Azure Active Directory (Azure AD) is Microsoft's cloud-based identity and access management service. It provides a comprehensive set of features to help you manage user identities and access to resources, including single sign-on (SSO), multi-factor authentication (MFA), conditional access, and more. In this post, we'll explore some of the key security features of Azure AD and show you how to use them in your applications.
1. Secure Access with Azure AD B2C
Azure AD B2C is a service that allows you to manage consumer identity and access for your applications. It provides a set of secure and scalable authentication and authorization features that can be used to build modern web and mobile applications. With Azure AD B2C, you can easily integrate social identity providers, such as Facebook, Google, and Twitter, and enable multi-factor authentication to increase the security of your applications.
To use Azure AD B2C in your applications, you first need to create a B2C tenant and register your application with Azure AD B2C. Once you have done this, you can use the Microsoft Authentication Library (MSAL) to authenticate users and obtain access tokens for your APIs. Here's an example of how to authenticate a user with Azure AD B2C using MSAL:
const msalConfig = {
auth: {
clientId: '<your-client-id>',
authority: 'https://<your-tenant-name>.b2clogin.com/<your-tenant-name>.onmicrosoft.com/<your-sign-in-policy>',
redirectUri: 'https://localhost:3000'
}
};
const msalInstance = new Msal.UserAgentApplication(msalConfig);
msalInstance.loginPopup()
.then(response => {
console.log(response);
})
.catch(error => {
console.log(error);
});
This code uses the MSAL library to authenticate the user with Azure AD B2C using a popup window. Once the user has been authenticated, the response object contains an access token that can be used to call your APIs.
2. Secure API Access with Azure AD
Azure AD can also be used to secure access to your APIs. You can use Azure AD to authenticate users and grant them access to your APIs based on their roles and permissions. To do this, you first need to register your API with Azure AD and configure the required permissions.
Here's an example of how to secure an API with Azure AD using Node.js and the passport-azure-ad library:
const passport = require('passport');
const AzureStrategy = require('passport-azure-ad').BearerStrategy;
passport.use(new AzureStrategy({
identityMetadata: 'https://login.microsoftonline.com/<your-tenant-id>/v2.0/.well-known/openid-configuration',
clientID: '<your-client-id>',
audience: '<your-api-resource-id>'
}, (token, done) => {
// Verify the token and check the user's permissions
// ...
done(null, user);
}));
app.get('/api', passport.authenticate('oauth-bearer', { session: false }), (req, res) => {
res.send('Hello, world!');
});
New-AzureADPolicy -Definition @('{"DisplayName":"Require MFA for External Users","PolicyType":"ConditionalAccess","Mode":"All","Conditions":{"Users":{"IncludeGroups":"<your-external-users-group-id>"},"Locations":{"IncludeLocations":"OutsideTheOrganization"},"DevicePlatform":{"IncludePlatforms":"All"},"ClientAppTypes":{"IncludeApplicationTypes":"All"}},"GrantControls":{"Operator":"OR","BuiltInControls":["BlockAccess","Mfa"]},"SessionControls":{"SessionLifetimeInSeconds":3600}}') -isOrganizationDefault $false -Type "Custom"
$startDate = (Get-Date).AddDays(-7)$endDate = Get-Date$signIns = Get-AzureADAuditSignInLogs -Filter "createdDateTime ge $startDate and createdDateTime le $endDate"foreach ($signIn in $signIns) {Write-Output "User: $($signIn.userPrincipalName), Sign-in time: $($signIn.createdDateTime), IP address: $($signIn.ipAddress)"}
