We have an intranet web application that is currently on an on-premises server using IIS with Windows Authentication enabled.
I have been working on changes to use the Microsoft Identity Platform so people can use their Azure AD account to log in. The idea is to still use Integrated Windows Authentication for domain-connected devices, but for non-domain-connected devices it will prompt the user with a Microsoft login using the Microsoft Identity Platform.
What is the best way to use both? I understand the Windows Authentication for domain-connected devices will only work for users that exist in our on-premises AD (which is synced to Azure AD, of course).
Below are my concerns.
- In the past we have had no issues with non-domain devices accessing the site, because the browser simply prompts for their username and password since they are not logged into Windows on our domain. I don't want it to do this anymore. Instead, it should prompt for their Microsoft login using the Microsoft Identity Platform. My concern is that when Windows Authentication is enabled, that will override everything and it will try to do that for both domain and non-domain devices.
- In experimenting with the Microsoft Identity Platform login, I noticed the user roles need to be passed using the object ID rather than the name of the role (we are using AD security groups for roles). I am concerned I would have to check for both the object ID and the name of the security group in order to support both types of login. This is doable, but not ideal.
Thanks for pointing me in the right direction. The goal is for it to work like Teams and Outlook do. If someone is logged into Windows on a domain-connected device, it already knows who they are, and when they open the application it logs them in automatically. However, if they are not, they can still access their Teams and Outlook accounts; they just need to log in to do it.
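One way to put the two pieces of the question into working code, as an added example that is not part of the original post. It is an ASP.NET Core app (assumed .NET 8, Kestrel, with the Microsoft.AspNetCore.Authentication.Negotiate and Microsoft.Identity.Web packages and an "AzureAd" configuration section) that registers Windows (Negotiate) and Microsoft Identity Platform (OpenID Connect) sign-in side by side, chooses one per request with a policy scheme, and maps group membership to role names in a single claims transformer so endpoints only ever check role names. The rule for "is this a domain-joined device" (an intranet subnet list) and the group object IDs are placeholders, not values from the post; the Azure AD app registration must already be configured to emit the groups claim, which the poster has observed. The caveat that makes the first concern concrete: if IIS's own Windows Authentication feature is enabled and Anonymous Authentication is disabled, IIS challenges every request before the application runs, so the selection below has to happen in the application (Negotiate package) rather than in IIS.

```csharp
// Added example, not code from the original post.
// Dual sign-in: Integrated Windows Authentication for assumed intranet clients,
// Microsoft Identity Platform (OpenID Connect) for everyone else, and one place
// that turns group membership into role names.
using System.Net;
using System.Security.Claims;
using System.Security.Principal;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Negotiate;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

// Assumed selection rule: clients on these ranges are domain-joined and get
// Negotiate (Kerberos); anyone else is challenged with the Microsoft login,
// so their browser never shows a basic username/password prompt.
IPNetwork[] domainNetworks = { IPNetwork.Parse("10.0.0.0/8"), IPNetwork.Parse("192.168.0.0/16") };

static bool IsDomainClient(HttpContext ctx, IPNetwork[] nets)
{
    var ip = ctx.Connection.RemoteIpAddress;
    if (ip is null) return false;
    if (ip.IsIPv4MappedToIPv6) ip = ip.MapToIPv4();
    return nets.Any(n => n.Contains(ip));
}

const string DualScheme = "WindowsOrAzureAd";

builder.Services.AddAuthentication(o =>
    {
        o.DefaultScheme = DualScheme;          // authenticate via the selector
        o.DefaultChallengeScheme = DualScheme; // challenge via the selector
    })
    .AddPolicyScheme(DualScheme, DualScheme, o =>
        o.ForwardDefaultSelector = ctx => IsDomainClient(ctx, domainNetworks)
            ? NegotiateDefaults.AuthenticationScheme
            : OpenIdConnectDefaults.AuthenticationScheme)
    .AddNegotiate()
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));

builder.Services.AddAuthorization();
builder.Services.AddTransient<IClaimsTransformation, GroupsToRoles>();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

app.MapGet("/", (ClaimsPrincipal user) => $"Hello {user.Identity?.Name}")
   .RequireAuthorization();
// Role names only; the transformer below has already resolved object IDs or SIDs.
app.MapGet("/finance", () => "finance data")
   .RequireAuthorization(p => p.RequireRole("Finance"));

app.Run();

// Runs after either scheme authenticates. Azure AD presents groups as object IDs
// in the "groups" claim; Windows presents them as SIDs on a WindowsIdentity.
// Both are normalised to the same role names here, once.
sealed class GroupsToRoles : IClaimsTransformation
{
    // Placeholder object IDs: replace with the real IDs of your security groups.
    private static readonly Dictionary<string, string> ByObjectId = new(StringComparer.OrdinalIgnoreCase)
    {
        ["00000000-0000-0000-0000-000000000001"] = "Finance",
        ["00000000-0000-0000-0000-000000000002"] = "HelpDesk",
    };
    private static readonly HashSet<string> KnownRoles = new(ByObjectId.Values, StringComparer.OrdinalIgnoreCase);

    public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        if (principal.Identity is not ClaimsIdentity id || !id.IsAuthenticated)
            return Task.FromResult(principal);

        IEnumerable<string> roles = id is WindowsIdentity win
            ? WindowsGroupNames(win)
            : id.FindAll("groups").Select(c => ByObjectId.GetValueOrDefault(c.Value)).OfType<string>();

        // Use the identity's own RoleClaimType: IsInRole() looks there, and it
        // differs between a WindowsIdentity and an OpenID Connect identity.
        foreach (var role in roles.Where(KnownRoles.Contains).Distinct(StringComparer.OrdinalIgnoreCase))
            if (!id.HasClaim(id.RoleClaimType, role))   // transformers may run more than once
                id.AddClaim(new Claim(id.RoleClaimType, role));

        return Task.FromResult(principal);
    }

    // Translate group SIDs to "DOMAIN\Group" and keep only the group part,
    // so the on-premises name lines up with the Azure AD group name.
    private static IEnumerable<string> WindowsGroupNames(WindowsIdentity win)
    {
        foreach (var sid in win.Groups ?? Enumerable.Empty<IdentityReference>())
        {
            string name;
            try { name = sid.Translate(typeof(NTAccount)).Value; }
            catch (IdentityNotMappedException) { continue; }   // orphaned or foreign SID
            yield return name.Contains('\\') ? name[(name.IndexOf('\\') + 1)..] : name;
        }
    }
}
```

The policy scheme is what keeps Windows Authentication from "overriding everything": the Negotiate challenge (the 401 that makes a non-domain browser prompt) is only ever issued to clients the selector classifies as domain-joined, and everyone else is redirected to the Microsoft login instead. The selector is the part to adapt; a subnet list is a simple assumed rule, and a header set by a reverse proxy or a path-based sign-in link would work the same way. The transformer means authorization code checks `RequireRole("Finance")` regardless of which scheme signed the user in, which removes the need to test for both the object ID and the group name at every check.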