Is there a simple way to require AzureAD/Entra authentication without creating an Orchard User account?

[ericrrichards]

The situation I have is this:

• I have some content items that should be publicly accessible to anonymous users.
• Some content should not be publicly accessible, it should only be visible to users that authenticate themselves with their Office 365/Microsoft Entra credentials first.
• I don't want to have to create a registered Orchard User account for every user, but if they try to access a content item that is in some way marked as requiring authentication, they should be challenged to login with their organizational credentials before viewing the content.

I could probably do this client-side with some JS and the ADAL library, but that's not very secure.
I'd like to have this tied into the normal server-side Orchard AzureAD authentication, but as I understand it there is not a good way to authenticate a user without having an actual Orchard user in the database backing that up.

More or less what I want is to login the user if they have a real account, and if they don't, have a "virtual" user with the Authenticated role and a minimal subset of the identity claims returned from their AzureAD profile.

Is there an out-of-the-box way to accomplish this?

[SzymonSel]

No, not really. What you'd need to do, apart from differenciating, when to create a real user vs a virtual one, is to override the registration and authentication controllers to handle your use-cases.

[ericrrichards]

Thanks for the response, that's about what I figured looking through the source. I'm trying to stay on the happy path and not reimplement slightly tweaked versions of the base functionality, unless I really have to...

It looks like I can set up User Registration so it will seamlessly create no-role users when someone tries to login with AzureAD.
I'm not crazy about having extra users cluttering the Admin UI, but it may be useful for other things. Building some custom screens for managing just users in roles I care about is not hard.
Update some definitions of content types that had UserPickers to be more restrictive where necessary.

This (https://github.com/EtchUK/Etch.OrchardCore.ContentPermissions/) looks like a pretty decent way to handle the per-item content permissions

[SzymonSel]

I agree - using some bucket role for these 'authenticated viewer' should so the trick - combined with the mentioned by you module, to fill your needs. Enjoy! :)

[ns8482e]

You don't need authorized user to view published content if the content permission set to anonymous. Authorized user is only required for Admin access. You can implement custom authorization policy for front end without needing to create orchard user