
Sync with Azure Active Directory with a multi-tenant app (receiving user notifications)

I've developed a feature on my web-site that allows logging in using Azure.

So users in my web-site can sign-in using:

  • Azure (OAuth2). We're using a multi-tenant app. We're just using the application to log in users, so we don't really use the access token to make requests. We just use the access token to obtain the user's email (decoding it as a JWT).

  • Their own email-password they can set on my site.


This creates a problem:

Imagine a person that starts working in a company. The IT team gives him an email that belongs to their Azure account (with their account domain). This team also has an account on my site (configured with the same domains they use on Azure). So this user will try to log in to my site using his credentials. We'll create his profile on their company account (due to the email domain). He sets his password. Sometimes he uses Azure to log in and sometimes he uses his email-password to log in.

The next month, this person gets fired. The IT team deletes him from Azure. However, the IT team forgets to also delete him on my site. So this user still has permission to sign in with his email-password credentials and is still able to see private information (he can even delete private files).


I would like to know if there is a way to sync my app with every directory that is using it, so I would be able to receive user action notifications (like user deletions). It would be great to receive a call to an endpoint with information about users' important actions. This way we'll be able to delete the user from our platform as well, so the company can forget about deleting a user on my site without having the stolen-information problem.

PS: I've seen you have a logout sync using SAML, but I wonder if we would be able to receive other kinds of notifications, because we don't want to log out the user when they log out from Azure.

If you have permission from the former user's tenant administrator to access their directory, you can use the Microsoft Graph API to check whether that user is still listed.

I've been talking with Microsoft support and there is no way of having Microsoft call our endpoint to receive some notifications.

So the only solution is to ask for admin permission or, having the refresh_token from OAuth2, check that the user still appears on Graph ( https://graph.microsoft.com/v1.0/me ).
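One way to run the refresh-token check described in this answer, as an added example that is not from the original post: it refreshes the token at the v2.0 `/common` token endpoint of an assumed multi-tenant app (client id and secret are placeholders), then calls `/me`, and keeps an "unknown" outcome separate so that a network failure never deactivates a local account. The `scripted_transport` helper exists only so the function can be exercised offline with constructed responses.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Assumed multi-tenant app registration; /common is the v2.0 multi-tenant token endpoint.
TOKEN_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/token"
ME_URL = "https://graph.microsoft.com/v1.0/me"


def urllib_transport(method, url, data=None, headers=None):
    """Default HTTP transport: returns (status, JSON body as dict)."""
    body = urllib.parse.urlencode(data).encode() if data else None
    req = urllib.request.Request(url, data=body, headers=headers or {}, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def scripted_transport(responses):
    """Offline stand-in for urllib_transport: replays constructed (status, body) pairs."""
    queue = list(responses)
    return lambda method, url, data=None, headers=None: queue.pop(0)


def check_user_presence(refresh_token, client_id, client_secret, transport=urllib_transport):
    """Classify a stored refresh token as 'present', 'gone' or 'unknown'.

    Refresh first instead of reusing a cached access token: an access token
    issued before the deletion stays valid until it expires.
    """
    status, body = transport("POST", TOKEN_URL, data={
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/User.Read",
    })
    if status == 400 and body.get("error") == "invalid_grant":
        return "gone"      # refresh token rejected: user deleted/disabled or consent withdrawn
    if status != 200 or "access_token" not in body:
        return "unknown"   # transient failure: never deactivate on a flaky network
    status, body = transport("GET", ME_URL,
                             headers={"Authorization": "Bearer " + body["access_token"]})
    if status == 200 and body.get("id"):
        return "present"
    if status in (401, 404):
        return "gone"      # token accepted but the user object no longer resolves
    return "unknown"
```

Only a "gone" result should trigger deactivation of the local account; "unknown" should be retried on the next scheduled check.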
