I have an ASP.NET (4.5) application that currently uses Identity to authenticate a user. The user has to supply the username and password via the login page.

In addition to Identity, I would like to implement a check against Azure's Active Directory. This is because some users are stored in the database (validation through Identity) and other users will be stored in Azure's Active Directory.

Ideally, I would like to re-use the username/password that the user has entered already and perform the validation against Azure AD in the background.

However, reading through the Authentication Scenarios for Azure AD, I was not able to find a scenario that would fit my needs. Maybe I simply missed it or I did not understand the scenarios fully?

Is the only solution for my web application to do the redirect to Azure AD?

1 Answer

There is a way to do what you want, but I strongly urge you not to do that.

The Resource Owner Password Credentials flow allows you to authenticate with username + password + client id + client secret.

Scott Brady's article here explains most of the points against it: https://www.scottbrady91.com/OAuth/Why-the-Resource-Owner-Password-Credentials-Grant-Type-is-not-Authentication-nor-Suitable-for-Modern-Applications

The main reason I don't recommend it is that there are scenarios where it does not work:

  1. User's password has expired
  2. User is federated (MS account or on-prem AD)
  3. User has multi-factor authentication enabled
  4. User consent is needed for permissions required by your application

So you really should redirect these users to authenticate in Azure AD.

Then if you get a valid ID token back, they have been authenticated.

Something you can do is check the database after the user has finished writing their username (e.g. via an AJAX call), and if they are an Azure AD user, redirect them to log in there immediately. Another option is to provide a separate login button with text like "Sign in with Office 365".
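As an added illustration (this is not code from the answer above, from the asker's application, or from any Microsoft sample), the following shows the two halves of the recommendation: routing a login from the username alone, either to the local Identity-style store or to an OpenID Connect redirect to Azure AD, and classifying the token-endpoint errors that a background ROPC call would hit in the scenarios the answer lists. The tenant, client ID, redirect URI, the domain list and the local user table are assumed placeholders; the sample error bodies are constructed in the token endpoint's error format; the AADSTS numbers are Microsoft's documented codes, but mapping them onto the answer's four scenarios is this example's own choice. Everything runs offline.

```python
import hashlib
import hmac
import json
from urllib.parse import urlencode

# Assumed placeholders for the web application's Azure AD registration.
TENANT_ID = "contoso.onmicrosoft.com"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://app.example.test/signin-oidc"

# Assumed: e-mail domains whose accounts live in Azure AD, not in the local database.
AAD_DOMAINS = {"contoso.com", "contoso.onmicrosoft.com"}


def _pbkdf2(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


# Constructed stand-in for the ASP.NET Identity user table: username -> (salt, hash).
_SALT = b"constructed-sample-salt"
LOCAL_USERS = {"alice@example.org": (_SALT, _pbkdf2("correct horse", _SALT))}


def route_login(username: str) -> str:
    """Decide from the username alone where this user authenticates.

    This is the check the answer suggests running as soon as the username field
    is filled in: 'aad' means redirect to Azure AD, 'local' means check the
    password against the local store.
    """
    domain = username.rpartition("@")[2].lower()
    return "aad" if domain in AAD_DOMAINS else "local"


def verify_local(username: str, password: str) -> bool:
    """Local (Identity-style) password check with a constant-time comparison."""
    record = LOCAL_USERS.get(username)
    if record is None:
        _pbkdf2(password, _SALT)  # same cost for unknown users: no timing-based enumeration
        return False
    salt, expected = record
    return hmac.compare_digest(_pbkdf2(password, salt), expected)


def build_authorize_url(username: str, state: str, nonce: str) -> str:
    """OpenID Connect authorization request: the redirect the answer recommends.

    state and nonce must be fresh per request and kept in the session so the
    callback can be validated; they are parameters here so the output is
    deterministic. login_hint pre-fills the account the user already typed.
    """
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",  # the ID token arrives when the code is redeemed
        "redirect_uri": REDIRECT_URI,
        "response_mode": "form_post",
        "scope": "openid profile email",
        "state": state,
        "nonce": nonce,
        "login_hint": username,
    }
    return (f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize?"
            + urlencode(params))


def login(username: str, password: str, state: str, nonce: str) -> dict:
    """Single login handler covering both user populations."""
    if route_login(username) == "aad":
        return {"action": "redirect", "location": build_authorize_url(username, state, nonce)}
    if verify_local(username, password):
        return {"action": "signed_in", "user": username}
    return {"action": "reject"}


# Why a background ROPC call is not a substitute: in the answer's scenarios the
# token endpoint returns an error body instead of a token. AADSTS numbers are
# Microsoft's documented codes; tying them to the answer's list is ours.
ROPC_INTERACTIVE_REQUIRED = {
    50055: "password expired",
    50076: "multi-factor authentication required",
    65001: "user consent required",
}


def classify_ropc_error(error_body: str) -> tuple:
    """Map a failed ROPC token response (JSON text) to what the app must do next."""
    body = json.loads(error_body)
    codes = set(body.get("error_codes", []))
    for code, reason in ROPC_INTERACTIVE_REQUIRED.items():
        if code in codes:
            return ("redirect", reason)  # only an interactive sign-in can finish this
    if 50126 in codes:
        return ("reject", "invalid username or password")
    return ("unknown", body.get("error", ""))


# Constructed sample error bodies in the token endpoint's error format.
SAMPLE_MFA_ERROR = json.dumps({
    "error": "interaction_required",
    "error_description": "AADSTS50076: multi-factor authentication required (constructed sample)",
    "error_codes": [50076],
})
SAMPLE_BAD_PASSWORD = json.dumps({
    "error": "invalid_grant",
    "error_description": "AADSTS50126: invalid username or password (constructed sample)",
    "error_codes": [50126],
})
```

In a real ASP.NET application the `login` function corresponds to the login action: local users go through Identity's password check, Azure AD users get a 302 to the authorize URL, and the callback validates `state`, exchanges the code, and checks the ID token's `nonce` before creating the session. `classify_ropc_error` only exists to make the answer's point concrete: even if ROPC were used in the background, every blocking error still ends in a redirect, so the redirect might as well be the design.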