I'm doing a project where we want to centralize all the user's registration in our main website using Azure AD B2C.
In our internal web application we would like to choose which Application the user who have just signed up using B2C he/she could access. For example I could give permission to a user to access an Application A but not to access the Application B, so when he/she sign-in in this application A with B2C, he/she would successfully login, but in application B he/she would not be able.
In the previous project I did with Azure AD B2C, the users who have registered in one of my application could access all my other applications.
But in this case I don't want this, I would like to choose which applications a specific user could access.
Do you know if it is possible to do with Azure AD B2C?
Thank you very much in advance.
It is doable in Azure AD B2C. You are basically looking for authorization.
Please see below answer
Authentication vs Authorization?
Related
I have a Web API that is registered in an Azure AD B2C directory, secured by tokens from that same directory. To do that I have created an Application and created a scope.
I have a 3rd party that would also like to use this AD for their audience, who will access some of my API on behalf of the guest.
I wanted to create a new scope for this purpose and have the AD prompt the guest to allow the application to access their data on their behalf.
For some reason, when I create a scope I am only given the option of "Admin Consent". The "User Consent" fields that are shown in so many blog posts and instructions are not showing for me.
I have tried to register the 3rd Party Applications and API Applications in both the B2C blades and the AAD blades of the Azure Portal but the result is always the same.
Is there a Property or setting somewhere that needs to be ticked in order to enable User Authorized scopes?
There’s no such thing as OAuth2.0 consent in AAD B2C, only Admin consent is offered, as it’s aimed for your first party apps.
The user consent screens you’re seeing online are in regards to Azure AD, not AAD B2C.
For service partner integration, you can follow this example to create such a consent. https://github.com/azure-ad-b2c/samples/blob/master/policies/service-consent
I have an ASP.Net core web application and integrated authentication using the Azure AD B2C Tenant/Application. I'm able to authenticate and get the user claims in my web application.
But what I additionally want is to allow only certain customer users access the web application. I want to do this at the B2C Tenant itself. Right now any B2C customer user can sign in. Any help, ideas, insight will be appreciated.
You may know there is an Manage user assignment for an app feature in Azure Active Directory. But it's not available in Azure B2C.
Currently the recommended way to control the access in Azure B2C is defining custom attributes and check the claims in token.
If the expected claim is included, you allow the user to continue.
Log into Azure B2C
Click Users
Select a user
Click Applications
I created users in my B2C tenant by logging into my website using various OAuth identity providers. So for any user selected using the above steps I expect to see at least one application listed - that being the one the user signed into when their user record was created in Azure.
When I perform the above steps I only see applications listed under my own user name. I created all the users I see in my tenant so I know there should be apps listed with each user name.
More formally stated my questions are:
Given an Azure AD Application, how do I get a list of users that are authorized to log into that app?
Given an Azure AD User, how do I get a list of applications that user is authorized to log into?
I would like to accomplish the above tasks using Azure portal - I don't want to write script. Also, my purpose in asking these questions is to be able to delete or disable users as needed.
Azure AD B2C does not hold a mapping of Users who signed into an App to a specific Application Registration. By default, all users are authorized to sign into your apps if you have OAuth IdPs configured against the AAD B2C policy that allows authentication to your App.
You can use the AAD B2C Sign In logs to see which users have been logging into what applications.
Assigning or not assigning Users to Apps in the Azure Portal does not enforce any authorization, this is an Azure AD only concept and doesnt apply to Azure AD B2C.
The process you followed(Users->select user->application) will only be able to see the applications listed under your tenant.
In the same manner when you choose an application and select the users/Groups you will only be able to see the users who have accessed your application.
Based on application/user->application you can remove the access from that application.
Regarding the
Given an Azure AD Application, how do I get a list of users that are
authorized to log into that app?
Given an Azure AD User, how do I get a list of applications that user
is authorized to log into?
The list of users/application authorized details are completely depend on the application consent flow.
Application developers can dictate what types of permissions are being requested and if they want to guide users through the user consent flow or the admin consent flow. If the application is provided with user consent flow based on the consent acceptance any user can access that particular application.
Admin consent flow is when an application developer directs users to the admin consent endpoint with the intent to record consent for the entire tenant. Application access grant to the requested data on behalf of the entire tenant.
For more details on the consent and permission please go through the document
I have what seems on the face of it a simple requirement when using Azure AD B2C. I have two applications (App A and App B) registered in Azure AD B2C. I want to restrict access so that User 1 can access both App A and App B, but User 2 should only be able to access App A.
I can register appRoleAssignments and assign them to a user via the Azure AD Graph API with a zero id as per this question When a user logs in, I can then query these and restrict access myself, but it feels like I'm reinventing the wheel and this should be provided by B2C.
Is this something Azure AD B2C is able to provide out of the box?
Azure AD B2C does not currently have first class support for application assignments.
As you've indicated, you'll need to implement this yourself.
You can request this feature in the Azure AD B2C Feedback Forum
I think the way you are doing it is the correct way, eventually Azure B2C will support role and group claims and this extra step wont be needed.
We are designing an application which will be used by client's employee, some of their vendors and consumers as well. All of these three types of user will have the different set of rights.
We were analyzing the Azure AD and found that Azure B2B can be used for employees and vendors whereas B2C can be used for consumers. So, we need both of them. Can we setup our application in such a way that if can authenticate from B2B and B2C both? Or any other suggestion to implement this.
Thanks In Advance
You can totally setup an app to authenticate with multiple directories.
Setup one Azure AD that will be used by employees, where partners can be added through B2B. Then also setup a B2C directory for the customers.
On your app side you need to display a choice for the user: if they want to sign in as an employee/partner or as a customer. Then you redirect to the correct sign-in page.
You'll need to define the app twice, once in both directories.
The actual implementation will vary based on your tech stack, but in ASP.NET Core you would need to setup multiple Open ID Connect middleware. And none of them can use AutomaticChallenge, as you do need to know where to redirect the user, you can't really choose for them.
Update to B2C allows you to do it all from there now
Azure AD B2C now allows custom policies (preview feature). This means you can use any OpenId Connect provider for sign-in, including Azure AD of course.
This new feature allows you to:
Create a B2C tenant with custom policy for employee/partner login through Azure AD
Send all users to authenticate with your B2C tenant
Users can choose if they want to sign in with social accounts or if they are an employee or partner
If they choose to sign in as employee or partner, they would be redirected to your Azure AD
In the end your app gets a token from B2C telling where the user signed in, so you can then do authorizations based on that info