Could we use Azure Active Directory (AAD) B2B and B2C in a single application? B2B for Microsoft Intune access and B2C for user login/signup - azure

I have a requirement to implement both Azure B2C and B2B in a single application, where B2C is used for login/signup and, after the user's login/signup, B2B is used to get Microsoft Intune access. Is it possible to implement this flow? Any help will be appreciated.

Yes, you can add multiple providers to most applications. For example, if you use APIs and Azure Functions or web apps etc., this can be done either with EasyAuth or in your own code.
In simple terms, you end up adding AAD as one provider and B2C as a second provider, meaning that your application will trust tokens from both services, and then you go from there.
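An added example (not code from any answer on this page) of what "trusting tokens from both services" means in your own code: a trust store keyed by issuer, where each issuer has its own signing key and its own expected audience, so a valid B2C sign-in token cannot be presented on the AAD/Intune side and vice versa. Real Azure AD and B2C tokens are RS256-signed and verified against each tenant's JWKS; the HS256 shared secrets, the `<...>` tenant and client-id placeholders and the `api://intune-gateway` audience are constructed stand-ins so the example runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed trust store: one entry per identity provider the app accepts.
# Real Azure AD / B2C tokens are RS256-signed and verified against each issuer's
# JWKS keys; HS256 shared secrets stand in here so the example runs offline.
TRUSTED_ISSUERS = {
    "https://login.microsoftonline.com/<aad-tenant-id>/v2.0": {
        "key": b"aad-demo-secret", "audience": "api://intune-gateway"},
    "https://<b2c-tenant>.b2clogin.com/<b2c-tenant-id>/v2.0/": {
        "key": b"b2c-demo-secret", "audience": "<b2c-app-client-id>"},
}
AAD_ISSUER, B2C_ISSUER = list(TRUSTED_ISSUERS)

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(claims, key):
    # Stand-in for an IdP minting a token; only used to build sample input.
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def validate_token(token, now=None):
    # Accept a token from either trusted issuer; raise ValueError for anything else.
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    # Unverified peek at the claims, used only to pick the issuer's key;
    # nothing in them is trusted until the signature check passes.
    claims = json.loads(_b64url_decode(payload_b64))
    issuer = TRUSTED_ISSUERS.get(claims.get("iss"))
    if issuer is None:
        raise ValueError("untrusted issuer")
    signed = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(issuer["key"], signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    # Audience is checked per issuer: a B2C sign-in token must not unlock the
    # AAD-protected (Intune) side of the app, and vice versa.
    if claims.get("aud") != issuer["audience"]:
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims
```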

Related

Azure AD B2C questions on sign-up and suitability

We plan to use Azure AD for our workforce users. We also have a few applications for our customers. The sales team usually reaches out to a specific team who creates customer accounts in our current environment.
A few questions:
a. Is Azure AD B2C the right thing to use for the customer applications? What I mean is, should we use B2C only when the application is something like a shopping application, where we are talking about a huge number of users who self-register and perform all activities?
b. We do not need self-registration, but we want our customers to verify and confirm their email address. How do we achieve that?
c. Does Azure AD B2C support accepting terms and conditions at the time of login? I know the Azure AD conditional access policy does.
d. If an on-prem application supports OAuth 2.0, is there anything that still needs to be updated in the app to integrate with Azure AD B2C? Is the integration approach any different from Azure AD?
e. Can we have more than one application in one Azure AD B2C tenant? Can we have a separate sign-up or sign-in flow for individual applications?
f. Is there a way to sync passwords from Azure AD B2C to an LDAP server? We want to use Azure AD B2C SSPR.
a) B2C is designed for any non-corporate application, i.e. users are not domain-joined. The number of users doesn't matter.
For what follows, you need to use custom policies.
b) Yes, you can have a sign-up flow that simply asks for an email and verifies it.
c) Yes, see here. There are a number of samples there. Well worth looking at.
d) It depends on what OAuth stack the on-premises app uses. Ideally, the app would use the MSAL stack. It's similar to Azure AD, but there is an extra parameter for the policy.
e) Yes and yes.
f) Yes, you can call a REST API that talks to the LDAP server. However, the out-of-the-box B2C SSPR resets the password in B2C. Not sure why you need LDAP? B2C does not support AAD Connect.

Can the MSAL API be used with B2C only - or B2B application too?

We're considering using Azure AD B2B or B2C for an SSO service. We will not be using the Azure B2B built-in SSO login page or the B2C custom-policies-based login page. We have our own custom login JSP page, which we plan to use with the MSAL Graph APIs for calling Azure AD authentication services.
Questions:
Are these MSAL APIs applicable to B2C only, or can we use them with a B2B tenant application as well? All the documents and guidance that I can take as an example use a B2C tenant app only.
If I am using MSAL OAuth 2.0 authentication services for my custom login page, I assume we don't need to rely on SAML SSO configuration. Or would it be possible to use a mix of these services (i.e. SAML for basic login authentication, MSAL OAuth 2.0 calls for self-service account registration)?
I'd appreciate it if anyone could shed some light on this.
Thanks.
B2B and B2C serve two different purposes. B2B is meant for you to invite external federated users to your directory using their own credentials, whereby you can assign them access directly to your resources. On the other hand, B2C is a separate directory where you allow users to register, optionally using their own credentials from federated providers as well. If your aim is to SSO to a local Azure AD protected resource, then clearly you're going to have to tell that resource to use the B2C directory as an IdP as well. Hence, B2B is much simpler for SSO, but a big differentiator is scale. If you plan to invite a massive number of users, then it is not a good idea to use B2B.
MSAL uses standard protocols such as OAuth 2.0 and OIDC to authenticate directly to any supported IdP, including Azure AD or Azure AD B2C. Being a guest user or not has no bearing on that process. It is also important to mention that B2C does require either a User Flow or a Custom Policy to function.
So, to answer your questions to the best of my ability:
1- MSAL libraries work similarly for both Azure AD and Azure AD B2C. There may be some configuration differences in the case of B2C, to supply additional information regarding the policy name, etc. But they work all the same.
2- MSAL itself does not support SAML authentication. For that you'll need a library which can perform SAML authentication. While Azure AD supports SAML natively, Azure AD B2C requires you to set up a custom policy to configure SAML authentication.

Azure AD B2C Authentication - Restrict to only certain customer users

I have an ASP.NET Core web application and have integrated authentication using the Azure AD B2C tenant/application. I'm able to authenticate and get the user claims in my web application.
But what I additionally want is to allow only certain customer users to access the web application. I want to do this at the B2C tenant itself. Right now any B2C customer user can sign in. Any help, ideas or insight will be appreciated.
You may know there is a "Manage user assignment for an app" feature in Azure Active Directory. But it's not available in Azure B2C.
Currently the recommended way to control access in Azure B2C is to define custom attributes and check the claims in the token.
If the expected claim is included, you allow the user to continue.

How to implement membership based access in Azure AD B2C?

I have an Azure AD B2C tenant, and with it I have implemented a sign-in/sign-up flow in multiple applications, all of which are hosted.
Among those applications, some premium applications are restricted, which means only those who bought a membership from our portal can access them. But the problem is that whoever registered with our other applications (via AD B2C) can access the premium applications too.
The B2C tenant allows all users to access all applications. How do I restrict users who do not have our membership from accessing the premium applications?
Note:
In Azure AD, the Enterprise Application option is used for role-based authorization, but I don't see an equivalent option in AD B2C.
With built-in user flows you'd probably have to do the check in the app itself. With custom policies, you could implement a validation technical profile in the login flow. But going to custom policies just for that isn't worth it, in my opinion.
As juaans mentioned, there is no direct way in built-in user flows. But there is a way which can make it easier. If the membership is stored as a custom attribute, the apps get the membership in a claim in the token. Once you have it in the token, it's a very simple check in the authorization layer of the app. I am assuming the app will be implementing some authorization, for sure.
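An added example (not code from either answer above, nor from the previous question's answer about checking claims) of that check in the app's authorization layer, once the membership is stored as a B2C custom attribute and emitted in the token. A custom attribute named "Membership" surfaces in the token as the claim `extension_Membership`; the per-app policy table, the `<...>` client-id placeholders, the sample claims and the choice to store several memberships comma-separated in that one string attribute are all assumptions made for this example. It also checks `aud` first, because B2C issues a separate token per application and a token obtained from the free app must not be accepted by the premium one.

```python
# Constructed claims, as the app sees them after the B2C sign-in middleware has
# validated the token. A custom attribute "Membership" arrives as the claim
# "extension_Membership"; keeping several memberships comma-separated in that
# one string attribute is an assumption made for this example.
REQUIRED_MEMBERSHIP = {  # assumed per-app policy: any listed membership grants access
    "<premium-app-client-id>": {"premium"},
    "<reports-app-client-id>": {"premium", "analyst"},
    "<free-app-client-id>": set(),
}

def memberships_from_claims(claims):
    raw = claims.get("extension_Membership") or ""
    return {m.strip().lower() for m in raw.split(",") if m.strip()}

def authorize(claims, app_client_id):
    """Return (allowed, reason); fails closed on anything unexpected."""
    required = REQUIRED_MEMBERSHIP.get(app_client_id)
    if required is None:
        return False, "unknown application"
    # B2C mints a separate token per app, so a token obtained by signing in to
    # the free app must not be accepted by the premium app: check aud first.
    if claims.get("aud") != app_client_id:
        return False, "token was not issued for this application"
    if not required:
        return True, "open to all signed-in users"
    if "extension_Membership" not in claims:
        # Distinguish "no membership" from "user flow is not emitting the claim".
        return False, "membership claim missing from token"
    if required & memberships_from_claims(claims):
        return True, "membership accepted"
    return False, "membership required: " + ", ".join(sorted(required))

# Constructed sample claims for two users of the same B2C tenant.
PREMIUM_USER = {"aud": "<premium-app-client-id>", "sub": "u-premium",
                "extension_Membership": "Premium, Analyst"}
FREE_USER = {"aud": "<premium-app-client-id>", "sub": "u-free",
             "extension_Membership": ""}
```

A "membership claim missing from token" denial usually means the user flow's application claims were not configured to return the custom attribute, which is worth surfacing separately from a plain "not a member".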

Azure Active Directory B2C restrict login from another device

Is there any way to restrict a user from logging in from two different devices?
Unfortunately, Azure AD B2C cannot do this.
I understand why you need this. But I think it should be configured in your application, not in Azure AD B2C. For example, you can let your application get the users' device IDs and restrict them to logging in from one device.
Actually, Azure AD B2C does cloud identity management, so it cannot collect more information from users. For security and privacy policy reasons, Azure AD B2C may not have very powerful features.
Hope this helps!