📮 Feature request: Azure Active Directory integration

[openbook]

Azure Active Directory authentication for 'backoffice' users is available for self hosted Umbraco installations but not for Umbraco Cloud. We'd like to use this for a Heartcore installationg, could you tell me if this feature is being considered at all (I can't see it on the roadmap)?

[sitereactor]

Hi @openbook this is in an early exploration phase right now, so don't have a time frame for it unfortunately. We are in the early stage of implementing Azure B2C in order to provide a central login experience, which we call Umbraco Id. As part of this we want to explore how we can support Azure AD as an additional option for those that have an AD which they would like to use as the identity provider for Umbraco Cloud.

If you can elaborate a bit more about your scenario and what your expectations are for such an integration that would help us understand the use case and help us in terms of planning the feature.

[sitereactor]

And I should add that this would be across all og Umbraco Cloud and for both regular Umbraco Cloud projects as well as Umbraco Heartcore projects.

[openbook]

Thanks for the information @sitereactor & thats good to hear it's being considered.

To expand on the use case, it's (hopefully) fairly simple (to describe if nothing else) in that the organisation I'm working with maintain an internal Active Directory for single sign on across their systems & would like to expand this to cover their CMS backoffice user logins.

In it's simplest form, this would mean that when users are invited to join a project as a backoffice user, the sign up form includes an option to use an existing account from an active directory which has been specified in the project setup (storing the active directory endpoints in a new admin setting).

It would also be useful to make this an optional or required setting (in the case of required - the sign up and login method is solely handled via Active Directory) & this would also be configurable via the admin user settings.

Finally, an option to enforce required Active Directory logins to specific user groups would be useful in the case where users that are external to the organisation and wouldn't have an Active Directory login, could be added to a group making use of the Umbraco login, whereas all users in the 'internal staff' group would be forced to use AD. This is possibly debatable as it introduces insecure routes into the CMS, but that could be mitigated by restricting what those users can do.

Hope that's all clear and useful.....

[PGGMTeam5]

We also have this same requirement, to be able to use Azure AD for backoffice login on our Umbraco Cloud projects..

It is almost 2 years since the original request was done - is there any progress on this, or can we expect any progress on this?

[shybzzz]

this is a very interesting feature for us, too
do you have any progress on that?

[sajumb]

Hi @PGGMTeam5 and @shybzzz,
Currently, we do not have this feature on our public roadmap (https://umbraco.com/products/roadmap/). Also I do not expect us to enable Azure AD as identity provider for Umbraco Identity this year unfortunately. We have added the feature request to our backlog and I'll make sure to notify all in this thread when we have added it to our roadmap.

[sajumb]

Just an update on the support of Azure Active Directory integration in Umbraco Cloud. We will start considering AD integration to Umbraco in Q3 of 2023. We do not have an ETA for the feature, but our ambition is that the feature is released in 2023 or in the beginning of 2024.

[mjlamb]

Yes I'd like this option also, to have Azure AD support for SSO into the back office, in the Umbraco Cloud version.

[corsini-iodigital]

Hi @sajumb!
Is there an update regarding the Azure Active Directory integration? On the roadmap it's listed in the "Later" section - does that mean around Q1 2024 as you mentioned in your last comment?

Thanks in advance!

[sajumb]

Hi @corsini-iodigital,

Unfortunately, the implementation of this feature (AD integration to the Umbraco Cloud Portal) has been postponed. While we initially hoped to target Q1 2024, our current projection is now aiming for Q3 2024.

Please note that while this is our current expectation and hope, it is not guaranteed. In the meantime, users can implement AD integration for the backoffice of their cloud project, following the guidelines and resources available for such custom implementations. See more info here: #206 (comment)

[PGGMTeam5]

@corsini-iodigital
Please take a look at: https://docs.umbraco.com/umbraco-cms/v/10.latest-lts/reference/security/authenticate-with-active-directory and
https://docs.umbraco.com/umbraco-cms/v/10.latest-lts/reference/security/auto-linking

We have implemented the Azure AD login for our Cloud projects based on this, with only two custom classes and some appsettings and configuration in Azure AD.

[sajumb]

Thank you for your input, @PGGMTeam5.

Indeed, for cloud projects focusing on Active Directory integration for backoffice user access, the process is quite straightforward, as highlighted by @PGGMTeam5.

For further reference, consider these resources:

• Umbraco's documentation on external login providers: External Login Providers in Umbraco
• A detailed guide on integrating Azure Active Directory B2C with Umbraco: Integrating Azure AD B2C with Umbraco
• Jeroen Breuer's GitHub tracker, featuring an OpenID Connect example: Umbraco OpenIdConnect Example

Please note that I will update my previous comment to clarify that AD integration into the Umbraco Cloud Portal is not currently supported.

[skidmow]

Hi, just following up on this. As I understand it, this feature is planned for release in Q1 of 2025. However, the Azure AD support is only going to be applicable for the Umbraco Back-office, not the Umbraco Cloud portal.

This is problematic for customers using Umbraco Cloud or Umbraco Heartcore in a multi-environment scenario. The reason for this is because the Umbraco Deploy propagation of structure changes to higher environments can only be done through Umbraco Cloud. See Cloud Docs and Heartcore Docs on this topic.

This means that "developers" must use Umbraco Cloud to propagate their changes across environments, which will not use Azure AD, and therefore the benefits of AD are lost. Umbraco Cloud is publicly available, so any user access will need to be audited regularly by the company using Umbraco Cloud. For small companies with few developers, this could be easy work, but for enterprise companies with 300+ developers, it's not so simple to audit and introduces unnecessary security risks.

Do we have plans to integrate the Umbraco Cloud portal with Azure AD? Should I raise a new feature request for this?

If it would be simpler, an alternative approach could be to enable structure propagation through the Umbraco Back-office using Umbraco Deploy. Many thanks