Skip to content

Use Azure AD as an external identity provider

In order to authenticate users with AzureAD, you must enable and configure The OrchardCore.MicrosoftAuthentication.AzureAD (you can learn more about here) and the OrchardCore.Users.Registration features

What you will build

You will build a blog that allow users to login with their AzureAD account and get assigned roles based on the Security Groups they belong

What you will need

Follow the guide to create a new Orchard Core CMS website

An Azure Account with Azure Active Directory configured.

Login to OrchardCore Admin and enable the required Features

Navigate to https://localhost:5001/Admin/Features and enable the Microsoft Authentication Azure Active Directory and the Users Registration features

image

image

Login to Azure Portal to configure the Directory

Create the Orchard Core roles you want to manage/assign as Security Groups at Azure Portal. Copy the Object Id's as you will need it later to make the mapping.

image

Register a new application and configure authentication,

image

make sure to provide a redirect URI and enable at least ID tokens to be issued.

image

Navigate to Token configuration and add the groups token as shown below.

image

The last step is to copy Application Id and Tenant Id from Azure Portal

image

Navigate to Security/Azure Active Directory in OrchardCore Admin to configure the AzureAD app.

image

Configure registration settings

Navigate to Security/Settings/Registration and enable registration as shown

image

check Use a script to generate userName based on external provider claims and copy the following script to discover and use the user principal name as username if the user does not exist

switch (context.loginProvider) {
    case "AzureAD":
        context.externalClaims.forEach(claim => {
            if (claim.type === "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn") {
                context.userName = claim.value;
            }
        });
        if (!context.userName){
            context.userName = "azad" + Date.now().toString();
        }
    break;
    default:
        log("Warning", "Provider {loginProvider} was not handled", context.loginProvider);
    break;

also check the settings to disable asking user info on first registration

image

Configure login settings

Navigate to Security/Settings/Login and check Use a script to set user roles based on external provider claims and copy the following script

switch (context.loginProvider) {
    case "AzureAD":
        context.externalClaims.forEach(claim => {
            if (claim.type === "http://schemas.microsoft.com/ws/2008/06/identity/claims/role") {
                switch (claim.value) {
                    case "<replace AdministratorObjectId>":
                        context.rolesToAdd.push("Administrator");
                        break;
                    case "<replace ModeratorObjectId>":
                        context.rolesToAdd.push("Moderator");
                        break;
                    case "<replace EditorObjectId>":
                        context.rolesToAdd.push("Editor");
                        break;
                    case "<replace ContributorObjectId>":
                        context.rolesToAdd.push("Contributor");
                        break;
                    case "<replace AuthorObjectId>":
                        context.rolesToAdd.push("Author");
                        break;
                    default:
                        log("Warning", "Role {role} was not handled", claim.value);
                }
            }
        });
        context.userRoles.forEach(role => {
          if (!context.rolesToAdd.includes(role)){
              context.rolesToRemove.push(role);
          };
        });
        break;
    default:
        log("Warning", "Provider {provider}  was not handled",context.loginProvider);
        break;
}

Check the result

Logout from OrchardCore. Navigate to https://localhost:5001/admin and use the external provider button to login.

Login

Summary

You just integrated Azure Active Directory to the admin of your Blog! You can experiment with other login settings, such as disabling local login and challenging the AzureAD provider instead of showing the login screen.


Last update: August 6, 2020