Restricting User Access Azure B2C - azure

According to this documentation, I can restrict access to applications on an Azure tenant using enterprise applications.
I tried to set this up on my B2C Tenant but when I test my user flows, I can still log in to those applications and receive an ID token.
Should the restrictions also work on the B2C Tenant or is there a different process required for B2C?

Using B2C user flows, we can't restrict user access. You need to handle this from the application side; alternatively, using a custom policy, you can call a REST API in the user journey and validate the user restrictions there.

Related

How to expose User authorized API scope in Azure AD B2C Application

I have a Web API that is registered in an Azure AD B2C directory, secured by tokens from that same directory. To do that I have created an Application and created a scope.
I have a 3rd party that would also like to use this AD for their audience, who will access some of my API on behalf of the guest.
I wanted to create a new scope for this purpose and have the AD prompt the guest to allow the application to access their data on their behalf.
For some reason, when I create a scope I am only given the option of "Admin Consent". The "User Consent" fields that are shown in so many blog posts and instructions are not showing for me.
I have tried to register the 3rd Party Applications and API Applications in both the B2C blades and the AAD blades of the Azure Portal but the result is always the same.
Is there a Property or setting somewhere that needs to be ticked in order to enable User Authorized scopes?
There’s no such thing as OAuth 2.0 consent in AAD B2C; only admin consent is offered, as it’s aimed at your first-party apps.
The user consent screens you’re seeing online refer to Azure AD, not AAD B2C.
For service partner integration, you can follow this example to create such a consent. https://github.com/azure-ad-b2c/samples/blob/master/policies/service-consent

Azure AD B2C Authentication - Restrict to only certain customer users

I have an ASP.Net core web application and integrated authentication using the Azure AD B2C Tenant/Application. I'm able to authenticate and get the user claims in my web application.
But what I additionally want is to allow only certain customer users to access the web application. I want to do this at the B2C tenant itself. Right now any B2C customer user can sign in. Any help, ideas or insight will be appreciated.
You may know there is a "Manage user assignment for an app" feature in Azure Active Directory. But it's not available in Azure B2C.
Currently the recommended way to control access in Azure B2C is to define custom attributes and check the claims in the token.
If the expected claim is included, you allow the user to continue.

User account does not show application assignments

Log into Azure B2C
Click Users
Select a user
Click Applications
I created users in my B2C tenant by logging into my website using various OAuth identity providers. So for any user selected using the above steps I expect to see at least one application listed - that being the one the user signed into when their user record was created in Azure.
When I perform the above steps I only see applications listed under my own user name. I created all the users I see in my tenant so I know there should be apps listed with each user name.
More formally stated my questions are:
Given an Azure AD Application, how do I get a list of users that are authorized to log into that app?
Given an Azure AD User, how do I get a list of applications that user is authorized to log into?
I would like to accomplish the above tasks using Azure portal - I don't want to write script. Also, my purpose in asking these questions is to be able to delete or disable users as needed.
Azure AD B2C does not hold a mapping of Users who signed into an App to a specific Application Registration. By default, all users are authorized to sign into your apps if you have OAuth IdPs configured against the AAD B2C policy that allows authentication to your App.
You can use the AAD B2C Sign In logs to see which users have been logging into what applications.
Assigning or not assigning users to apps in the Azure Portal does not enforce any authorization; this is an Azure AD-only concept and doesn't apply to Azure AD B2C.
The process you followed (Users -> select user -> Applications) will only be able to see the applications listed under your tenant.
In the same manner, when you choose an application and select Users/Groups, you will only be able to see the users who have accessed your application.
Based on application/user->application you can remove the access from that application.
Regarding the questions "Given an Azure AD Application, how do I get a list of users that are authorized to log into that app?" and "Given an Azure AD User, how do I get a list of applications that user is authorized to log into?":
Which users are authorized for which application depends entirely on the application consent flow.
Application developers can dictate what types of permissions are being requested and whether they want to guide users through the user consent flow or the admin consent flow. If the application uses the user consent flow, any user who accepts the consent can access that particular application.
The admin consent flow is when an application developer directs users to the admin consent endpoint with the intent to record consent for the entire tenant. The application is then granted access to the requested data on behalf of the entire tenant.
For more details on consent and permissions, please go through the document.

How to implement membership based access in Azure AD B2C?

I have an Azure AD B2C tenant, and with it I have implemented the sign-in/sign-up flow in multiple applications, all of which are hosted.
Among those applications, some premium applications are restricted, which means only those who bought a membership from our portal should be able to access them; but the problem is that whoever registered with our other applications (via AD B2C) can access the premium applications too.
The B2C tenant allows all users to access all applications. How can I restrict users who don't have our membership from accessing the premium applications?
Note:
In Azure AD, the Enterprise Application option is used for role-based authorization, but I don't see an equivalent option in AD B2C.
With built-in user flows you'd probably have to do the check in the app itself. With custom policies, you could implement a validation technical profile to the login flow. But going to custom policies just for that isn't worth it in my opinion.
As juaans mentioned, there is no direct way in built-in user flows. But there is a way which can make it easier. If the membership is stored as a custom attribute, the apps get the membership in a claim in the token. Once you have it in the token, it's a very simple check in the authorization layer of the app. I am assuming the app will be implementing some authorization for sure.
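The custom-attribute approach recommended in the two answers above (store the membership as a B2C custom attribute, then check the claim in the app), worked through as an added ASP.NET Core example that is not code from any of the answers. It assumes a custom attribute named `Membership` exists in the tenant and is selected as an application claim in the user flow, so it arrives in the ID token as `extension_Membership`; the tenant name, user flow name and client id are placeholders, and the `Microsoft.AspNetCore.Authentication.OpenIdConnect` package is referenced.

```csharp
// Added example, not from the answers: sign users in with an Azure AD B2C user flow
// and enforce membership in the app's own authorization layer, since B2C itself
// lets every user in the tenant sign in. Assumed: custom attribute "Membership"
// is emitted as the claim "extension_Membership"; all ids below are placeholders.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);

const string Tenant = "contoso";               // placeholder: your B2C tenant name
const string UserFlow = "B2C_1_signupsignin";  // placeholder: your user flow name

builder.Services
    .AddAuthentication(options =>
    {
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie()
    .AddOpenIdConnect(options =>
    {
        // B2C publishes OIDC metadata per user flow, so the authority includes the flow.
        options.Authority = $"https://{Tenant}.b2clogin.com/{Tenant}.onmicrosoft.com/{UserFlow}/v2.0";
        options.ClientId = "00000000-0000-0000-0000-000000000000"; // placeholder app (client) id
        options.ResponseType = "id_token";
        options.TokenValidationParameters.NameClaimType = "name";
    });

builder.Services.AddAuthorization(options =>
{
    // The access decision lives here, not in B2C: only a token carrying
    // extension_Membership=premium satisfies this policy.
    options.AddPolicy("PremiumMember", policy =>
        policy.RequireAuthenticatedUser()
              .RequireClaim("extension_Membership", "premium"));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

app.MapGet("/", () => "Public area: any signed-in or anonymous user");
app.MapGet("/premium", (HttpContext ctx) =>
        $"Premium area for {ctx.User.Identity?.Name}")
   .RequireAuthorization("PremiumMember");

app.Run();
```

A signed-in user without the claim gets a 403 from the policy, which is the behaviour the answers describe: B2C authenticates everyone, the app authorizes.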

how to federate between Azure B2B and B2C

We are designing an application which will be used by the client's employees, some of their vendors, and consumers as well. All three types of users will have different sets of rights.
We were analyzing Azure AD and found that Azure B2B can be used for employees and vendors, whereas B2C can be used for consumers. So we need both of them. Can we set up our application in such a way that it can authenticate from both B2B and B2C? Or is there any other suggestion for implementing this?
Thanks in advance
You can totally set up an app to authenticate with multiple directories.
Set up one Azure AD that will be used by employees, where partners can be added through B2B. Then also set up a B2C directory for the customers.
On your app side you need to display a choice for the user: whether they want to sign in as an employee/partner or as a customer. Then you redirect to the correct sign-in page.
You'll need to define the app twice, once in each directory.
The actual implementation will vary based on your tech stack, but in ASP.NET Core you would need to set up multiple OpenID Connect middleware. None of them can use AutomaticChallenge, as you do need to know where to redirect the user; you can't really choose for them.
Update: B2C allows you to do it all from there now
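The two-directory setup described in this answer, as an added ASP.NET Core example that is not the answer's own code: two OpenID Connect schemes, neither of which is the default challenge scheme, so the app never redirects automatically and instead challenges the scheme the user chose. Tenant ids, client ids, the user flow name and the scheme names `AzureAD` and `B2C` are placeholders I chose; both app registrations are assumed to allow ID tokens.

```csharp
// Added example, not from the answer: one scheme per directory, explicit choice by
// the user, no automatic challenge. Ids, tenant names and the flow name are placeholders.
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);
builder.Services
    .AddAuthentication(options =>
    {
        // Only the cookie is a default; a challenge on it goes to LoginPath (the
        // chooser), never to one of the identity providers.
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    })
    .AddCookie(options => options.LoginPath = "/login")
    .AddOpenIdConnect("AzureAD", "Employee or partner", options =>
    {
        options.Authority = "https://login.microsoftonline.com/<aad-tenant-id>/v2.0"; // placeholder
        options.ClientId = "<aad-app-client-id>";                                     // placeholder
        options.ResponseType = "id_token";
        options.CallbackPath = "/signin-aad";    // separate redirect URI per directory
    })
    .AddOpenIdConnect("B2C", "Customer", options =>
    {
        options.Authority = "https://<tenant>.b2clogin.com/<tenant>.onmicrosoft.com/B2C_1_signupsignin/v2.0"; // placeholder
        options.ClientId = "<b2c-app-client-id>";                                     // placeholder
        options.ResponseType = "id_token";
        options.CallbackPath = "/signin-b2c";
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// The chooser: the user says who they are, then the app challenges only that scheme.
app.MapGet("/login", () => Results.Content(
    "<a href=\"/login/AzureAD\">Employee / partner</a> | <a href=\"/login/B2C\">Customer</a>",
    "text/html"));
app.MapGet("/login/{scheme}", (string scheme) =>
    scheme is "AzureAD" or "B2C"
        ? Results.Challenge(new AuthenticationProperties { RedirectUri = "/" }, new[] { scheme })
        : Results.NotFound());

// Protected page: anonymous users are sent to /login by the cookie handler, and the
// issuer claim tells the app which directory the signed-in user came from.
app.MapGet("/", (HttpContext ctx) => $"Signed in via {ctx.User.FindFirst("iss")?.Value}")
   .RequireAuthorization();

app.Run();
```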
Azure AD B2C now allows custom policies (preview feature). This means you can use any OpenId Connect provider for sign-in, including Azure AD of course.
This new feature allows you to:
Create a B2C tenant with custom policy for employee/partner login through Azure AD
Send all users to authenticate with your B2C tenant
Users can choose whether they want to sign in with social accounts or whether they are an employee or partner
If they choose to sign in as employee or partner, they would be redirected to your Azure AD
In the end your app gets a token from B2C telling where the user signed in, so you can then do authorizations based on that info
