Skip to content

Use Microsoft Entra ID (Azure AD) as an external identity provider

In order to authenticate users with Microsoft Entra ID (Azure AD), you must enable and configure The OrchardCore.MicrosoftAuthentication.AzureAD (you can learn more about here) and the OrchardCore.Users.Registration features

What you will build

You will build a blog that allow users to login with their AzureAD account and get assigned roles based on the Security Groups they belong

What you will need

Follow the guide to create a new Orchard Core CMS website

An Azure Account with Microsoft Entra ID configured.

Login to OrchardCore Admin and enable the required Features

Navigate to https://localhost:5001/Admin/Features and enable the Microsoft Entra ID Authentication and the Users Registration features

image

image

Login to Azure Portal to configure the Directory

Create the Orchard Core roles you want to manage/assign as Security Groups at Azure Portal. Copy the Object Id's as you will need it later to make the mapping.

image

Register a new application and configure authentication,

image

make sure to provide a redirect URI and enable at least ID tokens to be issued.

image

Navigate to Token configuration and add the groups token as shown below.

image

On the same screen, click on Add optional claim, select ID, check email as shown below and then click Add:

image

A popup may appear to authorize the call to the Graph API. Check Turn on the Microsoft Graph email permission as shown below and then click Add:

image

The last step is to copy Application Id and Tenant Id from Azure Portal

image

Navigate to Security/Microsoft Entra ID in OrchardCore Admin to configure the AzureAD app.

image

Configure registration settings

Navigate to Security/Settings/Registration and enable registration as shown

image

check Use a script to generate userName based on external provider claims and copy the following script to discover and use the user principal name as username if the user does not exist

switch (context.loginProvider) {
    case "AzureAd":
        context.externalClaims.forEach(claim => {
            if (claim.type === "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn") {
                context.userName = claim.value;
            }
        });
        if (!context.userName){
            context.userName = "azad" + Date.now().toString();
        }
    break;
    default:
        log("Warning", "Provider {loginProvider} was not handled", context.loginProvider);
    break;
}

also check the settings to disable asking user info on first registration

image

Configure login settings

Navigate to Security/Settings/Login and check Use a script to set user roles, user claims and user properties based on external provider claims and copy the following script

switch (context.loginProvider) {
    case "AzureAd":
        context.propertiesToUpdate = {"UserProfile":{"UserProfile":{"DisplayName":"UserDisplayNameValue"}}};
        context.claimsToUpdate = [{ claimType: "DisplayName", claimValue: "UserDisplayName"}];
        context.externalClaims.forEach(claim => {
            if (claim.type === "http://schemas.microsoft.com/ws/2008/06/identity/claims/role") {
                switch (claim.value) {
                    case "<replace AdministratorObjectId>":
                        context.rolesToAdd.push("Administrator");
                        break;
                    case "<replace ModeratorObjectId>":
                        context.rolesToAdd.push("Moderator");
                        break;
                    case "<replace EditorObjectId>":
                        context.rolesToAdd.push("Editor");
                        break;
                    case "<replace ContributorObjectId>":
                        context.rolesToAdd.push("Contributor");
                        break;
                    case "<replace AuthorObjectId>":
                        context.rolesToAdd.push("Author");
                        break;
                    default:
                        log("Warning", "Role {role} was not handled", claim.value);
                }
            }
        });
        context.userRoles.forEach(role => {
          if (!context.rolesToAdd.includes(role)){
              context.rolesToRemove.push(role);
          };
        });
        break;
    default:
        log("Warning", "Provider {provider}  was not handled",context.loginProvider);
        break;
}

Check the result

Logout from OrchardCore. Navigate to https://localhost:5001/admin and use the external provider button to login.

Login

Summary

You just integrated Microsoft Entra ID to the admin of your Blog! You can experiment with other login settings, such as disabling local login and challenging the AzureAD provider instead of showing the login screen.