I have an existing login page. Can I integrate Azure B2C into it instead of using the login screens provided by and hosted by Azure AD B2C?
A similar question was asked 4 years ago but the answer is most likely out of date: Can I use my own UI to authenticate users with Azure AD B2C?
You could have a look at the embedded sign up / sign-in option.
"For a simpler sign-up or sign-in experience, you can avoid redirecting users to a separate sign-up or sign-in page, or generating a pop-up window. By using the inline frame HTML element, you can embed the Azure AD B2C sign-in user interface directly into your web application."
If you are really determined to use the form of your own which has nothing to do with AAD B2C then the only solution you're left with is a Resource Owner Password Credentials grant where you explicitely send username/email and password over to AAD B2C and get a token in return.
Here's docs ref: https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-ropc-policy?tabs=app-reg-ga&pivots=b2c-user-flow
Be aware though that this flow is not suitable for modern applications for security reasons and in principle should rather be used only for legacy solutions.
Related
I have a 2 application using a single AD B2C tenant. I want to logout the user from both websites when the user signs out to either one of them. I'm using email for local accounts.
In AAD, there is a LogoutUrl registered on each application which receives a GET request to users currently signed in to. Source
I wonder if there is workaround for AD B2C like in AAD.
PS: I am using this repo as reference.
Azure AD B2C doesn't support Single Log Out and we weren't able to find a workaround.
I've understood that in B2C scenarios Microsoft has assumed that IdPs are "social-media" type and considered it is not of end-users interest to be logged out of Facebook when they log out of some service to which they've authenticated via Twitter. Makes sense in that scenario.
However, in government-provided IdP scenarios it is usually a hard requirement to be able to support SLO.
We considered it to be more of a limitation by-design in B2C than technical, so we moved to using another authentication service provider that supports SLO. Apparently a wise choice as I haven't at least heard anything regarding SLO and Azure B2C as of today.
According to the documentation that is possible:
When you redirect the user to the Azure AD B2C sign-out endpoint (for
both OAuth2 and SAML protocols), Azure AD B2C clears the user's
session from the browser. However, the user might still be signed in
to other applications that use Azure AD B2C for authentication. To
enable those applications to sign the user out simultaneously, Azure
AD B2C sends an HTTP GET request to the registered LogoutUrl of all
the applications that the user is currently signed in to.
Applications must respond to this request by clearing any session that
identifies the user and returning a 200 response. If you want to
support single sign-out in your application, you must implement a
LogoutUrl in your application's code.
The suggested answer was from 3 years ago.
Please have a read here.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-behavior?pivots=b2c-custom-policy#single-sign-out
Apparently, B2C does support single sign out, but I could not get it to work despite following the steps and I'm looking for answers on SO.
I searched in google for how to add CAPTCHA in b2c signup policy. but not getting any article so for. Is there a way to add CAPTCHA inside sign-up and sign-in process of Azure B2C? or any workaround
Currently, because Azure AD B2C doesn't allow custom or third-party JavaScript, which is required for CAPTCHA, then this isn't possible.
It will be possible when Azure AD B2C does support Javascript.
The current alternative is to verify the email address for a new user during sign-up.
I am using Azure AD B2C as the authentication solution for a Dynamics CRM Portal application. So far, B2C allows customization of the sign-up experience, which i have done to customize the look and feel of the signup/signin page but I don't see any option to incorporate a CAPTCHA.
Is there any way of detecting and blocking robots during AD B2C Sign Up process ?
Other than reCAPTCHA, is there any other bot protection mechanism that can be used on the B2C Sign Up page ?
The email verification that, by default, is required during the sign-up process is meant to prevent bots from creating fake users.
As Javascript is not yet available using CAPTCHA would not be possible. Also the standard fallback for these services "iFrames" would also be stripped by the B2C UI. However it does use the standard AAD account lockout password policy
"After 10 unsuccessful sign-in attempts with the wrong password, the user is locked out for one minute. Further incorrect sign-in attempts lock out the user for increasing durations of time"
I created a B2C AD in my developer account on Azure.
In this environment I have users created in my personal AD, and users in AD B2C (where the user can log in with: twitter and facebook).
I found an ASP.NET project that logs in to these two ADs, but with two types of logins, one for normal AD and one for AD B2C. And from what I've researched, the only way to log in to these two different ADs is this way.
Does anyone know of a way to make a single login in these two ADs?
You could do it now with custom Azure AD B2C policies. It is however quite an advanced scenario.
Using them you could put all authentication behind B2C. User could choose to sign in against your Azure AD or through Twitter or Facebook on the B2C sign-in page instead of your application.
Custom policies: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-overview-custom
Documentation on using Azure AD as a provider in B2C: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-aad-custom
GitHub repo with examples: https://github.com/Azure-Samples/active-directory-b2c-advanced-policies
Thanks for the quick response.
I tried to do this but could not find the settings needed to put Twitter, Google and Microsoft. For Facebook and other AD worked.
I found a post, that Microsoft will soon make available an "Identity Provider" to validate the user in another AD.
For now, I'll put two Sign-in in my application, one for the company's AD and another for the B2C AD.
I am now looking for a way to get the user's profile in AD (Name, First Name, Last Name, Job Title, Departament, ....).
Once this is done, I'm going to make a DEMO and publish it to github, I think this will help a lot of people.
I would like to have the administrator of my app create users in Azure AD B2C and then have Azure AD B2C send a passwordless link to the user via email or pass me the link so that I can send it via email. Is this possible via the existing service or API?
This article helps explain the concept using Auth0:
https://auth0.com/docs/connections/passwordless/regular-web-app-email-link
I asked Swaroop Krishnamurthy (#swaroop_kmurthy) this same question via Twitter and received this response from him on 9/8/2016, "#keithdholloway this is on our roadmap but a bit further out than the near term."
No.
There is no support for this, developer must use AD B2C Policy for Authentication, always via a WebView.
I went to a meetup yesterday about Azure AD B2C Custom Policies. I asked the speaker if he knew if they could handle passwordless login, like entering your email address on an MFD then getting a popup on your mobile app to approve/deny but he wasn't sure. Later on he sent me Azure Active Directory B2C: Custom CIAM User Journeys - Multi factor authentication enhancements. From this it looks like Azure AD B2C: TOTP multi-factor authentication may have some useful examples.