How can I manage Azure AD B2C with a service principal from the main directory - azure

We are running Azure AD B2C to authenticate users in our application. We also managed to codify almost everything with Terraform and are pretty happy with it. Now we are attempting to move these manifests under Azure DevOps Pipelines and are stuck with access problems.
Azure Pipelines use a dedicated service principal in the main (non-B2C) Active Directory to perform their operations. We granted this SP enough permissions within the target subscription to handle Terraform resources. But I cannot find any way to grant this SP any permissions on the B2C directory. I can invite users from the primary directory to the B2C directory, and it works fine, but the SP is an application, not a user.
Is there any way to "invite" an application from the primary directory into the B2C directory?

Is there any way to "invite" an application from the primary directory into the B2C directory?
If your app registration's supported account type is "Accounts in any organizational directory (Any Azure AD directory - Multitenant)", you would be able to add the same service principal in your Azure AD B2C tenant.
As you want to use the service principal in Azure Pipelines to handle Terraform resources, it is suggested to use separate service principals for Azure AD and Azure AD B2C, as authentication will be different for a service principal with the multi-tenant account support type.

Related

How should multiple environments be managed when using Azure AD B2C?

Background:
I'm building an application where I want to use Azure AD B2C to enable consumer logins. When I have previously built applications in Azure, I would have a single "regular" Azure AD tenant, and a resource group for each environment (dev, test, prod, etc.).
I have now created an Azure AD B2C tenant for development purposes, following the guidelines here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/best-practices#operations which specify that I should create a tenant for each environment.
However, now my new B2C tenant shows up as a directory in the Azure portal, implying that I have also created a new directory.
Question:
What is the common wisdom regarding multiple B2C tenants? Should I create other dev resources in the same directory as my B2C tenant? Or should I just leave the new directory be, not interacting with it except when I need to configure my B2C tenant?
Directory = Tenant.
When you create a B2C tenant, it essentially is just a directory. You connect dev apps to dev app registrations in the dev directory with dev users. Repeat for other envs. It is not treated like regular AAD; it is treated more like any other Azure resource, e.g. a VM.

AAD B2C creates a new tenant. I don't get it

I want to deploy an application on Azure. I want users to be able to authenticate in my app without a Microsoft account. This guided me to use the AAD-B2C service. I followed the tutorial shown here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-tenant expecting that this will create a new AAD-B2C Directory in my existing Directory and tenant. I had in my mind something like the following tree:
Subscription: Pay-As-You-Go
Directory: Default
Resource Group: Default-EU
Tenants: Default, Application
User Pools: Default(Internal Users), Application(External Users)
I'm not sure I understand how this works and I'm very confused. Is it possible to use external sign-ins from users that don't have a Microsoft account without creating 2 tenants and 2 directories under my subscription?
When you create a B2C tenant, there are two completely different entities that get created: the B2C Tenant Resource and the B2C tenant/directory itself.
The B2C Tenant Resource gets created in the subscription linked to the standard Azure AD tenant (Default Directory, e.g. contosocorp.onmicrosoft.com) you used to create the B2C tenant from. This resource is primarily used to change your Azure AD B2C tenant's pricing tier.
A separate tenant for your B2C directory gets created (e.g. contosob2c.onmicrosoft.com). This is an independent tenant/directory, separate from your Default Directory, and is not stored in the default tenant.
The way a subscription is linked to a standard Azure AD tenant is different from the B2C tenant. A subscription in B2C is required for Support, Billing, Custom Policies, and using the Identity Experience Framework. You cannot create resources for Static Web App, Function App, or Cosmos DB in the B2C tenant and will have to use your Default Directory for this purpose.
Azure AD B2C is different from Azure AD. So, when you create Azure AD B2C, it creates another tenant.
You need to create the Azure AD B2C tenant in the same subscription in which your application is deployed.
Create an App Registration in your Azure AD B2C tenant.
Go to your web application and select Authentication. You can add your app registration details in the identity provider.
Reference: Azure App Service Authentication (Ez Auth) with Azure AD B2C - DEV Community

Connect App in Azure with Azure AD in a different tenant

We have a static website in a Storage account with the BE in a Function App.
We would like to use Azure AD for authentication.
When I register the app, I can see 2 options:
Who can use this application or access this API?
Accounts in this organizational directory only (Single tenant)
Accounts in any organizational directory (Any Azure AD directory - Multitenant)
The issue is that the Azure AD we would like to authenticate against is in a different tenant.
So we want something in between Any Azure AD and THIS Azure AD.
Is there a way to achieve that?
Register the app in the different tenant directly with the Single tenant option.
The fact that the app is hosted in a subscription linked to another tenant does not matter.
You'll need someone who has a user account in the other tenant to register the app in that tenant or they need to give your user access there.
You can switch the tenant that you are looking at in Azure portal from the top-right.
Click your username -> Switch directory -> Select the tenant from the list.

Can we access different Azure AD directories with single Azure AD App

I am currently using an Azure AD app (Client Id and Client Secret) of one directory to get user details and Azure resources of the attached subscription through MS Graph and the Azure Management API. Now I have added one more directory and subscription under my management group. I want to know if I created a multi-tenant Azure AD app through App registration, can I access the users of the other directory? If yes, what configurations are required?
If you want to use a single Azure AD application to access different Azure AD directories, then you must configure the application as a multi-tenant application, because changing the application to a multi-tenant application allows any tenant to log in.
Next, you need to request the consent of the administrators of the other Azure AD tenants. After the administrator consents, it will be added to the other organization's tenant as an enterprise application. In addition, different tenants need to use different access tokens.
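The two answers above make the same practical point from different angles: the first suggests separate service principals for the main directory and the B2C directory, and this one notes that a multi-tenant app still needs a different access token per tenant. The following is an added example, not code from any answer on this page, that shows what that looks like in a client: one credential set per tenant, a token request built against that tenant's own endpoint, and a per-tenant token cache that refuses to file a token under a tenant other than the one named in its `tid` claim. The v2.0 client_credentials endpoint and the `tid` claim are standard Azure AD behaviour; the tenant IDs, client IDs, secrets and sample tokens are constructed placeholders, and the claim decoding reads the payload without verifying the signature.

```python
import base64
import json
from dataclasses import dataclass
from urllib.parse import urlencode

# Standard Azure AD v2.0 token endpoint; the tenant segment is what makes
# the resulting token tenant-specific.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


@dataclass(frozen=True)
class TenantCredential:
    tenant_id: str
    client_id: str
    client_secret: str


# Constructed placeholders: one credential set per directory the pipeline or
# app must reach (here a main directory and a B2C directory).  Even when a
# multi-tenant registration is shared, each tenant is still tokened separately.
CREDENTIALS = {
    "11111111-1111-1111-1111-111111111111": TenantCredential(
        tenant_id="11111111-1111-1111-1111-111111111111",
        client_id="aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
        client_secret="placeholder-secret-main",
    ),
    "22222222-2222-2222-2222-222222222222": TenantCredential(
        tenant_id="22222222-2222-2222-2222-222222222222",
        client_id="bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
        client_secret="placeholder-secret-b2c",
    ),
}


def build_token_request(tenant_id, scope="https://graph.microsoft.com/.default"):
    """Return (url, form_body) for a client_credentials request against the
    given tenant.  Raises KeyError for a tenant that has not been onboarded,
    so a token is never requested with another tenant's credentials."""
    cred = CREDENTIALS[tenant_id]
    url = TOKEN_ENDPOINT.format(tenant=tenant_id)
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": cred.client_id,
        "client_secret": cred.client_secret,
        "scope": scope,
    })
    return url, body


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unverified_claims(jwt):
    """Decode the payload only.  This does NOT verify the signature; it is
    used here solely to read the tenant routing claim 'tid'."""
    _header, payload, _signature = jwt.split(".")
    return json.loads(_b64url_decode(payload))


class TenantTokenCache:
    """Caches one token per tenant and refuses to file a token under a tenant
    other than the one named in its 'tid' claim."""

    def __init__(self):
        self._tokens = {}

    def store(self, tenant_id, jwt):
        tid = unverified_claims(jwt).get("tid")
        if tid != tenant_id:
            raise ValueError(f"token for tenant {tid!r} offered as {tenant_id!r}")
        self._tokens[tenant_id] = jwt

    def get(self, tenant_id):
        return self._tokens.get(tenant_id)


def make_sample_token(claims):
    """Build a constructed, unsigned JWT for offline demonstration only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    main_tenant = "11111111-1111-1111-1111-111111111111"
    b2c_tenant = "22222222-2222-2222-2222-222222222222"
    url, _ = build_token_request(b2c_tenant)
    print(url)
    cache = TenantTokenCache()
    cache.store(main_tenant, make_sample_token({"tid": main_tenant}))
    try:
        cache.store(b2c_tenant, cache.get(main_tenant))  # reuse across tenants
    except ValueError as err:
        print("rejected:", err)
```

Running the module requests nothing over the network; it only shows the per-tenant URL that would be called and demonstrates that a token minted for the main tenant is rejected when offered for the B2C tenant.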

Azure AD Account vs Active Directory vs Tenant

I am failing to understand the difference and use of Azure Active Directory and Tenant. Subscriptions are services running under a tenant. But I can't understand the relationship between multi-tenant subscriptions or how directories are related to tenants. Please help.
A tenant is a dedicated instance of an Azure AD directory that your organization receives when it signs up for a Microsoft cloud service such as Azure or Office 365. https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis
Each Azure tenant has a dedicated and trusted Azure AD directory. The Azure AD directory includes the tenant's users, groups, and apps and is used to perform identity and access management functions for tenant resources.