Azure B2C user flow does not show any Application - azure-ad-b2c

Just registered the first app in Azure B2C and a first User Flow.
To check the flow I clicked "Run user flow" but all fields and drop downs in the popup are empty.
Shouldn't there be at least the one app registered in the drop down?

When registering the application using Azure AD B2C > App Registrations > +New Registration, you need to select the option Accounts in any identity provider or organizational directory (for authenticating users with user flows) under Supported account types section as highlighted below:
If you select one of the other two options during app registration, the application will not be listed in the drop down when you click on "Run user flow".

Related

Azure AD B2C not showing logins for custom app

Currently using Azure AD B2C as our authentication provider and we have a requirement to access logs of all user login activity for our custom application.
If I navigate to the B2C portal, Users>Sign-in logs I only see sign ins for Application of type "Azure Portal"?
Is there anything that needs to be enabled for a custom app registered in the "App registrations" section to see this activity?
You can't see user sign-ins for individual Azure AD B2C applications under the Users section of the Azure Active Directory or Azure AD B2C pages in the Azure portal. The sign-in events there show user activity.
As a workaround, you can check the user logins to your custom app by filtering on the Application Name:
Azure AD B2C -> Users -> Sign-in logs
as I have shown in the picture below.

Assigning a user flow to an application

How does one assign a specific user flow to an application in Azure AD B2C? I am able to create one, but I can't figure out how to assign it to a specific registered application.
User Flows in Azure AD B2C can be executed against any Application Registration that is registered as a B2C application registration. You can see all the App Registrations that are available to execute your User Flow against the list of Apps in the 'Run Now' menu.

Azure App Service Multi-Tenant functionality Not Actually Working

I followed these steps in an attempt to create an Azure App that allows login from multiple Azure AD Tenants:
Create a new App Service and turn on Authentication
1) In Azure Portal: I created a brand-new empty Azure App Service and dialed its URL up in my browser to be sure it was working properly.
2) I navigated to my new App Service, then the "Authentication / Authorization" blade.
3) I turned On the "App Service Authentication" switch.
4) I chose "Log in with Azure Active Directory" from the "Action to take when request is not authenticated" dropdown.
5) Under "Authentication Providers" on the same blade, I clicked on "Azure Active Directory", which navigated me down to the "Azure Active Directory Settings" blade.
6) Within this blade, I selected "Express" on the "Management Mode" radio button. Selection of Active Directory was grayed-out but it was the one I wanted to use -- the current one.
Create a new Azure AD App that's associated with my App Service
7) I clicked on "Azure AD App" and it prompted me to create an Azure AD App, which by default had the same name as my App Service name, so I kept it.
8) Still on the "Azure Active Directory Settings" blade, I clicked the "Manage Application" button under the "Manage Azure Active Directory Application" heading. I was navigated one more blade down, where the heading was the name of the Azure AD App I just created.
9) Once here, I clicked the "Settings" button, then "Properties" in the Settings blade.
10) Within "Properties" I set the "Multi-Tenanted" radio button to "Yes".
11) Also within "Properties": as is said to be required for multi-tenant to work: I also changed the "App ID URI" to something unique, and also from a Verified URL within my organization. In my case I used:
https://<MyTenantName>.onmicrosoft.com/login-ProofOfConcept
Test the Security Functionality
12) With everything presumably set up, I first tried logging-in to my new application with a user that existed within my current B2C Tenant. I dialed the URL up for my App Service, I got prompted by microsoftonline to Authenticate, I authenticated, and then I got straight into my application with no problem.
Here's The Problem
13) Then, I logged-out and tried to login again -- but this time as a user that's in another Azure AD, which is just one I spun-up under my personal gmail account. I was expecting it to "just work" but after I authenticated as this other user, this error was displayed onscreen:
AADSTS50020: User account 'MyUserName@gmail.com' from identity provider 'live.com' does not exist in tenant '[MyTenantName]' and cannot access the application '[MyApplicationGUID]'([AzureADApplicationName]) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
This is precisely the behavior I was hoping to avoid by enabling Multi-Tenant. I was hoping that it would just "login" this user, who is the member of an existing Azure AD. Is there a configuration-step I missed?
I think you're maybe looking at Azure AD B2B here, whereby you need to invite the non-Azure AD user first: see this learn.microsoft.com reference.
Assuming you have the default settings, which allow all users to invite non-Azure AD users to access (in this instance) an app, invite your second user @hotmail and then try to log on; see this learn.microsoft.com reference.
If you want anyone from @hotmail to be able to log into your app, consider using Azure AD B2C; see this learn.microsoft.com reference for more details.

Remove Granting explicit consent using the "Grant Permissions" button in azure AD

When an app is registered in Azure AD, to give permission to the app we can grant consent to an application's delegated permissions on behalf of all the users in your tenant by clicking the "Grant Permissions" button. How do I undo this permission once it is given? Or can't it be undone from the Azure portal once it is clicked? I am confused, as the button is always the same color and always asks the "Do you want to grant..." dialog, and "No" doesn't undo the action.
Revoking tenant-wide consent can be done through the Azure Portal.
See here: Revoking Consent for Azure Active Directory Applications

Using the Azure Portal to Remove Tenant Wide Consent

If you are a tenant administrator, and you want to revoke consent for an application across your entire tenant, you can go to the Azure Portal. Whether it be for a bunch of users who individually consented or for an admin who consented on behalf of all the users, by simply deleting the application's service principal, you will remove all delegation entries (the object used to store consent) for that application. Think about removing the service principal like uninstalling the application from your tenant.

You could delete the service principal a bunch of different ways, like through Azure Active Directory PowerShell or through the Microsoft Graph API, but the easiest way for the average administrator is right through the Azure Portal.

Navigate to the Enterprise Applications blade in the Azure portal. Then click "All Applications" and search for the application you want to revoke consent for. When you click the application, you will be brought to an "Overview" section, where a tempting button called "Delete" will be at the top. Before you click this button, you might want to take a peek at the "Permissions" section to see the types of consent that were granted to this application. Once you feel confident that you want to delete this application, go back to "Overview" and click "Delete"!

Voila! The app and all consent associated with that app is now gone.

There are some screenshots included in the actual blog post.
I hope this helps!
As @Shwan Tabrizi said, you can follow the blog's approach to remove the app from Enterprise applications, because once you click the Grant Permissions button, the app is automatically added to Enterprise applications and permissions are assigned to users. You can also choose which users to remove permissions from, as follows:
1. Sign in to the Azure portal with an account that's a global admin for the directory.
2. Select More services, enter Azure Active Directory in the text box, and then select Enter.
3. On the Azure Active Directory - directoryname blade (that is, the Azure AD blade for the directory you are managing), select Enterprise applications.
4. On the Enterprise applications blade, select All applications. You'll see a list of the apps you can manage.
5. On the Enterprise applications - All applications blade, select an app.
6. On the appname blade (that is, the blade with the name of the selected app in the title), select Users & Groups.
7. On the appname - User & Group Assignment blade, select one or more users or groups and then select the Remove command. Confirm your decision at the prompt.
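The two answers above describe the same objects from the portal side: consent lives on the application's service principal as delegated permission grants, and the "Users & Groups" entries are app role assignments. The script below is an added example, not code from either answer or from the blog post quoted; it does the same review, per-user removal, and full revocation with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, the signed-in account is a Global Administrator, and the display name and user principal name at the top are placeholders you replace.

```powershell
# Added example: review and revoke consent for one enterprise application via Microsoft Graph PowerShell.
# Placeholders below are assumptions for this example, not values from the question.
$AppDisplayName = 'Contoso Demo App'               # placeholder: name shown under Enterprise applications
$UserToRemove   = 'alex@contoso.onmicrosoft.com'   # placeholder: UPN of one assigned user
$Action         = 'Review'                         # 'Review' | 'RevokeAdminConsent' | 'RemoveUser' | 'DeleteApp'

Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'DelegatedPermissionGrant.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All', 'User.Read.All'

# The service principal is the tenant-local instance of the app (what the portal lists under
# Enterprise applications). Consent and assignments hang off it, not off the app registration.
$sp = @(Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'")
if ($sp.Count -ne 1) { throw "Expected exactly one service principal named '$AppDisplayName', found $($sp.Count)" }
$sp = $sp[0]

# Delegated consent is stored as oAuth2PermissionGrant objects, one per client/resource/consentType:
#   AllPrincipals = an admin consented on behalf of every user (the "Grant Permissions" button)
#   Principal     = a single user consented for themselves (PrincipalId says who)
$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All

# App role assignments are the entries on the "Users & Groups" blade (step 6 above).
$assignments = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All

switch ($Action) {
    'Review' {
        # Same information as the portal's "Permissions" section, printed before deleting anything.
        foreach ($g in $grants) {
            $resource = Get-MgServicePrincipal -ServicePrincipalId $g.ResourceId
            '{0,-14} {1,-30} {2}' -f $g.ConsentType, $resource.DisplayName, $g.Scope
        }
        $assignments | Select-Object PrincipalDisplayName, PrincipalType, CreatedDateTime
    }
    'RevokeAdminConsent' {
        # Removes only the tenant-wide grants; per-user consent and assignments stay intact.
        $grants | Where-Object ConsentType -eq 'AllPrincipals' | ForEach-Object {
            Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id
        }
    }
    'RemoveUser' {
        # Equivalent of step 7 above: unassign one user without touching anyone else.
        $user = Get-MgUser -UserId $UserToRemove
        $assignments | Where-Object PrincipalId -eq $user.Id | ForEach-Object {
            Remove-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -AppRoleAssignmentId $_.Id
        }
    }
    'DeleteApp' {
        # Equivalent of the portal's "Delete": removing the service principal drops every grant and
        # assignment for the app in this tenant. -WhatIf only previews; remove it to actually delete.
        Remove-MgServicePrincipal -ServicePrincipalId $sp.Id -WhatIf
    }
}
```

Run it once with $Action left at 'Review' and keep the output: after a deletion the grants are gone, so the review listing is the only record of what scopes the app held. The 'RevokeAdminConsent' branch is the narrower fix for the question as asked (undoing the "Grant Permissions" click) and leaves users who consented individually untouched.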

Multi Tenant Azure AD apps not visible in Office 365 My Apps Launcher

I have two Office 365 tenants, one for Production and one for Testing.
I can see in manage.windowsazure.com my two Active Directories.
I noticed the following behavior when creating multi tenant user consent application.
When a multi tenant Azure AD application is registered in Azure AD 'X' then, this app is not available in the "My Apps Launcher" for Office 365 users in tenant 'X'. On the other hand, the app is accessible in launcher (after pinning it from 'View all my apps') for all users and tenants except 'X'.
Is that an expected behavior?
I think only apps that the user is assigned to show up in the Office portal.
If you create the app in your tenant, admin consent is applied automatically in your tenant, meaning that all users automatically get consented to it but none of them get assigned.
On the other hand, what you've been testing with users from another tenant is user consent, which consents just that user to the app, and also assigns them to it.
If that other tenant went through admin consent (by adding prompt=admin_consent to the login.microsoftonline.com), you'd see the same behavior as your tenant where everyone gets consented but no one assigned, and therefore no one would (by default) see it in the Office portal.
To have it show up in the case of admin_consent (whether it's in your tenant or some other one) you need to:
Go to the classic Azure portal and navigate Azure AD and your app.
Once in your app's Azure AD page, select Users & Groups
Select "All Users" from the Show filter and click on the check mark.
Select a user and click on the button at the bottom that says "Assign".
Doing that should make your app show up for that user in the Office Portal.
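The answer's distinction between a user being consented and being assigned can be checked directly, and the manual "Assign" step has a scripted equivalent. The block below is an added example, not code from the answer: it reads the app's delegated permission grants to tell admin consent from user consent, checks whether the user holds an app role assignment for the app, and creates one if not. It uses the Microsoft Graph PowerShell SDK with an administrator account, and the display name and user principal name are placeholders.

```powershell
# Added example: distinguish "consented" from "assigned" for one user, then assign the user
# to the app so it appears in the My Apps launcher. Placeholders are assumptions for this example.
$AppDisplayName    = 'Contoso Demo App'               # placeholder
$UserPrincipalName = 'alex@contoso.onmicrosoft.com'   # placeholder

Connect-MgGraph -Scopes 'Directory.Read.All', 'AppRoleAssignment.ReadWrite.All', 'User.Read.All'

$sp = @(Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'")
if ($sp.Count -ne 1) { throw "Expected exactly one service principal named '$AppDisplayName', found $($sp.Count)" }
$sp   = $sp[0]
$user = Get-MgUser -UserId $UserPrincipalName

# Consent: an 'AllPrincipals' grant is admin consent (everyone consented, nobody assigned);
# a 'Principal' grant naming this user is user consent (the user consented and was assigned).
$grants         = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All
$adminConsented = [bool]($grants | Where-Object ConsentType -eq 'AllPrincipals')
$userConsented  = [bool]($grants | Where-Object { $_.ConsentType -eq 'Principal' -and $_.PrincipalId -eq $user.Id })

# Assignment: an appRoleAssignment on the user whose resource is this service principal.
$assignment = Get-MgUserAppRoleAssignment -UserId $user.Id -All | Where-Object ResourceId -eq $sp.Id

"Admin consent: $adminConsented  User consent: $userConsented  Assigned: $([bool]$assignment)"

if (-not $assignment) {
    # The all-zero GUID is the default access role every service principal accepts, so this
    # works even for apps that define no app roles of their own.
    New-MgUserAppRoleAssignment -UserId $user.Id -PrincipalId $user.Id -ResourceId $sp.Id `
        -AppRoleId '00000000-0000-0000-0000-000000000000' | Out-Null
    'Assigned; the app should now appear in My Apps for this user.'
}

# A second reason an assigned app stays out of the launcher: the "Visible to users" switch,
# which is stored on the service principal as the HideApp tag.
if ($sp.Tags -contains 'HideApp') { 'Note: this app is set to hidden in My Apps (HideApp tag).' }
```

The first line of output is the useful diagnostic: an app created in your own tenant typically shows admin consent true, user consent false, assigned false, which is exactly the "consented but not assigned" state the answer describes. Assigning a group instead of one user works the same way with New-MgGroupAppRoleAssignment.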
