Azure Active Directory (Part 1)

Using Microsoft Identity to Authenticate Users.

Microsoft Teams

Microsoft Office 365 applications, including Microsoft SharePoint and Microsoft Teams, use Azure Active Directory to authenticate users.

Microsoft Teams allows Guest users to be added to a Team.

Azure Active Directory is used to support the Teams Guest user feature.

In the screenshot below John Doe with email address john@doe.com is added as a Guest user.

John Doe is being added as a Guest user.

Members and guests

Once John Doe has been added to the Team his account is included in the "Members and guests" list.

John has been added as a (guest) member of the Team

Azure Active Directory Users

Switching to the Azure Portal, we can see that an external (EXT) Azure Active Directory account has been added for John Doe.

Azure Active Directory Users

Custom Web Application

We can use the same Azure Active Directory user list to authenticate users accessing a custom "Who am I" web application.

App Registration

The key step is the creation of an "application registration".

Navigate to the Azure Active Directory service and select the App registrations page.

Navigate to Azure Active Directory and select App registrations

Click the "+ New registration" button.

Enter the user-facing display name ("who am i" in this case).
Enter the redirect URI (this is the address the user is sent back to once they have successfully entered their credentials).

We need to create a client secret.

We need to take a note of these three values:

Application (client) ID 63fe01c7-f396-484e-8a48-760f********
Directory (tenant) ID 1661e837-0a95-4bc6-a655-8653********
Client secret -~nGgWS3F7y~-o2etNGc0BW_ik_*******

package.json
index.js

Test the solution

To test the who-am-i web application we can navigate to http://localhost:3000.

We attempt to navigate to http://localhost:3000.

We are redirected to the Azure Active Directory Sign in page (unless federated identity management is enabled).

Once we have entered a correct email/username and password...

...we are asked to consent to our personal details being passed to the "who am i" application (unless two factor authentication is enabled).

In this case we are redirected to "/redirect" and the name of the authenticated user is displayed.

References