In my project, this a fundamental part of project. Windows Hello for Bussiness and MS Authenticator is secure and easily to use, the goal here is enable this in Azure B2C SUSI to increment safety and provide a fast way to SignIn for user.
The point is, has a way to do that in B2C? Replace normal password to a paswordless way authentiation
There is a possibility to achieve Multi factor authentication using Authenticator app. It is documented and a sample is provider here: Azure AD B2C: TOTP multi-factor authentication
With Azure Active Directory (Azure AD) B2C, you can integrate TOTP-based Multi-Factor Authentication so that you can add a second layer of security to sign-up and sign-in experiences in your consumer-facing applications. This requires using custom policy and custom REST API endpoint. If you already created sign-up and sign-in policies, you can still enable Multi-Factor Authentication.
Below is the user auth flow using TOTP:
At this time, MS does not support primary Auth using Authenticator for B2C. You can request this via the Azure AD B2C forum in feedback.azure.com
SMS and Phone verification are the options available as of now.
Related
How to login with MFA to a AZURE AD B2C App using the login url(URL given below) provided by microsoft?
Do we have any URL to validate users login with MFA Azure AD B2C?
https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token
That URL is only part of the flow.
The whole flow is here.
The easiest way to achieve this is to use one of the MSAL libraries.
MFA is not part of the OpenID Connect flow.
You have to add it.
We're considering to use Azure AD B2B OR B2C for SSO service. We will not be using Azure B2B built-in SSO login page OR B2C custom-policies based login page. We've our own custom login JSP page that we plan to use MSAL Graph APIs for calling Azure AD authentication services.
Questions:
Is this MSAL APIs applicable to B2C only, or can we use this with B2B tenant application as well? All the documents and guidance that I can take as an example uses B2C tenant app only.
If I am using MSAL OAuth 2.0 authentication services for my custom login page, I assume we don't need to rely on SAML SSO configuration. Or would it be possible to use mix of these services (i.e. SAML for basic login authentication, MSAL OAuth2.0 calls for self service account registration)?
I appreciate if anyone can shed some light on this.
Thanks.
B2B and B2C serve two different purposes. B2B is meant for you to use to invite external federated users to your directory using their own credentials whereby you can assign them access directly to your resources. On the other hand, B2C is a separate directory where you allow users to register, optionally using their own credentials from federated providers as well. If your aim is to SSO to a local AzureAD protected resource, then clearly you're going to have to tell that resource to use the B2C directory as an IdP as well. Hence, B2B is much simpler for SSO, but a big differentiator is scale. If you plan to invite a massive number of users, then this it is not a good idea to user B2B.
MSAL uses standard protocols such as OAuth 2.0 and OIDC to authenticate directly to any supported IdP, including Azure AD or Azure AD B2C. Being a guest user or not has no bearing on that process. It is also important to mention that B2C does require either a User Flow or a Custom Policy to function.
So to answer your questions to the best of my ability:
1- MSAL libraries work similarly for both Azure AD and Azure AD B2C. There may be some configuration differences in case of B2C to supply additional information regarding the policy name, etc. But they work all the same.
2- MSAL itself does not support SAML authentication. For that you'll need a library which can perform SAML authentication. While Azure AD supports SAML natively, Azure AD B2C requires you to setup a custom policy to configure SAML authentication.
Is it possible to combine Azure ad b2c and Azure MFA so users can use push notifications and TOTP codes in the MS authenticator app? If so how?
Apart of enabling MFA that uses SMS and voice calls which is supported and doesn't require any additional development, you can integrate TOTP-based Multi-Factor Authentication with Azure AD B2C.
This involves an additional development:
Custom policy to support TOTP flow.
Simple web-client (for presenting a page with QR code and reading user's input).
Two custom REST API endpoints (for generating secret key, QR code and validating TOTP code).
Sign-in flow with TOTP MFA:
For more details, please refer to Microsoft Azure AD B2C: TOTP multi-factor authentication sample implementation Github project.
Azure AD B2C supports MFA out of the box using voice calls and SMS.
Authenticator or TOTP is not currently supported but in the backlog.
I did not try AD B2C, but technically it seems possible refer to the links.
