ADAL.js with Multi-Tenant Azure Active Directory

2019-04-29 08:05发布

问题:

The sample code provided for using ADAL.js looks something like this:

window.config = {
    instance: 'https://login.microsoftonline.com/',
    tenant: '[Enter your tenant here, e.g. contoso.onmicrosoft.com]',
    clientId: '[Enter your client_id here, e.g. g075edef-0efa-453b-997b-de1337c29185]',
    postLogoutRedirectUri: window.location.origin,
    cacheLocation: 'localStorage',  localhost.
};
var authContext = new AuthenticationContext(config);

This works fine, but I'm trying to allow access for a multi-tenant application - users from an organisation should only be able to sign in if the application has been granted access by their account administrator.

I've implemented the first part - allowing admin users to enable - as per this example.

So at this point my application is listed in the third party's Active Directory.

I'm not sure what the correct settings should be for the tenant. I tried using 'common', but then it shows a dialog asking an individual user if they would like to grant access to the application, which is not what I'm looking for.

If I was making a straight MVC app, I'd continue on with the example above, using app.UseOpenIdConnectAuthentication on the server. But my app is a SPA, with Web Api backend, and I haven't been able to find a multi-tenant example for this scenario.

回答1:

The correct way of configuring your app for authenticating with any tenant, which is what you want in your scenario, is to use common. The per-user consent is a provisioning consideration. If you want an administrator to consent for the app on behalf of the entire organization, you can implement the admin consent flow by triggering an authentication request and appending prompt=admin_consent to it. Provided that an administrator performs an authentication flow in response to that request, Azure AD will offer to the admin the chance to consent for the app on behalf of everybody in the organization.