multi-factor authentication (MFA) for Web App authentication with Azure AD

Source: Internet
Author: User
Tags: openid

A customer recently needed to host the end-user database of a public-facing web application in Azure AD, and hoped to use MFA for user authentication. The idea is sound: with Azure's managed AAD service, the time-consuming user-database operations and the security controls are handled by Azure, and the application only has to call the appropriate AAD SDK in code and be configured accordingly. Our impression, however, was that Azure China supports multi-factor authentication (MFA) only for portal sign-in. So the question was: can a customer's own application use this service? For example, can a user of a food-delivery app be protected by MFA when signing in to the app? Three of us studied this together and confirmed that Azure China does support MFA for applications that integrate with AAD. Since the customer's stack is entirely Java, the Java sample code below demonstrates how to implement multi-factor authentication (MFA) for web app authentication with Azure AD (AAD). The whole process is divided into three parts:

    • Web Apps and AAD integration
    • Configure MFA
    • Scripted AAD user and MFA configuration

Note: for the OAuth 2.0 and OpenID Connect authorization and authentication flow, see https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-openid-connect-code

Web Apps and AAD integration

    • The configuration of AAD
First we need an AAD administrator account. Sign in to the Azure Portal and select "Azure Active Directory" in the service menu on the left. Next, register our web app with AAD. In this walkthrough the web app is deployed on the local computer, and its login URL is http://localhost:8080/adal4jsample/. Click "New application registration", enter the following information and click Create. Once the registration succeeds, record the Application ID; it is needed when the application is configured in the next step. Also set "User assignment required" to "Yes", so that only users explicitly assigned to the application can sign in to it. Then set the Reply URL (the redirect URI, which the web application developers can provide), and under Keys create a secret key. Record the key value at the moment it is generated: once you leave the page the value is hidden and cannot be read again.

You also need to note the tenant ID of the directory; sign in with PowerShell or the Azure CLI to find it.

    • Configuration of Web Apps
The integration code (the demo can be downloaded from https://github.com/Azure-Samples/active-directory-java-webapp-openidconnect/archive/Complete.zip) uses the Java library adal4j, which sends the sign-in and sign-out requests, manages the user session and retrieves user information; its source code is at https://github.com/AzureAD/azure-activedirectory-library-for-java. The changes required in the sample code are as follows:
    1. In \src\main\webapp\WEB-INF\web.xml, change the values of authority (as shown below), tenant (the tenant ID noted above), client_id (the application ID noted above) and secret_key (the key value created above).

Before you change:

After the change:

2. Modify the getUsernamesFromGraph method in \src\main\java\microsoft\aad\adal4jsample\AadController.java so that its Graph call uses the Azure China endpoint (graph.chinacloudapi.cn), as in step 3.

3. Change "graph.windows.net" to "graph.chinacloudapi.cn" in \src\main\java\microsoft\aad\adal4jsample\BasicFilter.java.

When everything is done, build the package with mvn package, deploy the WAR to the local Tomcat, open http://localhost:8080/adal4jsample in a browser, and the following page appears:
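Before the web.xml values are edited it is worth confirming which endpoints the target cloud uses and that the authority actually serves OpenID Connect metadata for the tenant, because the GitHub sample ships with the global-cloud values and an Azure China tenant is not known to them. The following PowerShell is an added example and is not part of the original post or of the Microsoft sample; the tenant ID is a placeholder, and the host names and the .well-known/openid-configuration path are the standard Azure AD v1 endpoints for the global and China clouds.

```powershell
# Added example (not from the original post): resolve the authority and Graph endpoints for a given
# Azure cloud and check that the authority answers with OpenID Connect metadata for the tenant.
function Get-AadEndpoints {
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [ValidateSet('AzureCloud', 'AzureChinaCloud')][string]$Cloud = 'AzureChinaCloud'
    )
    # The sign-in authority and the Graph host differ between the global and the China cloud.
    # The adal4j sample is written for the global values and must be edited for Azure China.
    $hosts = @{
        AzureCloud      = @{ Login = 'login.microsoftonline.com'; Graph = 'graph.windows.net' }
        AzureChinaCloud = @{ Login = 'login.chinacloudapi.cn';    Graph = 'graph.chinacloudapi.cn' }
    }
    $h = $hosts[$Cloud]
    [pscustomobject]@{
        AuthorityHost = "https://$($h.Login)/"                 # web.xml 'authority' (tenant is separate)
        Tenant        = $TenantId                               # web.xml 'tenant'
        GraphResource = "https://$($h.Graph)"                   # replaces graph.windows.net in the code
        Metadata      = "https://$($h.Login)/$TenantId/.well-known/openid-configuration"
    }
}

function Test-AadAuthority {
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [ValidateSet('AzureCloud', 'AzureChinaCloud')][string]$Cloud = 'AzureChinaCloud'
    )
    $ep = Get-AadEndpoints -TenantId $TenantId -Cloud $Cloud
    # The web app's OpenID Connect library downloads this document to learn the authorization,
    # token and signing-key (jwks_uri) endpoints. If it cannot be fetched, sign-in cannot work,
    # and the 'issuer' value is what the 'iss' claim of every id_token must be checked against.
    $meta = Invoke-RestMethod -Uri $ep.Metadata -Method Get
    $keys = Invoke-RestMethod -Uri $meta.jwks_uri -Method Get
    [pscustomobject]@{
        AuthorityHost         = $ep.AuthorityHost
        Tenant                = $ep.Tenant
        GraphResource         = $ep.GraphResource
        Issuer                = $meta.issuer
        AuthorizationEndpoint = $meta.authorization_endpoint
        TokenEndpoint         = $meta.token_endpoint
        SigningKeys           = @($keys.keys).Count
    }
}

# Usage (replace the placeholder with the tenant ID noted earlier):
# Test-AadAuthority -TenantId '00000000-0000-0000-0000-000000000000' -Cloud AzureChinaCloud
```

If the China authority returns the metadata and a non-empty key set, the AuthorityHost, Tenant and GraphResource values are the ones to write into the sample (the sample keeps the authority host and the tenant as separate context-params and joins them itself); running the same command with -Cloud AzureCloud shows which values the unmodified sample would have used.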

Click "Secure Page"; the browser is redirected to Azure AD China for authentication.

Enter the user name and password to sign in; the web app's home page is shown below.

Configure MFA

Next we add a web app user to Azure AD, assign the user to the web app and turn on MFA.

Add the user Mfauser to the AAD directory in which the web app is registered.

Select the "Enable multi-factor authentication" option; a temporary password for the user is issued at the same time.

Go to the application page of the web app registered above and assign the newly created user to it.

Open a browser and enter http://localhost:8080/adal4jsample/; the page is redirected to Azure AD China for authentication. Enter the new user name and the temporary password; the page then states that MFA must be configured.

AAD MFA can be configured with several options, such as phone call, SMS and a mobile device; we choose "authentication phone" and "send me a code by text message".

The phone then receives a text message from abroad; the code in it completes the final verification step.

Re-open the browser and enter http://localhost:8080/adal4jsample/; the page is again redirected to Azure AD China for authentication. This time, once the user name is given, the phone receives a verification code.

After the verification code is entered, authentication succeeds and the user signs in normally.

Scripted AAD user and MFA configuration

Since AAD serves as the web application's end-user database, adding and deleting users and configuring their MFA must be possible through a programming interface. In our experiment we found only a PowerShell implementation, using the MSOnline V1 module (https://docs.microsoft.com/en-us/powershell/module/msonline/?view=azureadps-1.0). The following script enables MFA for every user of a given domain who does not have it yet:
    # Connect to Azure China with an administrator credential. The credential is kept in plain
    # text here as in the original script; Get-Credential is preferable in practice.
    Import-Module MSOnline
    $username = 'xxxxxx'
    $password = 'yyyyyyyy'
    $securePassword = ConvertTo-SecureString -String $password -AsPlainText -Force
    $credentials = New-Object System.Management.Automation.PSCredential($username, $securePassword)
    # -AzureEnvironment is required for an Azure China tenant; the default is the global cloud
    Connect-MsolService -Credential $credentials -AzureEnvironment AzureChinaCloud

    # All users of the web app's domain, with their current per-user MFA state
    $users = Get-MsolUser -All | Where-Object { $_.UserPrincipalName -like '*zzzzzz' }
    $mfaUsers = $users |
        Select-Object DisplayName,
            @{n = 'Email'; e = { $_.UserPrincipalName }},
            @{n = 'StrongAuthenticationRequirements'; e = { $_.StrongAuthenticationRequirements.State }} |
        Sort-Object StrongAuthenticationRequirements

    # Users that have no MFA requirement yet
    $noStrong = $mfaUsers |
        Where-Object { -not $_.StrongAuthenticationRequirements } |
        Select-Object DisplayName, Email, StrongAuthenticationRequirements

    # Build the MFA requirement once and apply it to each of those users
    $auth = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $auth.RelyingParty = '*'
    $auth.State = 'Enabled'
    $auth.RememberDevicesNotIssuedBefore = (Get-Date)
    $noStrong | ForEach-Object { Set-MsolUser -UserPrincipalName $_.Email -StrongAuthenticationRequirements $auth }
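The Portal steps above (add the user, enable MFA, note the temporary password) and the script above (enable MFA for existing users) together cover the user lifecycle the text says needs a programming interface. The following PowerShell is an added example, not from the original post, that does the same from the MSOnline V1 module end to end: look up the tenant ID for web.xml, create the user with MFA already required, read back the state, and remove the user again. The verified domain contoso.partner.onmschina.cn and the user name are placeholders, and the administrator credential is entered interactively; assigning the user to the web app is left to the Portal step above.

```powershell
# Added example (not from the original post): tenant lookup, MFA-required user creation,
# verification and removal with the MSOnline V1 module against Azure China.
# Placeholders: the verified domain contoso.partner.onmschina.cn and the user Mfauser.
Import-Module MSOnline
$adminCred = Get-Credential -Message 'AAD administrator account (Azure China)'
# -AzureEnvironment is required for an Azure China tenant; the default is the global cloud
Connect-MsolService -Credential $adminCred -AzureEnvironment AzureChinaCloud

# The tenant ID that goes into the web.xml 'tenant' context-param
$tenantId = (Get-MsolCompanyInformation).ObjectId
"Tenant ID: $tenantId"

# Per-user MFA requirement, set at creation so the user never signs in with password only.
# 'Enabled' prompts the user to register an MFA method at next sign-in (the Portal path above);
# 'Enforced' additionally requires MFA for legacy-protocol sign-ins that cannot prompt.
$mfa = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$mfa.RelyingParty = '*'
$mfa.State = 'Enforced'
$mfa.RememberDevicesNotIssuedBefore = (Get-Date)

$upn = 'Mfauser@contoso.partner.onmschina.cn'   # placeholder UPN
$newUser = New-MsolUser -UserPrincipalName $upn -DisplayName 'Mfauser' -UsageLocation 'CN' `
    -ForceChangePassword $true -StrongAuthenticationRequirements @($mfa)
# With no -Password given, MSOnline generates a temporary password and returns it in .Password;
# this is the temporary password the Portal shows when the user is created there.
"Temporary password for $($newUser.UserPrincipalName): $($newUser.Password)"

# Read back what the directory now holds for this user
Get-MsolUser -UserPrincipalName $upn |
    Select-Object UserPrincipalName, DisplayName,
        @{n = 'MfaState'; e = { $_.StrongAuthenticationRequirements.State }}

# Removal when the account is retired (the user goes to the recycle bin; -Force skips the prompt)
# Remove-MsolUser -UserPrincipalName $upn -Force
```

Because the user is created with -ForceChangePassword and an MFA requirement in one call, the first sign-in to the web app forces both a password change and MFA registration, which is the same state the Portal procedure above reaches in two steps.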

Finally, the phone-call and SMS platform is hosted overseas, so both the call and the text message are in English.
