How should multiple environments be managed when using Azure AD B2C? - azure

Background:
I'm building an application where I want to use Azure AD B2C to enable consumer logins. When I have previously built applications in Azure, I would have a single "regular" Azure AD tenant, and a resource group for each environment (dev, test, prod, etc.).
I have now created an Azure AD B2C tenant for development purposes, following the guidelines here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/best-practices#operations which specify that I should create a tenant for each environment.
However, now my new B2C tenant shows up as a directory in the Azure portal, implying that I have also created a new directory.
Question:
What is the common wisdom regarding multiple B2C tenants? Should I create other dev resources in the same directory as my B2C tenant? Or should I just leave the new directory be, not interacting with it except when I need to configure my B2C tenant?

Directory = Tenant.
When you create a B2C tenant, it essentially is just a Directory. You connect dev apps to dev app registrations in the dev directory with dev users. Repeat for other envs. It is not treated like regular AAD, it is treated more like any other Azure Resource, e.g. a VM.

Related

Azure Active Directory B2C Tenant

I have a structural question on the Azure portal. When I create a new Azure Active Directory B2C Tenant, it forces the creation of a new directory, with new org name, paired to the subscription ID from the directory where I created the tenant. This feels incredibly disjointed to me since my Active Directory is in my parent directory. So my questions are
Is this the standard model for using Azure Active Directory B2C?
Main Directory w/ subscription
-> B2C Tenant 1 (dev)
-> B2C Tenant 2 (staging)
-> B2C Tenant 3 (prod)
If so, does that mean that I should create all resources for the environment in the B2C Tenant directory?
Can I make multiple Azure Active Directory B2C tenants in my main account, and just separate them into different resource groups for dev, staging, and prod?
Reading the documentation, everything seems to show either creating a new Tenant which creates a new directory, or "Linking" an existing Tenant. The issue with that is when you create a tenant, you MUST specify a subscription, and to "Link" a Tenant, it can not have a subscription, and since you can't remove a subscription from a Tenant, how is this option even possible?
Any help or guidance on these points would be greatly appreciated. I've spent days reading documentation and trying to get this set up along the lines of option 2 since that's the model that exists in a client account I need to replicate, but nothing has worked.
EDIT
I see that I can click on the B2C Tenant from my main Azure Active Directory account and see its subscription status as
An Azure subscription is required to continue receiving SLA support for External Identities
but when I click that it takes me to the Azure AD B2C directory and I'm confronted with this image
[![enter image description here][1]][1]
but when I look at the resource in the main Azure AD directory, I see I can move subscriptions but there is **already a subscription assigned** so what does it want me to do?
[![enter image description here][2]][2]
It seems like the answer is "An Azure AD B2C directory is ONLY meant to manage the B2C tenant, and nothing else" but the only person to reply to this so far is saying that you should create all your resources in the B2C tenant directory, not the Azure Active Directory Account which has the resource group referencing the created B2C tenant.
[1]: https://i.stack.imgur.com/g3dMY.png
[2]: https://i.stack.imgur.com/72sH7.png
• When you create an Azure B2C tenant in your existing subscription, a new Azure AD directory with the name of the given Azure AD B2C tenant is created and related to it, a separate Azure AD B2C tenant/directory is also created. That is, by the name of the Azure AD B2C tenant, a normal Azure AD B2C directory is available as well as an Azure AD B2C directory/tenant is also available.
• Thus, when you create an Azure AD B2C tenant, it will be shown under your resource group in which it is assigned. Also, if you want to create a new resource in this new Azure AD B2C tenant, then you will need to link it with an existing subscription or add a new subscription to it as it functions as a full-fledged separate tenant with an existing Azure AD default directory to take care of the Identity and Access Management requirements.
If so, does that mean that I should create all resources for the environment in the B2C Tenant directory?
Yes, you can separate your ‘dev, staging and prod’ B2C tenants for your convenience and create resources in it for your management purposes but you will have to link every B2C tenant with an active subscription plan so that the billing costs of the resources deployed in it are taken care of.
Can I make multiple Azure Active Directory B2C tenants in my main account, and just separate them into different resource groups for dev, staging, and prod?
Yes, you can as per the above given explanation.
Thus, for creating a new B2C tenant, you need to have an existing subscription of Azure and an existing Azure AD tenant through which you can surely create an Azure AD B2C tenant and further if you want to deploy Azure resources in it, then you can add a subscription or link an existing one.
Please find the below snapshots for your reference: -

How can I manage Azure AD B2C with a service principal from the main directory

We are running Azure AD B2C to authenticate users in our application. We also managed to codify almost everything with Terraform and are pretty happy with it. Now we are attempting to move these manifests under Azure Devops Pipelines and are stuck with access problems.
Azure Pipelines use a dedicated service principal in the main (non B2C) Active Directory to perform its operations. We granted this SP enough permissions within the target subscription to handle Terraform resources. But I cannot find any way to grant this SP any permissions on the B2C directory. I can invite users from the primary directory to the B2C, and it works fine, but SP is an application, not a user.
Is there any way to "invite" an application from the primary directory into the B2C directory?
Is there any way to "invite" an application from the primary directory into the B2C directory?
If your app registration's supported account types setting is Accounts in any organizational directory (Any Azure AD directory - Multitenant), you would be able to add the same service principal in your Azure AD B2C Tenant.
As you want to use the service principal in Azure Pipelines to handle Terraform resources, it is suggested to use separate service principals for Azure AD and Azure AD B2C as Authentication will be different for the service principal with multi-tenant account support type.

AAD B2C creates a new tenant. I don't get it

I want to deploy an application on Azure. I want users to be able to authenticate in my app without a Microsoft account. This guided me to use the AAD-B2C service. I followed the tutorial shown here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-tenant expecting that this will create a new AAD-B2C Directory in my existing Directory and tenant. I had in my mind something like the following tree:
Subscription: Pay-As-You-Go
Directory: Default
Resource Group: Default-EU
Tenants: Default, Application
User Pools: Default(Internal Users), Application(External Users)
I'm not sure I understand how this works and I'm very confused. Is it possible to use external sign-ins from users that don't have a Microsoft account without creating 2 tenants and 2 directories under my subscription?
When you create a B2C tenant, there are two completely different entities that get created - B2C Tenant Resource and B2C Tenant/Directory itself.
The B2C Tenant Resource gets created in the subscription linked to your standard Azure AD tenant (Default Directory e.g., contosocorp.onmicrosoft.com) you used to create the B2C tenant from. This resource is primarily used to change your Azure AD B2C tenant's pricing tier.
A separate tenant for your B2C directory gets created (e.g. contosob2c.onmicrosoft.com). This is an independent tenant/directory than your Default Directory and is not stored in the default tenant.
The way subscription is linked to standard Azure AD tenant is different than the B2C tenant. A subscription in B2C is required for Support, Billing, Custom Policies, and using the Identity Experience Framework. You cannot create resources for Static Web App or Function App, or Cosmos DB in the B2C tenant and you will have to use your Default Directory for this purpose.
Azure AD B2C is different from Azure AD. So, when you create Azure AD B2C, it creates another tenant
You need to create Azure AD B2C Tenant in the same subscription in which your application is deployed
Create an App Registration in your Azure AD B2C Tenant
Go to your web application and select Authentication. You can add your app registration details in the identity provider
Reference: Azure App Service Authentication (Ez Auth) with Azure AD B2C - DEV Community

Can we access different Azure AD directories with single Azure AD App

I am currently using an Azure AD app (Client Id and Client Secret) of one directory to get user details and Azure resources of the attached subscription through MS Graph and the Azure Management API. Now I have added one more directory and subscription under my management group. I want to know if I create a multi-tenant Azure AD app through App registration, can I access the users of the other directory? If yes, what configurations are required?
If you want to use a single Azure AD application to access different Azure AD directories, then you must configure the application as a multi-tenant application. Because changing the application to a multi-tenant application allows any tenant to log in.
Next, you need to request the consent of the administrators of other Azure AD tenants. After the administrator consent, it will be added to other organization tenants as an enterprise application. In addition, different tenants need to use different access tokens.
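Added example (not code from any of the posts above): a Python sketch of the flow the two multi-tenant answers describe, for a single multi-tenant app registration used from both the home directory and a second directory (the B2C-tenant service-principal case and the management-group case alike). It builds the per-tenant admin-consent URL that creates the enterprise application in the other directory, acquires one client-credentials token per directory from the tenant-specific token endpoint, keeps them in a per-tenant cache, and refuses any token whose `tid` claim does not match the directory it was requested for. The tenant ids, client id, redirect URI and the token service are constructed for this example; the real HTTP call to the token endpoint is replaced by a stand-in passed in as `fetch`.

```python
import base64
import json
import time
from typing import Callable, Dict
from urllib.parse import urlencode

# Constructed identifiers for this example (not real tenants or apps).
CLIENT_ID = "00000000-0000-0000-0000-00000000abcd"    # the multi-tenant app registration
HOME_TENANT = "11111111-1111-1111-1111-111111111111"  # directory that owns the registration
OTHER_TENANT = "22222222-2222-2222-2222-222222222222" # second directory under the management group
GRAPH_SCOPE = "https://graph.microsoft.com/.default"


def admin_consent_url(tenant_id: str, client_id: str, redirect_uri: str) -> str:
    """v2.0 admin-consent URL: an admin of tenant_id opens it once, which creates the
    enterprise application (service principal) for client_id in that directory."""
    query = urlencode({"client_id": client_id, "scope": GRAPH_SCOPE, "redirect_uri": redirect_uri})
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0/adminconsent?{query}"


def token_endpoint(tenant_id: str) -> str:
    """Client-credentials tokens are minted per directory, so the endpoint carries the tenant id."""
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def claims_of(token: str) -> dict:
    """Payload of a JWT the app itself just received over TLS from the token endpoint.
    Signature checking against the tenant's JWKS is a separate step not shown here;
    never trust claims read this way from a token handed to you by a third party."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))


class TenantTokenCache:
    """One access token per tenant; a token whose `tid` claim does not match the
    directory it was requested for is rejected rather than cached."""

    def __init__(self, fetch: Callable[[str, str], str], skew_seconds: int = 60):
        self._fetch = fetch  # fetch(token_url, tenant_id) -> raw token; the HTTP call lives here
        self._skew = skew_seconds
        self._tokens: Dict[str, str] = {}

    def _usable(self, token: str) -> bool:
        return claims_of(token).get("exp", 0) > time.time() + self._skew

    def token_for(self, tenant_id: str) -> str:
        cached = self._tokens.get(tenant_id)
        if cached is not None and self._usable(cached):
            return cached
        token = self._fetch(token_endpoint(tenant_id), tenant_id)
        issued_for = claims_of(token).get("tid")
        if issued_for != tenant_id:
            raise ValueError(f"token is for tenant {issued_for}, but {tenant_id} was requested")
        self._tokens[tenant_id] = token
        return token


# --- constructed stand-in for the network call, so the example runs offline ---------------

def _fake_jwt(claims: dict) -> str:
    """Unsigned JWT-shaped string; only its payload matters for this demonstration."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


class FakeTokenService:
    """Mimics the token endpoint: answers with a token whose tid is the tenant in the URL."""

    def __init__(self) -> None:
        self.calls = 0

    def fetch(self, token_url: str, tenant_id: str) -> str:
        assert token_url == token_endpoint(tenant_id)
        self.calls += 1
        return _fake_jwt({"tid": tenant_id, "aud": "https://graph.microsoft.com",
                          "exp": int(time.time()) + 3600})


def demo() -> dict:
    """Acquire tokens for two directories and show they are distinct and cached per tenant."""
    service = FakeTokenService()
    cache = TenantTokenCache(service.fetch)
    home = cache.token_for(HOME_TENANT)
    other = cache.token_for(OTHER_TENANT)
    cache.token_for(HOME_TENANT)  # served from the cache: no second call for this tenant
    return {"home_tid": claims_of(home)["tid"], "other_tid": claims_of(other)["tid"],
            "fetches": service.calls}


if __name__ == "__main__":
    print(admin_consent_url(OTHER_TENANT, CLIENT_ID, "https://app.example.com/consent"))
    print(demo())
```

In a real deployment `fetch` would POST `client_id`, `client_secret` (or a certificate assertion), `scope` and `grant_type=client_credentials` to the URL returned by `token_endpoint`, and the `tid` check is what stops a token obtained for one directory from being replayed against another.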

What Is The Difference Between An Azure Tenant, Azure Directory and Azure Active Directory?

Following on from this question, I don't understand what the difference is between an Azure Tenant, Azure Directory and Azure Active Directory.
When I log in to Azure and click my profile it lets me Switch Directory.
In my case I can switch to my company directory and also to the directory of another company where I have guest credits.
Does Directory in this context mean the same as Azure Active Directory?
The documentation says a tenant is:
Azure tenant: A dedicated and trusted instance of Azure AD that's automatically created when your organization signs up for a Microsoft cloud service subscription, such as Microsoft Azure, Microsoft Intune, or Office 365. An Azure tenant represents a single organization.
So is Tenant the same as Directory in this case as well?
Yes, in this case the tenant is the same as an Azure AD. In the Azure portal you are changing Azure Active Directories when you use the Switch Directory feature. You can currently only be in the context of a single directory at a time; however, as the previous question you pointed to indicates, multiple subscriptions can be tied to a tenant/directory. So when you are in the context of a directory you'll see all the subscriptions under that tenant to which you have access to one or more resources based on security.
To be fair, I use Azure AD Tenant/Azure AD Directory interchangeably. The Portal UI calls them directories; however, the properties on resources, REST APIs, CLI commands, etc. all refer to it as a tenant.
Directory == Tenant.
When you utilize Azure services, the TenantId will be requested. The TenantId is none other than the DirectoryId, which can be found in the Properties tab within Azure Active Directory.
Furthermore, as answered in the link you provided:
"Subscriptions are tied to tenants. so 1 tenant can have many subscriptions, but not vice versa."
Azure Active Directory is Microsoft's cloud-based identity and access management service, which helps your employees sign in and access resources.
Tenant is a digital representation of the organization.
Azure Active Directory creates directory objects in the form of the tenant name. Azure Active Directory and tenants are interrelated.
In total, the Azure AD Tenant provides identity and access management (IAM) capabilities to applications and resources.
Link : https://learn.microsoft.com/en-us/microsoft-365/education/deploy/intro-azure-active-directory#what-is-an-azure-ad-tenant
