Azure AD user management
# help-with-umbraco
c
Hi all. I have been chatting with @Lotte about how I can have our Umbraco site use an existing AzureAD user store to manage users of our site. We don't really need to have the users in the backoffice user store, as the company manages users in the AAD, and if someone joins or leaves the company their user account is created/deleted in AAD, but we need them to be able to access the secure pages based on the AAD access. @Lotte shared with me a great blog post by @Jeroen Breuer https://www.jeroenbreuer.nl/blog/virtual-members-in-umbraco/ But as they point out this is very much an experiment, and I am concerned that using something experimental in a live client project isn't a great idea. So before I commit to this or tell the client this isn't possible, is there something I am missing or a best way to tackle this? Thanks all.
m
Just want to point out that link is for members; I am not sure how Users would behave without a userId. I have used this in the past for Azure logins into the back office - https://github.com/Gibe/Umbraco.Community.AzureSSO
It still creates a User Record, but if you disable the normal login (I can't recall the setting) they can only log in using Azure.
l
Hey Matt. I understand this as Cliff wanting to restrict access to certain areas of the front-end using Entra ID/Azure AD, so 'members' not 'users'. And to use the 'public access' feature to be able to manage which content nodes are restricted. The good old member v user confusion 😉
c
Hi @Matt Wise, thanks for the link and suggestion, but we already have an AAD instance with user accounts that are actively managed. I need the user to log in against that AAD instance and, if they are valid, allow them into the Umbraco pages. I don't need them to have an Umbraco account and only log in via the AAD. Seems a bit of a missing ability of Umbraco, especially as a DotNET tool, that you can't use a 3rd party system to manage users without them being in the Umbraco database, as it's duplication and, more importantly, a security threat.
h
I know that Members are required to be in Umbraco; however, we use Dynamics CRM accounts for member management/login with a lot of Umbraco sites I have built. We simply create an Umbraco member account which contains a guid key field against the member. We then have a custom login process which looks up the key to then validate the user against CRM. So it should be possible to roll your own and store minimal information in Umbraco.
c
Again, that means you have to manage the users in two locations: if they leave the business you have to delete them in two places, and new joiners again have to be added in two places. I like what @Jeroen Breuer has done on the blog post, but I'm concerned it's experimental, so was hoping someone had verified it or there was another approved way. Seems a bit silly we are all rolling our own security and login systems. 😜
h
We have it all automated, so it is no extra work for the client; they manage everything through Dynamics.
m
You could try locking down the whole web app to Entra login only. On the Web App pick Authentication and then add an identity provider. Pick Microsoft and try following the wizard to add your app registration that the Entra users can use. It should prompt anyone who visits the web app to be logged in with their Entra account first. Once logged in, they can view the pages. https://cdn.discordapp.com/attachments/1221780116884160563/1222567469521305610/image.png?ex=6616afae&is=66043aae&hm=54851c65a12a2985c06378bb49055c913131b30d7b1372a076cd4de5e1f05024&