Securing access to a VM-based web server with Azure Active Directory

Solution 1:

There are several ways to manage authentication in Azure and especially for large organizations that use Active Directory / Azure AD directories. But for your case, you have to use exclusively Azure AD B2C (You do not need a business directory).

Since there is a bounty that requires something slightly different, I will split this into two parts.

  • Part 1: I want to use an authentication method via Azure with a public registration (Azure AD B2C).
  • Part 2: I want to use an authentication method via Azure with Active Directory credentials (Azure AD).

Useful information

A little reminder:

  • Active Directory = Local business directory designed by Microsoft, used for years (1999) by large companies, and exclusively on-premises.
  • Azure Active Directory = Modern business directory adapted to the requirements of the cloud. It is sometimes synchronized with the local Active Directory to allow flexibility between the on-premises world and the cloud. (Office 365 is totally dependent on Azure AD.)
  • Azure Active Directory B2C = Modern user directory suitable for client registrations. It provides an identity management system with automatic registration. (I will not explain the benefits of this service compared to classic identity management; this is not the subject, but you will easily find the information here: https://azure.microsoft.com/en-us/services/active-directory-b2c/) -> Important: This is an extension of Azure Active Directory.

About Azure Application Proxy: It is mostly used for infrastructure that is already accessible on-premises and already uses Active Directory or Azure AD authentication. This tool gets the authentication token from the outside (a kind of specific login interface) and then provides secure remote access to the application from a public IP. In your case it is not useful, because you already have a public IP: your application is already available from the outside.

Part 1: I want to use an authentication method via Azure with a public registration (Azure AD B2C).


It is mainly a turnkey solution to manage a portfolio of users who will have a secure and complete authentication method for your web application.

1.1 How does it work?

When you created your Azure AD B2C service, it first created an Azure AD directory with the name you chose followed by the DNS suffix .onmicrosoft.com. Then it automatically linked this new directory to the Azure AD B2C service. A user who registers by email will be added to the Azure AD directory. It's your database.

From there, we consider that new users can register directly on your Azure AD directory via Azure AD B2C.

To schematize the operation quickly:

  1. The client clicks "Connect" on your site.
  2. Your script on your server redirects to an Azure AD B2C service URL (which usually has a DNS suffix like b2clogin.com or microsoftonline.com).
  3. From there, your client will see a page that you can freely customize, proposing to connect with login / password (with / without MFA) or to register.
  4. The client logs in / registers and Azure AD B2C returns an authentication token to your server.
  5. Your server (your code) uses this token (because it communicates with Azure AD B2C via a REST API (MSAL)) and allows or denies access to your application.

1.2 How do I configure it from Azure?

There are two important steps (I leave you to discover the other options):

Register application:

  • Simply create the configuration information to connect to the Azure AD B2C REST API from your program.
  • What to configure:
    • You have to activate the Web API.
    • You must indicate a reply URL:
    • This is the URL of your web service that will retrieve the information transmitted by Azure AD B2C. This is where your code will validate the user authentication and can continue to navigate.
    • Any URL is valid as long as you know how to recover the POST variables transmitted.
    • [Image: Registering Application]
    • Note the Application ID that will be used to configure your script.

Create a user flow:

  • This is where you set up your strategies for what the client will see when they are on the login page.
  • What to configure:
    • You have to start with the "Sign up and sign in" option (you will do the others later, but here is an interesting link: https://docs.microsoft.com/en-us/azure/active-directory-b2c/user-flow-versions).
    • Choose the identity provider "Email".
    • (You can see the MFA option here; we will come back to it later.)
    • Choose the attributes you want to exploit:
    • Collect attribute = What Azure AD B2C will collect in its database.
    • Return claim = What Azure AD B2C will additionally return to your server on the reply URL.
    • [Image: User Flow]
  • Once done, you will be able to prepare your web application to use it.

