Custom application integration with Active Directory

Tarig Hamdi 1 Reputation point
2021-09-16T19:35:24.87+00:00
  1. For custom application integration with the MS Identity platform, we need to understand whether the authentication and authorization are maintained as an active session, i.e. after the user gets authenticated and authorized, what if the Azure AD admin changes authorization rules or revokes the user's access? Will this change be immediately reflected in the application?
  2. Our developers will use the MSAL SDK; will this library give a pop-up for redirecting the authentication to the customer AD?
  3. Our application wants to ensure that every action the user performs is validated as per the authentication and authorization rules in our Azure AD. Do we have to perform an authorization check before every action, or will it be taken care of by Azure AD (linked with question 1)?
  4. What is the capacity of the MS Identity platform? We are expecting thousands of concurrent users performing hundreds of actions.

2 answers

  1. James Hamil 27,211 Reputation points Microsoft Employee Moderator
    2021-10-01T22:10:25.2+00:00

    Hi @Tarig Hamdi, I'm sorry for the delay in response! I'll try to answer all your questions at once. If you have any follow-up questions, please post back here. For 1 and 3, if you're using SSO, Azure will handle this for you. It manages all active sessions with a single authorization token. For 2, you can choose to have a popup here. For 4, you should have no problem doing this. This platform is used by many Fortune 500 companies with millions of users!

    Please let me know if you have any questions!

    If this answer helped you please mark it as "Verified" so other users may reference it.

    Thank you,
    James


  2. Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator
    2021-10-02T07:21:51.82+00:00

    Hi @Tarig Hamdi ,

    1. When the administrator revokes the user's access, there could be a period between the initiation of access revocation and when access is effectively revoked.

    This is based on how tokens work:

    In the case of an access token:

    If the user is authorized, Azure AD issues an access token to access a specific resource. That token by default lasts for 1 hour and doesn't allow the active session to expire, by passing the refresh token silently.

    In the case of a session token:

    Once an application issues its own session token, access to the application is governed by the application's session.
    Reevaluation usually happens silently, based on how the application is configured, and there is a chance that the app never sends the user back to AD while the session token is valid.

    For immediate effect, the user needs to sign out from the application; when signing in again, they will get an invalid user result in case the admin has revoked their access.

    Reference: https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/users-revoke-access

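The following toy model is an added illustration, not code from either answer and not MSAL or Azure AD code. It shows why the revocation lag described above depends on where the application re-evaluates the user: a mock identity provider issues 1-hour access tokens and re-checks the user only when a refresh token is redeemed, and the application either trusts only its own session token or checks the access token on every request and silently refreshes it. The `MockAzureAD` class, the user name, the 8-hour app session lifetime and the time steps are constructed assumptions.

```python
ACCESS_TOKEN_LIFETIME = 3600     # 1-hour default access token, as the answer states
APP_SESSION_LIFETIME = 8 * 3600  # hypothetical lifetime of the app's own session token

class MockAzureAD:
    """Stand-in for Azure AD, constructed for this example (not the real service)."""
    def __init__(self):
        self.revoked = set()

    def issue_access_token(self, user, now):
        return {"sub": user, "iat": now, "exp": now + ACCESS_TOKEN_LIFETIME}

    def redeem_refresh_token(self, user, now):
        # The silent refresh is where the IdP re-evaluates the user: a revoked
        # user gets no new access token, which is the earliest the app can notice.
        return None if user in self.revoked else self.issue_access_token(user, now)

class App:
    def __init__(self, idp, bind_to_token):
        self.idp = idp
        self.bind_to_token = bind_to_token  # False: only the app's own session is checked

    def sign_in(self, user, now):
        token = self.idp.redeem_refresh_token(user, now)
        if token is None:
            return None
        return {"user": user, "access_token": token, "session_exp": now + APP_SESSION_LIFETIME}

    def authorize(self, session, now):
        # Per-request check, run before every action the user performs.
        if now >= session["session_exp"]:
            return False
        if not self.bind_to_token:
            return True  # never goes back to the IdP while the session token is valid
        if now >= session["access_token"]["exp"]:
            fresh = self.idp.redeem_refresh_token(session["user"], now)
            if fresh is None:
                return False  # refresh rejected: end the app session as well
            session["access_token"] = fresh
        return True

def first_denial_after_revocation(bind_to_token, revoke_at=600, step=60):
    """Seconds after sign-in at which a user revoked at `revoke_at` is first denied."""
    idp = MockAzureAD()
    app = App(idp, bind_to_token)
    session = app.sign_in("alice@example.test", now=0)  # constructed user
    for now in range(0, APP_SESSION_LIFETIME + 1, step):
        if now == revoke_at:
            idp.revoked.add(session["user"])
        if not app.authorize(session, now):
            return now
    return None
```

With `bind_to_token=True` the revoked user is denied at the next access-token expiry (3600 s after sign-in); with `bind_to_token=False` the app keeps serving the user until its own session token expires, which is the gap the answer describes.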
