Consider the following case, for my application:
I have a website
The website sits on top of an azure api and gets data from cosmos DB
The data from cosmos DB is specific for different organizations
Different organizations should be able to have an "admin" appointed by me
The organization "admin" should be able to add his colleagues under the same organization
The users within a particular organization should only be able to view the data specific to their organization
Considering the above use-case, I have thought about using Azure B2C because:
Everything is already inside azure
I don't want to do security myself
However, I am unsure, if it is actually possible to achieve this with azure B2C? I can't seem to find any similar use-cases in the AD documentation. Hence why I start to think, that I'm going in a wrong direction...?
Therefore, can Azure AD B2C offer, what I want to achieve? (do I need a tenant for each Organization)
In case, Azure AD does not offer support for my use-case, what would you then recommend me to do?
As a white-label service, Azure AD B2C cannot be used as a built-in security provider for other Azure services without writing custom code to translate whatever authorization model you maintain in Azure AD B2C into access patterns for CosmosDB or other Azure services.
CosmosDB does have it's own in-built notion of users and permissions which you might map in some way (using custom code) to Azure AD B2C users. https://learn.microsoft.com/en-us/azure/cosmos-db/secure-access-to-data#users
You could also use CosmosDB's integration with Azure AD (not B2C) for RBAC controls: https://learn.microsoft.com/en-us/azure/cosmos-db/role-based-access-control
Finally, Azure AD B2C does not provide any out-of-the-box administrative tooling for the kind of delegated user administration model you described. Again this would need to be a custom coded admin UI or you'd need to use a third-party solution such as Saviynt for delegated administration: https://learn.microsoft.com/en-us/azure/active-directory-b2c/partner-saviynt
Related
I have two separate web applications, one built with .NET Framework and the other built with .NET Core. Both web applications make up one solution which we ship to our customers. The solution itself is a SaaS subscription-based solution, where users would be able to sign-up with using either a Microsoft/Office 365, GSuite, or organizational account (basic username/password). We would like to restrict sign-up to organizational/business accounts only.
As I understood, Azure B2B is mainly useful when you have something internal and you would like to give external users some limited access to it. Given that I have a multi-tenant SaaS solution, I believe that Azure B2C makes more sense.
Furthermore, in our solution, we would also want the ability for external users to access Tabular Models in Azure Analysis Services and SSRS.
Is access to only organizational accounts, something that can be configured through Azure AD B2C?
Can access be granted to external users to Azure Analysis Services or other Azure tools when using Azure B2C?
You have two options
Option 1, Using Azure AD External identities solution - recommended
You can use newly released self service sign up solution in Azure AD external identities . You can very well restrict sign up to other Azure AD accounts only. However for sign up using other federation systems - you need to try on. I think as of today only Google and Facebook are supported apart from Azure AD.
Option 2, use Azure AD B2C and use app only authentication.
Azure AD B2C consumer accounts are by default not supported by Azure services or Office. But you can use app based authentication to provide these services. Your client app will call your backend api using Azure AD B2C token. Your backend app can perform all auth validations and then call the backend Azure or any other service using app only authentication mode.
We have an Office 365 tenant that we are using for our basic AD functions (joining desktop PC's, authentication, etc..) for our organization.
We're also building a stand-alone mobile and web application. We have an Azure subscription we've tied to our primary AAD tenant. And we're likely to have a separate dev/test subscription.
We're wanting to join our applications resources to an AAD for management purposes, but my question is should we join these to our regular AAD? I don't think that's wise. So what are the alternatives? Create another AAD? We plan to use Azure B2C for the web and mobile authentication.
Do we create another tenant? Partition our primary tenant off in some way (like traditional AD forests and trees)?
I'm trying to keep the application isolated for security purposes from our organizations usage.
FYI, we do not have any on-prem legacy AD.
This depends on what the purpose of your applications are. if you are selling your application and creating a multitenant application, etc. There may be a case for separate tenants (B2C).
But in general, try to avoid creating too many tenants, it can become a management nightmare.
