Moving authentication from LDAP to Azure AD in legacy ASP.NET MVC web app
Organisations all over the world are looking to migrate business applications into the cloud to take advantage of the many benefits it provides. The productivity and security benefit an organisation can gain from having all its apps in a cloud platform such as Azure AD can be a game-changer.
What is Azure Active Directory?
Azure Active Directory (Azure AD) is Microsoft’s enterprise cloud-based identity and access management (IAM) solution: a centralized identity provider in the cloud. The Microsoft identity platform simplifies authentication and authorization for application developers by providing identity as a service, with support for industry-standard protocols such as OAuth 2.0 and OpenID Connect, and open-source libraries for different platforms to help you start coding quickly. It lets developers build applications that sign in any Microsoft identity and obtain tokens to call Microsoft Graph, other Microsoft APIs, or APIs the developers have built themselves. It is the backbone of the Office 365 system, and it can sync with on-premises Active Directory.
Integrating Azure AD in existing ASP.NET MVC web application
The business requirement is to integrate Azure AD (replacing LDAP) to authenticate application users in place of the existing Windows authentication.
The existing application is configured for LDAP authentication against on-premises Active Directory. We are looking to modernize the authentication and sync our on-premises AD users to Azure AD.
The approach is to set up the authentication pipeline with session token-based authentication using OpenID Connect in ASP.NET with the OWIN middleware packages, and then use the Microsoft Graph API (or the Azure AD Graph API) to access Azure AD through its REST endpoints and verify user access.
Steps to register the application in Azure AD: below are the brief steps to set up an Azure tenant and register the application in Azure AD.
1- Log in to the Azure portal. Go to “Azure Active Directory” and set up a new Azure AD tenant.
2- In your newly created Azure AD tenant, create a new “App registration” to register the MVC web application.
a. Choose “Web app/API” for the Application Type. You will need this APP_ID for the integration. The sign-on URL takes the application redirect URL which represents.
b. Set the app as single tenant.
c. Set up a client secret for the app.
d. Set up the return URL.
3- Add User/Group Read API permissions for the Microsoft Graph API.
Changes needed in the existing ASP.NET MVC application
1- Add Microsoft identity platform sign-in to the MVC application. For the proof of concept, an Account controller has been added for sign-in and sign-out.
2- An Authorize attribute has been added to the Home controller. When a user logs in for the first time, the application redirects them to the Microsoft login screen. The user logs in with their Azure AD account credentials and, if authorised, a session token is created and stored in the session store.
3- The application uses the session token to authorise user access to the various resources.
4- Add an Authentication Provider which makes Microsoft Graph API calls to get the user profile and group details of the current user.
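An added example (not the post's own code) of steps 1 and 2: the OWIN Startup wiring and a minimal AccountController for a single-tenant registration. It assumes Microsoft.Owin.Host.SystemWeb, Microsoft.Owin.Security.Cookies and Microsoft.Owin.Security.OpenIdConnect 4.x, and hypothetical Web.config appSettings keys ida:TenantId, ida:ClientId and ida:RedirectUri holding the values from the app registration.

```csharp
using System.Configuration;
using System.Web;
using System.Web.Mvc;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

namespace LegacyMvcApp
{
    // Found by OWIN's Startup class convention (Microsoft.Owin.Host.SystemWeb).
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // The OIDC middleware signs the user into the cookie middleware; that cookie is the
            // session token each later request presents to the [Authorize] filter.
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions());
            string tenantId = ConfigurationManager.AppSettings["ida:TenantId"]; // assumed key
            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                ClientId = ConfigurationManager.AppSettings["ida:ClientId"],      // assumed key
                // Tenant-specific authority; using "common" here would accept sign-ins from any tenant.
                Authority = "https://login.microsoftonline.com/" + tenantId + "/v2.0",
                RedirectUri = ConfigurationManager.AppSettings["ida:RedirectUri"], // assumed key
                PostLogoutRedirectUri = ConfigurationManager.AppSettings["ida:RedirectUri"],
                Scope = "openid profile",
                ResponseType = "id_token", // sign-in only; a Graph access token is a separate step
                // Single-tenant app: reject ID tokens issued by any other tenant.
                TokenValidationParameters = new TokenValidationParameters { ValidateIssuer = true }
            });
        }
    }

    public class AccountController : Controller
    {
        public void SignIn()
        {
            if (Request.IsAuthenticated) return;
            HttpContext.GetOwinContext().Authentication.Challenge(
                new AuthenticationProperties { RedirectUri = "/" }, OpenIdConnectAuthenticationDefaults.AuthenticationType);
        }

        public void SignOut()
        {
            // Clears the local cookie and ends the Azure AD session.
            HttpContext.GetOwinContext().Authentication.SignOut(
                OpenIdConnectAuthenticationDefaults.AuthenticationType, CookieAuthenticationDefaults.AuthenticationType);
        }
    }
}
```

A request to a controller marked [Authorize] triggers the challenge automatically, so SignIn is only needed for an explicit login link.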
Things to consider before starting the integration:
1- There are two API options available, Azure AD Graph and the Microsoft Graph API. Microsoft recommends the Microsoft Graph API, as the Azure AD Graph API is no longer supported.
2- The latest version of the Microsoft Graph API library requires .NET Framework >4.6, so we can use Microsoft Graph API version 1.21.0, which supports .NET 4.5.
3- There are two options for making Microsoft Graph API calls to retrieve user profile and group details: the “Active Directory Client” or an “Http client”.
4- The Microsoft Graph client is another option, but its authentication provider needs the ‘Microsoft.Graph.Auth’ NuGet package, which is in pre-release at the moment. It also requires upgrading nuget.exe to the latest version.
Conclusion:
It is a common scenario where a business wants to move to cloud services but still wants to keep some of its legacy applications, either because of budget constraints or time constraints. The above findings suggest that, if clients don’t have the budget to redevelop the applications or don’t want to for any other reason, it is still possible to integrate Azure AD with legacy ASP.NET MVC applications and migrate them to Azure. There will be some limitations, but we can work around them if needed; for example, we can use an older version of the Microsoft Graph API.
Some references:
https://docs.microsoft.com/en-us/learn/modules/msgraph-build-aspnetmvc-apps/