Entra ID¶
Entra ID (formerly known as Azure Active Directory, Azure AD or AAD) is a cloud-based identity and access management service provided by Microsoft.
We use Entra ID as our internal identity provider for authenticating and authorizing both employees and applications.
NAIS provides support for declarative registration and configuration of Entra ID resources. These cover these distinct use cases:
Log in employees¶
If you have an employee-facing application that requires authentication, you will need to integrate with Entra ID. NAIS simplifies this by providing a login proxy with endpoints to easily handle login, logout, and user sessions.
Your application is responsible for verifying that inbound requests have valid tokens.
Secure your API¶
To secure your API with Entra ID, you'll need to grant consumers access to your application. Once configured, your consumers can acquire a token from Entra ID to consume your API.
Your application code must verify inbound requests by validating the included tokens.
Learn how to secure your API with Entra ID
Consume an API¶
If your application needs to consume another API secured with Entra ID, you need to acquire a token.
There are two types of flows for acquiring tokens, depending on the context of the request:
Consume on behalf of employee¶
This flow is for machine-to-machine requests on behalf of an employee end-user.
To consume an API on behalf of an employee, you'll need to exchange their token for a new token:
graph LR
Consumer["User / Consumer API"] --"request with \n employee token"--> Application[Your app]
Application --1. exchange \nemployee token---> AAD["Entra ID"]
AAD --2. issue new token \nfor Other API---> Application
Application --3. use new token ---> OtherAPI["Other API"]
The new token preserves the employee's identity context and is only valid for the specific API you want to access.
Learn how to consume an API on behalf of an employee
Consume as application¶
This flow is for machine-to-machine requests without any end-user involvement.
To consume an API as the application itself, you'll need to acquire a token:
graph LR
Application["Your app"] --1. request token---> AzureAD["Entra ID"]
AzureAD --2. return token---> Application
Application --3. use token---> API["Other API"]
Learn how to consume an API as an application
Generate a token for development¶
In some cases, you want to locally develop and test against a secured API in the development environments. You will need a token to access said API.