we have currently the challenge to block access to our whole b2c services for several countries.
I tried to setup a conditional access rule to block specific countries, but it does not applied on normal application sign ins.
This will block my admin account to login to azure portal, but not the users to sign in to saml or openid connected applications.
What would be the correct way to implement it? In Custom Policies with Transformations?
Related
We plan to use Azure AD for our workforce users. We also have few applications for our customers. The sales team usually reaches out to a specific team who creates customer accounts to our current environment.
Few questions:
a. Is Azure AD B2C right to use for the customer applications? What I mean is should we use B2C only when the application is like a shopping application or something where we talk about huge number of users who self-registers and perform all activities.
b. We do not need self-registration, but we want our customers to verify and confirm their email address. How do we achieve that?
c. Does Azure AD B2C support accepting terms and conditions at the time of login? I know Azure AD conditional access policy does.
d. If an on-prem application supports OAuth 2.0, is there anything still need to be updated in the app to integrate with Azure AD B2C? Is the integration approach any different than Azure AD?
e. Can we have more than one application in one Azure AD B2C tenant? Can we have separate sign-up or sign-in flow for individual applications?
f. Is there a way to sync password from Azure AD B2C to a LDAP server? we want to use Azure AD B2C SSPR.
a) B2C is designed for any non-corporate application i.e. users are not domain-joined. The number of users doesn't matter.
For what follows, you need to use custom policies.
b) Yes, you can have a sign-up flow that simply asks for email and verifies it.
c) Yes, see here. There are a number of samples there. Well worth looking at.
d) It depends on what OAuth stack the on-premises app. uses. Ideally, the app. would use the MSAL stack. It's similar to Azure AD but there is an extra parameter for the policy.
e) Yes and yes.
f) Yes, you can call a REST API that talks to the LDAP server. However, the out of the box B2C SSPR resets the password in B2C. Not sure why you need LDAP? B2C does not support AAD Connect.
I am wondering if it is possible to let's say connect the Azure AD with the Azure B2C, in order that the Azure AD users are able to login in my custom policy. I already implemented one, including MFA.
I was reading this article, but I am not sure if it is the right way. If so, I see I have to specify the client-id. What if I have more than one application using this policy, do I have to create a policy for each one?
The linked approach is correct. You specify a clientId which represents AADB2C user-flow/custom-policy as an “Application” to the AAD IdP. So this relationship can be used per AAD B2C user-flow/custom-policy or shared across all your custom policies and user flows.
It can be useful to have separate registrations at AAD so that you could target them individually for conditional access.
For multiple applications. we are using AAD B2C for our authentication system.
We have opted for custom policies. One of the reasons for this is that we want to allow different user groups to access different applications, in the following way:
superusers can access all Applications, including our CMS
product admins can access the customer facing CMS and the end product
product users can access the end product
For this, we have the policies:
B2C_1A_xxx_cms
B2C_1a_xxx_product
B2C_1A_xxx_customercms
In all policies, we do an API call to an internal authentication API, which validates the user's group memberships throught MS Graph API.
The problem is that these policies seem to be able to be used interchangibly:
https://{tenant}.b2clogin.com/{tenant}/b2c_1a_xxx_cms/oauth2/v2.0/authorize?response_type=id_token&scope={scope}%20openid%20profile&client_id={client_id}&redirect_uri={redirect_uri}&nonce={nonce}&client_info=1&x-client-SKU=MSAL.JS&x-client-Ver=1.4.4&client-request-id={client-request-id}&response_mode=fragment
In the above url, users can access the CMS by replacing b2c_1a_xxx_cms with b2c_1a_xxx_product, thus bypassing the group-based validation in place for the specific application.
The original implementation of our policies are based on this tutorial:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-get-started
How can we configure these policies in such a way that changing the URL and trying to log in is impossible?
Based on your requirement, I think you need a the application assignment to users feature.
But it is only available in Azure AD rather than Azure B2C.
So I suggest that you use custom attribute to control the access of the user for different applications.
“ we do an API call to an internal authentication API, which validates the user's group memberships throught MS Graph API. ”
When User A calls Policy B, this API should return back a claim into the journey that prevents it from issuing a JWT. That can be achieved by creating a “block page” using a self asserted technical profile. Call this from the orchestration step using this claim from the API to trigger it with a precondition.
I have an Azure AD B2C tenant and with that i have implemented sign-in/sign-up flow in multiple applications and all are hosted.
In those applications some premium applications are restricted which means who bought some membership from our portal can only access it but the problem is whoever registered with our other applications (via AD B2C) can able to access the premium applications too.
The B2C tenant allows all users to access all applications. How to restrict some users who not having our membership from accessing premium applications?
Note:
In Azure AD, Enterprise Application option used for Role Based Authorization but i dont see equivalent option in AD B2C.
With built-in user flows you'd probably have to do the check in the app itself. With custom policies, you could implement a validation technical profile to the login flow. But going to custom policies just for that isn't worth it in my opinion.
As juaans mentioned, there is no direct way in built-in user flows. But there is a way which can make it easier. If the membership is stored as a custom attribute, the apps get the membership in a claim in the token. Once you have it in the token, its a very simple check in the authorization layer of the app. I am assuming app will be implementing some authorization for sure.
We are designing an application which will be used by client's employee, some of their vendors and consumers as well. All of these three types of user will have the different set of rights.
We were analyzing the Azure AD and found that Azure B2B can be used for employees and vendors whereas B2C can be used for consumers. So, we need both of them. Can we setup our application in such a way that if can authenticate from B2B and B2C both? Or any other suggestion to implement this.
Thanks In Advance
You can totally setup an app to authenticate with multiple directories.
Setup one Azure AD that will be used by employees, where partners can be added through B2B. Then also setup a B2C directory for the customers.
On your app side you need to display a choice for the user: if they want to sign in as an employee/partner or as a customer. Then you redirect to the correct sign-in page.
You'll need to define the app twice, once in both directories.
The actual implementation will vary based on your tech stack, but in ASP.NET Core you would need to setup multiple Open ID Connect middleware. And none of them can use AutomaticChallenge, as you do need to know where to redirect the user, you can't really choose for them.
Update to B2C allows you to do it all from there now
Azure AD B2C now allows custom policies (preview feature). This means you can use any OpenId Connect provider for sign-in, including Azure AD of course.
This new feature allows you to:
Create a B2C tenant with custom policy for employee/partner login through Azure AD
Send all users to authenticate with your B2C tenant
Users can choose if they want to sign in with social accounts or if they are an employee or partner
If they choose to sign in as employee or partner, they would be redirected to your Azure AD
In the end your app gets a token from B2C telling where the user signed in, so you can then do authorizations based on that info