Restrict Azure B2C to organizational accounts - azure

I have two separate web applications, one built with .NET Framework and the other built with .NET Core. Both web applications make up one solution which we ship to our customers. The solution itself is a SaaS subscription-based solution, where users would be able to sign up using either a Microsoft/Office 365, G Suite, or organizational account (basic username/password). We would like to restrict sign-up to organizational/business accounts only.
As I understood, Azure B2B is mainly useful when you have something internal and you would like to give external users some limited access to it. Given that I have a multi-tenant SaaS solution, I believe that Azure B2C makes more sense.
Furthermore, in our solution, we would also want the ability for external users to access Tabular Models in Azure Analysis Services and SSRS.
Is restricting access to organizational accounts only something that can be configured through Azure AD B2C?
Can access be granted to external users to Azure Analysis Services or other Azure tools when using Azure B2C?

You have two options:
Option 1: use the Azure AD External Identities solution (recommended).
You can use the newly released self-service sign-up solution in Azure AD External Identities. You can very well restrict sign-up to other Azure AD accounts only. However, for sign-up using other federation systems you need to try it out; I think as of today only Google and Facebook are supported apart from Azure AD.
Option 2: use Azure AD B2C and app-only authentication.
Azure AD B2C consumer accounts are by default not supported by Azure services or Office. But you can use app-based authentication to provide these services: your client app calls your backend API using the Azure AD B2C token, your backend app performs all auth validations, and then it calls the backend Azure (or any other) service using app-only authentication mode.

Related

Azure AD B2C and organizational groups

Consider the following case, for my application:
I have a website
The website sits on top of an Azure API and gets data from Cosmos DB
The data from Cosmos DB is specific to different organizations
Different organizations should be able to have an "admin" appointed by me
The organization "admin" should be able to add his colleagues under the same organization
The users within a particular organization should only be able to view the data specific to their organization
Considering the above use-case, I have thought about using Azure B2C because:
Everything is already inside Azure
I don't want to do security myself
However, I am unsure if it is actually possible to achieve this with Azure B2C. I can't seem to find any similar use-cases in the AD documentation, hence why I start to think that I'm going in the wrong direction...?
Therefore, can Azure AD B2C offer what I want to achieve? (Do I need a tenant for each organization?)
In case Azure AD does not offer support for my use-case, what would you then recommend me to do?
As a white-label service, Azure AD B2C cannot be used as a built-in security provider for other Azure services without writing custom code to translate whatever authorization model you maintain in Azure AD B2C into access patterns for CosmosDB or other Azure services.
CosmosDB does have its own in-built notion of users and permissions which you might map in some way (using custom code) to Azure AD B2C users. https://learn.microsoft.com/en-us/azure/cosmos-db/secure-access-to-data#users
You could also use CosmosDB's integration with Azure AD (not B2C) for RBAC controls: https://learn.microsoft.com/en-us/azure/cosmos-db/role-based-access-control
Finally, Azure AD B2C does not provide any out-of-the-box administrative tooling for the kind of delegated user administration model you described. Again this would need to be a custom coded admin UI or you'd need to use a third-party solution such as Saviynt for delegated administration: https://learn.microsoft.com/en-us/azure/active-directory-b2c/partner-saviynt

Azure AD B2C to authenticate corporate Azure AD accounts

Azure AD B2C newbie here. I have a Single Page Application hosted in Azure and it uses Azure Functions. I want to allow users in many organisations to log in to my application using their existing corporate email address, authenticated in their company's Azure AD, which I have no access to.
For instance, I want people in company Contoso to access my Azure SPA by logging in with their existing Contoso email addresses, such as "john.smith@contoso.com". Authentication takes place in Contoso's Azure AD.
Do I use the Azure AD B2C Identity Experience Framework and a Custom Policy for this? Any guidance would be helpful.
This isn't the best case for use of Azure AD B2C.
I recommend you use the "multi-tenant" pattern to configure your single-page application to accept sign-ins from any Azure Active Directory tenant.
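With the multi-tenant pattern recommended above, tokens arrive from any tenant, so the issuer and tenant claims that a single-tenant registration would pin for you have to be checked by the application itself; the same check is where the first question's "organizational accounts only" requirement is enforced, by rejecting the personal-account tenant. The following is an added Python example (not code from the question, the answer, or Microsoft's libraries) of those claim checks over constructed sample tokens; it assumes v2.0 tokens whose signature, exp and nbf have already been verified by the JWT library, and the tenant and client IDs are made up.

```python
import base64
import json
from typing import Iterable, Optional

# Well-known Azure AD tenant ID under which personal Microsoft accounts (MSA) are issued.
MSA_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad"

# Constructed sample values for this example (not real tenants or apps).
CONTOSO_TID = "11111111-1111-1111-1111-111111111111"
APP_CLIENT_ID = "00000000-aaaa-bbbb-cccc-000000000000"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_token(claims: dict) -> str:
    """Build a constructed, unsigned test JWT (header.payload.signature)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.constructed-signature"

def claims_from_jwt(token: str) -> dict:
    """Decode the payload. Assumes the JWT library has ALREADY verified the
    signature against the issuing tenant's keys and checked exp/nbf."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))

def validate_multitenant(claims: dict, expected_aud: str,
                         allowed_tenants: Optional[Iterable[str]] = None,
                         allow_personal_accounts: bool = False) -> Optional[str]:
    """Return None if the token is acceptable, otherwise the rejection reason.
    With the multi-tenant (common endpoint) pattern the v2.0 issuer is
    tenant-specific, so issuer validation has to be done per token."""
    tid, iss = claims.get("tid"), claims.get("iss")
    if not tid or not iss:
        return "missing tid or iss claim"
    if iss != f"https://login.microsoftonline.com/{tid}/v2.0":
        return "issuer does not match tid"
    if claims.get("aud") != expected_aud:
        return "audience mismatch"
    if tid == MSA_TENANT_ID and not allow_personal_accounts:
        return "personal Microsoft account: organizational accounts only"
    if allowed_tenants is not None and tid not in set(allowed_tenants):
        return "tenant has not been onboarded"
    return None
```

Passing `allowed_tenants` turns the open multi-tenant app into one that only admits organizations you have onboarded; leaving it as `None` accepts any work or school tenant.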

Azure AD Premium enterprise applications licensing

This is a licensing related question for Azure Active Directory.
We would like to use Azure AD as a SAML identity provider for our own applications, using the available method in the Azure AD Premium subscription, i.e. by creating a new custom application in the 'enterprise applications' list. Now, do I need to assign a Premium license to every user that is going to log in to this application via SAML? Or does it suffice to assign this license to the users that are administering the application?
The former case seems more plausible to me; however, it would be way too expensive for us, and during testing the custom application seems to work also for users who do not have the license.
https://azure.microsoft.com/en-us/pricing/details/active-directory/
I am not a licensing expert; that said, Azure AD licenses are per user. Read the doc above. If the app is pre-integrated in the gallery, Azure AD users with the free tier can connect to 10 apps at no cost. If the app is on-premises, that requires Azure Application Proxy, which would require Azure AD Basic.
If it's a custom application not in the gallery, AD Premium is required. Keep in mind AD Premium has a ton more functionality. Conditional Access is a game changer. Very powerful. Multifactor Authentication, self-service password reset, MIM, and SCCM CALs are all included.
Being able to simplify identity for users and link all applications they use to their AD account is important. EMS gives you the ability to monitor identity with Advanced Threat Analytics etc. It's actually a very useful suite of services and not drastically different in price than stand-alone AD Premium.
There is an interesting point on the license page too:
With Azure AD Free and Azure AD Basic, end users who have been assigned access to SaaS apps can get SSO access to up to 10 apps. Admins can configure SSO and change user access to different SaaS apps, but SSO access is only allowed for 10 apps per user at a time. All Office 365 apps are counted as one app.

Using Azure AD MFA with MIM and on-premise apps

I am trying to use MFA for on-premises apps that are secured by AD and ADFS. We are using MIM to provision accounts automatically to AD. However, not all accounts will be synchronized to Azure AD. I have read the following article:
https://learn.microsoft.com/en-us/microsoft-identity-manager/pam/use-azure-mfa-for-activation
Does it mean you can use Azure AD MFA within MIM for on-premises apps which are secured by ADFS? Does it go to Azure AD to challenge the user for MFA? What about if the account exists only in AD, not Azure AD?
I appreciate all kinds of advice.
The article you cited above is only applicable to the use of Azure AD MFA within MIM for the privileged access management scenario, rather than for MFA for use within applications. I would recommend synchronizing accounts to Azure AD, and using conditional access and the application proxy where applicable. See https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-whichversion for more info on the options for applications.

Define Azure AD B2C vs B2B uses and differences

Could you please define the cloud-based authentication services Azure AD B2C and B2B, with their uses and their differences, if any? Please provide a list of web resources if you can.
The uses of Azure AD B2C (Business to Consumer) and Azure AD B2B (Business to Business) are very different. These differences are highlighted in the documentation.
B2C documentation: https://azure.microsoft.com/en-in/services/active-directory-b2c/
Azure Active Directory B2C is a highly available, global, identity management service for consumer-facing applications that scales to hundreds of millions of identities.
In a nutshell, it allows you to authenticate customers using social identities, like Facebook or Microsoft Account, but still within the context of Azure AD.
B2B documentation: https://azure.microsoft.com/en-in/documentation/articles/active-directory-b2b-collaboration-overview/
Azure AD B2B collaboration lets you enable access to your corporate applications from partner-managed identities. You can create cross-company relationships by inviting and authorizing users from partner companies to access your resources.
In a nutshell, it allows you to authenticate corporate users from other companies.
So one is for consumer-facing applications, and one is for business applications.
https://predica.pl/blog/azure-ad-b2b-b2c-puzzled-out/
Azure AD is an identity-as-a-service provider aimed at organization users, to provide and control access to cloud resources.
Azure AD B2B is not a separate service but a feature in Azure AD. It allows cross-organization collaboration in applications from an identity standpoint.
Azure AD B2C is an independent service for building a consumer application identity repository. If you need a service to handle email or Facebook login – it is there for you.
https://learn.microsoft.com/en-us/azure/active-directory/b2b/compare-with-b2c
B2B collaboration capabilities
Single sign-on (SSO) to all Azure AD-connected apps is supported. For example, you can provide access to Office 365 or on-premises apps, and to other SaaS apps such as Salesforce or Workday.
Partner lifecycle: Managed by the host/inviting organization.
Azure AD B2C stand-alone offering
SSO to customer owned apps within the Azure AD B2C tenants is supported. SSO to Office 365 or to other Microsoft and non-Microsoft SaaS apps is not supported.
Customer lifecycle: Self-serve or managed by the application.