microsoftgraph / aspnetcore-connect-sample

[ARCHIVED] This ASP.NET Core MVC sample shows how to connect to Microsoft Graph using delegated permissions and the Azure AD v2.0 (MSAL) endpoint.
MIT License

Example Showing Azure AD Only Application #8

Closed aherrick closed 6 years ago

aherrick commented 6 years ago

Are there any examples showing similar Auth/Graph access with Core and Azure AD Only app?

In my case I only want to login users for a given Work tenant, and don't care about the app being Converged.

Or what is the best way to restrict Auth to a given tenant? Would I still want to create a Converged App?

Thanks!

mark-szabo commented 6 years ago

Hi @aherrick, With the new MSAL there is no option to restrict an app to a single tenant when creating the app. If you'd like to restrict login for given tenant(s), you can add those here.

You would use something like this:

// Goes on options.TokenValidationParameters (Microsoft.IdentityModel.Tokens).
// Note: the v2.0 issuer claim is a full URL, not a bare tenant ID:
//   https://login.microsoftonline.com/{tenant-id}/v2.0
IssuerValidator = (issuer, token, tvp) =>
{
    if (issuer == "https://login.microsoftonline.com/your-tenant-id-here/v2.0")
        return issuer;
    else
        throw new SecurityTokenInvalidIssuerException("Invalid issuer");
}

or if you have multiple tenants:

// myTenantIds must hold the full v2.0 issuer URL of each allowed tenant,
// e.g. "https://login.microsoftonline.com/{tenant-id}/v2.0"
IssuerValidator = (issuer, token, tvp) =>
{
    if (myTenantIds.Contains(issuer))
        return issuer;
    else
        throw new SecurityTokenInvalidIssuerException("Invalid issuer");
}

Have a nice weekend! :)
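As an added example, not part of the original thread or of the sample's own code, here is the tenant check described above carried through into a complete ASP.NET Core 2.x OpenID Connect configuration against the common v2.0 authority. It parses the issuer URL and allow-lists the tenant ID rather than comparing whole strings, so a token minted for any other tenant (including the personal-account tenant) fails validation instead of being silently accepted. The tenant ID, client ID and client secret are placeholders, and the helper names TenantIssuerValidator and AuthSetup are mine.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

// Rejects id_tokens whose issuer is not one of our tenants.
// Matches the Microsoft.IdentityModel.Tokens.IssuerValidator delegate:
//   string (string issuer, SecurityToken token, TokenValidationParameters tvp)
public static class TenantIssuerValidator
{
    // Placeholder GUID(s) of the work/school tenant(s) you accept (assumed values).
    // Personal Microsoft accounts are issued under tenant
    // 9188040d-6c67-4c5b-b112-36a304b66dad; leaving it out of this set
    // blocks them even though the app is registered as converged.
    private static readonly HashSet<string> AllowedTenantIds =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "00000000-0000-0000-0000-000000000000"
        };

    public static string Validate(string issuer, SecurityToken token, TokenValidationParameters tvp)
    {
        // v2.0 issuer format: https://login.microsoftonline.com/{tenant-id}/v2.0
        if (!Uri.TryCreate(issuer, UriKind.Absolute, out var uri)
            || uri.Scheme != Uri.UriSchemeHttps
            || !string.Equals(uri.Host, "login.microsoftonline.com", StringComparison.OrdinalIgnoreCase))
        {
            throw new SecurityTokenInvalidIssuerException($"Unexpected issuer authority: {issuer}");
        }

        var segments = uri.AbsolutePath.Trim('/').Split('/');
        if (segments.Length != 2
            || !string.Equals(segments[1], "v2.0", StringComparison.Ordinal)
            || !Guid.TryParse(segments[0], out var tenantId))
        {
            throw new SecurityTokenInvalidIssuerException($"Malformed v2.0 issuer: {issuer}");
        }

        if (!AllowedTenantIds.Contains(tenantId.ToString("D")))
        {
            throw new SecurityTokenInvalidIssuerException($"Tenant {tenantId:D} is not allowed");
        }

        // Returning the issuer signals success to the token handler.
        return issuer;
    }
}

public static class AuthSetup
{
    // Call from Startup.ConfigureServices; clientId/clientSecret come from configuration.
    public static void ConfigureTenantRestrictedAuth(IServiceCollection services, string clientId, string clientSecret)
    {
        services.AddAuthentication(o =>
            {
                o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                o.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
            })
            .AddCookie()
            .AddOpenIdConnect(options =>
            {
                // The common endpoint publishes a templated issuer, which is why the
                // built-in issuer check cannot be used here and a custom validator is needed.
                options.Authority = "https://login.microsoftonline.com/common/v2.0";
                options.ClientId = clientId;
                options.ClientSecret = clientSecret;
                options.ResponseType = "code id_token";

                // Mutate the existing parameters so the defaults (NameClaimType etc.) survive.
                options.TokenValidationParameters.ValidateIssuer = true;
                options.TokenValidationParameters.IssuerValidator = TenantIssuerValidator.Validate;
            });
    }
}
```

The usual shortcut when targeting the common authority is ValidateIssuer = false, which accepts a token from any tenant or personal account; this replaces that with an explicit allow-list. Parsing the URL also avoids accepting an issuer that merely contains the tenant ID somewhere in its string.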

aherrick commented 6 years ago

hey @mark-szabo Thanks for the answer!

I guess what I'm getting at is I don't want it available for personal accounts at all. I don't like how when I go to /Signin, if I'm already authenticated, I still have to click through with my Work account.


Should I really just be creating an Azure AD only application and then setting up the Auth/Configuration that way? Are there any guides which show this? Thank you!

jamescro commented 6 years ago

If you don't want to limit your user base to just work/school accounts, you'll want to use the ADAL library instead of MSAL. Here is an ASP.NET Core example that uses ADAL: https://github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-openidconnect-aspnetcore You can see a number of ASP.NET core samples that demonstrate various authentication scenarios here:

https://github.com/azure-samples/?utf8=%E2%9C%93&q=aspnetcore

mark-szabo commented 6 years ago

By the way, here is an earlier version of this sample using ADAL: https://github.com/microsoftgraph/aspnetcore-connect-sample/tree/6d2fcf63eefe4b61d769e4ce93050de736e0ab44

mark-szabo commented 6 years ago

Before switching back to ADAL, I'd try this: You can set the login_hint param to the user email address and it should redirect automatically as described in the docs:

You can use this parameter to pre-fill the username and email address field of the sign-in page for the user, if you know the username ahead of time. Often, apps use this parameter during re-authentication, after already extracting the username from an earlier sign-in by using the preferred_username claim.

aherrick commented 6 years ago

@mark-szabo thanks for the latest thoughts!

So I believe I am implementing this correctly. I've tried both login_hint and domain_hint. However my Work tenant is not automatically selected. I'm still presented with both Work/Personal accounts.

Any thoughts?

// Inside options.Events of AddOpenIdConnect(...): runs before the browser is
// redirected to the authorization endpoint, so the hints end up as login_hint
// and domain_hint query parameters on the request.
OnRedirectToIdentityProvider = context =>
{
    // var user = System.Security.Claims.ClaimsPrincipal.Current.FindFirst("preferred_username").Value;
    context.ProtocolMessage.LoginHint = "me@tenant.com";
    context.ProtocolMessage.DomainHint = "tenant.com";

    return Task.CompletedTask;
},

From Fiddler:


mark-szabo commented 6 years ago

Yes, you are doing it right as I see. I've just asked it in some internal groups. If you can wait some days, I'll get back with an answer as soon as I get something.

aherrick commented 6 years ago

Can do - thanks again! 👍

mark-szabo commented 6 years ago

Hi @aherrick, it seems this is a bug in MSAL for .NET. Can you please raise an issue here? https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues Thanks!

mark-szabo commented 6 years ago

@aherrick we just found some (maybe) useful info for you: http://www.cloudidentity.com/blog/2016/07/25/controlling-a-web-apps-session-duration-2/

Can you please check it out?

mark-szabo commented 6 years ago

Closing due to inactivity. Please reopen if you have questions!