API Management - Hands-on Lab Script


Additional Topics - Azure Active Directory Integration

AAD Create a new tenant

  1. Sign in to your organization’s Azure portal.

  2. From the Azure portal menu, select Create a resource.

    Azure Active Directory Create resource page

  3. Select Identity, and then select Azure Active Directory.

    The Create directory page appears.

    Azure Active Directory Create page

  4. On the Create directory page, enter the following information:

    • Type Contoso into the Organization name box.

    • Type Contoso into the Initial domain name box.

    • Leave the United States option in the Country or region box.

  5. Select Create.

Your new tenant is created with the domain labapimtenant.onmicrosoft.com.

AAD Create new users and groups

Add a new user

You can create a new user using the Azure Active Directory portal.

To add a new user, follow these steps:

  1. Sign in to the Azure portal as a User administrator for the organization.

  2. Search for and select Azure Active Directory from any page.

  3. Select Users, and then select New user.

    Add a user through Users - All users in Azure AD

  4. On the User page, enter information for this user:

    • Name. Required. The first and last name of the new user. For example, Mary Parker.

    • User name. Required. The user name of the new user. For example, mary@contoso.com.

      The domain part of the user name must use either the initial default domain name, <yourdomainname>.onmicrosoft.com, or a custom domain name, such as contoso.com. For more information about how to create a custom domain name, see Add your custom domain name using the Azure Active Directory portal.

    • Groups. Optionally, you can add the user to one or more existing groups. You can also add the user to groups at a later time. For more information about adding users to groups, see Create a basic group and add members using Azure Active Directory.

    • Directory role: If you require Azure AD administrative permissions for the user, you can add them to an Azure AD role. You can assign the user to be a Global administrator or one or more of the limited administrator roles in Azure AD. For more information about assigning roles, see How to assign roles to users.

    • Job info: You can add more information about the user here, or do it later. For more information about adding user info, see How to add or change user profile information.

  5. Copy the autogenerated password provided in the Password box. You’ll need to give this password to the user to sign in for the first time.

  6. Select Create.

The user is created and added to your Azure AD organization.

Create a basic group and add members using Azure Active Directory

You can create a basic group using the Azure Active Directory (Azure AD) portal. For the purposes of this article, a basic group is added to a single resource by the resource owner (administrator) and includes specific members (employees) that need to access that resource. For more complex scenarios, including dynamic memberships and rule creation, see the Azure Active Directory user management documentation.

Group and membership types

There are several group and membership types. The following information explains each group and membership type and why they are used, to help you decide which options to use when you create a group.

Group types:

Membership types:

Create a basic group and add members

You can create a basic group and add your members at the same time. To create a basic group and add members use the following procedure:

  1. Sign in to the Azure portal using a Global administrator account for the directory.

  2. Search for and select Azure Active Directory.

  3. On the Active Directory page, select Groups and then select New group.

    Azure AD page, with Groups showing

  4. The New Group pane will appear and you must fill out the required information.

    New group page, filled out with example info

  5. Select a pre-defined Group type. For more information on group types, see Group and membership types.

  6. Create and add a Group name. Choose a name that you’ll remember and that makes sense for the group. A check will be performed to determine if the name is already in use by another group. If the name is already in use, to avoid duplicate naming, you’ll be asked to change the name of your group.

  7. Add a Group email address for the group, or keep the email address that is filled in automatically.

  8. Group description. Add an optional description to your group.

  9. Select a pre-defined Membership type (required). For more information on membership types, see Group and membership types.

  10. Select Create. Your group is created and ready for you to add members.

  11. Select the Members area from the Group page, and then begin searching for the members to add to your group from the Select members page.

    Selecting members for your group during the group creation process

  12. When you’re done adding members, choose Select.

    The Group Overview page updates to show the number of members who are now added to the group.

    Group Overview page with number of members highlighted

For this lab, create the following users and groups:

    • Create the users user1, user2, and user3.

    • Group blue: add user1.

    • Group green: add user1, user2, and user3.

    • Group red: add user3.

AAD Register apps

  1. Register the frontend app: use MSAL to authenticate the user and obtain the user's group claim.

  2. Register the API Management app: validate the JWT.

  3. Register the legacy SOAP backend: certificate authentication and network firewall.

Modify Frontend with AAD login

Add a view to the ASP.NET Core frontend that requires MSAL authentication.

APIM configure OAuth2 server

  1. Add an OAuth2 authorization server to API Management.

  2. Attach the OAuth2 server to the web service API.

  3. Add a validate-jwt policy.

  4. Transform the request: read the user's group claim and pass it to the legacy backend.
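The policy below is an added example, not part of the original lab, showing what steps 3 and 4 look like together in one inbound policy for the web service API. Everything in braces is an assumption to be replaced with your own values: the tenant id, the application ID URI of the API Management app registration, the object id of the green group, and the name of the client certificate uploaded to API Management for the legacy backend; the header name X-User-Groups is also chosen here, not by the lab.

```xml
<!-- Added example (not part of the original lab): inbound policy for the web service API.
     Values in braces are assumptions: replace with your tenant, app registration,
     group object id and certificate name. -->
<policies>
    <inbound>
        <base />
        <!-- Reject the call unless it carries a signed, unexpired bearer token from the tenant -->
        <validate-jwt header-name="Authorization"
                      require-scheme="Bearer"
                      require-expiration-time="true"
                      require-signed-tokens="true"
                      clock-skew="60"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized: access token is missing or invalid."
                      output-token-variable-name="jwt">
            <!-- Signing keys are discovered from the tenant's OpenID Connect metadata -->
            <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
            <audiences>
                <!-- Application ID URI of the API Management app registration -->
                <audience>api://{apim-app-client-id}</audience>
            </audiences>
            <issuers>
                <issuer>https://login.microsoftonline.com/{tenant-id}/v2.0</issuer>
            </issuers>
            <required-claims>
                <!-- Only members of the green group (matched by object id) may call this API -->
                <claim name="groups" match="any">
                    <value>{green-group-object-id}</value>
                </claim>
            </required-claims>
        </validate-jwt>
        <!-- Pass the validated group membership to the legacy backend as a header (assumed name) -->
        <set-header name="X-User-Groups" exists-action="override">
            <value>@{
                var jwt = (Jwt)context.Variables["jwt"];
                string[] groups;
                return jwt.Claims.TryGetValue("groups", out groups) ? string.Join(",", groups) : "";
            }</value>
        </set-header>
        <!-- Do not forward the caller's bearer token to the backend; it only needs the group list -->
        <set-header name="Authorization" exists-action="delete" />
        <!-- Authenticate to the legacy SOAP backend with the client certificate stored in
             API Management under this name (assumed name) -->
        <authentication-certificate certificate-id="legacy-backend-client-cert" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Apply this in the inbound section of the API (or of the single operation) that fronts the legacy web service. Two points a practitioner should keep in mind: the groups claim only appears in the token if the app registration's token configuration is set to emit it, and Azure AD omits it for users who belong to a very large number of groups, so the required-claims check deliberately fails closed when the claim is absent. The X-User-Groups header is only trustworthy if the legacy backend cannot be reached except through API Management, which is exactly why the backend is also locked down with networking and client certificate authentication in the following sections.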

Legacy Backend

Secure the backend using networking.

Add the legacy backend to APIM.

Configure the legacy web service in APIM.

