I have a Web API that is registered in an Azure AD B2C directory, secured by tokens from that same directory. To do that I have created an Application and created a scope.
I have a 3rd party that would also like to use this AD for their audience, who will access some of my API on behalf of the guest.
I wanted to create a new scope for this purpose and have the AD prompt the guest to allow the application to access their data on their behalf.
For some reason, when I create a scope I am only given the option of "Admin Consent". The "User Consent" fields that are shown in so many blog posts and instructions are not showing for me.
I have tried to register the 3rd Party Applications and API Applications in both the B2C blades and the AAD blades of the Azure Portal but the result is always the same.
Is there a Property or setting somewhere that needs to be ticked in order to enable User Authorized scopes?
There’s no such thing as OAuth2.0 consent in AAD B2C, only Admin consent is offered, as it’s aimed for your first party apps.
The user consent screens you’re seeing online are in regards to Azure AD, not AAD B2C.
For service partner integration, you can follow this example to create such a consent. https://github.com/azure-ad-b2c/samples/blob/master/policies/service-consent
Related
Per the docs, there is no 'out of the box' way to enable Azure AD B2C users to interact with the M365 environment associated with the Azure AD tenant that was used to create the Azure AD B2C tenant.
Azure AD B2C can't be used to authenticate users for Microsoft 365.
Source:
Can I use Azure AD B2C to provide social login (Facebook and Google+) into Microsoft 365?
But I still need to be able to provide this functionality, i.e GET and POST requests to M365 via the Graph API.
To be clear, this is what I have achieved so far:
Azure AD B2C users can login
Azure AD users can login and interact with their own M365 environment via Graph API
(to enable this, I added the Azure AD tenant as an identity provider, per this article)
What I have not yet been able to figure out is:
How can the Azure AD B2C users interact with the M365 environment associated with the Azure AD tenant?
(that created the Azure AD B2C tenant)
To illustrate a use case for this requirement:
Company_A wants to enable external contractors to be able to submit compliance documents to them
They set up Azure AD B2C and create accounts for their external contractors
They set up a Node.js/Express web app on Azure
External contractors can now login to a web app and view forms designed to submit data and attachments
How can those forms send data and attachments to a Document Library in Company_A's M365 environment?
I have been pondering this issue for a while and can't conceptualise a mental or technical model of how this can be achieved.
Google searching related phrases doesn't produce any relevant content.
I am hoping someone will have the knowledge and experience to be able to say:
You will need to follow THIS paradigm which is documented HERE and involves doing THIS
Edit:
I am reading articles like these:
Get access without a user
which talks about scenarios where:
apps that have a signed-in user present may also need to call Microsoft Graph under their own identity
and contemplating adding Application Permissions (as opposed to Delegated Permissions) to my Azure AD B2C application registration.
Just to test the idea, I have added Sites.ReadWrite.All as an Application Permission and granted Admin Consent for that permission. How would I define this scope (Sites.ReadWrite.All) to be associated with the 'home' Azure AD tenant (as opposed to the Azure AD B2C tenant)? I am using msal-node which has a method named getAuthCodeURL() where you pass through the scopes required. I am assuming if I just added Sites.ReadWrite.All it would default to being applied to the Azure AD B2C tenant, rather than the desired Azure AD tenant?
M365 doesn’t exist in an Azure AD B2C tenant, you cannot apply a license for Office there. This simply isn’t possible.
For Graph API, you cannot use B2C issued tokens to call it. You must use underlying AAD Tokens to access it. Your server would need to perform Azure AD client credentials flow against the Azure AD endpoint of your AAD B2C tenant and ask for a token to Graph API. https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow
Microsoft service scopes only apply to the underlying Azure AD endpoints of your AAD B2C tenant. They won’t mean anything at the AAD B2C login endpoints. Hence, the differentiation is made by the endpoint used.
An Azure AD B2C tenant has both endpoints:
AAD: login.microsoftonline.com/tenantId
B2C: b2clogin.com/tenantId
Since M365 env does not exist for B2C tenants, the MS Graph API is only useful to R/W user data. But, for this, you could just use the B2C user flows to R/W user profile data, and return user profile data into the B2C token, so you don’t have go call MS Graph API. This is actually the intended usage pattern.
I am trying to setup Azure AD integration with our partner identities. I have few providers that I need to support and they support SAML and WS-Fed. I am trying to use Azure AD External Identities to add these providers to my Azure AD tenant.
However, reading through this article, it seems like SAML integrations are invitation based.
I want users to be able to login without an invitation. How can I do this with Azure AD?
Here are my needs:
After adding the external idp, users should be able to login using their own credentails via their idp. No additional information needed to use an app.
I should be able to grant them access to custom apps (mandatory) and azure resources (optional)
Choose what idp's are allowed per app? (if possible)
Thanks in advance.
Question 1: After adding the external idp, users should be able to login using their own credentials via their idp. No additional information needed to use an app.
Answer:
We can implement Guest users redemption using direct link or a common endpoint instead of email invitation. A guest user clicks the app link, reviews and accepts the privacy terms, and then seamlessly accesses the app.
Using Common endpoint : Guest users can now sign in to your multi-tenant or Microsoft first-party apps through a common endpoint (URL), for example https://myapps.microsoft.com. Previously, a common URL would redirect a guest user to their home tenant instead of your resource tenant for authentication, so a tenant-specific link was required (for example https://myapps.microsoft.com/?tenantid=). Now the guest user can go to the application's common URL, choose Sign-in options, and then select Sign in to an organization. The user then types the name of your organization.
