1

Is it possible to use Azure AD authentication for only a part of the application?

I work for a school and our team is creating a web application where some users need to sign in with their work/school account. Other users can create an individual account and sign in with that. They will use a different part of the application.

The first thing the user should see is a page where he can choose what kind of user he is. If the user is an "external user", he can sign in with his individual account. If the user is a "teacher" or "student", he can sign in with his work/school account via Azure AD.

Something like this.

[image]

Is this what "Home page URL" is for on the Azure portal under Branding? The app still immediately shows the Azure AD sign in page when I fill this in.

Or do we need to use Azure AD B2C? Or does that only work for social identities like Google, Facebook, ...?

Dunebro

2 Answers

0

You can use Azure AD and OpenID auth flow to achieve this.

More details in this question: "Mixing Azure AD authentication with Forms authentication"

0

Is this what "Home page URL" is for on the Azure portal under Branding?

You can register multiple authentication schemes in your application: one is authentication using a local database, and one is authentication using Azure AD. You should make the login page in your application, not on the Azure side, and have buttons on it to trigger the different schemes, for example, the AAD scheme:

// Inside a controller action: start the Azure AD sign-in only when the user is not signed in yet.
if (!User.Identity.IsAuthenticated)
{
    return Challenge(new AuthenticationProperties() { RedirectUri = "/" }, AzureADDefaults.AuthenticationScheme);
}

The simplest way is to use ASP.NET Core Identity and add Azure AD authentication as an external login. Here is a code sample.

For the authorization part, you can manage users and roles inside the local database since by default, after AAD login, the identity framework will help create a local user in the database, but that can also be customized depending on your requirements. Or you can directly create a policy and check the claims of users; users logging in from AAD or the local database should have different claims.

Nan Yu
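As an added example (not code from either answer), here is one way to scope Azure AD to only part of an application: a local cookie stays the default scheme, and the Azure AD scheme is challenged only by the policy on the school-account area. It assumes ASP.NET Core 3.1 with the Microsoft.AspNetCore.Authentication.AzureAD.UI package and an "AzureAd" configuration section; the policy names, controller names and the /Account/Login path are hypothetical.

```csharp
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.AzureAD.UI;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

// Policy names, controller names and paths below are assumptions for illustration.
public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }
    public void ConfigureServices(IServiceCollection services)
    {
        // The local cookie is the default scheme; Azure AD is registered but never challenged globally.
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(o => o.LoginPath = "/Account/Login")   // hypothetical local login page
            .AddAzureAD(o => Configuration.Bind("AzureAd", o));
        services.AddAuthorization(options =>
        {
            // Teacher/student area: only an Azure AD sign-in satisfies this policy.
            options.AddPolicy("SchoolAccount", p => p
                .AddAuthenticationSchemes(AzureADDefaults.AuthenticationScheme)
                .RequireAuthenticatedUser());
            // External-user area: only the local cookie satisfies this policy.
            options.AddPolicy("LocalAccount", p => p
                .AddAuthenticationSchemes(CookieAuthenticationDefaults.AuthenticationScheme)
                .RequireAuthenticatedUser());
        });
        services.AddControllersWithViews();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(e => e.MapDefaultControllerRoute());
    }
}

[AllowAnonymous]                       // landing page with the two sign-in buttons
public class HomeController : Controller { public IActionResult Index() => View(); }
[Authorize(Policy = "SchoolAccount")]  // unauthenticated requests are challenged via Azure AD
public class ClassroomController : Controller { public IActionResult Index() => View(); }
[Authorize(Policy = "LocalAccount")]   // unauthenticated requests are sent to /Account/Login
public class PortalController : Controller { public IActionResult Index() => View(); }
```

Because each policy names its own scheme, a session from one sign-in path does not satisfy the other area's policy, and no global authorization filter forces the Azure AD redirect on the landing page.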