How to use Microsoft Identity (Azure AD) to Authenticate Your Users

Bonjour, hi! Welcome to another video of Cloud in Five Minutes. I'm Frank Boucher, and today I want to talk about identity. In today's demo I want to create an application and use Azure Active Directory and identity to authenticate and secure my application. It doesn't need to be on Azure, it doesn't need to be web, but today I will create it using a .NET Core ASP.NET MVC website and I will run it locally. If you stay until the end, I will show you how to use the groups in Active Directory to secure part of your app. Let's get started.

In your favorite browser, just navigate to the Azure portal, so portal.azure.com. What we will need to do is create a new registration to do the binding, the connection between the Azure Active Directory and our application. By default, in all subscriptions you already have an Active Directory, so let's go in it, and we'll go here in App registrations. Click here the New registration button, and now you just need to put a name that makes sense for you; you will be able to change it to whatever name you want. Then you could support different account types; I'll leave all the default values for now. So let's register. It takes about one minute to do. It's already done, and we could already start configuring our application. What you could see here is that you will have multiple examples to help you get started, so it will work with Node.js, .NET, .NET Core, iOS, Android and all of those. For today I will stay in .NET Core.

Now in that Quickstart documentation page, I will see the schema of the handshaking between those two things, and it explains everything to me. So it explains that I need to put a callback URL here; it explains that I will need to use the client ID and the tenant ID, so we should definitely note those. So let's do it right away: client ID, tenant ID. That information is also available in the Overview. If I continue to scroll down, it also tells me that I need to change the Startup class to use the protocol version 2, so that's perfect. And at the end, it explains that to protect my controller in ASP.NET MVC I need to put the Authorize attribute. So now let's change the configuration. I could go and change it myself, or if you're not sure, just use this button. Great, so now the configuration attributes are done.

Let's see: if you go in the Overview page, you will have your client ID and tenant ID. Of course, here it's masked because this is private information, and you will have here the redirect URL. So I need to put that one so the callback is good, and also I will change here the port to use 5001, because I know that in .NET Core the default port used is 5001. So we'll just change that, there we go, and I will save it.

Like I told you, I want to show you how to use groups, so let's create a new group. In your Active Directory you will go in the section Groups, so I will go here, and you will create a new group. Our group type will be Security, perfect, so you will be using a security group. You give it a name and of course put some members over there; I will just put myself in here, so select. So now the group is there, the registration is there, we are ready to go in a terminal and create our .NET Core application.

So we'll close this and open the terminal. Excellent. In .NET Core you have dotnet new to create a new application with a bunch of templates and parameters. Let's examine the MVC template to see what else we can pass as a parameter. To do it, I will use the command dotnet new mvc --help, and if I scroll back up I will see here in this section that I have a parameter here, auth, that I can use to specify different types of authentication. For today I will use SingleOrg, but you can use many different things. Also, if I scroll down a little, I will see that I can pass my client ID and my tenant ID; those are the information we found in the portal. And now to create my application, what I will do is use dotnet new mvc, the output will be FrankDemoIdentity, I will pass the SingleOrg and then I pass my client ID and my tenant ID. Let's create that. Great, now I just need to go in that folder with the text editor that you like. I like Code, so I will just use that one.

So, in Visual Studio Code, let's start with the Startup page, not page but class, I mean. So here in the configuration, what I will need to do, just under the Azure AD, is add the section that was shown in the documentation. So add, voilà, copy-pasting the code from the portal in here where I specify version 2. So that's good for now.

Now one thing I'm gonna do is change the partial login, so that will be in Views, and it will be the login partial. What I wanna do is I will change here so when I'm authenticated, I want to check in the claims and look for the preferred username. I'll put that in a variable and that's what I will be displaying. Of course it's complaining that I'm missing a namespace, so we'll do that. Perfect, so the login is done.

Let's go in the Controllers and see what else we can see in the Home controller. Just like it was explained, the Authorize attribute that I use is protecting my full controller, meaning that to see anything on my website I will need to be authenticated. That's not really what I want; I would like people to see at least the first page, and then to go in different sections I will ask them to get authenticated. So what I can do for that is, here just before the Index, that is the default page, I will have an AllowAnonymous. That way everyone will be able to see that specific function. Great, so that's nice.

But of course you could leverage groups and the roles in Azure Active Directory to protect some part of your application. Roles are the most scalable and most stable, but in Azure Active Directory, from the Azure portal, it's really easy to use groups, so if your website or application is small then you could use groups. What we need to do is create a new policy, and that will be done in the Startup class. So let's go back in Startup, just here in ConfigureServices. Here I will need to add a new policy creation; I name that one DivisionManager and I will be looking into the groups. Now what I need is the object ID; I forgot to take it, so let's go back in the portal.

Now if I go in my Groups, I should have my DivisionManager showing up here, and if I click on it I will have my object ID. Right now I'm using the portal to see that information, but you could retrieve that information using the Azure CLI also. So we'll use that and I will paste it there. This is not the best practice in terms of code quality; of course you should put that in a configuration file or something like that, but since it's just a demo, we'll use that.

Now what I need to do is add my tag, so we'll go back in the controller and protect one method with that. So here, let's see: Index could be seen by everyone, About let's say once you're connected, and Contact, let's protect that one with our group. So now what I need to do is put again the Authorize attribute, voilà, and I will specify my DivisionManager group. Of course we could create a custom attribute, but since it's just a demo I will do that; it's good enough. Perfect, so I think we got everything.

Now it's time to run it. We could run the debug, we could run from the terminal in Visual Studio Code, so we'll just go back to my main terminal and run it from there. So open the terminal, let's clean the screen, perfect, and now dotnet run to run it. Now let's go back in a browser and open an incognito window. Let's try that. Perfect. I'm accepting the cookies. So now, see, I'm not connected; it doesn't recognize me, I have the sign-in, but I can see the homepage, so that's good. Now if I'm trying to go in the About section, I should have a request to log in. Exactly. So now let's go there. Because it's the first time, it asked me the permission to read my profile, and those permissions are important to check depending on what you do; if you're for example querying the Graph in Active Directory, more permissions will be listed there. But now it's good, let's accept it. Perfect, we are in the About page and it recognized me; I see here my salutation has changed, just like we did in the code. And now if I'm trying to go in Contact it should work, because I'm part of the DivisionManager group. So let's try it. What, access denied? Oh, I think, yeah, okay.

So let's close that. I know what I need to do. Back in the portal, one step that I forgot to do is allow the groups to be part of the claims, so I need to change my manifest. The manifest JSON file is available here in the portal; if I go here, just in the left section, Manifest. Now I need to change the group membership claims; instead of null, what I will do is I will specify SecurityGroup. Another good value could be All; in that case all groups will show up. For me, I will just want security. Don't forget to save. Now it should work. Let's try again: open a new incognito window, localhost, accept cookies, and let's keep the suspense going. About first, login, okay, and now, moment of truth: can I go in the Contact? Yay, it's working! I told you, Azure Active Directory and identity are very easy to implement, whether your solution is running in Azure or not. If you're interested to learn more on Azure, click here for another video of Cloud in Five Minutes. See you next time. Thanks!
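The pieces the video assembles, written out in one place as an added example that is not the video's own code: the Startup registration with the v2.0 authority change the quickstart asks for, the DivisionManager policy reading the group's object ID from configuration rather than a pasted literal (the "Groups:DivisionManager" key is a hypothetical name), and the HomeController with AllowAnonymous on Index and the policy on Contact. It assumes the "AzureAd" section that dotnet new mvc --auth SingleOrg generates in appsettings.json and ASP.NET Core 2.x style registration.

```csharp
// Added example (not the video's code), ASP.NET Core 2.x style. Assumes the template's
// "AzureAd" config section plus a hypothetical "Groups:DivisionManager" key holding the
// group's object ID, instead of the hard-coded ID the demo pastes in.
using Microsoft.AspNetCore.Authentication.AzureAD.UI;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    private readonly IConfiguration _config;
    public Startup(IConfiguration config) => _config = config;

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
            .AddAzureAD(options => _config.Bind("AzureAd", options));

        // The "protocol version 2" change: sign in against the v2.0 endpoint.
        // Issuer validation is left on, which is the right setting for a single-org app.
        services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme,
            options => options.Authority = options.Authority + "/v2.0/");

        // The policy the demo creates: a "groups" claim must carry the group's object ID.
        // The claim only appears once the manifest's groupMembershipClaims is set.
        services.AddAuthorization(options =>
            options.AddPolicy("DivisionManager", policy =>
                policy.RequireClaim("groups", _config["Groups:DivisionManager"])));

        services.AddMvc();
    }
    // Configure(): the template's UseAuthentication() before UseMvc() is unchanged, so omitted here.
}

// Controller-wide [Authorize], with Index opened up and Contact restricted to the group.
[Authorize]
public class HomeController : Controller
{
    [AllowAnonymous]
    public IActionResult Index() => View();   // home page visible to everyone
    public IActionResult About() => View();   // any signed-in user
    [Authorize(Policy = "DivisionManager")]
    public IActionResult Contact() => View(); // group members only
}
```

If a user belongs to more groups than the token limit allows, Azure AD omits the groups claim and signals an overage instead, so this policy denies that user even though they are a member; that limit is part of why the video calls app roles the more scalable option.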