Authentication WebAPI service that will use Azure AD and Azure B2B

Question

This isn't a specific problem question but a "cry for help". My problem is this. Our organization is in the process of implementing Office365. Until now there were tens of applications with their own authentication and authorization but in the process most of them will be rewritten to use within O365 environment.

We are facing the problem of creating one endpoint (ASP.NET WebAPI app) which will be used to authenticate a user with his credentials from Active Directory (or B2B AD on Azure because some apps are used outside) and tell if this user is allowed to use app that asked to log him.

I'm just wondering through documentations and sample code but can't decide what will be a good practice in this scenario. Should we just build each app and use Azure Active Directory provider to authenticate. Or is it possible to setup ONE api that will hold all apps Ids and its userIds - then it will check user credentials against AD and give app token/cookie...

My best bet is to try this: http://www.tugberkugurlu.com/archive/simple-oauth-server-implementing-a-simple-oauth-server-with-katana-oauth-authorization-server-components-part-1 But create Provider for AzureAD. But then its still question about this B2B AD part.

Please help by pointing to some up to date resources..

Answer 1

You are getting this backwards. If you have apps integrated with Azure AD you don't have to create endpoint which will validate users right to use apps but you are assigning right to use an app in Azure AD. This is whole point.

Answer 2

You should register each of your B2B application within your Azure Active Directory and configure them to use AAD as the Identity Provider.

Then you can administrate everything you want (eg which user has access to which application) within the Azure Active Directory blade from the Azure Portal.