C# Azure authenticated API take over other account as admin


We have a number of APIs, some of them with a React front-end, others with Angular. In these applications we use Azure AD Authentication (or nowadays, Entra ID Authentication), so each user is redirected to a Microsoft login page, where the user authenticates and, with the resulting bearer token, they can request data from the API. So far so good.

In the C# API we can access these users through, for example, the HttpContext.User instance.

Administrators of the applications would like to have the ability to take over other user accounts, by really logging in as that user into the application. Is this possible without rewriting the entire application (so that we no longer rely on HttpContext.User, for example)? Is there some endpoint in the MS auth library, for example, where users with specific permissions can request a bearer token which impersonates another user?

For example, I have the users:

In this case, I want to add permissions to [email protected], so he can impersonate other users. The admin first normally authenticates with his own credentials, and gets an access token bearer1. After this, the admin indicates he wants to impersonate [email protected]; this request is posted to Microsoft and results in access token bearer2. All new calls will be done with this token and will be seen as authenticated as [email protected].

Is this even possible? If so, which endpoints should we use for this?


1 answer

Alireza Mahzad On

Impersonating users in Azure AD for direct user impersonation from a front-end application is not a recommended practice due to security risks. Azure AD supports administrative consent where an administrator can grant consent for all users in their organization. Additionally, consider using Microsoft Graph API's "on-behalf-of" flow for server-to-server communication, but not for direct user impersonation from a front-end application. Ensure proper scopes, permissions, and downstream API configuration. It's essential to prioritize robust role-based access controls and auditing mechanisms over direct user impersonation for security and privacy reasons.
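One way to give admins a reviewable "act as" feature along the lines the answer recommends (role-based control plus auditing, and no second bearer token minted for another user) is to keep the admin's own Entra ID token and let the API rewrite the principal in-process. The example below is added here and is not code from the question, the answer, or Microsoft; it assumes an ASP.NET Core API whose bearer tokens are validated by Microsoft.Identity.Web, an app role named `User.Impersonate` (hypothetical name) assigned to admins in the app registration, and a request header `X-Act-As-User` (hypothetical) sent by the admin front-end. Because it plugs into `IClaimsTransformation`, existing controllers keep reading `HttpContext.User` unchanged, which is the constraint the question raises.

```csharp
// Added example, not from the original question or answer.
// Assumptions: Microsoft.Identity.Web bearer auth (role claims of type "roles",
// user name in "preferred_username"), app role "User.Impersonate" (hypothetical),
// and header "X-Act-As-User" (hypothetical) supplied by the admin front-end.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Logging;

public sealed class ActAsClaimsTransformation : IClaimsTransformation
{
    public const string ImpersonatorRole = "User.Impersonate"; // hypothetical app role
    public const string ActAsHeader = "X-Act-As-User";         // hypothetical header
    private const string NameClaim = "preferred_username";
    private const string RoleClaim = "roles";

    private readonly IHttpContextAccessor _http;
    private readonly ILogger<ActAsClaimsTransformation> _log;

    public ActAsClaimsTransformation(IHttpContextAccessor http, ILogger<ActAsClaimsTransformation> log)
    {
        _http = http;
        _log = log;
    }

    public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        var ctx = _http.HttpContext;
        if (ctx is null || principal.Identity?.IsAuthenticated != true)
            return Task.FromResult(principal);

        // No header: every caller keeps exactly the principal Entra ID issued.
        if (!ctx.Request.Headers.TryGetValue(ActAsHeader, out var header)
            || string.IsNullOrWhiteSpace(header))
            return Task.FromResult(principal);

        var target = header.ToString();
        var actor = principal.FindFirst(NameClaim)?.Value ?? principal.Identity.Name ?? "<unknown>";

        // RBAC gate: the header is ignored (and the attempt logged) unless the
        // caller's own token carries the impersonator app role.
        if (!principal.IsInRole(ImpersonatorRole))
        {
            _log.LogWarning("Act-as denied: {Actor} lacks role {Role} (target {Target})",
                actor, ImpersonatorRole, target);
            return Task.FromResult(principal);
        }

        // Build a new identity whose Name is the target user, but record the real
        // caller in an "act" claim (the RFC 8693 actor-claim name) so audit trails
        // can always answer "who actually performed this request?".
        var identity = new ClaimsIdentity(
            authenticationType: principal.Identity.AuthenticationType,
            nameType: NameClaim,
            roleType: RoleClaim);
        identity.AddClaim(new Claim(NameClaim, target));
        identity.AddClaim(new Claim("act", actor));
        // The admin's own roles are deliberately NOT copied: an act-as session
        // should carry the target's effective rights (resolved by the app's own
        // RBAC data for that user), never the admin's elevated ones.

        _log.LogInformation("Act-as granted: {Actor} acting as {Target} for {Method} {Path}",
            actor, target, ctx.Request.Method, ctx.Request.Path);

        return Task.FromResult(new ClaimsPrincipal(identity));
    }
}

// Registration in Program.cs (assumed wiring for this example):
// builder.Services.AddHttpContextAccessor();
// builder.Services.AddTransient<IClaimsTransformation, ActAsClaimsTransformation>();
```

The bearer token on the wire is always the admin's own, so Entra ID sign-in logs, token lifetimes and Conditional Access keep applying to the admin, and the "act" claim plus the two log lines give the audit record the answer asks for. Whatever claims the rest of the API expects beyond `preferred_username` (an object id, group or role claims for the target) must be loaded from the application's own user store inside this transformation, and the set of users an admin may act as should be restricted there too.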