Does anyone know if Azure B2C works with SharePoint 2016 on-premises? The SharePoint environment in question is for external users, not internal users. The objective is to move away from SQL Forms Based Authentication (FBA) to Azure.
As per this article below, in combination with Claims Provider, it is easy to configure:
https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/sharepoint-on-premises-tutorial
However, Microsoft's B2C FAQ says that:
"Azure AD B2C is not meant for the SharePoint external partner-sharing scenario; see Azure AD B2B instead". But Azure B2B is out of scope.
Azure AD B2C is not meant for the SharePoint external partner-sharing scenario. Please raise the new user voice or vote for similar user voice.
Per the docs, there is no 'out of the box' way to enable Azure AD B2C users to interact with the M365 environment associated with the Azure AD tenant that was used to create the Azure AD B2C tenant.
Azure AD B2C can't be used to authenticate users for Microsoft 365.
Source:
Can I use Azure AD B2C to provide social login (Facebook and Google+) into Microsoft 365?
But I still need to be able to provide this functionality, i.e GET and POST requests to M365 via the Graph API.
To be clear, this is what I have achieved so far:
Azure AD B2C users can login
Azure AD users can login and interact with their own M365 environment via Graph API
(to enable this, I added the Azure AD tenant as an identity provider, per this article)
What I have not yet been able to figure out is:
How can the Azure AD B2C users interact with the M365 environment associated with the Azure AD tenant?
(that created the Azure AD B2C tenant)
To illustrate a use case for this requirement:
Company_A wants to enable external contractors to be able to submit compliance documents to them
They set up Azure AD B2C and create accounts for their external contractors
They set up a Node.js/Express web app on Azure
External contractors can now login to a web app and view forms designed to submit data and attachments
How can those forms send data and attachments to a Document Library in Company_A's M365 environment?
I have been pondering this issue for a while and can't conceptualise a mental or technical model of how this can be achieved.
Google searching related phrases doesn't produce any relevant content.
I am hoping someone will have the knowledge and experience to be able to say:
You will need to follow THIS paradigm which is documented HERE and involves doing THIS
Edit:
I am reading articles like these:
Get access without a user
which talks about scenarios where:
apps that have a signed-in user present may also need to call Microsoft Graph under their own identity
and contemplating adding Application Permissions (as opposed to Delegated Permissions) to my Azure AD B2C application registration.
Just to test the idea, I have added Sites.ReadWrite.All as an Application Permission and granted Admin Consent for that permission. How would I define this scope (Sites.ReadWrite.All) to be associated with the 'home' Azure AD tenant (as opposed to the Azure AD B2C tenant)? I am using msal-node which has a method named getAuthCodeURL() where you pass through the scopes required. I am assuming if I just added Sites.ReadWrite.All it would default to being applied to the Azure AD B2C tenant, rather than the desired Azure AD tenant?
M365 doesn’t exist in an Azure AD B2C tenant, you cannot apply a license for Office there. This simply isn’t possible.
For Graph API, you cannot use B2C issued tokens to call it. You must use underlying AAD Tokens to access it. Your server would need to perform Azure AD client credentials flow against the Azure AD endpoint of your AAD B2C tenant and ask for a token to Graph API. https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow
Microsoft service scopes only apply to the underlying Azure AD endpoints of your AAD B2C tenant. They won’t mean anything at the AAD B2C login endpoints. Hence, the differentiation is made by the endpoint used.
An Azure AD B2C tenant has both endpoints:
AAD: login.microsoftonline.com/tenantId
B2C: b2clogin.com/tenantId
Since an M365 env does not exist for B2C tenants, the MS Graph API is only useful to R/W user data. But, for this, you could just use the B2C user flows to R/W user profile data, and return user profile data in the B2C token, so you don't have to call the MS Graph API. This is actually the intended usage pattern.
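An added example, not code from either poster, of the pattern this answer describes for a Node.js app: the server obtains an app-only Microsoft Graph token with the client credentials grant against the Azure AD endpoint (login.microsoftonline.com/{tenantId}), never against b2clogin.com, and caches it until shortly before expiry. Tenant and client values are placeholders, the Graph upload path form is an assumption, and `fetchImpl` is injectable so the exchange can be exercised offline.

```javascript
// Added example: client credentials grant for an app-only Graph token.
// The Graph scope is only meaningful at the tenant's Azure AD endpoint;
// the B2C endpoint (b2clogin.com) only understands B2C policy scopes.
const GRAPH_SCOPE = "https://graph.microsoft.com/.default";

function aadTokenEndpoint(tenantId) {
  // Placeholder tenantId; the B2C tenant's own AAD endpoint for B2C user
  // data, or the organisation's home tenant for its M365 resources.
  return `https://login.microsoftonline.com/${encodeURIComponent(tenantId)}/oauth2/v2.0/token`;
}

function buildClientCredentialsRequest({ tenantId, clientId, clientSecret }) {
  const body = new URLSearchParams({
    grant_type: "client_credentials",
    client_id: clientId,
    client_secret: clientSecret,
    scope: GRAPH_SCOPE,
  });
  return { url: aadTokenEndpoint(tenantId), body: body.toString() };
}

// Acquire an app-only token and cache it; refresh 60 s before expiry.
// Note: this token carries the app's own permissions (e.g. Sites.ReadWrite.All),
// so the web app must authorise the signed-in B2C user itself before using it.
async function getGraphToken(config, fetchImpl = fetch, cache = {}) {
  const now = Math.floor(Date.now() / 1000);
  if (cache.token && cache.expiresAt - 60 > now) return cache.token;
  const { url, body } = buildClientCredentialsRequest(config);
  const res = await fetchImpl(url, {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body,
  });
  if (!res.ok) throw new Error(`token request failed: HTTP ${res.status}`);
  const json = await res.json();
  cache.token = json.access_token;
  cache.expiresAt = now + Number(json.expires_in);
  return cache.token;
}

// Assumed Graph URL for a small-file upload into a site's default document
// library: PUT /sites/{siteId}/drive/root:/{fileName}:/content
function graphUploadUrl(siteId, fileName) {
  const site = encodeURIComponent(siteId);
  const name = encodeURIComponent(fileName);
  return `https://graph.microsoft.com/v1.0/sites/${site}/drive/root:/${name}:/content`;
}
```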
My Azure web application will have both internal and external users. The requirements regarding authentication are:
Internal users authenticate with their domain accounts (with SSO)
External users authenticate through Azure AD B2C (we need to create accounts for them)
How can I set up such a scenario?
Regards
George
If your internal users are using Azure AD - simple - you add your corporate AAD as Identity provider to your B2C.
There are various ways to do this. So start here.
If your internal users do not have Microsoft 365 (Azure AD), and you only have on-premises AD DS infrastructure - ... move to Cloud, things will be so much easier. If not, you need at least ADFS, then you can hook up ADFS as Identity Provider in your B2C.
There is no way to make Windows Integrated Authentication and Claims Based authentication at the same time for the app.
Our organization uses Azure AD and not Microsoft AD DS.
Does OneLogin integrate with Azure Active Directory as a 'Directory', apart from the traditional on-prem AD DS? Is there any way to use Azure AD as a directory?
There is an Azure AD application in the applications section, can we use it to import users from Azure AD? Seems like it's an SSO app only and does not do user provisioning/syncing!
Out of desperation, I also tried using Azure AD Connect to sync a dummy on-prem AD DS to Azure AD and then sync this dummy AD DS to OneLogin, but this seems like a very hackish way to do it and has its own host of problems.
I'm not able to figure out how to contact support; there is no support email mentioned on the website anywhere.
Not similar to Connecting OneLogin to Azure AD, as I am trying to add Azure AD as a directory and the aforementioned question is about an error in the federation configuration of the Office 365 application in OneLogin.
Any help on this would be immensely appreciated! Thanks in advance!
After a conversation with OneLogin support, here are a few ways to achieve this, paraphrased:
"We are not able to utilise Azure AD as a classic on-premise directory (such as we might use for AD synchronisation using the OneLogin Active Directory Connector) although customers who pay extra to Microsoft and have enabled LDAP are able to use our "LDAP via SSL" option although this does not allow for any customisation.
We do have plans to deliver some expanded directory offering but there is no release date for this and you can register a vote and add use-case notes for this request using our IDEAS channel. On US based systems you can use the IDEAS button available at the bottom right corner of the administration screen otherwise access https://onelogin.ideas.aha.io, select your tenant and then login. Then look at https://onelogin.ideas.aha.io/ideas/IDEAS-I-1488
If you can generate a CSV list of users in AD then you can import users using a CSV file into OneLogin - still a manual process but you may find this less complex than using the on-premise server - see https://onelogin.service-now.com/kb_view.do?sysparm_article=KB0010529
The "Azure AD application in the applications section" is for going in the other direction and is for using SAML 2.0 with OneLogin as an Identity Provider and is used for Microsoft Azure AD tenancies where there is no Office 365 involved but users need access to other apps installed in Azure AD.
The other mechanism being used is to have Azure AD as a Trusted IdP and then also enable Just-In-Time provisioning. This allows the Azure AD users to authenticate to Microsoft and then have a SAML assertion sent into OneLogin and dynamically create all the required fields that the classic directory synchronisation might have allowed (see https://onelogin.service-now.com/kb_view.do?sysparm_article=KB0011181)"
I decided to try Just-In-Time provisioning, will update if any blockers!
I want to get user information, not only from Azure Active Directory, but also from Azure B2C tenant users. I was able to reproduce results for AAD users, but I couldn't find enough resources on how to access B2C users (e.g. gmail.com accounts). I get this error when I swap in my desired clientid/clientsecret (fetched from Azure AD B2C - Application) in this project (https://github.com/microsoftgraph/aspnetcore-connect-sample):
'unsupported_response_type', error_description: 'AADSTS700054: response_type 'id_token' is not enabled for the application.
I couldn't find the recent resources helpful, as a lot of Azure components have changed. I would greatly appreciate your kind guidance!
If I understand your question correctly, you want to be able to programmatically CRUD B2C users.
AAD B2C has documentation for this using AAD Graph (and not Microsoft Graph):
Build user CRUD operations by using the Graph API
As of today, you must use the Azure AD Graph API to manage users in an Azure AD B2C directory. This is different from the Microsoft Graph API. The sample you referred to is not appropriate for managing B2C tenant users.
Before Azure AD B2C and Azure AD B2B came into the picture, I usually added my applications to the Azure AD of our tenancy and Office 365 users could access the applications using their account (SSO).
I am not a guru so I need to see code and read about exact examples to understand the concepts.
Can I use B2C for SSO as I usually used Azure AD? otherwise how/when can I use B2C and B2B?
Thanks and appreciate all kind of advice.
Azure AD is a directory service with the goal of serving organisations and their needs for identity management in the cloud. You develop against Azure AD, you can secure your applications with it - their users in Azure AD tenants can use it.
Your application is targeted for a specific organisation or multiple organisations using Azure AD (Office 365).
Azure AD B2B is just a feature of Azure AD. It allows organisations to grant access to their applications and services for users from other tenants. From your app's perspective nothing changes. It is still the same Azure AD app. Azure AD B2B has an API which can be used to create flows for the invitation of users from another directory, but it does not change your app design, etc.
Azure AD B2C is another service built on the same technology, but not the same in functionality as Azure AD. The Azure AD B2C target is to build a directory for consumer applications where users can register with an e-mail ID or social providers like Google, FB, MSA, known as the Federation Gateway. The goal for Azure AD B2C is to allow organizations to manage a single directory of customer identities shared among all applications, i.e. single sign-on.
Azure AD B2C is not targeted at organisation users but consumers.
03.2021 Update: Microsoft has introduced a new solution which merges B2B and B2C - It is called "External Identities".
What is "External Identity":
It is a mechanism that allows you to have external users, with self-registration for them and control over their process, within your Azure AD (corp) tenants.
Why is it a merge between Azure AD B2C and Azure AD? Those are external users, like in B2C: they can use their own username / e-mail (not a corp domain) and self-register, but within the AAD enterprise tenant. You can also extend authentication flows for External Identities with calls to external systems, similar to AAD B2C.
Let's talk about scenario, application for schools:
Internal users -> Azure AD, covers internal applications, employees etc. in organization. User is in Azure AD
External users, like guest teachers from other school, partners -> Azure AD B2B, guest user in Azure AD
External users, but not associated with any organization, e.g. parents who need access to students' grades in a particular application -> External Identities; they can self-register, they exist within the context of a specific app, and you can call an additional API to check, for example, if they match a record in CRM during registration
External users, open to the internet, e.g. art contest for pupils -> Azure AD B2C. Anyone can register, students, teachers and employees can access it through Azure AD.
Pricing update: There is pricing update which affects Azure AD B2C and External Identities.
First - the price is per monthly active user (MAU). MAU means someone logged on at least once during the billing period (month).
Second - the first 50k users in Azure AD B2C or External Identities are free. So the first 50k users in a month are free and the next are paid, so 60k active users within a month costs something like 16 USD.
Simple:
Azure AD - apps for organisations and their corporate users
Azure AD B2C - apps for customers, like mobile apps, shopping portals etc.
For quick reference I've gathered this in a blog post: https://www.predicagroup.com/blog/azure-ad-b2b-b2c-puzzled-out/
For an update on External Identities and a reference in video format, I've gathered it in this video: https://www.youtube.com/watch?v=E6S1yJKTB7c
Here is the 'official' doc comparing B2B and B2C