Hello @Afzal Atique,
The short answer is: it will depend upon your application. At the IIS web server level, this is not possible as far as I know. The Azure AD authentication can be added at the application level. If your application is an ASP.NET application, you can integrate Azure AD authentication with the same. Let me answer your queries one by one.
- Is it possible to configure IIS to use Azure AD for authentication?
- No, AAD authentication can be added at the application level. There are multiple libraries for different languages available to integrate your app with Azure AD authentication. Azure AD authentication is essentially built on OAuth, and native support for the same within IIS is not available.
- If we host a Windows VM in Azure and join it to Azure AD DS and then enable Windows authentication, will it authenticate against Azure AD DS?
- This is one of the most common deployment scenarios for AAD Domain Services. Yes, you can migrate the application to the Azure cloud, either by configuring it on a VM in Azure or by migrating the complete application virtual machine to the cloud and changing some configuration as per the application. You can then join the machine to Azure AD Domain Services and enable Windows authentication without a problem. You must have Password hash sync enabled for all the users from Azure AD to the Azure AD Domain Services instance and set up the correct VNet and NSG config, and the users will be able to access the web application using single sign-on without a problem. Alternatively, you can use Azure AD Application Proxy and publish this application on the cloud.
- Any alternate way via Azure AD app registration to enable an IIS website to use Azure AD for authentication?
- I don't think you will be able to achieve that without modifying the application. Depending upon the application, you will have to integrate one of the MSAL libraries for adding Azure AD authentication within the same.
Hope this clarifies your query. I have included related links for more information. Please do read through them for more clarity. You can decide what solution you would like to use: you can either use Azure AD Application Proxy (if Password hash sync is not permitted in your environment) or Azure AD Domain Services (if PHS is not a problem). Law firms and banks generally try to avoid Password hash sync to cloud environments, even though Azure is completely secure from all angles and has the largest number of regulatory compliance certifications. But cost- and management-wise, Azure AD Domain Services is a better solution.
In case the information provided helps you , please do accept this as answer so that it can be useful to other members of the community.
Thank you.