

For just authenticating MSAs and AAD orgs, you can use the new Microsoft Graph (http://graph.microsoft.io) - it is the unified endpoint for all Microsoft identities and for requesting access to things like mail, calendar, etc. It uses the v2 AAD endpoint (mentioned below) and app registrations are universal, so you can sign in with org or personal accounts.

You can extend that with Azure B2C as the owning directory.

  • Add Microsoft Account as an identity provider, and
  • use the v2 endpoint

at which point users could sign in with a consumer account (Facebook, Microsoft, Google, whatever). By extension, since for MSAs it uses the new v2 endpoint, you can prompt users to sign in with an MSA or an org account - users get a prompt like the one below. Note 'work or school, or personal Microsoft account.'

v2 has some limitations, however: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-compare so make sure you can do everything you want before diving in. Some of the reply URL and on-behalf-of flows (like you'd see in APIs) have some domain/audience restrictions.

[Image: Microsoft sign-in prompt reading "Work or school, or personal Microsoft account"]
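Added example (not code from the original question or answer): a minimal sketch of the v2-endpoint sign-in the answer describes, with the `common` tenant so both work/school and personal accounts can sign in, plus the check the API side needs afterwards: confirm the token was issued for this app, confirm the issuer matches the token's own tenant, and use the `tid` claim to decide whether the user is organizational (and so can be offered the Office 365 integration) or personal. The client id, redirect URI, tenant GUID and the two id_token payloads are constructed for the example; the MSA tenant id is the one Microsoft documents for personal accounts on the v2 endpoint, so verify it against current docs before relying on it.

```python
"""Sign-in via the Azure AD v2 endpoint for both org and personal accounts,
then classify the signed-in user before enabling Office 365 features.

Example code added to this page, not from the original answer. All ids and
token payloads below are constructed placeholders.
"""
import base64
import json
import secrets
from urllib.parse import urlencode

V2_AUTHORITY = "https://login.microsoftonline.com"

# `tid` that v2 tokens carry for personal Microsoft accounts (MSA).
# Documented by Microsoft; re-check before hard-coding in production.
MSA_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad"

# Constructed placeholders (assumptions, not real registrations).
EXAMPLE_CLIENT_ID = "00000000-1111-2222-3333-444444444444"
EXAMPLE_ORG_TENANT = "11111111-2222-3333-4444-555555555555"


def build_authorize_url(client_id, redirect_uri, scopes, tenant="common",
                        state=None, nonce=None):
    """Build the v2 authorize URL. tenant='common' lets both AAD org accounts
    and personal MSAs sign in; 'organizations' or 'consumers' restricts it.
    Graph scopes (e.g. Mail.Read) go in the same request for Office 365."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state or secrets.token_urlsafe(16),   # CSRF binding
        "nonce": nonce or secrets.token_urlsafe(16),   # replay binding for id_token
    }
    return f"{V2_AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def make_unsigned_token(claims):
    """Constructed, UNSIGNED JWT used only so this example runs offline.
    A real validator must reject alg=none; never accept such a token."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


def decode_jwt_payload(token):
    """Decode a JWT payload WITHOUT verifying the signature. For inspection
    only: in production verify against the keys at
    {V2_AUTHORITY}/{tenant}/v2.0/.well-known/openid-configuration (jwks_uri)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def classify_account(claims, client_id):
    """Return 'organizational' or 'personal' after the checks a multi-audience
    app must do itself: the token is for this app, the issuer is the v2 issuer
    of the token's own tenant, and `tid` tells org from MSA."""
    if claims.get("aud") != client_id:
        raise ValueError("token not issued for this application")
    tid = claims.get("tid")
    if not tid:
        raise ValueError("v2 token missing tid claim")
    if claims.get("iss") != f"{V2_AUTHORITY}/{tid}/v2.0":
        raise ValueError(f"unexpected issuer {claims.get('iss')!r}")
    return "personal" if tid == MSA_TENANT_ID else "organizational"


# Constructed sample id_token payloads (only the claims inspected above).
ORG_CLAIMS = {
    "aud": EXAMPLE_CLIENT_ID,
    "iss": f"{V2_AUTHORITY}/{EXAMPLE_ORG_TENANT}/v2.0",
    "tid": EXAMPLE_ORG_TENANT,
    "preferred_username": "alice@contoso.example",
}
MSA_CLAIMS = {
    "aud": EXAMPLE_CLIENT_ID,
    "iss": f"{V2_AUTHORITY}/{MSA_TENANT_ID}/v2.0",
    "tid": MSA_TENANT_ID,
    "preferred_username": "bob@outlook.example",
}


def office365_allowed(token, client_id):
    """Decide, from a (here unsigned, constructed) id_token, whether the user
    may be offered the org-tied Office 365 integration."""
    return classify_account(decode_jwt_payload(token), client_id) == "organizational"


if __name__ == "__main__":
    print(build_authorize_url(EXAMPLE_CLIENT_ID, "https://localhost/callback",
                              ["openid", "profile", "User.Read", "Mail.Read"]))
    for claims in (ORG_CLAIMS, MSA_CLAIMS):
        tok = make_unsigned_token(claims)
        print(claims["preferred_username"], "->",
              classify_account(decode_jwt_payload(tok), EXAMPLE_CLIENT_ID),
              "office365:", office365_allowed(tok, EXAMPLE_CLIENT_ID))
```

The point of checking `iss` against the token's own `tid` is that a `common`-tenant app receives tokens from many issuers, so a fixed issuer string cannot be used; the issuer template from the v2 discovery document has to be filled in per token. Personal accounts pass the same check but land in the MSA tenant, which is what lets the API grant the Office 365 integration to organizational users only.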