
Azure Authentication offers a robust and scalable solution for managing identities and access to cloud resources, whereas Exchange Token Authentication is primarily used for authenticating users to Exchange servers.
Both authentication methods have their own strengths and weaknesses, but Azure Authentication provides a more comprehensive and flexible solution.
Azure Authentication supports multiple authentication protocols, including OAuth, OpenID Connect, and SAML, whereas Exchange Token Authentication is mainly based on the Kerberos protocol.
In practical terms, Azure Authentication is ideal for large-scale cloud deployments, whereas Exchange Token Authentication is more suited for on-premises Exchange server environments.
Azure Authentication
Azure Authentication offers various libraries to interact with Azure AD and obtain tokens, such as the Microsoft Authentication Library (MSAL), which allows secure access to Oracle databases residing in the cloud or on-premises.
For Office 365 Authentication, you have multiple options to handle authentication to the service.
To validate claims and authorize access tokens, you must check that the token is a delegated token containing an scp claim and an oid claim, which are used to identify the service and the identity, respectively.
The claimsPrincipal returned from the access token validation can be used to check and authorize the identity, but be cautious when relying on the roles claim, since it is also issued in application (app-only) tokens.
Non-Interactive authentication methods are useful in automation and scripting, service-to-service communication, backend services, and resource access without user presence, as seen in the following scenarios:
- Automation and Scripting: Non-Interactive methods are indispensable when scripting or automating tasks that require access to Azure AD-secured resources.
- Service-to-Service Communication: Applications communicating with each other, especially in a microservices architecture, benefit from Non-Interactive methods.
- Backend Services: Backend services, devoid of user interfaces, often rely on Non-Interactive methods for acquiring tokens securely.
- Resource Access without User Presence: In scenarios where resource access is required without the need for direct user interaction, such as background data processing or API access.
Microsoft Authentication Library
Microsoft Authentication Library (MSAL) is a library provided by Microsoft to interact with Azure AD and get tokens. These tokens can be securely stored in a directory and used to configure Oracle Database connection strings.
To get started with MSAL, you'll need to have the necessary prerequisites and have registered your application within Azure as described in Part 1. This will allow you to obtain tokens and connect to Oracle databases with enhanced authentication and security.
Here are some key points to consider when using MSAL:
- MSAL libraries are available for various programming languages.
- MSAL tokens can be used to secure connections to Oracle databases.
Non-Interactive Acquisition: Automation
Non-Interactive methods, like Client Credential flow, are designed for scenarios where user interaction is impractical or unnecessary. They're perfect for automation, allowing tasks to run smoothly without any human intervention.
In automation-friendly scenarios, Non-Interactive methods are a must-have. This is especially true for tasks that require access to Azure AD-secured resources, such as scheduled jobs or data synchronization processes.
Here are some key benefits of using Non-Interactive methods in automation:
- Automation-Friendly: Suited for scenarios where user interaction is not possible or desired.
- Background Tasks: Ideal for tasks running in the background, devoid of user intervention.
- No Browser Required: The server that connects to the applications does not need a browser.
Non-Interactive methods are also great for scripting and automating tasks that require access to Azure AD-secured resources. This is prevalent in scenarios such as scheduled jobs or data synchronization processes.
Configure App Registration
To configure app registration on Azure, you'll need to head to the Azure Portal and navigate to App registrations. Find your existing app registration or create a new one.
For local development, you'll typically use a redirect URI like http://localhost:7007/api/auth/microsoft/handler/frame, but for production, it's https://your-backstage.com/api/auth/microsoft/handler/frame.
On your app registration's overview page, add a new Web platform configuration. Be sure to leave the Front-channel logout URL blank.
To add permissions, click on the API permissions tab and then click on Add Permission. You'll need to add the following Delegated permission for the Microsoft Graph API: email, offline_access, openid, profile, User.Read, and any optional custom scopes defined in the app-config.yaml file.
If your company requires admin consent for these permissions, a directory admin will need to grant it by clicking on the Grant admin consent for COMPANY NAME button. Even if it's not required, granting admin consent means users won't need to consent individually the first time they access Backstage.
You can reuse an existing client secret if you're using an existing app registration, or create a new one on the Certificates & Secrets page. Make a note of the client secret value as you'll need it in the next section.
Here's a quick rundown of the required Delegated permissions for the Microsoft Graph API:
- email
- offline_access
- openid
- profile
- User.Read
- Any optional custom scopes defined in app-config.yaml
Office 365 Authentication
When moving to Office 365, you have various options on how to handle authentication to the service.
You can use Azure Active Directory (AAD) to authenticate users, which provides a centralized location for managing user identities and access to Office 365.
AAD integration offers a seamless authentication experience for users, allowing them to access Office 365 resources without the need for additional sign-in steps.
Office 365 also supports password-based authentication, where users enter their username and password to access the service.
However, password-based authentication can be less secure than AAD integration, as it relies on user passwords being stored securely.
Exchange token authentication, on the other hand, uses a token-based authentication mechanism to authenticate users to Office 365.
This approach can be more secure than password-based authentication, as it eliminates the need to store user passwords.
However, Exchange token authentication requires additional setup and configuration to implement correctly.
Overall, the choice of authentication method will depend on your organization's specific needs and requirements.
OAuth 2.0 Server
The OAuth 2.0 Server is a crucial component of the Azure authentication and exchange token authentication process. It validates the POST request using Basic authentication, then checks the body of the HTTP POST request. The server must match its own users to the Microsoft Entra ID users, matching carefully on either the email address or the Azure oid claim.
The server has several key responsibilities: validating the Basic authentication, validating the body of the POST request as per standard, validating the access token fully, validating the claims and doing the authorization, and generating the new access token as per standard. This process ensures that only delegated access tokens are accepted.
Here are the specific validation steps the server must take:
- Validate the Basic authentication
- Validate the body of the POST request as per standard
- Validate the access token fully, including the signature, aud, and iss
- Validate the claims, such as the oid and scp claims
- Generate the new access token as per standard
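The first two of these steps, as an added example that is not from the page or from any project it mentions: a small Python check of the Basic client authentication and of the RFC 8693 token-exchange body (grant_type, subject_token_type, subject_token). The client id, secret and token values are constructed placeholders; step 3, full validation of the subject_token, is not covered here.

```python
import base64
import hmac
from urllib.parse import parse_qs

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"

# Constructed client registration (hypothetical id and secret); a real server
# keeps client secrets hashed in its own store.
REGISTERED_CLIENTS = {"exchange-client": "client-secret-placeholder"}

def basic_header(client_id, secret):
    """Build the Authorization header a client sends (used to drive the checks)."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()

def validate_basic_auth(authorization_header):
    """Step 1: header must be HTTP Basic for a registered client with the right secret."""
    scheme, _, encoded = authorization_header.strip().partition(" ")
    if scheme != "Basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    client_id, sep, secret = decoded.partition(":")
    expected = REGISTERED_CLIENTS.get(client_id)
    if not sep or expected is None:
        return None
    # Constant-time comparison so a wrong secret cannot be probed byte by byte.
    return client_id if hmac.compare_digest(expected.encode(), secret.encode()) else None

def validate_exchange_body(body):
    """Step 2: the form body must be an RFC 8693 request exchanging an access token."""
    try:
        form = {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}
    except ValueError:
        return None
    if form.get("grant_type") != TOKEN_EXCHANGE_GRANT:
        return None
    if form.get("subject_token_type") != ACCESS_TOKEN_TYPE:
        return None
    return form.get("subject_token")  # None when the parameter is missing or blank

def validate_exchange_request(authorization_header, body):
    """Steps 1 and 2 together: returns (client_id, subject_token) or None.
    The subject_token itself still needs full JWT validation (step 3)."""
    client_id = validate_basic_auth(authorization_header)
    subject_token = validate_exchange_body(body)
    if client_id is None or subject_token is None:
        return None
    return client_id, subject_token
```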
Validate Claims and Authorize Access
The ValidateTokenAndSignature method checks and validates the token. This ensures that the access token sent using the subject_token parameter is fully validated, including the signature.
The iss and the aud are validated and checked against the expected values. This is done using the well-known endpoints of the Microsoft Entra ID identity provider to get the public keys of the certificate used to sign the JWT token.
The returned claimsPrincipal is then used to check and authorize the identity from the access token. This involves validating that the token is a delegated token and that it contains a scp claim and an oid claim.
The scp claim carries the scope we defined for using the service, and the oid claim identifies the user more reliably. Because Microsoft sometimes issues these claims under their namespaced names, a fallback check validates both forms.
A new access token is created using the same certificate as the default one used by OpenIddict. This makes it possible to validate the new token using the well-known endpoints.
The claims in the new token are added as laid out in the token exchange RFC, which provides a standard way of doing this.
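The claim checks described here and in the earlier MSAL section, as an added example (not the page's or OpenIddict's code): given the claims of a token whose signature has already been verified, it confirms aud, iss and the validity window, accepts scp and oid under both their short and namespaced names, and rejects an application token that carries only roles. Tenant, audience and oid values are constructed placeholders.

```python
import time

# Entra ID may emit these claims under namespaced names; accept either form.
OID_CLAIM_NAMES = ("oid", "http://schemas.microsoft.com/identity/claims/objectidentifier")
SCP_CLAIM_NAMES = ("scp", "http://schemas.microsoft.com/identity/claims/scope")

# Placeholder tenant and API identifiers for the example (not real values).
EXPECTED_ISS = "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0"
EXPECTED_AUD = "api://exchange-api-placeholder"

# Constructed claim sets standing in for the payload of a signature-checked JWT.
DELEGATED_CLAIMS = {
    "iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "nbf": 1_700_000_000, "exp": 1_700_003_600,
    "scp": "access_as_user",
    "http://schemas.microsoft.com/identity/claims/objectidentifier": "user-oid-placeholder",
}
APP_ONLY_CLAIMS = {
    "iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "nbf": 1_700_000_000, "exp": 1_700_003_600,
    "roles": ["Admin"], "oid": "app-oid-placeholder",
}

def first_claim(claims, names):
    """Return the first claim present under the short or namespaced name, else None."""
    return next((claims[name] for name in names if name in claims), None)

def authorize_delegated_token(claims, required_scope, now=None,
                              expected_aud=EXPECTED_AUD, expected_iss=EXPECTED_ISS):
    """Return the caller's oid if the claims describe a delegated token for this API
    carrying required_scope; None otherwise. Signature must be verified beforehand."""
    now = time.time() if now is None else now
    aud = claims.get("aud")
    aud_ok = expected_aud in aud if isinstance(aud, list) else aud == expected_aud
    if not aud_ok or claims.get("iss") != expected_iss:
        return None
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        return None
    scp = first_claim(claims, SCP_CLAIM_NAMES)
    oid = first_claim(claims, OID_CLAIM_NAMES)
    # No scp claim means an app-only (roles) token: reject even though oid is present.
    if not isinstance(scp, str) or not oid:
        return None
    if required_scope not in scp.split():
        return None
    return oid
```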
What is HMA?
Hybrid Modern Authentication (HMA) is Microsoft's answer to closing the gap in authentication options for Exchange servers.
HMA relies on Azure Active Directory to authenticate client connections, providing access to features like Azure Multi-Factor Authentication and Conditional Access.
In a nutshell, HMA enables Exchange to consume tokens issued by Azure AD, allowing authentication to be performed by Azure AD or another federated solution.
To use HMA, you'll need to synchronize all your Exchange users to Azure AD and have Exchange Hybrid write-back enabled.
Here's a quick rundown of the requirements for HMA:
- Synchronize all your (Exchange) users to Azure AD
- Have Exchange Hybrid write-back enabled
- Deploy a full hybrid Exchange configuration
- Use MAPI/HTTP for (Outlook) connectivity to Exchange
If you fail to meet these requirements, you won't be able to roll out HMA, and you'll be stuck with cumbersome authentication options.