Using Direct Link: As an alternative to the invitation email or an application's common URL, you can give a guest a direct link to your app or portal. You first need to add the guest user to your directory via the Azure Portal or Powershell Then you can use any of the customizable ways to deploy applications to users, including direct sign-on links. When a guest uses a direct link instead of the invitation email, they’ll still be guided through the first-time consent experience.
Reference:
Add B2B guests without an invitation link or email - Azure AD
Invitation redemption in B2B collaboration - Azure AD
Question 2 : I should be able to grant them access to custom apps (mandatory) and azure resources (optional)
Answer: Add the Users as Guest to Azure active Directory but by default they will be sent an invitation even if they don’t open it you can assign an app in your enterprise application for them to use .
Most federated applications that support SAML 2.0, WS-Federation, or OpenID connect also support the ability for users to start at the application, and then get signed in through Azure AD either by automatic redirection or by clicking on a link to sign in. This is known as service provider-initiated sign-on, and most federated applications in the Azure AD application gallery
Reference:
End-user experiences for applications - Azure Active Directory
Quickstart: Add guest users in the Azure portal - Azure AD
To Provide the Guest user access to azure resources you can manually add a role to the users.
Question 3: Choose what idp's are allowed per app?
Answer: Create different user flows and add desired IDPs to the user flows and then assign applications registered in Azure AD to the user flows depending on which IDPs are needed for given application.
Reference:
Add a self-service sign-up user flow - Azure AD
Question 4: I added Okta as an External Identity using SAML in my Azure AD. Created an "App Registration" as multi-tenant. But I am getting this error.
AADSTS50020: User account 'xxx' from identity provider 'http://www.okta.com/xxxxx' does not exist in tenant '' and cannot access the application '0000000c-0000-0000-c000-000000000000'(Microsoft App Access Panel) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
Solution: Please Ensure User is added to one of the Partner Admin Groups i.e. AdminAgents in the Partner tenant.
Reference:
Manage Auth access for cloud solution providers.
Question 5: Steps for setting self service signup for an application.
Test Scenario in my Lab
Azure AD with an application registered in application registrations blade.
Another AD tenant with users.
Step 1: In the above external identities collaboration settings please make sure to have enable guest user self service enabled.
If it is not enabled then you can’t create a self service flow and you will get the below error when a user from other tenant is trying to access the app.
Step 2: Create a user flow by going to the user flow blade and creating a new flow.
Step 3: After you have created the user flow , click on the User flow and go to application blade and click add application.
Now search for the application you want to provide the self service signup to and click on select and you will have now enable the self service sign up for users when they try to access your application.
Output:
Once the above settings are done you can access the url to your app. Provide the user of the different ad tenant and you will get output as below .Click on create a new one .
Once the user from other AD tenant have accepted it they are successfully registered as guest users in your tenant.
If they accept the above then they will be able to access the app from now as a guest.
I have an ASP.Net core web application and integrated authentication using the Azure AD B2C Tenant/Application. I'm able to authenticate and get the user claims in my web application.
But what I additionally want is to allow only certain customer users access the web application. I want to do this at the B2C Tenant itself. Right now any B2C customer user can sign in. Any help, ideas, insight will be appreciated.
You may know there is an Manage user assignment for an app feature in Azure Active Directory. But it's not available in Azure B2C.
Currently the recommended way to control the access in Azure B2C is defining custom attributes and check the claims in token.
If the expected claim is included, you allow the user to continue.
Log into Azure B2C
Click Users
Select a user
Click Applications
I created users in my B2C tenant by logging into my website using various OAuth identity providers. So for any user selected using the above steps I expect to see at least one application listed - that being the one the user signed into when their user record was created in Azure.
When I perform the above steps I only see applications listed under my own user name. I created all the users I see in my tenant so I know there should be apps listed with each user name.
More formally stated my questions are:
Given an Azure AD Application, how do I get a list of users that are authorized to log into that app?
Given an Azure AD User, how do I get a list of applications that user is authorized to log into?
I would like to accomplish the above tasks using Azure portal - I don't want to write script. Also, my purpose in asking these questions is to be able to delete or disable users as needed.
Azure AD B2C does not hold a mapping of Users who signed into an App to a specific Application Registration. By default, all users are authorized to sign into your apps if you have OAuth IdPs configured against the AAD B2C policy that allows authentication to your App.
You can use the AAD B2C Sign In logs to see which users have been logging into what applications.
Assigning or not assigning Users to Apps in the Azure Portal does not enforce any authorization, this is an Azure AD only concept and doesnt apply to Azure AD B2C.
The process you followed(Users->select user->application) will only be able to see the applications listed under your tenant.
In the same manner when you choose an application and select the users/Groups you will only be able to see the users who have accessed your application.
Based on application/user->application you can remove the access from that application.
Regarding the
Given an Azure AD Application, how do I get a list of users that are
authorized to log into that app?
Given an Azure AD User, how do I get a list of applications that user
is authorized to log into?
The list of users/application authorized details are completely depend on the application consent flow.
Application developers can dictate what types of permissions are being requested and if they want to guide users through the user consent flow or the admin consent flow. If the application is provided with user consent flow based on the consent acceptance any user can access that particular application.
Admin consent flow is when an application developer directs users to the admin consent endpoint with the intent to record consent for the entire tenant. Application access grant to the requested data on behalf of the entire tenant.
For more details on the consent and permission please go through the document
Let's say there is a web application in some other Azure AD directory configured for multi-tenant access.
When I try to use it, after authenticating it will present a consent page asking if app can access by profile data etc. After I accept, application spn's get provisioned in my Azure AD directory.
My question is, can this consent flow be completed/accepted using graph api's programatically instead without needing interactive process?
As far as I know, there is no such API we can grant the consent for the permission. However it is able to grant the consent for the all organization using the parameter prompt=admint_consent.
Refer here about more detail about this paramter.