
Set up user authentication using Azure AD

This article provides a quick start guide for setting up a username and password login store for Authress utilizing your Azure Account. Authress aggregates different user stores together and enables features that these identity providers don't provide.

This is the right integration to set up if you already have an Azure AD B2B tenant and want to enable those users to log in with their Azure AD account, or if you want to add a username and password store to your Authress account and are using Azure as your cloud provider.

This setup is not necessary if your users log in through SSO via their own corporate identity provider. Instead, you can directly configure their provider as an Identity Provider Connection in the Authress Management Portal.

If you are looking to enable admin login access into the Authress Management Portal using your corporate IdP, see the Authress Management Portal SSO Configuration.

Creating the directory in Azure

Navigate to the Azure portal and search for Azure Active Directory.

If you already have a directory you want to use, then you can skip this step, otherwise follow the instructions below.

Select Manage Tenants at the top of the screen, and create a new tenant. Each tenant is how Azure classifies different Active Directories. Create a tenant and specify Azure Active Directory (B2C) as the tenant type.

Note: Use separate directories, one for your Azure admins to log in to your Azure account and one for your users to log in to your applications. These should not be shared.

Troubleshooting directory creation

Azure Subscription Error

If you see this error while creating your new directory, the Azure subscription for your account must be updated.

Search for Subscriptions > click on your Azure Subscription name > scroll down to Resource providers > search for Microsoft.AzureActiveDirectory.

Click Register, and then retry the Directory creation.

Create the Azure AD B2C signup and login flow

For users who want the username and password option, we'll configure the signup and login flow in your new directory. Navigate to the directory's User Flows > click New user flow > select Sign up and sign in > Recommended > click Create. Then configure your requirements for the manual signup flow.

New Azure application

We'll link our directory to Authress, enabling Authress to log your users in using your directory.

Click App registrations > then click New registration.

Azure new app registration

We've named our tenant Authress User Pool, and now we'll create an application in Azure. The application is the Azure side of the integration.

Configure the following settings:

  • Enable login to this application for Accounts in any identity provider or organizational directory (for authenticating users with user flows)
  • Set the Redirect type to Web and the Redirect URI value to your Authress Custom Domain; that value should be of the form https://login.custom-domain.com/login.

Azure new app registration

Create the Authress connection

With the Azure directory and application created, now we can start the configuration on the Authress side. We'll need the following properties:

  • OAuth 2.0 authorization endpoint
  • OAuth 2.0 token endpoint
  • Azure Application ID
  • Application secret

We'll copy each one of these to Authress, one by one.

To start, we need a new Authress Connection: navigate to the Authress Management Portal connections page and click Add connection. (Note: the preconfigured Microsoft connection cannot be used for this.)

Endpoint URLs

First we'll need the relevant endpoint URLs. These are available on the Azure App Registration screen by clicking Endpoints at the top of the screen.

Azure new app endpoints

There are many endpoints listed here; we specifically need the Azure AD B2C OAuth 2.0 authorization endpoint (v2) and the Azure AD B2C OAuth 2.0 token endpoint (v2). They are at the top and have the form: https://POOL_NAME.b2clogin.com/POOL_NAME.onmicrosoft.com/<policy-name>/oauth2/v2.0/token.

You'll notice the <policy-name> placeholder in each URL. Replace <policy-name> with the ID of the user flow we created in the previous step before pasting the endpoint URLs into Authress. Full values for these URLs should look something like:

Copy these two values into the Authorization URL and Token URL fields of the Authress Connection, respectively.

Client ID

The client ID appears as part of the URLs and can be copied directly from the app registration page's essential information:

Azure new app registration

Generate the credentials for Authress

For Authress to use your Directory, we'll need to configure credentials to secure the connection. Navigate back to Azure > App registrations > Click on the Authress integration application you just created > Select Certificates & Secrets from the left menu.

Then click New client secret, follow the prompts, and copy the secret Value (not the Secret ID); an example secret looks like IgN8Q~OB0FDUbi_CoU.B42Xkj5Xa3rBEwYwEcaLH.

Paste the secret into the Authress connection Client secret field.

Azure configuration in Authress

Validate the configuration

Now the setup is complete and you are ready to test the connection. When everything is configured correctly you'll see the test login success screen:
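Before clicking test, the values collected above can be sanity-checked offline. The script below is an added example, not part of the Authress documentation or product; the pool name, user flow ID, client ID and secret in it are constructed, and it assumes the B2C authorize endpoint shares the token endpoint's base path and that Authress runs a standard OAuth 2.0 authorization code flow against these values.

```python
import re
from urllib.parse import urlencode

POLICY_PLACEHOLDER = "<policy-name>"  # literal placeholder shown in the Azure endpoint list
# Azure displays a GUID "Secret ID" beside each client secret; the secret Value is never a GUID
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)
# Expected shape of both B2C v2.0 endpoints once the user flow ID has been substituted
B2C_ENDPOINT_RE = re.compile(
    r"^https://(?P<pool>[a-z0-9-]+)\.b2clogin\.com/(?P=pool)\.onmicrosoft\.com/"
    r"[^/<>]+/oauth2/v2\.0/(authorize|token)$", re.IGNORECASE)

def b2c_endpoints(pool_name, user_flow_id):
    """Return (authorization_url, token_url) with the user flow ID filled in.
    The token URL follows the form in the Azure endpoint list; the authorize URL
    is assumed to share the same base with /authorize (standard B2C layout)."""
    base = f"https://{pool_name}.b2clogin.com/{pool_name}.onmicrosoft.com/{user_flow_id}/oauth2/v2.0"
    return f"{base}/authorize", f"{base}/token"

def check_connection(config):
    """List the mistakes this guide warns about; an empty list means the values look right."""
    findings = []
    for key in ("authorization_url", "token_url"):
        url = config.get(key, "")
        if POLICY_PLACEHOLDER in url:
            findings.append(f"{key}: {POLICY_PLACEHOLDER} was not replaced with the user flow ID")
        elif not B2C_ENDPOINT_RE.match(url):
            findings.append(f"{key}: not an Azure AD B2C v2.0 endpoint on b2clogin.com")
    if GUID_RE.match(config.get("client_secret", "")):
        findings.append("client_secret: this is the Secret ID (a GUID); copy the secret Value instead")
    if not re.match(r"^https://[^/]+/login$", config.get("redirect_uri", "")):
        findings.append("redirect_uri: expected https://<your-authress-custom-domain>/login")
    return findings

def authorization_request(config, state):
    """Build the OAuth 2.0 authorization-code request a user is redirected to (assumed
    standard flow with the openid scope; 'state' must be unguessable and checked on return)."""
    params = {"client_id": config["client_id"], "response_type": "code",
              "redirect_uri": config["redirect_uri"], "scope": "openid", "state": state}
    return f"{config['authorization_url']}?{urlencode(params)}"

# Constructed sample: pool and user flow names are hypothetical, the secret is a dummy value
SAMPLE_AUTH_URL, SAMPLE_TOKEN_URL = b2c_endpoints("authressuserpool", "B2C_1_signupsignin")
SAMPLE_CONFIG = {"authorization_url": SAMPLE_AUTH_URL, "token_url": SAMPLE_TOKEN_URL,
                 "client_id": "00000000-0000-0000-0000-000000000000",
                 "client_secret": "dummy~Secret.Value_NotTheSecretId",
                 "redirect_uri": "https://login.custom-domain.com/login"}

if __name__ == "__main__":
    print(check_connection(SAMPLE_CONFIG) or "configuration checks passed")
    print(authorization_request(SAMPLE_CONFIG, state="replace-with-random-state"))
```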

Correct Azure configuration in Authress