Bonjour, hi! Welcome to another video of Cloud in Five Minutes. I'm Frank Boucher, and today I want to talk about identity. In today's demo I want to create an application and use Azure Active Directory and identity to authenticate and secure my application. It doesn't need to be on Azure, it doesn't need to be web, but today I will create it using a .NET Core ASP.NET MVC website and I will run it locally. If you stay until the end, I will show you how to use the groups in Active Directory to secure part of your app. Let's get started.

In your favorite browser, just navigate to the Azure portal, portal.azure.com. What we will need to do is create a new registration to do the binding, the connection, between the Azure Active Directory and our application. By default, in all subscriptions you already have an Active Directory, so let's go into it and we'll go here in App registrations. Click here on the New registration button, and now you just need to put a name that makes sense for you; you will be able to change it to whatever name you want. Then you could support different account types; I'll leave all the default values for now. So let's register. It takes about one minute to do. It's already done, and we can already start configuring our application. What you can see here is that you will have multiple examples to help you get started, so it will work with Node.js, .NET, .NET Core, iOS, Android and all of those. For today I will stay in .NET Core.
Now, in that QuickStart documentation page, I will see the schema of the handshaking between those two things, and it explains everything to me. It explains that I need to put a callback URL here; it explains that I will need to use the client ID and the tenant ID, so we should definitely note those. Let's do it right away: client ID, tenant ID. That information is also available in the Overview. If I continue to scroll down, it also tells me that I need to change the Startup class to use the protocol version 2, so that's perfect. And at the end, it explains that to protect my controller in ASP.NET MVC I need to put the Authorize attribute.

So now let's change the configuration. I could go and change it myself, or if you're not sure, just use this button. Great, so now the configuration attributes are done. Let's see: if you go in the Overview page you will have your client ID and tenant ID; of course here they're masked because this is private information, and you will have here the redirect URL, so I need to put that one. So the callback is good, and I'll also change the port here to use 5001, because I know that in .NET Core the default port used is 5001. So we'll just change that, there we go, and I will save it.

Like I told you, I want to show you how to use groups, so let's create a new group. In your Active Directory you will go in the Groups section, so I will go here and create a new group. Our group type will be Security, perfect, so you will be using a security group. You give it a name, and of course put some members in there; I will just put myself in here, select. So now the group is there, the registration is there, we are ready to go in a terminal and create our .NET Core application. We'll close this and open the terminal. Excellent.

In .NET Core you have dotnet new to create a new application with a bunch of templates and parameters. Let's examine the MVC template to see what else we can pass as a parameter. To do it, I will use the command dotnet new mvc --help, and if I scroll back up I will see here in this section that I have a parameter, --auth, that I can use to specify different types of authentication. For today I will use SingleOrg, but you can use many different things. Also, if I scroll down a little, I will see that I can pass my client ID and my tenant ID; those are the pieces of information we found in the portal. And now, to create my application, what I will do is use dotnet new mvc, the output will be FrankDemoIdentity, I will pass SingleOrg and then I pass my client ID and my tenant ID. Let's create that. Great, now I just need to go in that folder with the text editor that you like; I like Code, so I will just use that one.
So in Visual Studio Code, let's start with the Startup page, not page but class, I mean. Here in the configuration, what I will need to do, just under the Azure AD, is add the section that was shown in the documentation. Add, voilà. So I'm copy-pasting the code from the portal in here, where I specified version 2; that's good for now.

Now one thing I'm going to do is change the login partial, which will be in Views, and it will be _LoginPartial. What I want to do is change it here so that when I'm authenticated I check the claims and look for the preferred username; I'll put that in a variable and that's what I will be displaying. Of course it's complaining that it's missing a namespace, so we'll do that. Perfect, so the login is done.

Let's go in the Controllers and see what else we can see in the controller. Just like it was explained, the Authorize attribute is protecting my full controller, meaning that to see anything on my website I will need to be authenticated. That's not really what I want: I would like people to see at least the first page, and then, to go in different sections, I will ask them to get authenticated. What I can do for that is, here, just before the Index, which is the default page, I will add AllowAnonymous. That way everyone will be able to see that specific function. Great, so that's nice, but of course you could leverage groups and roles in Azure Active Directory to protect some part of your application. Roles are the most scalable and most stable, but in Azure Active Directory, from the Azure portal, it's really easy to use groups, so if your website or application is small then you could use groups.

What we need to do is create a new policy, and that will be done in the Startup class, so let's go back in Startup. Here in ConfigureServices I will need to add a new policy, so I name that one DivisionManager and I will be looking into the groups. Now what I need is the object ID; I forgot to take it, so let's go back in the portal. Now if I go in my groups I should have my DivisionManager showing up here, and if I click on it I will have my object ID. Right now I'm using the portal to see that information, but you could retrieve that information using the Azure CLI also. So we'll use that and I will paste it there. This is not best practice in terms of code quality; of course you should put that in a configuration file or something like that, but since it's just a demo we'll use that. Now what I need to do is add my tag, so we'll go back in the controller and protect one method with that.
So here, let's see: Index can be seen by everyone; About, let's say, once you're connected; and Contact, let's protect that one with our group. So now what I need to do is put again the Authorize attribute, voilà, and I will specify my DivisionManager group. Of course we could create a custom attribute, but since it's just a demo I will do that; it's good enough. Perfect, so I think we got everything. Now it's time to run it. We could run the debug, we could run from the terminal in Visual Studio Code; we'll just go back to my main terminal and run it from there. So open the terminal, let's clean the screen, perfect, and now dotnet run to run it.

Now let's go back in a browser and open incognito mode. Let's try that. Perfect, I'm accepting cookies. So now, see, I'm not connected, it doesn't recognize me, I have the Sign in button, but I can see the homepage, so that's good. Now if I try to go in the About section I should get a request to log in. Exactly. So now let's go there. Because it's the first time, it asks me for permission to read my profile, and those permissions are important to check depending on what you do; if you're for example querying the Graph in Active Directory, more permissions will be listed there. But now it's good, let's accept it. Perfect, we are in the About page and it recognized me; I see here my salutation has changed, just like we did in the code. Now if I try to go in Contact it should work, because I'm part of the DivisionManager group, so let's try it. What, access denied? Oh, I think... yeah, okay, so let's close that, I know what I need to do.

Back in the portal, one step that I forgot to do is allow the groups to be part of the claims, so I need to change my manifest. The manifest.json file is available here in the portal; if I go here, just in the left section, Manifest. Now I need to set the group membership claim: instead of null, what I will do is specify SecurityGroup. Another good value could be All; in that case all groups will show up. For me, I just want Security. Don't forget to save. Now it should work, let's try again. Open a new incognito mode, localhost, accept cookies, and let's keep the suspense going: About first, login, okay, and now, moment of truth, can I go in Contact? Yay, it's working! I told you, Azure Active Directory and identity are very easy to implement, whether your solution is running in Azure or not. If you're interested in learning more on Azure, click here for another video of Cloud in Five Minutes. See you next time. Thanks.
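The pieces the walkthrough above assembles one at a time (the v2.0 endpoint change from the portal quickstart, the DivisionManager policy keyed on the group's object ID, the AllowAnonymous override on Index and the policy-protected Contact action), written out together as an added example. This is not code from the video or from Frank's demo project. It assumes the .NET Core 2.x-era "dotnet new mvc --auth SingleOrg" template, which uses the Microsoft.AspNetCore.Authentication.AzureAD.UI package and generates an "AzureAd" section in appsettings.json (Instance, Domain, TenantId, ClientId, CallbackPath); the "DivisionManagerGroupId" configuration key and the namespace FrankDemoIdentity are hypothetical names chosen here so the group's object ID is not hard-coded as it was in the demo.

```csharp
// Added example, not the video's code. Assumes the .NET Core 2.x "SingleOrg" MVC
// template (Microsoft.AspNetCore.Authentication.AzureAD.UI) and an appsettings.json
// "AzureAd" section with a hypothetical extra key "DivisionManagerGroupId" that
// holds the security group's object ID copied from the portal or the Azure CLI.
using Microsoft.AspNetCore.Authentication.AzureAD.UI;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

namespace FrankDemoIdentity
{
    public class Startup
    {
        public Startup(IConfiguration configuration) => Configuration = configuration;
        public IConfiguration Configuration { get; }

        public void ConfigureServices(IServiceCollection services)
        {
            // Cookie sign-in backed by OpenID Connect against the app registration
            // (ClientId / TenantId / CallbackPath come from the "AzureAd" section).
            services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
                .AddAzureAD(options => Configuration.Bind("AzureAd", options));

            // The quickstart's "use protocol version 2" step. The snippet the portal
            // hands out also turns issuer validation off; for a single-tenant app keep
            // it on and pin the issuer to this tenant's v2.0 issuer value.
            string tenantId = Configuration["AzureAd:TenantId"];
            services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
            {
                options.Authority = options.Authority + "/v2.0/";
                options.TokenValidationParameters.ValidateIssuer = true;
                options.TokenValidationParameters.ValidIssuer =
                    $"https://login.microsoftonline.com/{tenantId}/v2.0";
            });

            // Group-based policy. The "groups" claim is only emitted once the app
            // manifest has "groupMembershipClaims": "SecurityGroup" (or "All"), and it
            // carries group object IDs, never display names, hence the GUID lookup.
            string divisionManagerGroupId = Configuration["AzureAd:DivisionManagerGroupId"];
            services.AddAuthorization(options =>
            {
                options.AddPolicy("DivisionManager",
                    policy => policy.RequireClaim("groups", divisionManagerGroupId));
            });

            services.AddMvc();
        }

        public void Configure(IApplicationBuilder app, IHostingEnvironment env)
        {
            if (env.IsDevelopment()) app.UseDeveloperExceptionPage();
            app.UseHttpsRedirection();  // registered redirect URI: https://localhost:5001/signin-oidc
            app.UseStaticFiles();
            app.UseAuthentication();    // must precede MVC so [Authorize] sees the signed-in user
            app.UseMvc(routes => routes.MapRoute(
                name: "default",
                template: "{controller=Home}/{action=Index}/{id?}"));
        }
    }

    // The template puts [Authorize] on the whole controller; the two per-action
    // attributes below are the changes made during the demo.
    [Authorize]
    public class HomeController : Controller
    {
        [AllowAnonymous]                        // landing page stays public
        public IActionResult Index() => View();

        public IActionResult About()            // any authenticated user
        {
            // Same claim the edited _LoginPartial reads to greet the user.
            ViewData["Message"] = "Signed in as " + User.FindFirst("preferred_username")?.Value;
            return View();
        }

        [Authorize(Policy = "DivisionManager")] // members of the security group only
        public IActionResult Contact() => View();
    }
}
```

Two caveats worth checking when reproducing this: the policy compares the raw group object ID, so it silently denies if the manifest still has "groupMembershipClaims": null, which is exactly the access-denied moment in the video; and if a user belongs to more groups than Azure AD will put in a JWT (200), the token carries a groups-overage marker instead of the list and the policy denies as well, so a large tenant needs a Microsoft Graph lookup or app roles rather than a plain claim check. Newer templates replace the AzureAD.UI package with Microsoft.Identity.Web, where the same policy and attributes apply but the AddAuthentication wiring differs.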
