
Using Azure AD for customer authentication

We are writing an on-premise customer facing web application (.net/mvc) but want to use Azure AD as the authentication method for security reasons and also for possible future reasons. The web app will be (possibly) using forms authentication and authenticate in the controller.

We want to be able to let the customer use any email address they wish.

Is this possible? When I go to manually add someone to AzureAD I can't add someone using user1@myemail.com. We don't want to assign users email addresses in our domain.

Gina

You should have a look at Azure B2C (Business 2 Consumer) https://azure.microsoft.com/en-us/services/active-directory-b2c/

This enables you to create a separate AD for external users, allowing them to register and sign up with their own email address.

This will also enable new features like Multi Factor Authentication for your external users. Also it will let you store extra properties for each user (like customerid, address, etc.).

If you use Azure Web Apps, which supports ASP.NET MVC then you can use the Azure Active Directory authentication mechanism. Here is a blog post describing how to set it up: https://azure.microsoft.com/en-us/documentation/articles/app-service-mobile-how-to-configure-active-directory-authentication/

Once you have that, auth will be enabled for your app and you can configure the AAD app in the portal. See this blog post for more details: http://blogs.technet.com/b/ad/archive/2014/12/18/azure-active-directory-now-with-group-claims-and-application-roles.aspx

To modify the permission levels, you should be able to use role claims. See this example for guidance: https://github.com/Azure-Samples/active-directory-dotnet-webapp-roleclaims

Unfortunately, you can't use any email address you wish. You're going to have to associate the email addresses with the domain or you can use a Microsoft account (i.e. an @hotmail.com address).

If this is too complicated, you could just use forms authentication for ASP.NET which would allow you to use any email you wish. Here is an example: http://www.codeproject.com/Articles/601687/ASP-NET-MVC-Forms-Authentication-Customized

I don't think this is possible. Azure AD and Forms auth are not designed to work together. You are supposed to pick one or the other.

As for custom email addresses with Azure AD, you can use either email addresses in your domain or you can add Microsoft accounts as guest accounts (e.g. user1@outlook.com, user2@live.com, user3@hotmail.com, etc.). It's not possible to use arbitrary email addresses with Azure AD.

Based on your requirements, it sounds like Forms auth is the way to go.

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.

 