1.3 How do I configure it from my web application?

  • An excellent link to quickly understand what to do: https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-quickstarts-spa
  • I will use the sample of this link to explain what to do.
    • In the JavaScript index.html we can see the calls to the Azure AD B2C API via the MSAL.js module.
    • MSAL = Microsoft Authentication Library: https://github.com/AzureAD/microsoft-authentication-library-for-js
    • MSAL does "all the work" to allow the redirection and the return to validate or not an authentication.
  • We can see on line 52 a variable msalConfig:
var msalConfig = {
    auth: {
        clientId: "e760cab2-b9a1-4c0d-86fb-ff7084abd902", // This is your client ID (Application ID)
        authority: "https://fabrikamb2c.b2clogin.com/fabrikamb2c.onmicrosoft.com/b2c_1_susi", // Your B2C tenant and user flow
        validateAuthority: false // b2clogin.com is not in MSAL's known authority list
    }, // comma required between the two sections
    cache: { // MSAL.js 1.x expects this section to be named "cache"
        cacheLocation: "localStorage",
        storeAuthStateInCookie: true
    }
};
  • You have to register your ClientId (which corresponds to what you previously registered on Azure AD B2C).
  • And the authority, ending with the name of your user flow; for example for me it will be: https://makoad.b2clogin.com/makoAD.onmicrosoft.com/B2C_1_Default2

  • At line 122 we have the function callApiWithAccessToken, which shows how we use the token retrieved by MSAL:
            headers: {
              'Authorization': 'Bearer ' + accessToken, // note the space after "Bearer"
            }
  • It's classic: the accessToken is the user's passport to continue using your pages. From there you can invoke all the GET / POST / PUT requests needed to correctly obtain the user's identity and exploit it on your pages.
  • I can give more information if needed, but I think the sample page is enough to understand.

1.4 How do I configure MFA and conditional access?

  • Unfortunately, it is not yet possible to use conditional access for MFA on Azure AD B2C.
  • Conditional access and MFA only work with Azure AD. (Azure AD will not allow public registration of users -> there are still techniques to do this, but it will take time.)

Part 2: I want to use an authentication method via Azure with Active Directory credentials (Azure AD).


  • Work in progress. :) (It's a bit long)

Hoping it helps someone. (It's difficult to explain everything; sorry in advance for leaving out some information.)

Solution 2:

There are a ton of ways to get this up, but I'll quickly go over some of the alternatives I am more familiar with.

I'll be referring to Azure Active Directory as AAD throughout this.

What is AAD

Let's quickly talk about what AAD is and is not. AAD is not Active Directory. About the only thing they have in common is the name. AAD is not LDAP; it does not support RADIUS, and it cannot act as an Active Directory endpoint for anything that requires one.

AAD is a REST API based authentication service. It has support for OAuth 2, and I believe also SAML. Anything you configure will need to use these endpoints for authentication.

In a bit of irony, many of Azure's native services do not support AAD as an authentication endpoint.

Viable Options

Azure Application Gateway

This is essentially the Azure Application Proxy for services hosted on Azure. It may be the easiest solution for you to set up. It's been a while since the last time I used it, but it should support AAD authentication. There is plenty of Azure provided documentation on how to set up and configure an Application Gateway.

Azure Application Gateway Documentation

3rd-Party Authentication Proxy

If you're using Apache or nginx, or similar in front of your deployment, you can gate access to the website with a 3rd party authentication proxy like Skipper. You'll need to deploy a skipper service, and configure it to connect to an AAD OAuth endpoint for your customer.

Non-Viable Options

Azure Application Proxy

This is not intended for use with Azure hosted applications, as you mention in your question.

3rd-Party VPN Gateway

I'm not aware of any VPN servers that support OAuth or SAML as a backend mechanism. I don't think OpenVPN supports it, and it's the most commonly used VPN server. It is possible an option may exist though.

Azure VPN Gateway

If you want to authenticate with AAD, this isn't really an option, since the Azure VPN Gateway only allows authentication by either TLS or RADIUS, neither of which is compatible with AAD. As a result, this is not a viable option.