Azure AD B2C Application not available when signInAudience = AzureADMyOrg or AzureADMultipleOrgs - azure

I'm new to Azure AD B2C so I'm not fully certain of its capabilities. Either way, I'm trying to limit the access to one of my registered applications to users from the same AD B2C tenant (single-tenant scenario). The only way I was able to do this was through the App registrations (Preview), the Legacy Application registration doesn't seem to support this.
Once I set the single-tenant option, the application starts to appear under the Owned Applications tab on the App registrations (Preview) blade but I cannot make use of it. Whenever I try to run a default or custom flow I get this error:
The provided application with ID 'XXXXXX-XXX-XXXX-XXXX-XXXXXX' is not valid against this service. Please use an application created via the B2C portal and try again.
I also tried to set the multi-tenant scenario (AzureADMultipleOrgs) but I still get the same error. The only way I can make this work is by using the AzureADandPersonalMicrosoftAccount which leaves the app open to everyone and that's not what I need.
Am I missing an extra configuration or is this still not supported?
Thanks!

You need to use the B2C-specific Application Registration option for it to be compatible with Azure AD B2C User Flows or Custom Policies. If you then need to further restrict the user base who should be able to log in to the application, then you would need to implement some RBAC; see this sample: https://github.com/azure-ad-b2c/samples/tree/master/policies/relying-party-rbac
In AAD B2C, Application Role assignment and Application Assignment are not honored; these are Azure AD concepts that are not respected by Azure AD B2C auth policies.

Related

Azure AD B2C Authentication - Restrict to only certain customer users

I have an ASP.Net core web application and integrated authentication using the Azure AD B2C Tenant/Application. I'm able to authenticate and get the user claims in my web application.
But what I additionally want is to allow only certain customer users access the web application. I want to do this at the B2C Tenant itself. Right now any B2C customer user can sign in. Any help, ideas, insight will be appreciated.
You may know there is a "Manage user assignment for an app" feature in Azure Active Directory. But it's not available in Azure B2C.
Currently the recommended way to control access in Azure B2C is defining custom attributes and checking the claims in the token.
If the expected claim is included, you allow the user to continue.

What is the Distinction Between Registered Apps That Can And Cannot Authenticate Using B2C?

Some of the applications registered in my Azure AD B2C directory display this message on their overview page:
You can use this application to authenticate against Azure Active Directory, but not Azure AD B2C
Many others do not.
Since my code will rely on B2C authentication using client ID's from these registrations I need to know whether I can "fix" these application registrations or whether I need to create new ones.
What's the difference between these applications? Is it the way in which they were created, or is it setting(s) that can be adjusted to permit B2C authentication?
Clicking on the message itself only links to the Azure B2C overview page, which is not very specific help.
To test the concept, I'm using msal 1.1.3 and a simple client side configuration. But as this message appears on the azure portal dashboard I don't think that's at issue:
const msalConfig = {
    auth: {
        clientId: `${MyClientId}`,
        authority: `${MyAuthorityURL}`,   // the B2C user-flow authority URL
        redirectUri: `${MyRedirect}`,     // MSAL.js 1.x reads "redirectUri"; "redirectURI" is silently ignored
        validateAuthority: false          // B2C authorities are not in MSAL's Azure AD authority list
    },
    cache: {
        cacheLocation: "localStorage",
        storeAuthStateInCookie: true
    }
};
const msalApplication = new Msal.UserAgentApplication(msalConfig);
B2C does not support Daemons/server-side applications, Web API chains (on-behalf-of flow), or faulted apps (i.e. apps edited on other application portals such as the application registration portal; apps edited via Graph API; or apps edited via Powershell). Was the app ever edited in one of these places? If that is the case you will need to delete and recreate the application. This document describes the kinds of apps supported and not supported within B2C.
Also, of course, make sure that the application is registered in B2C and not just in the regular AAD. https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications?tabs=applications
Since the message in the screenshot does not appear to be documented I have reached out to the product team to ask for a more detailed explanation of that message and its context. I will update this thread as soon as I have that.
Since my code will rely on B2C authentication using client ID's from these registrations I need to know whether I can "fix" these application registrations or whether I need to create new ones.
You need to create new applications under Azure AD B2C.
If you created the application under Azure Active Directory and open it under Azure AD B2C, you will see that warning.
What's the difference between these applications? Is it the way in which they were created, or is it setting(s) that can be adjusted to permit B2C authentication?
One is used for Azure AD, and the other one is used for Azure AD B2C. Yes, it is in the way they were created.
I have answered this question here - microsoft graph rest api beta: application created by api in azure ad b2c is not valid
For an application to successfully work in AAD B2C (get a token), it has the following requirements:
It needs to have a service principal
Consent to openid and offline_access scope on Microsoft Graph service principal in the tenant
Azure Active Directory does not have these requirements but Azure Active Directory B2C does.
The reason is that the consent experience cannot be shown to the end user in Azure Active Directory B2C, while in Azure Active Directory it is shown to the user.

