Microsoft Entra ID Modern Authentication — How Does It Work?

DevOpsWithYoge
6 min read · Apr 3, 2024


This blog explains the hidden steps in which modern authentication techniques are used with Microsoft Entra ID (the identity provider) to authorize native applications and hybrid applications, and how Active Directory Federation Services (AD FS) is used for validation.

Context

  • Keywords
  • Microsoft Entra ID Authentication for Native Application
  • Brief Explanation of how AD FS works with Microsoft Entra ID
  • Microsoft Entra ID — Single Sign On Authentication
  • Conclusion

Keywords:

Microsoft Entra ID Authentication for Native Application:

What are native applications?

The SaaS applications offered by Azure that are products of Microsoft itself are termed native apps.

Example: Outlook, Teams, SharePoint (basically Office 365), etc.

If you authenticate yourself with an Office 365 online account in the browser, you are then able to use the various online applications such as Outlook, Teams, PowerPoint, Word and many more. How does this happen? Let's deep dive and understand those concepts below.

Scenario: 📡

KDO is an organization that maintains sensitive employee information on its on-premises network. It uses AD FS together with Azure to give new joiners access to the organization's Microsoft products.

Richa is a fresher who has joined the organization KDO. Her user ID (email) is added as a user/member of the organization in Entra ID. She is provisioned with a laptop that has the Office 365 applications installed, and for the first time she wants to log in to the Teams application.

Fig 1.0 End to End Identity Provider Workflow

Steps: 📝

Richa opens the Teams app and sees a login page, where she enters the email ID assigned to her.

  1. She clicks the sign-in option.
  2. Her Microsoft Entra identity details are verified and it is confirmed that they belong to the organization's group.
  3. Then her domain is validated by AD FS. She will be asked to enter her password, or if the account is passwordless she will authorize her ID through the process below.
  4. Next, the Microsoft two-factor authentication configured at the account level is carried out (for example, using the Microsoft Authenticator app to validate with a fingerprint and the displayed number, or whatever other conditional access policy has been set up).
  5. On completion of this step, Microsoft Entra ID returns an access token and a refresh token, along with their expiration durations, via the redirect URI (they are stored in session storage as cookies/cache), and she is logged in to her organization's Teams account.

Now she logs off for the day. The next day, when she tries to log in, steps 1 to 5 are skipped.

6. Instead, the refresh token fetched earlier is used to renew the session and obtain a new access token and refresh token.
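As an added example (not code from the original post), here are the checks a relying application should make on the access token from step 5 before trusting its claims, plus the step 6 decision to fall back to the refresh token. The tenant ID, client ID, issuer and signing key are constructed; real Entra ID tokens are RS256-signed with keys from the tenant's JWKS endpoint, so the HMAC key here is only a stand-in that keeps the example offline.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for this example: not a real tenant, app registration or key.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
# Entra ID signs tokens with RS256 keys published at its JWKS endpoint; an
# HMAC key is used here only so the example runs offline without a network.
DEMO_KEY = b"constructed-demo-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict) -> str:
    """Mint a constructed JWT so the validator has something to check."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_token(token: str, now: int) -> dict:
    """Return the claims only if signature, issuer, tenant, audience and expiry all check out."""
    header, payload, sig = token.split(".")
    expected = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("signature does not verify")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("tid") != TENANT_ID:
        raise ValueError("token was issued by another tenant")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token was issued for a different application")
    if claims.get("exp", 0) <= now:
        raise ValueError("token has expired")
    return claims


def should_refresh(claims: dict, now: int, skew: int = 300) -> bool:
    """Step 6 decision: renew with the refresh token once the access token is within `skew` seconds of expiry."""
    return claims["exp"] - now <= skew
```

A token that fails any check is rejected outright rather than refreshed; only a validated token that is close to expiry triggers the refresh-token grant.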

Brief Explanation of how AD FS works with Microsoft Entra ID

Scenario: 📡

Guru is already part of the KDO organization and wants to access SharePoint Online. He opens the browser and tries to log in.

Fig 1.1. Curated example with SharePoint Online and Trusted Relationship establishment

Steps: 📝

  1. Guru enters his email ID and password in SharePoint Online.
  2. Validation of his ID is done in Microsoft Entra, for which a set of claims is sent to Microsoft Entra ID.
  3. Microsoft Entra ID now sends a set of claims (such as a check whether the domain exists) to AD FS to validate the domain, and AD FS responds with a set of results confirming that the domain exists.
  4. The token claim (T2) is the claim exchanged between Microsoft Entra ID and AD FS.
  5. Once validation is completed by AD FS, the other conditional access policies are checked and the request is answered with the access and refresh tokens etc., which are usually stored in the browser session cache/cookies.
  6. Guru can now access the SharePoint application.

Here there is a trust relationship between Microsoft Entra ID and AD FS.

Note: Token T1 and token T2 are independent of each other and are different tokens.

Microsoft Entra ID — Single Sign On Authentication

Scenario: 📡

Praveen works in the KDO organization. For a client, his team has created a shopping application that has two sets of integrations, developed by two teams with two different tech stacks and deployed on different cloud providers. He states this requirement to the internal Entra team. They set it up in such a way that users can navigate between the purchase page and the payment page without re-entering passwords repeatedly. How did they do it?

Let's see —

Fig 1.2 Single Sign On simple use case

Consider that the application is deployed to production and is actively used.

Steps: 📝

The user opens the browser and logs in to the website.

  1. The user enters the credentials — username and password.

3. The identity provider (Microsoft Entra ID) provides the token using OIDC.

To learn more about OIDC -> https://medium.com/@devopswithyoge/what-is-oidc-in-azure-and-how-to-use-it-in-github-actions-and-net-7a72d2933be7

4. With the access token, the user now lands on the shopping page.

5. The claims are stored as a cookie in the user's browser.

6. After selecting the items to purchase, the user navigates to the purchase page. Now, instead of asking the user to re-enter the credentials, the existing credentials such as the client ID are used, and

7. from Microsoft Entra ID, using SAML authentication, the tokens are retrieved and used.

8. The user can now use the payment facilities without any disruption.

9. These claims are also stored in cookies, so the next time the user opens the payment page, the usual validation of the user ID against AD FS, conditional access or MFA is skipped, and the user can access the pages straight away using the refresh token.

Here the user authenticates himself or herself only once, at the start of the application. After that, the shopping and payment pages are in a trust relationship through Single Sign-On (SSO), which makes the application more seamless to use.

As mentioned earlier, the claims for the payment and shopping pages are independent.

Fig 1.1.2 Bonus Example for SSO

In real-world scenarios, if an organization wants to provide access to multiple services/platforms, it uses this SSO. For example, from a centralized access portal it provides links to Salesforce, Google or other platforms where SSO is used, so that the user does not need to log in again when moving from the access portal to the other platform.

Conclusion

Here I have tried to explain the background process that happens in the identity provider (Microsoft Entra ID), so I hope that with these simple scenarios you have gained a better understanding.

Give it a 👏Clap if you enjoyed this content! 🤝 Don’t forget to hit that follow button for more exciting updates! Your support fuels my creativity! 🚀

References

https://medium.com/@devopswithyoge/what-is-oidc-in-azure-and-how-to-use-it-in-github-actions-and-net-7a72d2933be7

https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/migrate-adfs-saml-based-sso

https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/home-realm-discovery-policy

https://www.youtube.com/watch?v=Uu2Qy_EoIVQ


DevOpsWithYoge

An enthusiastic DevOps professional; I would like to help Azure Cloud aspirers and learners understand where Azure Cloud meets the real world.