Skip to main content

Azure Active Directory- Restrict Application Access To Users or A Group

Azure Active Directory- Restrict Application Access To Users or A Group

This article will show, how you can restrict your app for the give users/group only. Once you are done with app registrations then you can use the Enterprises Application sections to provision access to allowed users only or users existing under the group.

Azure Ad Group

Azure Active Directory offers a mechanism to use groups to manage access to cloud-based web apps, on-premises apps, and other resources. For example Software as a Service (SaaS) apps, Azure services, SharePoint sites, and on-premises resources.

See this Angular 8 App With Azure Active Directory Authentication post for the step by step registrations flow if you are not aware.

Create an Azure Ad Group (Security):

  1. Log in to the Azure portal with an administrator account if you are not admin then take help from your concern admin team. (mostly normal user can not create the group)
  2. Click on the All services item on the main menu or Find Azure Active Directory in the left panel.
  3. Choose the directory you are using for the application.
  4. Choose Groups >> New Group
  5. Choose the Group Type to Security
  6. Provide a meaning full group name
  7. Add users under the member's sections that you are going to allow to access your application
  8. Click on Create button 
Create Azure Ad Security Group

How to Configure the Application?

Follow the following steps to configure your app:
  1. Log in to the Azure portal with your account(an administrator account will be required but you can take help from your Cloud Admin/DevOps Team) or as an owner of the app under Enterprise apps.
  2. Click on the All services item on the main menu or Find Azure Active Directory in the left panel.
  3. Choose the directory you are using for the application.
  4. Click on the Enterprise applications tab.
  5. Select your application from the list of applications associated with this directory.
  6. Click the Properties tab.
  7. Change the User assignment required? toggle to Yes.
  8. Click the Save button at the top of the screen.
user-assignment-required


Assign Group to App


  1. To assign group(s) to an application directly, follow the steps below:
  2. Open the Azure portal and sign in as a Global Administrator or as a non-admin application owner with an Azure AD Premium license assigned is required
  3. Select  “Azure Active Directory”  in Left Panel to open.
  4. Click Enterprise Applications from the Azure Active Directory left-hand navigation menu.
  5. Click All Applications to view a list of all your applications and filter  with your app name
  6. Select the application you want to assign a user to from the list.
  7. Click Users and Groups from the application’s left-hand navigation menu.
  8. Click the Add button on top of the Users and Groups list to open(filter your group name) the Add Assignment pane.
  9. Click the Users and groups selector from the Add Assignment pane.


Group assignment


Grant tenant-wide admin consent to an application :

Admin consent will be required because the application will be reading the user profile on behalf of the user. Only Global admin can grant the admin consent.
Visit MSDN for more information around the Admin consent.

Comments

Popular posts from this blog

Azure key vault with .net framework 4.8

Azure Key Vault  With .Net Framework 4.8 I was asked to migrate asp.net MVC 5 web application to Azure and I were looking for the key vault integrations and access all the secrete out from there. Azure Key Vault Config Builder Configuration builders for ASP.NET  are new in .NET Framework >=4.7.1 and .NET Core >=2.0 and allow for pulling settings from one or many sources. Config builders support a number of different sources like user secrets, environment variables and Azure Key Vault and also you can create your own config builder, to pull in configuration from your own configuration management system. Here I am going to demo Key Vault integrations with Asp.net MVC(download .net framework 4.8). You will find that it's magical, without code, changes how your app can read secretes from the key vault. Just you have to do the few configurations in your web config file. Prerequisite: Following resource are required to run/complete this demo · ...

How to Make a Custom URL Shortener Using C# and .Net Core 3.1

C# and .Net Core 3.1:  Make a Custom URL Shortener Since a Random URL needs to be random and the intent is to generate short URLs that do not span more than 7 - 15 characters, the real thing is to make these short URLs random in real life too and not just a string that is used in the URLs Here is a simple clean approach to develop custom solutions Prerequisite:  Following are used in the demo.  VS CODE/VISUAL STUDIO 2019 or any Create one .Net Core Console Applications Install-Package Microsoft.AspNetCore -Version 2.2.0 Add a class file named ShortLink.cs and put this code: here we are creating two extension methods. public   static   class   ShortLink {      public   static   string   GetUrlChunk ( this   long   key ) =>            WebEncoders . Base64UrlEncode ( BitConverter . GetBytes ( key ));      public   static   long   GetK...

Azure Logic Apps Send Email Using Send Grid Step by Step Example

Azure Logic Apps Send Email Using Send Grid Step by Step     Step 1- Create Send Grid Account Create a SendGrid Account  https://sendgrid.com/ Login and Generate Sendgrid Key and keep it safe that will be used further to send emails You can use Free service. it's enough for the demo purpose Step 2- Logic App Design Login to  https://portal.azure.com Go to Resources and Create Logic App Named "EmailDemo" Go To Newly Created Rosoure Named "EmailDemo" and Select a Trigger "Recurrence", You can choose according to your needs like HTTP, etc. Note* Without trigger you can not insert new steps or Actions Click on Change Connection and add Send Grid Key  Click on Create and Save Button on the Top. As we have recurrence so it will trigger according to our setup(every 3 months) so just for the test click on "RUN" button  Finally, you should get an email like below one: