Azure B2C Invite Consumer Users & Retrieve User Permissions - azure-ad-b2c

Can someone provide a general approach to meeting these requirements? I've spent a bit of time researching these various topics and attempting to implement solutions and I'm surprised at how much work is involved. Hopefully I'm missing something.
How do I invite consumer users to a B2C tenant so that they can authenticate into our application using their social accounts (ex: Personal Microsoft or Google accounts)? The only baked in solution on the Azure Portal I've found uses B2C local accounts. Note that I do not want to use a publicly accessible Sign Up flow.
Presently I'm looking into a custom process that would work by inviting users to a 'local' b2c consumer account and then allowing the user to associate their social account with the local account.
Once users have authenticated (using MSAL v2 Auth Flow w/PKCE), I want to retrieve a list of permissions the user has for our application.
I'm looking into two options here:
(1) use the auth token to verify user against an internal API that, in turn, makes a call to the Microsoft Graph API to get the user's group memberships.
(2) Create a custom claim that serves the same purpose as user groups
Administrative users of our application need to be able to invite additional users to the application.
I've found some articles that point, again, to using custom policies.
Thank you very much!
EDIT #1 -
Looking into using B2C & Microsoft Graph API I came across some decent, and recent, MS Resources:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/microsoft-graph-operations
And this important-to-me statement -> Microsoft January 28th, 2021:
"Although the OAuth 2.0 client credentials grant flow is not currently directly supported by the Azure AD B2C authentication service, you can set up client credential flow using Azure AD and the Microsoft identity platform /token endpoint for an application in your Azure AD B2C tenant. An Azure AD B2C tenant shares some functionality with Azure AD enterprise tenants."
I'll update my post when I find a solution. Thanks again!

You need to use custom policies.
For first bullet point, see my sample:
https://github.com/azure-ad-b2c/samples/tree/master/policies/link-local-account-with-federated-account
You could do either option. For option 1, AAD B2C can call your API, which can call the Graph API to fetch groups. Then embed the info into the token. For option 2, you could write a role value to an extension attribute and return it in the token.
To invite users, you could use the invite sample. Essentially, make an app that calls an API to generate these invite links and send those to the user's email. The user clicks the link, which allows them to complete their sign-up.
https://github.com/azure-ad-b2c/samples/tree/master/policies/invite
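
The invite flow described in the answer above depends on a link that only the application can mint. As an added example (not part of the answer and not the linked sample's code), this sketch issues a generic HMAC-signed, expiring, single-use invite token bound to one email address; the key, the redeem URL and the in-memory store of used IDs are assumptions, and the sample's own token format may differ.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import parse_qs, urlencode, urlparse

SECRET = b"constructed-demo-key"               # assumption: server-side secret from a vault
REDEEM_URL = "https://app.example.com/redeem"  # hypothetical endpoint
_used = set()                                  # stand-in for a persistent store of used IDs

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(body: str) -> str:
    return _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())

def create_invite_link(email, invite_id, ttl_seconds=86400, now=None):
    """Mint a link binding the invite to one email address and an expiry."""
    now = time.time() if now is None else now
    claims = {"email": email.lower(), "jti": invite_id, "exp": int(now) + ttl_seconds}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return REDEEM_URL + "?" + urlencode({"invite": f"{body}.{_sign(body)}"})

def redeem_invite(link, now=None):
    """Return the invited email, or raise ValueError if the link must be refused."""
    now = time.time() if now is None else now
    token = parse_qs(urlparse(link).query).get("invite", [""])[0]
    body, _, sig = token.partition(".")
    # Verify the signature before parsing anything inside the token.
    if not hmac.compare_digest(sig.encode(), _sign(body).encode()):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if now >= claims["exp"]:
        raise ValueError("expired")
    if claims["jti"] in _used:
        raise ValueError("already used")
    _used.add(claims["jti"])  # single use: a replayed link is refused
    return claims["email"]
```

The email returned by `redeem_invite` is the only address the sign-up step should accept for that invite, which is what keeps the flow from becoming a public sign-up.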

Related

Role based authorization with Azure ADB2C having mobile app(Xamarin Forms IOS app) as a client

We have a scenario where a mobile app (Xamarin Forms iOS app) logs into Azure AD B2C and generates a JWT token if the user is a valid user (the user is configured in Azure AD B2C). We have a requirement where we need to generate a token based on the role, i.e. based on the role with which the user logs in, we want to generate a token, and we are trying to use that token in subsequent Web API calls.
The articles we found on this particular scenario had a web application as the client, where some mechanism of secrets was explained. In the mobile app client scenario, it's not possible to have secrets.
We followed the article mentioned below, but couldn't get any concrete information either:
https://codemilltech.com/adding-authentication-and-authorization-with-azure-ad-b2c/
Any pointers on this particular scenario would be very much helpful to us.
Thanks!
There is no out-of-the-box support for RBAC / Roles in Azure AD B2C. However, there are a lot of samples in the official GitHub repository. For example, see "Implementing Relying Party Role Based Access Control": with this method you can add the groups to the JWT token and also prevent users from signing in if they aren't members of one of the predefined security groups.
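
Both this answer (groups in the token, sign-in refused for non-members) and option 1 in the first thread (an API that calls Graph for group memberships) come down to the same lookup. As an added example, not code from either answer or from the linked samples, this sketch pages through Microsoft Graph `memberOf` results and maps group IDs to roles, denying by default; the group IDs, role names, `http_get` transport (assumed to attach an app-only bearer token and return parsed JSON) and the two-page response are constructed.

```python
import uuid

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed placeholders: group object IDs mapped to application roles.
GROUP_ROLES = {
    "11111111-1111-1111-1111-111111111111": "admin",
    "22222222-2222-2222-2222-222222222222": "reader",
}

def member_group_ids(user_object_id, http_get):
    """List the user's group IDs, following @odata.nextLink until exhausted."""
    user_id = str(uuid.UUID(user_object_id))  # refuse anything that is not a GUID
    url = f"{GRAPH}/users/{user_id}/memberOf"
    ids = []
    while url:
        if not url.startswith(GRAPH + "/"):   # never send the token off-host
            raise ValueError("unexpected nextLink host")
        page = http_get(url)
        ids += [o["id"] for o in page.get("value", [])
                if o.get("@odata.type") == "#microsoft.graph.group"]
        url = page.get("@odata.nextLink")
    return ids

def roles_claim(user_object_id, http_get):
    """Return the roles to embed in the token; deny when no mapped group matches."""
    groups = member_group_ids(user_object_id, http_get)
    roles = sorted({GROUP_ROLES[g] for g in groups if g in GROUP_ROLES})
    if not roles:
        raise PermissionError("user is not in any permitted group")
    return roles

# Constructed two-page Graph response so the example runs offline.
USER = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
PAGES = {
    f"{GRAPH}/users/{USER}/memberOf": {
        "value": [{"@odata.type": "#microsoft.graph.directoryRole", "id": "x"},
                  {"@odata.type": "#microsoft.graph.group",
                   "id": "22222222-2222-2222-2222-222222222222"}],
        "@odata.nextLink": f"{GRAPH}/users/{USER}/memberOf?$skiptoken=constructed"},
    f"{GRAPH}/users/{USER}/memberOf?$skiptoken=constructed": {
        "value": [{"@odata.type": "#microsoft.graph.group",
                   "id": "11111111-1111-1111-1111-111111111111"}]},
}

def fake_get(url):
    return PAGES[url]
```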

Microsoft graph rest api v1.0: Access to B2C tenant users

I want to get user information, not only from Azure Active Directory, but also from Azure B2C tenant users. I was able to reproduce results for AAD users, but I couldn't find enough resources on how to access B2C users (e.g. Gmail.com). I get this error when I swap to my desired clientid/clientsecret (fetched from Azure AD B2C - Application) in this project (https://github.com/microsoftgraph/aspnetcore-connect-sample):
'unsupported_response_type', error_description: 'AADSTS700054: response_type 'id_token' is not enabled for the application.
I couldn't find the recent resources helpful, as a lot of Azure components have changed. I would greatly appreciate your kind guidance!
If I understand your question correctly, you want to be able to programmatically CRUD B2C users.
AAD B2C has documentation for the same using AAD Graph (and not using Microsoft Graph):
Build user CRUD operations by using the Graph API
As of today, you must use the Azure AD Graph API to manage users in an Azure AD B2C directory. This is different from the Microsoft Graph API. The sample you referred to is not appropriate for managing B2C tenant users.

Azure AD B2C authentication hybrid

I created a B2C AD in my developer account on Azure.
In this environment I have users created in my personal AD, and users in AD B2C (where the user can log in with: twitter and facebook).
I found an ASP.NET project that logs in to these two ADs, but with two types of logins, one for normal AD and one for AD B2C. And from what I've researched, the only way to log in to these two different ADs is this way.
Does anyone know of a way to make a single login in these two ADs?
You could do it now with custom Azure AD B2C policies. It is however quite an advanced scenario.
Using them you could put all authentication behind B2C. User could choose to sign in against your Azure AD or through Twitter or Facebook on the B2C sign-in page instead of your application.
Custom policies: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-overview-custom
Documentation on using Azure AD as a provider in B2C: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-aad-custom
GitHub repo with examples: https://github.com/Azure-Samples/active-directory-b2c-advanced-policies
Thanks for the quick response.
I tried to do this but could not find the settings needed to add Twitter, Google and Microsoft. For Facebook and the other AD it worked.
I found a post saying that Microsoft will soon make available an "Identity Provider" to validate the user in another AD.
For now, I'll put two sign-ins in my application, one for the company's AD and another for the B2C AD.
I am now looking for a way to get the user's profile in AD (Name, First Name, Last Name, Job Title, Department, ....).
Once this is done, I'm going to make a demo and publish it to GitHub; I think this will help a lot of people.

How to federate between Azure B2B and B2C

We are designing an application which will be used by the client's employees, some of their vendors and consumers as well. All of these three types of user will have a different set of rights.
We were analyzing Azure AD and found that Azure B2B can be used for employees and vendors whereas B2C can be used for consumers. So, we need both of them. Can we set up our application in such a way that it can authenticate from both B2B and B2C? Or is there any other suggestion to implement this?
Thanks In Advance
You can totally set up an app to authenticate with multiple directories.
Set up one Azure AD that will be used by employees, where partners can be added through B2B. Then also set up a B2C directory for the customers.
On your app side you need to display a choice for the user: if they want to sign in as an employee/partner or as a customer. Then you redirect to the correct sign-in page.
You'll need to define the app twice, once in both directories.
The actual implementation will vary based on your tech stack, but in ASP.NET Core you would need to set up multiple Open ID Connect middleware. And none of them can use AutomaticChallenge, as you do need to know where to redirect the user; you can't really choose for them.
Update to B2C allows you to do it all from there now
Azure AD B2C now allows custom policies (preview feature). This means you can use any OpenId Connect provider for sign-in, including Azure AD of course.
This new feature allows you to:
Create a B2C tenant with custom policy for employee/partner login through Azure AD
Send all users to authenticate with your B2C tenant
Users can choose if they want to sign in with social accounts or if they are an employee or partner
If they choose to sign in as employee or partner, they would be redirected to your Azure AD
In the end your app gets a token from B2C telling where the user signed in, so you can then do authorizations based on that info

Azure /.NET Web API / Office 365- Authentication

I am creating a web API application that will be secured using OAuth for authentication. Can I set up the authentication to be a blend of individual accounts and organizational accounts?
Scenario: One set of users belongs to an organization that uses Office 365. Another set of users may not. The ultimate goal is to allow all the users to login, but in the case of the organizational users, I will also want to allow them to integrate with the Office365 apis that are tied to their organization.
Is there a solution design that would allow me to choose where to authenticate the user - either using the application's Azure AD or the subscribing organization's AD?
For just authenticating MSAs and AAD orgs, you can use the new Microsoft Graph (http://graph.microsoft.io) - it is the unified endpoint for all Microsoft identities and for requesting access to things like mail, calendar, etc. It uses the v2 AAD endpoint (mentioned below) and app registrations are universal, so you can sign in with org or personal accounts.
You can extend that with Azure B2C as the owning directory.
Add Microsoft Account as an identity provider, and
use the v2 endpoint
at which point users could sign in with a consumer account (Facebook, Microsoft, Google, whatever). By extension, since for MSAs it uses the new v2 endpoint, you can prompt users to sign in with an MSA or an org account - users get a prompt like this below. Note 'work or school, or personal microsoft account.'
v2 has some limitations, however: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-compare so make sure you can do everything you want before diving in. Some of the reply URL and on-behalf-of flows (like you'd see in APIs) have some domain/audience restrictions.
