2
votes

I have a website (built in PHP); the OS of the web server is Linux (Ubuntu) on AWS EC2.

I want to integrate Azure MFA into the website to authenticate users using 2FA (two-factor authentication).

I checked this code using Node JS: https://github.com/Azure-Samples/active-directory-node-webapp-openidconnect

It is a sample app from Azure, in which a user can log in to the sample app using Azure credentials and can fetch profile information from Azure.

It worked fine for me, but:

1) It will need to add a user in Active Directory (AD) first, so can I authenticate users directly, without registering on Azure AD? Also, I have more than 3000 active users on the website; will I need to register them all?

2) The user is completely redirected to the Microsoft site during the authentication process. Is there any way without redirecting, or by using some UI stuff (using a popup window)?

Any help or suggestions will be helpful for me.

Thanks in advance, Herry

1
Have a look at this answer and let me know if you have any more queries. Thanks – Md Farid Uddin Kiron
Thank you for answering. I have a question regarding users: suppose I have a user on my website with email [email protected], can I register a user with the same email id in AD? So that I can link things, and in which field should I store the email? – Herry Shawn
In Azure Active Directory (Azure AD) B2C, you can use different types of accounts. Azure Active Directory, Azure Active Directory B2B, and Azure Active Directory B2C share the types of user accounts that can be used; you could see here docs.microsoft.com/en-us/azure/active-directory-b2c/… || You could also have a look at docs.microsoft.com/en-us/azure/active-directory/b2b/… || Just make sure which one meets your requirements. Let me know if you have any more queries. Thanks – Md Farid Uddin Kiron
Ok, thanks a lot, I will check about Azure B2C. – Herry Shawn
Thanks a lot. You can ask if you have any more queries. Happy coding! – Md Farid Uddin Kiron

1 Answer

2
votes

1. Will it need to add a user in Active Directory (AD) first?

Yeah, right you are! First you need to add your users on the Azure portal; then they need to authenticate whenever they try to access anything, in each operation.

2. Can I authenticate users directly, without registering on Azure AD?

No, you cannot! For authentication you need to define a user on your Azure portal first.

3. I have more than 3000 active users on the website; will I need to register them all?

As you have thousands of users on your website, you can add them in a bulk operation. To avoid manual registration you could add them using an Azure PowerShell command. If you put all of your users in a CSV file you can add them easily with the following script.

Having all of your users in a CSV file, you could run the New-AzureADUser command in the format below.

# Read one row per user from the CSV; each column becomes a property of $user
foreach ($user in Import-Csv "E:\userinfo.csv")
{
    Write-Host "Processing item with UserName=$($user.DisplayName)"

    # Make use of variables like $user.DisplayName and so on in your commands here..
    # New-AzureADUser -DisplayName $user.DisplayName ... and so on..
}

You may have a look at the referenced documents for a similar approach in greater detail here.

4. The user is completely redirected to the Microsoft site during the authentication process. Is there any way without redirecting, or by using some UI stuff (using a popup window)?

As you are using the OpenID Connect protocol for authentication in this flow, you cannot stop the redirection to the Microsoft site during the authentication process. But there is a way using the Resource Owner Password Credentials flow.

It is not recommended to use the Resource Owner Password Credentials flow (ROPC) in this scenario. It is more like a phishing site if the users don't trust your web app.

The resource owner password credentials (i.e., username and password) can be used directly as an authorization grant to obtain an access token. The credentials should only be used when there is a high degree of trust between the resource owner and the client (e.g., the client is part of the device operating system or a highly privileged application), and when other authorization grant types are not available (such as an authorization code).

The redirection to the identity provider is expected when we choose an interactive flow of the OAuth 2 Authorization Framework, because this is how it works!

Hope it will help you to figure out your work around. Thank you!
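A fuller version of the bulk-creation script from the answer above, added here as an example and not the answerer's own code. It assumes the AzureAD PowerShell module is installed and that the CSV at the same path as the answer (`E:\userinfo.csv`, an assumption) has the columns `DisplayName`, `UserPrincipalName` and `MailNickName`; those column names and the output path `E:\created-users.csv` are assumptions. Instead of reading passwords from the CSV, it generates a random temporary password per user and forces a change at first sign-in, skips users that already exist so the script can be re-run, and writes the results to a file that should be handled as a secret. The AzureAD module has since been deprecated in favour of the Microsoft Graph PowerShell SDK, so this is the classic form of the procedure.

```powershell
# Added example, not the answer's original script. Assumes the AzureAD module and a CSV
# with columns DisplayName, UserPrincipalName, MailNickName (column names are assumptions).

Connect-AzureAD   # interactive sign-in with an account allowed to create users

$csvPath    = "E:\userinfo.csv"        # assumed input path, as in the answer
$resultPath = "E:\created-users.csv"   # assumed output path; contains temporary passwords

function New-InitialPassword {
    # Random temporary password from a CSPRNG. The modulo introduces a small bias, which is
    # acceptable here because the password is forced to change at first sign-in.
    param([int]$Length = 16)
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

$results = @()

foreach ($user in Import-Csv -Path $csvPath) {
    $upn = $user.UserPrincipalName

    # Skip accounts that already exist so re-running the script is safe.
    # Single quotes are doubled so the value cannot break out of the OData filter string.
    $filter   = "userPrincipalName eq '$($upn.Replace("'", "''"))'"
    $existing = Get-AzureADUser -Filter $filter
    if ($existing) {
        Write-Host "Skipping existing user $upn"
        continue
    }

    # Password profile: temporary password, user must change it at first sign-in
    $tempPassword = New-InitialPassword
    $passwordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
    $passwordProfile.Password = $tempPassword
    $passwordProfile.ForceChangePasswordNextLogin = $true

    try {
        $created = New-AzureADUser -DisplayName $user.DisplayName `
            -UserPrincipalName $upn `
            -MailNickName $user.MailNickName `
            -PasswordProfile $passwordProfile `
            -AccountEnabled $true

        Write-Host "Created $($created.UserPrincipalName) (ObjectId $($created.ObjectId))"
        $results += [pscustomobject]@{
            UserPrincipalName = $created.UserPrincipalName
            ObjectId          = $created.ObjectId
            TemporaryPassword = $tempPassword
        }
    }
    catch {
        Write-Warning "Failed to create ${upn}: $($_.Exception.Message)"
    }
}

# The result file holds live temporary passwords: restrict access to it and delete it
# once the credentials have been delivered to the users.
$results | Export-Csv -Path $resultPath -NoTypeInformation
Write-Host "Created $($results.Count) user(s); results written to $resultPath"
```

The existence check keeps the script idempotent, which matters when a 3000-row import is interrupted partway through; the `try`/`catch` around `New-AzureADUser` lets one malformed row fail without stopping the rest of the batch.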