I am wondering if it is possible to let's say connect the Azure AD with the Azure B2C, in order that the Azure AD users are able to login in my custom policy. I already implemented one, including MFA.
I was reading this article, but I am not sure if it is the right way. If so, I see I have to specify the client-id. What if I have more than one application using this policy, do I have to create a policy for each one?
The linked approach is correct. You specify a clientId which represents AADB2C user-flow/custom-policy as an “Application” to the AAD IdP. So this relationship can be used per AAD B2C user-flow/custom-policy or shared across all your custom policies and user flows.
It can be useful to have separate registrations at AAD so that you could target them individually for conditional access.
Related
I have an Azure AD B2C tenant and with that i have implemented sign-in/sign-up flow in multiple applications and all are hosted.
In those applications some premium applications are restricted which means who bought some membership from our portal can only access it but the problem is whoever registered with our other applications (via AD B2C) can able to access the premium applications too.
The B2C tenant allows all users to access all applications. How to restrict some users who not having our membership from accessing premium applications?
Note:
In Azure AD, Enterprise Application option used for Role Based Authorization but i dont see equivalent option in AD B2C.
With built-in user flows you'd probably have to do the check in the app itself. With custom policies, you could implement a validation technical profile to the login flow. But going to custom policies just for that isn't worth it in my opinion.
As juaans mentioned, there is no direct way in built-in user flows. But there is a way which can make it easier. If the membership is stored as a custom attribute, the apps get the membership in a claim in the token. Once you have it in the token, its a very simple check in the authorization layer of the app. I am assuming app will be implementing some authorization for sure.
Is It possible to create a multi step sign up custom policy in azure ad b2c ?
I mean I need to capture personal details and verify them against my database if valid? Then second page to create a username and password and store them in azure active directory.
Since I already have a design implemented for these pages I don't want to change this by using ad b2c.
Please help.
Yes, this is possible, see the Wingtip sample for Azure AD B2C custom policies which contains a sign-up or sign-in policy that includes multiple orchestration steps.
You will have to validate the personal details via a REST API.
I am using B2C custom policies, to get a third party token and then creating an Azure AD B2C token with that, which contains the claims of the third party. I am using ClaimsEndpoint in the Technical Profile in the policy.
The problem I am facing is, that I need multiple claims, and I can't obtain all of them using a single value of 'ClaimsEndpoint', and I need to specify multiple of those in my policy.
I couldn't find any relevant way to do so. Is there any way of doing that, using Azure AD B2C ?
I am trying to cater for a broad set of auth and identity management requirements, homogenizing this area of functionality across different legacy applications, and looking into Azure AD B2C as an option.
It seems as though there may be a need for maintaining contact information on a group. For example, we may need to group users according to their 'reseller,' and we may wish to have additional info about the reseller within Azure AD B2C.
Is this possible in AD B2C?
It is possible to add custom attributes to a group in Azure AD B2C using the same mechanism that's available in regular Azure AD via the Azure AD Graph: Directory schema extensions.
Note that while you can use groups in Azure AD B2C, sending group claims in the token isn't yet supported, so you'll need to make a separate call to the Azure AD Graph to obtain a user's group membership and details about the group. You can always vote for this ask in the Azure AD B2C feedback forum: Get user membership groups in the claims with AD B2C
We are designing an application which will be used by client's employee, some of their vendors and consumers as well. All of these three types of user will have the different set of rights.
We were analyzing the Azure AD and found that Azure B2B can be used for employees and vendors whereas B2C can be used for consumers. So, we need both of them. Can we setup our application in such a way that if can authenticate from B2B and B2C both? Or any other suggestion to implement this.
Thanks In Advance
You can totally setup an app to authenticate with multiple directories.
Setup one Azure AD that will be used by employees, where partners can be added through B2B. Then also setup a B2C directory for the customers.
On your app side you need to display a choice for the user: if they want to sign in as an employee/partner or as a customer. Then you redirect to the correct sign-in page.
You'll need to define the app twice, once in both directories.
The actual implementation will vary based on your tech stack, but in ASP.NET Core you would need to setup multiple Open ID Connect middleware. And none of them can use AutomaticChallenge, as you do need to know where to redirect the user, you can't really choose for them.
Update to B2C allows you to do it all from there now
Azure AD B2C now allows custom policies (preview feature). This means you can use any OpenId Connect provider for sign-in, including Azure AD of course.
This new feature allows you to:
Create a B2C tenant with custom policy for employee/partner login through Azure AD
Send all users to authenticate with your B2C tenant
Users can choose if they want to sign in with social accounts or if they are an employee or partner
If they choose to sign in as employee or partner, they would be redirected to your Azure AD
In the end your app gets a token from B2C telling where the user signed in, so you can then do authorizations based on that info