TarigHamdi-1304 asked ShwetaMathur answered

Custom application integration with active directory

  1. For custom application integration with the MS Identity platform, we need to understand whether authentication and authorization are maintained as an active session, i.e. after a user is authenticated and authorized, what if an Azure AD admin changes the authorization rules or revokes the user's access? Will this change be immediately reflected in the application?

  2. Our developers will use the MSAL SDK; will this library give a pop-up redirecting authentication to the customer's AD?

  3. Our application wants to ensure that every action a user performs is validated according to the authentication and authorization rules in our Azure AD. Do we have to perform an authorization check before every action, or will it be taken care of by Azure AD (linked with question 1)?

  4. What is the capacity of the MS Identity platform? We are expecting thousands of concurrent users performing hundreds of actions.

Tags: azure-active-directory, microsoft-identity-manager, azure-ad-msal

Hi, we are investigating your issue and will update you shortly.

Best,
James

JamesHamil-MSFT answered

Hi @TarigHamdi-1304, I'm sorry for the delay in response! I'll try to answer all your questions at once. If you have any follow-up questions, please post back here. For 1 and 3, if you're using SSO, Azure will handle this for you. It manages all active sessions with a single authorization token. For 2, you can choose to have a popup here. For 4, you should have no problem doing this. This platform is used by many Fortune 500 companies with millions of users!

Please let me know if you have any questions!

If this answer helped you please mark it as "Verified" so other users may reference it.

Thank you,
James


5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

ShwetaMathur avatar image
0 Votes"
ShwetaMathur answered

Hi @TarigHamdi-1304,

  1. When an administrator revokes a user's access, there could be a period between the initiation of the access revocation and when access is effectively revoked.

This is based on how tokens work:

In the case of an access token

If the user is authorized, Azure AD issues an access token to access a specific resource; that token by default lasts for 1 hour and does not allow the active session to expire, by passing the refresh token silently.

In the case of a session token

Once an application issues its own session token, access to the application is governed by the application's session.
Re-evaluation usually happens silently, based on how the application is configured, and there is a chance that the app never sends the user back to AD while the session token is valid.

For immediate effect, the user needs to sign out from the application; when signing in again, they will be treated as an invalid user if the admin has revoked their access.

Reference: https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/users-revoke-access

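The answer above describes a window between an admin revoking a user and the revocation taking effect, because a resource trusts an access token until its `exp` claim. The following added example (not code from this thread, from Microsoft, or from MSAL) models that window with plain dicts standing in for decoded JWT payloads and a hypothetical in-memory `Directory` class standing in for the identity provider; it does no signature validation and uses no Azure AD API. It shows the normal expiry-only check accepting a token after revocation, and the mitigation the questioner asked about in item 3: the application re-checking the user's revocation time on each request and rejecting tokens issued before it. An application's own session token follows the same pattern, only with a longer lifetime.

```python
"""
Constructed model of access-token lifetime versus admin revocation.
Tokens are dicts with 'sub', 'iat' and 'exp' (epoch seconds), i.e. the
claims a resource API reads after verifying a JWT; verification itself is
out of scope here.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Default access-token lifetime named in the answer: one hour.
ACCESS_TOKEN_LIFETIME = 3600


@dataclass
class Directory:
    """Hypothetical stand-in for the identity provider (constructed)."""
    # user id -> epoch seconds at which an admin revoked the user's sessions
    revoked_at: Dict[str, int] = field(default_factory=dict)

    def issue_access_token(self, user: str, now: int) -> Optional[dict]:
        """Issue a one-hour token, or None if the user is currently revoked."""
        revoked = self.revoked_at.get(user)
        if revoked is not None and revoked <= now:
            return None
        return {"sub": user, "iat": now, "exp": now + ACCESS_TOKEN_LIFETIME}

    def revoke(self, user: str, now: int) -> None:
        """Admin action: everything issued up to 'now' should stop working."""
        self.revoked_at[user] = now


def accept_by_expiry_only(token: dict, now: int) -> bool:
    """What a resource API does by default: trust the token until 'exp'."""
    return token["exp"] > now


def accept_with_revocation_check(token: dict, now: int, directory: Directory) -> bool:
    """Mitigation: additionally reject tokens issued at or before the
    user's revocation time, which closes the gap at the cost of a lookup
    per request."""
    if not accept_by_expiry_only(token, now):
        return False
    revoked = directory.revoked_at.get(token["sub"])
    return revoked is None or token["iat"] > revoked


def revocation_gap(directory: Directory, user: str, issued_at: int,
                   revoke_after: int, check_at: int) -> dict:
    """Issue a token, revoke the user 'revoke_after' seconds later, then
    evaluate the same token at 'check_at' under both policies and see
    whether the directory would still issue a fresh token."""
    token = directory.issue_access_token(user, issued_at)
    assert token is not None, "user was not revoked at issuance"
    directory.revoke(user, issued_at + revoke_after)
    return {
        "expiry_only": accept_by_expiry_only(token, check_at),
        "with_check": accept_with_revocation_check(token, check_at, directory),
        "reissue": directory.issue_access_token(user, check_at) is not None,
    }


if __name__ == "__main__":
    # Token issued at t=0, user revoked at t=600, request arrives at t=1800:
    # still inside the one-hour lifetime, so expiry-only accepts it.
    print(revocation_gap(Directory(), "alice", 0, 600, 1800))
    # Same scenario checked after the hour has passed: both policies reject.
    print(revocation_gap(Directory(), "alice", 0, 600, 4000))
```

In the first run the expiry-only policy still accepts the token at `t=1800` even though the user was revoked at `t=600`, while the re-check policy rejects it and the directory refuses to issue a replacement; that is the window the answer describes, and it lasts until `exp`. The per-request lookup is the simplest form of the "validate before every action" approach from question 3; the trade-off is one extra check on the hot path.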