Now to answer some of your specific questions. When you create azure b2c, it is actually a new AAD Tenant, with a different domain name.
In terms of the dev/test subscription, it should be a subscription tied to the same AAD tenant. You would not create a separate tenant for that. unless you absolutely need to test things with a totally separate Directory (eg, editing random Global Azure AD settings that you don't want to do in your primary tenant) but again, that means it becomes a management nightmare as 1: you don't want to create multiple users in different tenants for the same person. This means you'll need to use azure b2b, to federate users and setup separate permissions, etcetc.
In azure Ad you cannot create child domains, that concept is different from on-prem AD. its just not how it works.
Here's a good read on some of the rarer scenarios to create more tenants:
https://itconnect.uw.edu/wares/msinf/aad/new-aad-tenant/
If you plan to use B2C then the app registration should be done there. You can later federate with your primary AD tenant.
Azure AD have B2B collaboration for inviting external users.
But what if i wan't to invite an external Azure service that have a MSI.
Is it possible to create an Azure AD group and add a external(another subscription/tenant in Azure) MSI which i can then use to grant access to resources?
Say I wan't to allow a B2B partners Data Factory access to SQL database of ours and I do not wan't to give them a SQL Login.
MSIs are service principals which cannot be invited to other tenants. They are always tenant-specific.
The scenario sounds like you need to give access to something connected to your tenant.
I would suggest creating an App registration (Application),
adding a key, and giving those credentials to the other service.
You can then give the application access to your Azure subscription etc.
Is there a recommended Azure AD strategy for managing internal and our partner users?
We know we can add external users to our Azure AD but we would like a clear separation between the internal and partners users.
I see in Azure you can add another Azure AD so wondering if we can add a new just for external users. But I'm not sure what effect this would have to our current company Azure AD and whether it would have access and/or impact on the features we have in our Azure AD (e.g. O365/Sharepoint/etc).
Or is it recommended just to use groups in Azure AD to separate the internal and external users?
is it recommended just to use groups in Azure AD to separate the
internal and external users?
I think this is the best way to manage your users and partner users.
If you add partner users to another Azure AD, they will not access your default Azure AD resources and app.
Different Azure AD have different resource groups and APP.
Our company is considering using AAD B2C as the backing store for our SaaS user accounts. Our plan is use Resource Manager templates to deploy the Azure infrastructure (web, storage, sql, etc) for each client. AAD B2C will be part of that if this works out, but as of now there doesn't appear to be a way to include AAD B2C in resource manager templates.
My view of the intent of the B2C product is that it serves as a replacement for the auth and user store components of an app, and should therefore be considered infrastructure. Right now the hierarchy between AAD and resource groups in the new azure portal doesn't reflect that - resource groups (and their resources) appear 'under' an identity in an AAD account. But why is that? Is an AAD a parent to a resource group? I'm trying to understand how the two fit together.
If AAD B2C is really intended to serve this purpose when it leaves preview, it will need to support automation. After a quick search I can't even find code samples to provision a new directory, let alone do so using Resource Manager templates.
Am I looking at this all wrong?
Currently there is no way to automate the creation of an AAD B2C tenant like there is also no way to automate the creation of an AAD tenant.
After you created a tenant you can access it programmatically via the Graph API. You can read more about this in the documentation: https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-devquickstarts-graph-dotnet/.
The first paragraph of this documentation mentions the following:
Azure Active Directory (Azure AD) B2C tenants tend to be very large. This means that many common tenant management tasks need to be performed programmatically. A primary example is user management. You might need to migrate an existing user store to a B2C tenant. You may want to host user registration on your own page and create user accounts in Azure AD behind the scenes. These types of tasks require the ability to create, read, update, and delete user accounts. You can do these tasks by using the Azure AD Graph API.
Caution: at the point of writing this is still in preview so the API can change any time and you have no SLA.
For the latest status about which Azure services support ARM you can read this page: https://azure.microsoft.com/en-us/documentation/articles/resource-manager-supported-services/