Azure AD B2C Configuration URL cannot be reached - azure

I configured a new Azure AD B2C Tenant for testing purposes. I am trying to follow the example to use Azure AD B2C with Android.
https://github.com/Azure-Samples/active-directory-b2c-android-native-appauth
Besides the B2C tenant, I have already created a User Flow for the login.
During the authentication flow the app wants to read the "well known openid configuration" for my User Flow:
https://login.microsoftonline.com/geomobilestage.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_login_signin
but that URL returns a 404 error. However, when I try the following URL to read the configuration, I receive HTTP status 200:
https://geomobilestage.b2clogin.com/geomobilestage.onmicrosoft.com/B2C_1_login_signin/v2.0/.well-known/openid-configuration
The URLs are public, so everyone can call them in the browser to see the result.
So the configuration itself exists and seems to be OK. I already have another Azure AD B2C tenant, and when I call the first URL for that tenant everything is fine. It seems that I am missing some configuration in the Azure portal, but I really have no idea what I am missing, or even where to look.
Regards
Michael

For Azure AD, see here:
https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration
For Azure AD B2C, see here:
https://{domain-name}.b2clogin.com/{domain-name}.onmicrosoft.com/{policy}/v2.0/.well-known/openid-configuration
The key thing here is to realize that the b2c config endpoint has a reference to a policy in it, otherwise it’s likely AAD.
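An added example in Python (not from the thread or from Microsoft's samples): it builds the discovery URL from the two patterns above, choosing b2clogin.com whenever a policy is present, and sanity-checks a discovery document before its endpoints and JWKS are trusted. The tenant name contoso, the policy name and the sample document are constructed for illustration.

```python
import json
from typing import List
from urllib.parse import urlparse

# Constructed sample values; 'contoso' is not the tenant from the thread.
TENANT = "contoso"
POLICY = "B2C_1_signupsignin"

def discovery_url(tenant: str, policy: str = "") -> str:
    """A policy means Azure AD B2C: address {tenant}.b2clogin.com with the policy
    in the path. No policy means plain Azure AD on login.microsoftonline.com."""
    if policy:
        return (f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/"
                f"{policy}/v2.0/.well-known/openid-configuration")
    return (f"https://login.microsoftonline.com/{tenant}.onmicrosoft.com/"
            "v2.0/.well-known/openid-configuration")

def check_discovery(doc: dict, tenant: str, policy: str) -> List[str]:
    """Check a B2C discovery document before trusting its endpoints: every
    endpoint and the JWKS must be https on the tenant's own b2clogin.com host,
    and the authorize/token endpoints must reference the expected policy.
    Returns the problems found; an empty list means the document looks right."""
    problems = []
    host = f"{tenant}.b2clogin.com"
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = doc.get(key)
        if not value:
            problems.append(f"missing {key}")
            continue
        u = urlparse(value)
        if u.scheme != "https" or u.hostname != host:
            problems.append(f"{key} is not on https://{host}: {value}")
    for key in ("authorization_endpoint", "token_endpoint"):
        if policy.lower() not in doc.get(key, "").lower():
            problems.append(f"{key} does not reference policy {policy}")
    return problems

# Constructed discovery document shaped like a B2C response (not a real one).
SAMPLE_DOC = json.loads(f"""{{
  "issuer": "https://{TENANT}.b2clogin.com/00000000-0000-0000-0000-000000000000/v2.0/",
  "authorization_endpoint": "https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com/{POLICY}/oauth2/v2.0/authorize",
  "token_endpoint": "https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com/{POLICY}/oauth2/v2.0/token",
  "jwks_uri": "https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com/{POLICY}/discovery/v2.0/keys"
}}""")

if __name__ == "__main__":
    print(discovery_url(TENANT, POLICY))
    print(check_discovery(SAMPLE_DOC, TENANT, POLICY))  # []
    print(check_discovery(dict(SAMPLE_DOC, jwks_uri="https://evil.example/keys"), TENANT, POLICY))
```

The host check matters because a client that accepts a discovery document from the wrong host would also accept whatever signing keys that host publishes.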

Related

azure functions and AD B2C integration

I have a SPA made with React.
And user authentication is done with Azure AD B2C.
Right now, we are trying to figure out a mechanism to get an access token to access the backend after a user logs in.
The backend is Azure functions.
I think it is set up through "Application Registration" in Azure AD B2C, but I don't know the details.
I see that there is an azure functions URL
http://[yourapp].azurewebsites.net/api/[funcname]?code=[functionkey]
but where should I set it?
Please tell me...
No, the function key is an authorization at the function level; it has no relationship with Azure AD B2C. You need to add some code to validate the received bearer token against Azure AD.
There's a full sample about how to do it in here: https://medium.com/cheranga/azure-functions-validate-azure-active-directory-tokens-using-your-own-custom-binding-4b4ff648d8ac

How do I expose a custom API permission in Azure B2C? Only admins are supported

I'm following the B2C directions here to secure my API, however the Azure B2C portal doesn't expose this feature fully. Instead it only allows for Admin consent, not user consent.
[image: portal missing end user prompts]
Is this feature fully supported?
Why would there be an admin scope and not an end user scope?
What scenarios is this custom permission expected to be used within, and am I trying to do something unexpected with B2C?
If you are configuring this sample with your Azure AD B2C, you should follow this README file rather than the B2C directions here.
The link you are following is not for Azure AD B2C. It should be for Azure AD.
I'm not sure why it's put into this path. I have opened an issue here.
Based on Add a web API application to your Azure Active Directory B2C tenant, user consent is not mentioned. I think it's not supported currently.

Actual impact of deprecation of login.microsoftonline.com for B2C tenants

I am a bit confused by the wording on the announcement for the deprecation of login.microsoftonline.com for "B2C tenants".
New tenants created after this announcement will no longer be able to accept requests from login.microsoftonline.com.
My main concern is: How will this affect the client credentials grant? As far as I can see, this is only supported via login.microsoftonline.com.
Although client credential flow is not currently supported by Azure AD B2C, you can set up client credential flow using Azure AD. An Azure AD B2C tenant shares some functionality with Azure AD enterprise tenants. The client credential flow is supported using the Azure AD functionality of the Azure AD B2C tenant.
Will the "Azure AD functionality" continue to work with login.microsoftonline.com indefinitely? If so, where can I draw the line of what this actually means?
I have created a new B2C tenant after the announcement. So far, everything works, even the B2C user flows via login.microsoftonline.com. The only difference at the moment is that I don't get the domain selection when I click on "run user flow".
My current understanding would be that "everything that uses B2C policies must use b2clogin.com" - everything else must continue to use login.microsoftonline.com.
Without policy:
https://login.microsoftonline.com/mytesttenant.onmicrosoft.com/oauth2/v2.0/token => working URL
https://mytesttenant.b2clogin.com/mytesttenant.onmicrosoft.com/oauth2/v2.0/token => 404
With policy:
https://login.microsoftonline.com/mytesttenant.onmicrosoft.com/oauth2/v2.0/token?p=b2c_1_signupsignin => working URL
https://mytesttenant.b2clogin.com/mytesttenant.onmicrosoft.com/oauth2/v2.0/token?p=b2c_1_signupsignin => working URL
(my tenant is not actually named mytesttenant)
I think you will still be able to use client credentials flow in Azure AD B2C tenant.
The deprecation of login.microsoftonline.com just affects the Azure AD B2C functionality.
However, the client credentials flow is an Azure AD functionality, it should not be affected, the B2C tenant just shares the functionality with the normal Azure AD tenant.
I have created a new B2C tenant after the announcement. So far, everything works, even the B2C user flows via login.microsoftonline.com. The only difference at the moment is that I don't get the domain selection when I click on "run user flow".
I suppose we can, but we should not do this. As the UI has been changed, MS should not want the new users of Azure B2C (those who created a B2C tenant after the announcement) to use login.microsoftonline.com; the implementation has not been changed, which gives other users a transition period.
I got an official answer back via Github.
Use of b2clogin.com is enforced for b2c functionality only. Client Credentials flow is not supported for B2C Applications. Since the App registered via App Registration under Azure AD B2C, can also be used for standard Azure AD as well which supports Client Credentials flow. For standard AAD functionality, use of b2clogin.com is not applicable and requires login.microsoftonline.com only.
For more details, refer to: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-apps#daemonsserver-side-applications

Azure B2C openid connecting to AAD

Using the MS documents listed below I have tried repeatedly to authenticate against AAD as an idp and I cannot get it to work. Every time I get the following error:
AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application:
I read the documents on this error, and cannot find anything that does not match. My question today: has anyone actually been able to connect to AAD using B2C as indicated in the documents below without doing any custom coding? If you have actually done this, I would like to know how you did it. And I would like to know what I am doing wrong.
I'm trying to connect to AAD in the base subscription. In this same subscription also resides the B2C tenant. Is that possible, or must it be an external AAD?
Please only respond if you have actually done this.
Documents that I have followed:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-aad-custom
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-oidc-idp
https://blogs.msdn.microsoft.com/jpsanders/2018/01/30/azure-app-service-error-aadsts50011-the-reply-address-http-azurewebsites-netsignin-oidc-does-not-match-the-reply-addresses-configured-for-the-application/
AADSTS50011: The reply URL specified in the request does not match the reply urls configured for the application
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-tutorials-web-app#run-the-sample-web-app
https://blogs.msdn.microsoft.com/azuredev/2017/05/30/azure-ad-b2c-kicking-it-up-a-notch-with-support-for-aad-as-idp/
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-overview-custom
This is related to the reply URL that is registered for Azure AD B2C in your Azure AD tenant.
If you're using the your-tenant-name.b2clogin.com domain with Azure AD B2C (recommended), then the reply URL must be set to:
https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com/oauth2/authresp
If you're using the login.microsoftonline.com domain with Azure AD B2C, then it must be set to:
https://login.microsoftonline.com/te/your-tenant-name.onmicrosoft.com/oauth2/authresp

How do I register an app in client's active directory using my multi tenant app in microsoft azure?

I have registered a multi-tenant app in my Azure subscription. Using this app, I want to create an OAuth flow for my client to be able to give me permissions to create an app in his active directory.
We are using OpenID connect flow to access the Azure AD graph API.
In spite of making our app multi-tenanted via the console, we are getting the following error when the client (xyz#outlook.com) tries to sign in:
User account 'xyz#outlook.com' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application 'bf5ca806-xxxx-xxxx-xxx-xxxx' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account
I used the following endpoint to get an access token:
https://login.microsoftonline.com/common/oauth2/authorize?
client_id=xxxxxxxx-xxxx-xxxxx-xxxx-xxxxx
&response_mode=form_post
&response_type=code+id_token
&redirect_uri=http://localhost:8080
&prompt=admin_consent
&nonce=1234
&resource=https://graph.windows.net
Please help me to resolve this error
Unfortunately, you cannot use a guest user to login Azure AD Graph Explorer for now.
I came across the same issue as yours a long time ago and I understand it's very important for customers. So, you can post your idea in this User Voice Page and the Azure Team will see it. I will also upvote it.
But there are other solutions if you don't mind:
Solution 1: Try to use an internal account of that directory whose UPN ends with .onmicrosoft.com
Solution 2: Try to use other tools to get an access token with a guest user (this account also needs to be an admin of that directory), such as Postman. Then you can use Postman to call the Azure AD Graph API. You can refer to this blog to use the Azure AD Graph API with Postman.
Hope this helps!