Does Azure B2C Require Multi-tenant to access AAD Directory Resources - azure

I'm building a SPA web app and API on MS Azure. The application needs to authenticate users that aren't part of the organization's Azure AD Directory (and shouldn't be). We are using a B2C directory (tied to the same subscription) for this with local users.
We need to store a file in Azure Blob Storage. We set up the container in the organization's AD Tenant. I want the SPA application to retrieve the file directly from Blob Storage. I tried exposing the Blob Storage permissions in the app registrations which are in the B2C Directory, but it won't allow exposing the permission because the Directory doesn't have a subscription (I did register the B2C Tenant with the organization's subscription).
So my question is: do I need to set this up as a multi-tenant situation between the organization's Directory and the B2C Directory? That is, set up an app registration in the organization's directory, make it multi-tenant, and expose the needed Blob Storage permissions? Or is there a better way to do this?

As far as I know, an Azure AD B2C local user account cannot be used to do Azure AD auth and then access Azure Blob, because the email address that you use to create an account with your 'Sign in / Sign up' user policy is just the "SignInName". We can only use it to complete Azure AD B2C authentication. To complete Azure AD authentication, we need to use the "userPrincipalName", but your users cannot get it by themselves. Meanwhile, for security reasons, Microsoft does not recommend that customers provide the "userPrincipalName" to their users.
So if you want to access Azure Blob in your application, I suggest you create a SAS token for the blob or the container you want to access. For more details, please refer to the document.
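One way to implement the answer's suggestion, as an added example that is not part of the original post: the API (which holds the storage account key) validates the B2C user's token and authorizes the request, then mints a read-only, short-lived service SAS scoped to a single blob and hands that URL to the SPA. The string-to-sign layout is the documented one for service SAS versions 2018-11-09 through 2020-10-02; the account name, key and clock are constructed sample values, and `sas_is_valid` is a local re-implementation of the check the storage service performs, included to show what tampering with the URL breaks.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

ACCOUNT_NAME = "contosob2cfiles"                          # constructed sample, not a real account
ACCOUNT_KEY = base64.b64encode(b"\x01" * 64).decode()     # constructed fake key, not a real secret
SAS_VERSION = "2020-10-02"  # string-to-sign layout below is the documented one for 2018-11-09..2020-10-02
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
SAMPLE_NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)  # fixed clock for reproducible output


def _string_to_sign(container, blob, perms, start, expiry, protocol, resource):
    # Documented service-SAS field order; fields this example does not use stay empty.
    fields = [perms, start, expiry,
              f"/blob/{ACCOUNT_NAME}/{container}/{blob}",  # canonicalized resource
              "",            # signed identifier (no stored access policy)
              "",            # signed IP range
              protocol, SAS_VERSION, resource,
              "",            # snapshot time
              "", "", "", "", ""]  # rscc, rscd, rsce, rscl, rsct response-header overrides
    return "\n".join(fields)


def _sign(text):
    mac = hmac.new(base64.b64decode(ACCOUNT_KEY), text.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def mint_read_sas_url(container, blob, now=None, ttl_minutes=10):
    """API side, called only after the B2C token is validated: read-only URL for one blob."""
    now = now or datetime.now(timezone.utc)
    start = (now - timedelta(minutes=5)).strftime(TIME_FMT)  # small clock-skew allowance
    expiry = (now + timedelta(minutes=ttl_minutes)).strftime(TIME_FMT)
    sig = _sign(_string_to_sign(container, blob, "r", start, expiry, "https", "b"))
    query = urlencode({"sv": SAS_VERSION, "sr": "b", "st": start, "se": expiry,
                       "sp": "r", "spr": "https", "sig": sig})
    return f"https://{ACCOUNT_NAME}.blob.core.windows.net/{container}/{blob}?{query}"


def sas_is_valid(url, now=None):
    """Mirror of the service-side check: recompute the MAC from the query, then enforce the window."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    container, blob = parts.path.lstrip("/").split("/", 1)
    expected = _sign(_string_to_sign(container, blob, q.get("sp", ""), q.get("st", ""),
                                     q.get("se", ""), q.get("spr", ""), q.get("sr", "")))
    if not hmac.compare_digest(expected, q.get("sig", "")):
        return False  # any edit to permissions, path or validity window breaks the MAC
    now = now or datetime.now(timezone.utc)
    return q.get("st", "") <= now.strftime(TIME_FMT) <= q.get("se", "")
```

In production prefer the Azure SDK's `generate_blob_sas`, or a user delegation SAS backed by Azure AD so the API never handles the account key; the hand-rolled signing here only makes the format visible.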

Related

How can I manage Azure AD B2C with a service principal from the main directory

We are running Azure AD B2C to authenticate users in our application. We also managed to codify almost everything with Terraform and are pretty happy with it. Now we are attempting to move these manifests under Azure Devops Pipelines and are stuck with access problems.
Azure Pipelines use a dedicated service principal in the main (non-B2C) Active Directory to perform their operations. We granted this SP enough permissions within the target subscription to handle Terraform resources, but I cannot find any way to grant this SP any permissions on the B2C directory. I can invite users from the primary directory to the B2C directory, and it works fine, but the SP is an application, not a user.
Is there any way to "invite" an application from the primary directory into the B2C directory?
Is there any way to "invite" an application from the primary directory into the B2C directory?
If your app registration's supported account type is "Accounts in any organizational directory (Any Azure AD directory - Multitenant)", you would be able to add the same service principal in your Azure AD B2C tenant.
As you want to use the service principal in Azure Pipelines to handle Terraform resources, it is suggested to use separate service principals for Azure AD and Azure AD B2C, as authentication will be different for a service principal with the multi-tenant account support type.

AAD B2C creates a new tenant. I don't get it

I want to deploy an application on Azure. I want users to be able to authenticate in my app without a Microsoft account. This guided me to use the AAD-B2C service. I followed the tutorial shown here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-tenant expecting that this will create a new AAD-B2C Directory in my existing Directory and tenant. I had in my mind something like the following tree:
Subscription: Pay-As-You-Go
Directory: Default
Resource Group: Default-EU
Tenants: Default, Application
User Pools: Default(Internal Users), Application(External Users)
I'm not sure I understand how this works and I'm very confused. Is it possible to use external sign-ins from users that don't have a Microsoft account without creating 2 tenants and 2 directories under my subscription?
When you create a B2C tenant, there are two completely different entities that get created: the B2C Tenant Resource and the B2C Tenant/Directory itself.
The B2C Tenant Resource gets created in the subscription linked to the standard Azure AD tenant (Default Directory, e.g., contosocorp.onmicrosoft.com) you used to create the B2C tenant from. This resource is primarily used to change your Azure AD B2C tenant's pricing tier.
A separate tenant for your B2C directory gets created (e.g. contosob2c.onmicrosoft.com). This is an independent tenant/directory from your Default Directory and is not stored in the default tenant.
The way a subscription is linked to a standard Azure AD tenant is different from the B2C tenant. A subscription in B2C is required for Support, Billing, Custom Policies, and using the Identity Experience Framework. You cannot create resources for Static Web App, Function App, or Cosmos DB in the B2C tenant, and you will have to use your Default Directory for this purpose.
Azure AD B2C is different from Azure AD. So, when you create Azure AD B2C, it creates another tenant.
You need to create the Azure AD B2C tenant in the same subscription in which your application is deployed.
Create an App Registration in your Azure AD B2C tenant.
Go to your web application and select Authentication. You can add your app registration details in the identity provider.
Reference: Azure App Service Authentication (Ez Auth) with Azure AD B2C - DEV Community

Connect App in Azure with Azure AD in a different tenant

We have a static website in a Storage account with the BE in a Function App.
We would like to use Azure AD for authentication.
When I register app, I can see 2 options:
Who can use this application or access this API?
Accounts in this organizational directory only (Single tenant)
Accounts in any organizational directory (Any Azure AD directory - Multitenant)
The issue is that the Azure AD we would like to authenticate against is in a different tenant.
So we want something in between "Any Azure AD" and "THIS Azure AD".
Is there a way to achieve that?
Register the app in the different tenant directly with the Single tenant option.
The fact that the app is hosted in a subscription linked to another tenant does not matter.
You'll need someone who has a user account in the other tenant to register the app in that tenant or they need to give your user access there.
You can switch the tenant that you are looking at in Azure portal from the top-right.
Click your username -> Switch directory -> Select the tenant from the list.

Can we access different Azure AD directories with single Azure AD App

I am currently using an Azure AD app (Client Id and Client Secret) of one directory to get user details and Azure resources of the attached subscription through MS Graph and the Azure Management API. Now I have added one more directory and subscription under my management group. I want to know: if I create a multi-tenant Azure AD app through App registration, can I access the users of the other directory? If yes, what configurations are required?
If you want to use a single Azure AD application to access different Azure AD directories, then you must configure the application as a multi-tenant application, because changing the application to a multi-tenant application allows users from any tenant to log in.
Next, you need to request the consent of the administrators of the other Azure AD tenants. After the administrator consents, it will be added to the other organization's tenant as an enterprise application. In addition, different tenants need to use different access tokens.

Access Azure Blob Storage only logged in user

I have an application in ASP.NET and uploaded it to Azure App Service. I have file upload to an Azure blob. The issue is that my blob is accessible to the public; I want the images and docs in the blobs to be accessible only when someone is logged in to my application. If I log out, then those should not be accessible. How can I achieve this using Azure Blob Storage?
In this case, you can configure the web app with Azure AD auth (Easy Auth); follow this doc.
After doing the steps in the doc above, it will create an AD App in your AAD tenant. Navigate to the AD App in Azure Active Directory in the portal -> API permissions, and add the delegated permission of Azure Storage.
Then navigate to the authsettings of the web app in the resource explorer and add ["resource=https://storage.azure.com"] to the additionalLoginParams; for details see this blog.
Navigate to the storage account in the portal -> Access control (IAM) -> make sure the user account has a role, e.g. Storage Blob Data Contributor; if not, add it for the user, following this doc.
After doing the steps above, use the user account to log in to the web app; you can get the access token from https://webappname.azurewebsites.net/.auth/me, and then you can use the token to call the Storage REST API - Get Blob to access the things in the storage container.