Azure AD B2C issues referencing another AD App: Select API drop down is always empty

I'm using this sample as a starting point: https://github.com/Azure-Samples/active-directory-b2c-javascript-msal-singlepageapp/
But instead of calling an existing API I'm trying to call graph.
The actual issue I'm running into is that when I go to reference any API/APP in my B2C app there are no options under 'Select API'
What I am trying to reference is an AD App I created that has access to Graph.
I tried a number of the suggestions listed here: Azure AD Application not appearing in existing AD App list for an Azure web application
Including adding myself as the owner of the AD App, but I can't make it appear in AD B2C.
I've also tried signing in and out and I've tried a couple of different browsers just in case.
My B2C tenant isn't linked to a subscription so that could be the issue but I'm not sure why since both my AD B2C and my AD App live in the same tenant.
Access can only be granted from one Azure AD B2C-registered application, i.e. the client application, to another Azure AD B2C-registered application, i.e. the resource application.
The Graph API is not an Azure AD B2C-registered application.
Alternatively, you'll either have to implement a backend for the frontend, where it's the backend application that integrates with the Graph API or implement a custom policy that interacts with it.
If you want to call the Graph API, you need to register an application in the Azure AD tenant. And Azure B2C cannot find the application which has Graph API permissions, because it is not in your B2C tenant. Regarding how to call the Graph API, please refer to https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet

How to configure SSO for Azure AD B2C?

As per Azure AD B2C documentation we can configure SSO for Azure AD B2C application. We want our user to do self-registration for the application thus opted for AD B2C.
However, after creating the B2C tenant account and configuring all the policies, I am unable to find the option to configure SSO. Since after 30th Nov 2017 Active Directory will only be available in the new portal, kindly provide a reference w.r.t. the new portal. Any help will be appreciated.
Thanks in advance.
SSO integration in Active Directory is totally different from SSO integration in an application through AD B2C. It took some time for me to verify all the links and steps. Hope this will help others.
Below are the steps to configure SSO in AD B2C. Create AD B2C and configure all the policies.
Once you have configured all your policies go to the All policies node; it will list all the present policies in your application. Then click on the sign-in policy. Alternatively you can directly click on the sign-in policy.
Once you click the EDIT option, you will see the option for 'Token, session and single sign-on configuration'. Configure those and you are done to use SSO.
For more details about the token, session and sso config please refer here
Create a couple of applications to verify that SSO is working fine.
Happy Coding.
As the document in your question said, if you have multiple applications and policies in your B2C tenant, you can manage user interactions across them using the Single sign-on configuration property. You can also add external identity providers like Google, Facebook, etc.
If you want to know how it works and how to configure SSO in Azure AD B2C, you can refer to this document.
Also, if you want to configure SSO for applications in your B2C tenant (the Directory):
Go to Azure portal > Enterprise applications > Add a non-gallery application, or an application from the gallery.
After adding apps in Enterprise applications, you can select your app and enable SSO for it.
Hope this helps!
Update
Adding custom applications requires Azure AD Premium.
You can also activate Azure Active Directory Premium free for one month.
Now, you can add your own custom applications in Enterprise Applications and then configure SSO for it:

Using policies with azure app registrations vs using policies with azure b2c applications

I am using Custom Policies on Azure B2C.
When I want to run the Custom Policy I can choose the application which I want to use with the policy. I saw that I'm not only able to use my applications from Azure B2C, I can use the applications from the App Registration section.
What are the differences? I've been able to sign up and sign in users with both types of applications.
Thanks in advance!
The two sets of apps are completely independent of each other.
You should not be able to see any of the Azure AD B2C apps in the Application Registration in Azure Active Directory. Also, the apps in the Application Registration should not be visible in B2C.
In your issue, I assume that you have added two apps in the two places.
What are the differences?
Application in Azure AD B2C: To build an application that accepts consumer sign-up and sign-in, you first need to register the application with an Azure Active Directory B2C tenant.
Application Registration in Azure AD: This creates an Application ID for the application, and enables it to receive tokens. In order to get a client ID and secret from Azure, you have to register the app and provide some basic information about it, including what resources your app wants to access, and what permissions it needs.
Depending on your scenario, you could register an application in both portals, and use the right one depending on the request you need to make.
The apps that are registered through each different location (Azure Active AD versus Azure AD B2C) are given credentials that are valid for any policy, including custom policies you have uploaded.
The end result is the same: you have an application that is registered with and can access the policy regardless of how that app/policy was created.
