  • Jan Vanuytrecht 32 posts 80 karma points
    Jun 30, 2015 @ 11:19
    Jan Vanuytrecht

    Azure AD Identity provider in 7.3 -> how to fully integrate without re-creating all accounts & linking them?


    Let me explain what I'm trying to do.

    An organisation has an AD set up in Azure.

    What they do not want to do is create the same user (let's say the company's webmaster) that is present in that AD over and over again for every company marketing website.

    That webmaster would have a pwd per website, quite a hassle etc. etc.

    So, enter the new ASP Identity providers, more specifically the AzureAD Authentication.

    What I've done is:

    • Create Empty MVC 4 Web project in VS2013
    • Install Nuget Package Umbraco CMS 7.3.0-beta
    • Install Nuget Package UmbracoCms.IdentityExtensions -Pre
    • Install Nuget Package UmbracoCms.IdentityExtensions.AzureActiveDirectory -Pre

    Then I've set the UmbracoStandardOwinStartup in the web.config like so:

    <add key="owin:appStartup" value="UmbracoStandardOwinStartup" />

    And there I added this line:

    app.ConfigureBackOfficeAzureActiveDirectoryAuth([AD Tenant], [clientId], [postbackurl],[issuer Guid]);

    Now, what I expected is that when I go to the /umbraco url and click "Sign in with Active directory", because the link is made between Umbraco & the Azure AD tenant, all users of that tenant could log in, without extra work.

    What would we have to do to accomplish that? After successful configuration in the owin class, create a "Sync" method that creates and links those users?

    Or maybe an option to auto link all BO users to the AD? Then you would still have to create the users, but if the login matches the AD user name, the link can be made automatically?

    I must admit I'm new to this, so all help in the right direction is welcome!

    Many thanks in advance!!

  • Jan Vanuytrecht 32 posts 80 karma points
    Jun 30, 2015 @ 20:25
    Jan Vanuytrecht

    Or maybe it would be a good idea to code an "auto link" to the AD when the user successfully signs in via the "standard" login?

  • Jimmy Miloseski 2 posts 72 karma points
    Dec 03, 2015 @ 22:42
    Jimmy Miloseski

    I've managed to figure out a workaround for this. It's a little hacky, but it manages to create a user if they exist in Active Directory.

    Modify the adOptions to the below in UmbracoADAuthExtensions.cs.

        // Needs System.Linq (First, All) and the Umbraco.Core namespaces in the file's usings
        var adOptions = new OpenIdConnectAuthenticationOptions
        {
            SignInAsAuthenticationType = Constants.Security.BackOfficeExternalAuthenticationType,
            ClientId = clientId,
            Authority = authority,
            RedirectUri = postLoginRedirectUri,
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthorizationCodeReceived = async context =>
                {
                    var userService = ApplicationContext.Current.Services.UserService;
                    // Claims read from the ID token returned by Azure AD
                    var email = context.JwtSecurityToken.Claims.First(x => x.Type == "email").Value;
                    var issuer = context.JwtSecurityToken.Claims.First(x => x.Type == "iss").Value;
                    var providerKey = context.JwtSecurityToken.Claims.First(x => x.Type == "sub").Value;
                    var name = context.JwtSecurityToken.Claims.First(x => x.Type == "name").Value;
                    var userManager = context.OwinContext.GetUserManager<BackOfficeUserManager>();
                    // Create the back office user on first sign-in
                    var user = userService.GetByEmail(email);
                    if (user == null)
                    {
                        var writerUserType = userService.GetUserTypeByName("writer");
                        user = userService.CreateUserWithIdentity(email, email, writerUserType);
                    }
                    // Link the Azure AD login to the Umbraco user if it is not linked yet
                    var identity = await userManager.FindByEmailAsync(email);
                    if (identity.Logins.All(x => x.ProviderKey != providerKey))
                    {
                        identity.Logins.Add(new IdentityUserLogin(issuer, providerKey, user.Id));
                        await userManager.UpdateAsync(identity);
                    }
                }
            }
        };

    This will use the userService and user manager to create a new user if they don't exist and associate their Active Directory credentials with it.

  • James Strugnell 84 posts 192 karma points
    Dec 08, 2015 @ 13:30
    James Strugnell

    Cool, I can see myself needing this same functionality at some point. Thanks for contributing.

  • Luke 1 post 71 karma points
    Feb 10, 2016 @ 11:46

    Hey Jan,

    Great write-up!

    Would you be able to shine some light on how to set up Azure AD itself to work with this setup? I have tried a number of different options and so far I keep on getting the login screen.

    My AzureAD manifest -

    I have setup my AD user is assigned to my test app.


  • Shannon Deminick 1523 posts 5250 karma points MVP
    Mar 07, 2016 @ 12:33
    Shannon Deminick

    You should use the ExternalSignInAutoLinkOptions to auto-link accounts instead of implementing this logic yourself.

    Unfortunately this isn't fully documented yet but you can see here:
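
Added example, not code from this thread or from the Umbraco project: one way the auto-link option named in the post above can be attached to the Azure AD options before they are registered, assuming the `ExternalSignInAutoLinkOptions` constructor parameters of the Umbraco 7.3 line discussed here. The class and method names are hypothetical, and the "writer" user type and single "content" section are assumptions chosen so that auto-created accounts start with low privilege.

```csharp
using System;
using Microsoft.Owin.Security.OpenIdConnect;
using Umbraco.Core.Logging;
using Umbraco.Web.Security.Identity;

// Hypothetical helper; call it on adOptions inside
// ConfigureBackOfficeAzureActiveDirectoryAuth before the options are
// passed to app.UseOpenIdConnectAuthentication(adOptions).
public static class AzureAdAutoLinkExample
{
    public static void EnableAutoLink(OpenIdConnectAuthenticationOptions adOptions)
    {
        // Every user of the tenant who signs in gets a back office account,
        // so the defaults decide how much each new account can do.
        var autoLink = new ExternalSignInAutoLinkOptions(
            autoLinkExternalAccount: true,
            defaultUserType: "writer",                      // assumption: lowest useful role
            defaultAllowedSections: new[] { "content" });   // assumption: content section only

        // Runs once, when a local account is created and linked.
        // Logging it leaves an audit trail of auto-provisioned users.
        autoLink.OnAutoLinking = (user, loginInfo) =>
        {
            LogHelper.Info(
                typeof(AzureAdAutoLinkExample),
                () => string.Format(
                    "Auto-linked back office user '{0}' to external login provider '{1}'",
                    loginInfo.Email,
                    loginInfo.Login.LoginProvider));
        };

        adOptions.SetExternalSignInAutoLinkOptions(autoLink);
    }
}
```

With auto-linking enabled, the hand-written `AuthorizationCodeReceived` handler from the earlier workaround is no longer needed for account creation.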

  • kajal_sawant 10 posts 113 karma points
    Dec 19, 2018 @ 11:39

    Hello @jimmiymiloseski, I am trying to implement Azure AD in Umbraco with your code and I got an error in GetUserTypeByName that shows like:

    " 'IUserService' does not contain a definition for 'GetUserTypeByName' and no accessible extension method 'GetUserTypeByName' accepting a first argument of type 'IUserService' could be found (are you missing a using directive or an assembly reference?)"

    var writerUserType = userService.GetUserTypeByName("writer");

    Can you please tell me what is wrong? Thank you.
