When you create a B2C tenant and prompted to provide a temporary .onmicrosoft.com domain, the tooltip says that this can be changed later on to a domain our organization currently uses.
How do we go about accomplishing this and changing the domain?
Thanks!
Please refer to Add your custom domain to Azure AD.
After the custom domain is added, you may add a local account with it.
As per the FAQ:
"Can I use my own URLs on my sign-up and sign-in pages that are served by Azure AD B2C? For instance, can I change the URL from contoso.b2clogin.com to login.contoso.com?
Not currently. This feature is on our roadmap. Verifying your domain in the Domains tab in the Azure portal does not accomplish this goal. However, with b2clogin.com, we offer a neutral top-level domain, and thus the external appearance can be implemented without the mention of Microsoft".
Related
we currently work on site that uses Azure B2C authentication for "normal" public users. The site has an admin backend that need "admin" users login. How do you do that? In azure B2C we can't have groups to identify which is an Admin. Can I use custom attributes like Admin-Boolean and set it to true in the Azure users portal? It is secure enough?
Unfortunately there is no easy solution here IMO.
Yes, you can use custom attributes to solve this problem.
You can set those custom attribute(s) via the Azure AD Graph API.
Then in your app you have to check those custom attribute(s).
The first problem with that solution is there has to be an account created to set those claims on. Depending upon your app this could be an inconvenience or pain point.
You can also set those attribute(s) on sign-up but that requires custom policies which is a whole nother animal IMO
I have a subscription to Office 365 Azure AD, I have developed a MVC application to authenticate by Owin OAuth2.
In such subscription I have 3 custom domain names, I have customized the login page in the configuration option brand, but this changes me for all domains registered in my subscription, implementing a federated server for each domain registered my subscription could customize the login page of each unmodified my development?
Azure AD branding is configured on tenant-level so AFAIK you can't have different branding for the custom domains. You would need to make a separate tenant for them. You can set different branding for different cultures but that does not really help with this.
This is a really good AAD requirement though!
vote it here
meanwhile, you'll have two options
Create a generic branding with logos from all 3 domains (probably not acceptable)
Use ADFS and federate diferent domains to different claims using the SupportMultipleDomain switch. Help here and here
As mentioned by #evertonmc and #junnas this is tenant level. However, as you suggested, implementing a federated server for each domain would work - But in this case, the customization should be at ADFS level (if ADFS is the IDP) or it depends up on the IDP providers which you would use.
Microsoft Recently added the new "sign-up or sign-in" policy to Azure AD B2C.
https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-reference-policies/#create-a-sign-up-or-sign-in-policy
By default when we direct a user to that page it shows the sign-in workflow.
Sometimes I may want to take a user directly to the sign-up workflow instead.
I don't want to configure two policies (i.e. upload the same banners, templates, backgrounds, redirects, special messages etc) when the content is going to be exactly the same for both.
Is it possible to pass a parameter (or some otherworldly trickery) so that it shows the "sign-up" workflow instead?
Currently there isn't a query parameter or policy setting that will take the user straight to the local account sign-up pages in a SignUporSignIn policy. Today you would need a separate sign-up policy to direct them directly to sign up.
You can use hello.js for Azure B2C with some customization in initialization, which is build for external authentication of google facebook etc. You can also look into the sample from microsoft which works !! Azure B2C
I am currently developing a WebApi 2 service which is hosted in Azure. I now need to add Authentication and ideally Authorization to this service. I was expecting to be able to do this with Azure Active Directory but have a number of questions
Will my users have to login via the standard Azure sign in portal?
Will my users be forced to use specific email domains (ie microsoft) when creating an account?
Will I be able to programatically add a user into the directory along with Authorization info (aka rights management)?
Will I programatically be able to modify a users details such as forgotton password etc
Sorry for the general question, but I am stuck trying to find out if I am looking at the right technology to be able to meet these requirements. If not, would really appreciate any suggestions on what to use instead.
Will my users have to login via the standard Azure sign in portal?
Yes, but the branding of the portal can be changed in the basic and premium editions of Azure AD.
Will my users be forced to use specific email domains (ie microsoft) when creating an account?
No, you can register your own domain and associate it with a directory. Or you can sync on-premise accounts to an Azure AD directory and use those email addresses.
Will I be able to programatically add a user into the directory along with Authorization info (aka rights management)?
Yes, using the Graph API you can create and manage users. You can also assign them roles or make them part of a security group.
Will I programatically be able to modify a users details such as forgotton password etc
Yes, using the Graph API.
I am trying to do SSO using Azure AD. I have setup my application on azure AD but on domains tab under my domain name, in field Single Sign on i get value as Not Available. How can I make it available ?
You need to prepare your AAD for SSOor for o365 apps. Check this KB on how to prepare, setup and troubleshoot AAD SSO issues: https://support.microsoft.com/en-us/kb/2530569
Hope this helps.
Yes. Generally we need to setup SSO for a domain to see the status for "Single Sign-On).
See my page. For me it shows "Configured" (Because I have ADFS SSO setup) and Not planned (for Managed Domains).
For onmicrosoft.com domains, it will show "Not Available" and it is by Design logically since onmicrosoft.com is provided to you by Microsoft and we cannot do any type of SSO with that domain.