I'm trying to create a custom attribute on Azure AD B2C. I'm following this guide, but when I'm in the Azure AD B2C screen I can't see the User attributes option on the sidebar; it pops up while the page loads, but then quickly goes away.
This is just a development site I've got, and I believe I've got all permissions, what am I missing here?
Link your directory to a subscription
https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-tenant#create-an-azure-ad-b2c-tenant
I'm following the B2C directions here to secure my API, however the Azure B2C portal doesn't expose this feature fully. Instead it only allows for Admin consent, not user consent.
[Image: portal screenshot missing the end-user consent prompts]
Is this feature fully supported?
Why would there be an admin scope and not an end user scope?
What scenarios is this custom permission expected to be used within, and am I trying to do something unexpected with B2C?
If you are configuring this sample with your Azure AD B2C, you should follow this README file rather than the B2C directions here.
The link you are following is not for Azure AD B2C. It should be for Azure AD.
I'm not sure why it's put into this path. Have opened an issue here.
Based on Add a web API application to your Azure Active Directory B2C tenant, user consent is not mentioned. I think it's not supported currently.
A few days ago, before implementing user management with the Azure Active Directory Graph API (not Microsoft Graph) in our web app for Azure AD B2C users, I was able to log into the Azure Portal, find the Azure Active Directory B2C resource, click on it, and successfully authenticate into it in order to edit policies, view the list of users, etc.
(Clicking the tenant in the screenshot used to work!)
Now when I click on it, the screen flashes about 10 times, attempting to log my user into the tenant. But afterward, the following error is returned:
Furthermore, when I attempt to log into the web app with that same user, I get the following error message:
ERROR: Your account has been locked. Contact your support person to unlock it, then try again.
How do I unlock the account if I can't even get into the Azure AD B2C tenant? Did I corrupt the tenant by using the AAD Graph Client?
UPDATE
I'm adding more information about how I'm using the Azure AD Graph Client, in case it is important to diagnose why neither I nor any other admin on my team can log into the AAD B2C tenant.
I think the most relevant piece of how I'm using the Azure AD Graph Client is the following to update a user's "Organization" extension/custom attribute:
The x's represent the AAD B2C generated identifier associated with the extension and the y's represent a user GUID.
HTTP PATCH to https://graph.windows.net/genlogin.onmicrosoft.com/users/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy?api-version=1.6
Body:
{
  "extension_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx_Organization": "Microsoft"
}
Is this incorrect use of the graph client? How do I get the AAD B2C tenant back to a state where I can log into it?
UPDATE
Furthermore, I also found the following link which talks about existing issues in AAD B2C management: https://blogs.msdn.microsoft.com/azureadb2c/2016/09/09/known-issue-b2c-app-mgmt/
Does this link apply at all? (My guess is no because it is the tenant itself that seems to be in a weird state, not the application associated with the tenant)
Since the screen flashes about 10 times, it seems that you tried to log into Azure too many times within a short time. The Azure login server has its own policy to prevent this kind of uncommon login event.
Try to use another admin account to log into the B2C tenant and reset your account password. If you don't have one, ask other admins to help you.
Otherwise, you need to wait and try to log in later.
Additionally, your client browser may have come across some issue which causes this event. You'd better check the environment for your work.
I would like to change the Azure AD B2C default sign-in picture using the steps listed in this Stack Overflow answer.
However, when I log into the Azure Portal and find my instance of Azure AD B2C, and click into it, I see the following lefthand sidebar, which doesn't include the "Users and Groups" tab under the "Manage" section, but only includes the "Users" tab (which, if clicking into it, doesn't have "Company Branding" tab inside).
How can I find the "Company Branding" tab? Do I have to upgrade my subscription or something to have access to it?
(Also, one difference I noticed between the screenshots in the SO answer linked above and the screenshot I provided is that the link's Azure AD B2C instance name is spottedmahnb2c.onmicrosoft.com; the name of my instance is login.mydomain.com. Potentially this points to the difference.)
UPDATE
It seems that there is no "Basic" vs "Premium" subscription for Azure AD B2C. However, I am adding a bit more information.
This is the link that describes how to modify the login UI for AADB2C. However, when clicking on the "Company Branding" link, it takes me to an AAD page. Does that mean in order to customize the login UI for AADB2C, I have to visit AAD's "Company Branding" page?
In an Azure AD B2C tenant, you have access to two (2) different menus for tenant admin.
Azure AD B2C
Azure Active Directory
The second one has the access to Users and Groups and Company Branding.
In portal.azure.com, upper right, within the context of your B2C tenant, select All services, then search for "b2c" or for "Active Directory" to find and select the menu blade.
The "Company Branding" option is useful ONLY for the b2c sign-in journey/policy. All other policy types are customized following this guide: Azure Active Directory B2C: Customize the Azure AD B2C user interface (UI).
From within your B2C Tenant
Go to Azure Active Directory
Select Company Branding -> Edit
Note: The company branding link was under B2C -> All users previously. Reference.
Missing for me too. Must be an issue in Azure. Azure Support on Twitter could probably help.
I've been following this guide to get a B2C AD up and running
Create the B2C directory in the old portal (http://manage.windowsazure.com) ensuring "This is a B2C Directory" is checked.
Register an application in the new portal (http://portal.azure.com) under the B2C blade
Create the sign in policy.
When I try and test the sign in policy with the "Run now" and try and log in with my local account (the same one which has created the B2C AD -- the global administrator for this new AD) all I am met with is "We don't recognize this user ID or password".
What have I missed here?
I am able to reproduce this issue too. If you want to manage the users for the Azure B2C tenant, you can log into the classic Azure Portal from here. However, currently there are a couple of known issues with user management (the Users tab) on the Azure classic portal:
Refer here for Azure Active Directory B2C: Limitations and restrictions.
And if you want Azure AD to enable login with the default global admin account, you can submit feedback from here.
I’m trying to create a single Sign-Up or Sign-In policy but I get the following error message:
There was an error while creating the policy ‘An object was not found while retrieving extension properties in tenant “73a55309-…”. Error returned was 404/Request_ResourceNotFound: Resource ‘7c7ab660-…’ does not exist or one of its queried reference-property objects are not present.’
Despite this error my policy has been created but I think it’s not working correctly because I’m trying to sign up on the default page and after this action I see blank page with ‘Bad Request’.
EDIT 1: I made all the steps on the basis of https://cgillum.tech/2016/05/27/app-service-auth-and-azure-ad-b2c/
EDIT 2: On the MSDN forum they suggest I delete my 'b2c-extensions-app' but I don't know what it is and where I can find it. I've checked it in Azure classic portal -> Active Directory -> My AAD B2C -> Applications my company owns: there is only my 'test' application.
SOLUTION: They are right on the MSDN forum. I've created a new AAD B2C and 'b2c-extensions-app' has been created automatically. After that I have no problems with creation of policy.
As you have already indicated, if you are seeing the error
"An object was not found while retrieving extension properties in tenant "
while performing any operation in Azure AD B2C, that indicates that the b2c-extensions app has been deleted.
It might be possible for you to restore the applications by leveraging Azure AD Graph's /deletedApplications endpoint. See this other post for more info: How to add b2c-extensions-app in Azure AD B2C
Alternatively, as per your approach, you can create a brand new Azure AD B2C tenant which will have this application and just be careful not to delete the b2c-extensions application again.