Azure Question posted in
The official documentation to get you started can be found here.

Azure – Microsoft Entra Id authentication with PassportJs

I have a website whereby I wish to authenticate users with Microsoft Entra Id (formerly Azure Ad)

However, I’ve found that the "out of the box" way that Entry Id authenticates is a bit jarring in that it opens a popup window, and has some redirection to a Microsoft domain, and then back to my website.

This is the library that I’m using to achieve this authentication:

https://www.npmjs.com/package/@azure/msal-browser

I would strongly prefer to have a simple, embedded login (username, password, submit button) which is fully enclosed by my website’s template. When I click "submit", I would call some API service on my back-end to authenticate with Entra Id, and then return an auth token back to my front-end (which is ReactJs, but I don’t think that’s important).

In other words, I’m hoping to have my login form fully embedded within my site, and without the extra redirections.

I was thinking that using PassportJs with some Entra Id package might achieve this. Here are some libraries that I found:

https://www.passportjs.org/packages/passport-azure-ad/
https://www.passportjs.org/packages/passport-azure-ad-oauth2/

I was wondering (before I dig too deep into an implementation!) if anyone knows if what I’m trying to do is even possible.

In other words:

  • Front-end, using PassportJs, calls some sort of /login or /register endpoint to my API backend
  • Back-end (nodejs) authenticates the user with Entra Id using some sort of PassportJs package
  • Front-end receives an auth token from the back-end, which is then passed as Bearer token in subsequent API calls

If it’s not possible using the libraries that I’ve linked to above, is there some other way that I might achieve this.

It’s a "hard requirement" that Entra Id is used on the back-end, so there is no getting around that.

Tags:

2

Answers


  1. 0

    What I basically understand is that you want to avoid redirection to Microsoft. To do so, you need to make a few changes in your account. Check the following official article –>https://learn.microsoft.com/en-us/answers/questions/1517432/how-to-stop-auto-redirect-to-login-microsoft-after

    Login or Signup to reply.
  2. 0

    If you want to authenticate users with Microsoft Active Directory (AD) without redirecting them to the Microsoft login page (i.e., without using OAuth or OpenID Connect redirection flows), you can achieve this using one of the following methods:

    1. LDAP Authentication

    Use LDAP (Lightweight Directory Access Protocol) to directly authenticate against your on-premises Active Directory.

    How it works:

    The user provides their username and password.

    Your application communicates with AD over LDAP to validate credentials.

    Steps:

    1. Connect to your AD server (e.g., ldap://domaincontroller.example.com).

    2. Bind using the provided credentials ([email protected] or DOMAINusername).

    3. If the bind succeeds, the credentials are valid.

    Libraries/Tools:

    For Node.js: ldapjs

    For Python: ldap3

    For .NET: System.DirectoryServices

    Note: This approach requires secure communication (e.g., LDAPS) to protect credentials during transmission.

    1. Active Directory Federation Services (ADFS) + Integrated Windows Authentication (IWA)

    If users are part of the same intranet or domain, you can leverage Integrated Windows Authentication.

    How it works:

    The user’s Windows credentials (via Kerberos or NTLM) are automatically used for authentication.

    This avoids prompting for credentials entirely.

    Setup:

    1. Configure ADFS to support IWA.

    2. Your backend verifies the Kerberos/NTLM tokens with AD.

    Libraries/Tools:

    Use the Negotiate/Kerberos authentication protocol in your server framework.

    Limitation: Works best for intranet applications where users are domain-joined.

    1. Microsoft Graph API with Service Account

    Use the Microsoft Graph API to verify user credentials indirectly.

    How it works:

    Your app receives the username and password from the user.

    Use a service account or app credentials to query Microsoft Graph and validate the user.

    Steps:

    1. Configure app registration in Azure AD.

    2. Use Graph API’s /users or /me endpoints to verify credentials indirectly.

    Security Consideration: This is less common since it involves handling raw user credentials.

    1. Direct Authentication via Secure Token Service (STS)

    Query AD directly using tools like Secure Token Services or Kerberos tokens.

    This can involve using a middle-layer authentication proxy, such as:

    Windows Authentication with IIS.

    Custom middleware that validates AD credentials.

    Key Security Considerations:

    TLS Encryption: Always secure communication with AD using LDAPS or HTTPS.

    Password Handling: Never store or log raw passwords.

    Least Privilege: Use service accounts with minimal privileges when querying AD.

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search