- https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks
- https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods#microsoft-authenticator-app
If you properly setup Azure AD B2C, you can add new account in Microsoft Authenticator App > Add account > (your AD url and code).
I’ve used AD with MS Authenticator App in my company and it worked well. So, Azure AD B2C could provide it also.
AD FS is configured with custom policies as a claims provider on Azure AD B2C using WS-Federation and SAML. The relying party on Azure AD B2C is using OpenID Connect.
Is it possible to do front-channel single logout initiated through OpenID Connect?
OpenID Connect Front-Channel Logout 1.0 - draft 02: http://openid.net/specs/openid-connect-frontchannel-1_0-ID1.html
Single logout is initiated from the relying party using OpenID Connect and continued through Azure AD B2C using WS-Federation and reaching the AD FS. Thereby terminating the session in both the relying party, Azure AD B2C and AD FS.
If so, how is that configured in Azure AD B2C with custom policies?
Azure AD B2C does not support signing you out from the external identity provider, be it Facebook, Google or a custom OIDC/SAML/WS-Fed identity provider. It only signs you out from Azure AD B2C.
That practice is highly discouraged as it's quite invasive on the end user and risks discouraging the user from doing SSO, rather opting for local accounts.
For example, if the user signed in using Facebook and then signs out of your application, they'll probably be very annoyed by the fact that they've also been signed out of Facebook and after enough times of this happening, might give up on SSO using Facebook and just create a local account that doesn't messes up their experiences elsewhere. A similar case could be made for business customers that, by signing out of your app, also get signed out of all of their other business apps.
All that said, you can still request support for this via the Azure AD B2C feedback forum.
I successfully implemented Azure Active Directory for user management/authentication/login in a web app, following this example:
Azure Sample AAD with Flask
I decided to try Azure Active Directory B2C because of its integration for the various social apps. However, I could not get the flask app to work using OAuth 2.0, since Azure AD B2C does not seem to be compatible with OAuth 2.0. I found some documentation that states Azure AD B2C requires Open ID Connect.
Could you please confirm whether Azure Active Directory B2C requires Open ID Connect, or whether it works with OAuth 2.0 as well?
Thanks
It is worth to not that Azure Active Directory B2C (AAD B2C) supports both OpenID Connect and OAuth 2.0 in that it uses these two protocols to exchange information and secure tokens. However, AAD B2C "extends" these protocols by introducing Policies to handle the user experience for Sign-up, Sign-in and general account management.
What does this mean? First of, it means that you cannot create your own sign-up/sign-in experience, you are restricted to redirecting the user to the right policy (which you to some extent can customize). You cannot create your own sign-up/-in UI for this and you are restricted to styling/branding the provided web-based UI for this.
So in order to Authenticate using AAD B2C you could follow this guide, it should be easy enough to adapt to Python. You simply redirect the user to the /authorize endpoint of the AAD B2C and then validate the JWT you receive
Azure AD B2C supports both OpenID Connect and OAuth 2.0 as noted in the official reference protocols documentation.
To be able to sign-in users with Azure AD B2C using OAuth 2.0 and Flask, you'll need to adapt the sample to follow the OAuth 2.0 approach used in this sample: An Android application with Azure AD B2C using OAuth. Key things you'll need to adapt:
You'll need to specify the B2C authorization and token endpoints: https://login.microsoftonline.com/tfp/TENANT_NAME/POLICY_NAME/oauth2/v2.0/authorize. Example from Android sample
You'll need to add your application/client ID as a scope. Example from Android sample
You won't be able to call the Graph's /me endpoint for token validation and to get user details. You'll need to validate the token and extract the claims from it yourself (ideally through a good JWT open source library since this isn't trivial, unfortunately I don't know any that I can recommend at this time).
EDIT
I've created a python sample for Azure AD B2C and used python-jose for token validation and claim retrieval. Check it out.
Based on the documentation here, Azure AD B2C supports both OpenID Connect and OAuth 2.0 protocols.
Azure Active Directory (Azure AD) B2C provides identity as a service
for your apps by supporting two industry standard protocols: OpenID
Connect and OAuth 2.0. The service is standards-compliant, but any two
implementations of these protocols can have subtle differences.