Actual impact of deprecation of login.microsoftonline.com for B2C tenants - azure

I am a bit confused by the wording on the announcement for the deprecation of login.microsoftonline.com for "B2C tenants".
New tenants created after this announcement will no longer be able to accept requests from login.microsoftonline.com.
My main concern is: How will this affect the client credentials grant? As far as I can see, this is only supported via login.microsoftonline.com.
Although client credential flow is not currently supported by Azure AD B2C, you can set up client credential flow using Azure AD. An Azure AD B2C tenant shares some functionality with Azure AD enterprise tenants. The client credential flow is supported using the Azure AD functionality of the Azure AD B2C tenant.
Will the "Azure AD functionality" continue to work with login.microsoftonline.com indefinitely? If so, where can I draw the line of what this actually means?
I have created a new B2C tenant after the announcement. So far, everything works, even the B2C user flows via login.microsoftonline.com. The only difference at the moment is that I don't get the domain selection when I click on "run user flow".
My current understanding would be that "everything that uses B2C policies must use b2clogin.com" - everything else must continue to use login.microsoftonline.com.
Without policy:
https://login.microsoftonline.com/mytesttenant.onmicrosoft.com/oauth2/v2.0/token => working URL
https://mytesttenant.b2clogin.com/mytesttenant.onmicrosoft.com/oauth2/v2.0/token => 404
With policy:
https://login.microsoftonline.com/mytesttenant.onmicrosoft.com/oauth2/v2.0/token?p=b2c_1_signupsignin => working URL
https://mytesttenant.b2clogin.com/mytesttenant.onmicrosoft.com/oauth2/v2.0/token?p=b2c_1_signupsignin => working URL
(my tenant is not actually named mytesttenant)

I think you will still be able to use client credentials flow in Azure AD B2C tenant.
The deprecation of login.microsoftonline.com just affects the Azure AD B2C functionality.
However, the client credentials flow is an Azure AD functionality, it should not be affected, the B2C tenant just shares the functionality with the normal Azure AD tenant.
I have created a new B2C tenant after the announcement. So far, everything works, even the B2C user flows via login.microsoftonline.com. The only difference at the moment is that I don't get the domain selection when I click on "run user flow".
I suppose we can, but we should not do this. As the UI has been changed, MS should not want the new users (who created a B2C tenant after the announcement) of Azure B2C to use login.microsoftonline.com; the implementation has not been changed, so it gives other users a transition period.

I got an official answer back via Github.
Use of b2clogin.com is enforced for B2C functionality only. Client Credentials flow is not supported for B2C applications. An app registered via App Registration under Azure AD B2C can also be used for standard Azure AD, which supports the Client Credentials flow. For standard AAD functionality, use of b2clogin.com is not applicable; it requires login.microsoftonline.com only.
For more details, refer to: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-apps#daemonsserver-side-applications

What approaches are available for allowing Azure AD B2C users to GET and POST data to a M365 environment via Graph API?

Per the docs, there is no 'out of the box' way to enable Azure AD B2C users to interact with the M365 environment associated with the Azure AD tenant that was used to create the Azure AD B2C tenant.
Azure AD B2C can't be used to authenticate users for Microsoft 365.
Source:
Can I use Azure AD B2C to provide social login (Facebook and Google+) into Microsoft 365?
But I still need to be able to provide this functionality, i.e GET and POST requests to M365 via the Graph API.
To be clear, this is what I have achieved so far:
Azure AD B2C users can login
Azure AD users can login and interact with their own M365 environment via Graph API
(to enable this, I added the Azure AD tenant as an identity provider, per this article)
What I have not yet been able to figure out is:
How can the Azure AD B2C users interact with the M365 environment associated with the Azure AD tenant?
(that created the Azure AD B2C tenant)
To illustrate a use case for this requirement:
Company_A wants to enable external contractors to be able to submit compliance documents to them
They set up Azure AD B2C and create accounts for their external contractors
They set up a Node.js/Express web app on Azure
External contractors can now login to a web app and view forms designed to submit data and attachments
How can those forms send data and attachments to a Document Library in Company_A's M365 environment?
I have been pondering this issue for a while and can't conceptualise a mental or technical model of how this can be achieved.
Google searching related phrases doesn't produce any relevant content.
I am hoping someone will have the knowledge and experience to be able to say:
You will need to follow THIS paradigm which is documented HERE and involves doing THIS
Edit:
I am reading articles like these:
Get access without a user
which talks about scenarios where:
apps that have a signed-in user present may also need to call Microsoft Graph under their own identity
and contemplating adding Application Permissions (as opposed to Delegated Permissions) to my Azure AD B2C application registration.
Just to test the idea, I have added Sites.ReadWrite.All as an Application Permission and granted Admin Consent for that permission. How would I define this scope (Sites.ReadWrite.All) to be associated with the 'home' Azure AD tenant (as opposed to the Azure AD B2C tenant)? I am using msal-node which has a method named getAuthCodeURL() where you pass through the scopes required. I am assuming if I just added Sites.ReadWrite.All it would default to being applied to the Azure AD B2C tenant, rather than the desired Azure AD tenant?
M365 doesn’t exist in an Azure AD B2C tenant; you cannot apply a license for Office there. This simply isn’t possible.
For Graph API, you cannot use B2C issued tokens to call it. You must use underlying AAD Tokens to access it. Your server would need to perform Azure AD client credentials flow against the Azure AD endpoint of your AAD B2C tenant and ask for a token to Graph API. https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow
Microsoft service scopes only apply to the underlying Azure AD endpoints of your AAD B2C tenant. They won’t mean anything at the AAD B2C login endpoints. Hence, the differentiation is made by the endpoint used.
An Azure AD B2C tenant has both endpoints:
AAD: login.microsoftonline.com/tenantId
B2C: b2clogin.com/tenantId
Since an M365 environment does not exist for B2C tenants, the MS Graph API is only useful to R/W user data. But for this you could just use the B2C user flows to R/W user profile data and return user profile data in the B2C token, so you don’t have to call the MS Graph API. This is actually the intended usage pattern.
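The "two tokens, two endpoints" pattern from the answer above, as an added Node.js example that is not code from the original question or answer. The contractor signs in through a B2C user flow (the policy name shows up in the token's tfp claim), and the web app's own identity gets a separate app-only token from the Azure AD endpoint of the same B2C tenant to call Microsoft Graph; the B2C token is never forwarded to Graph. The tenant name "mytesttenant", the tenant id GUID, the client id/secret and the oid are placeholders, and SAMPLE_B2C_JWT is constructed inline and unsigned. Signature verification of the B2C token is assumed to have happened before the claims are used for anything.

```javascript
// Added example, not from the original posts. Requires Node 18+ (global fetch).
const TENANT = "mytesttenant";                              // assumption
const TENANT_ID = "11111111-2222-3333-4444-555555555555";   // placeholder GUID

// Decode a JWT payload WITHOUT verifying the signature. Only use the result
// after the token has been validated against the policy's metadata/JWKS.
function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// B2C policy tokens carry the policy name in `tfp` (or `acr`); tokens from the
// plain Azure AD endpoint of the tenant do not, and must be routed differently.
function classifyToken(claims) {
  const policy = claims.tfp || claims.acr;
  if (policy && /^b2c_1a?_/i.test(policy)) return "b2c";
  if (!policy && /login\.microsoftonline\.com|sts\.windows\.net/i.test(claims.iss || "")) return "aad";
  return "unknown";
}

// App-only Graph token: client credentials against login.microsoftonline.com
// (never b2clogin.com) with the .default scope of the Graph resource.
async function getAppOnlyGraphToken({ tenant, clientId, clientSecret }) {
  const body = new URLSearchParams({
    client_id: clientId,
    client_secret: clientSecret,
    grant_type: "client_credentials",
    scope: "https://graph.microsoft.com/.default",
  });
  const res = await fetch(`https://login.microsoftonline.com/${tenant}.onmicrosoft.com/oauth2/v2.0/token`, {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body,
  });
  const json = await res.json();
  if (!res.ok) throw new Error(`${json.error}: ${json.error_description}`);
  return json.access_token;
}

// Graph request for the signed-in B2C user's directory object, keyed by `oid`.
// Refuses anything that is not a B2C policy token, so an AAD token or a token
// without an oid cannot be turned into a lookup by mistake.
function graphUserRequest(claims) {
  if (classifyToken(claims) !== "b2c") throw new Error("expected a B2C policy token");
  if (!/^[0-9a-f-]{36}$/i.test(claims.oid || "")) throw new Error("missing oid claim");
  return {
    method: "GET",
    url: `https://graph.microsoft.com/v1.0/users/${claims.oid}?$select=id,displayName,identities`,
  };
}

// Server side: read the contractor's profile with the app token, not their token.
async function readUserProfile(b2cIdToken, appToken) {
  const req = graphUserRequest(decodeJwtPayload(b2cIdToken));
  const res = await fetch(req.url, { headers: { Authorization: `Bearer ${appToken}` } });
  if (!res.ok) throw new Error(`Graph ${res.status}`);
  return res.json();
}

// Constructed sample token: real header/payload shape, dummy signature.
function b64url(obj) { return Buffer.from(JSON.stringify(obj)).toString("base64url"); }
const SAMPLE_B2C_JWT = [
  b64url({ alg: "RS256", typ: "JWT", kid: "sample" }),
  b64url({
    iss: `https://${TENANT}.b2clogin.com/${TENANT_ID}/v2.0/`,
    tfp: "B2C_1_signupsignin",
    oid: "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    emails: ["contractor@example.com"],
  }),
  "dummysignature",
].join(".");

console.log(classifyToken(decodeJwtPayload(SAMPLE_B2C_JWT)), graphUserRequest(decodeJwtPayload(SAMPLE_B2C_JWT)).url);
```

To run it end to end, call `getAppOnlyGraphToken({ tenant: TENANT, clientId, clientSecret })` on the server and pass the result to `readUserProfile` together with the id_token the B2C user flow returned; the app registration needs an application permission such as User.Read.All granted by an admin in the B2C tenant.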

Azure AD B2C Configuration URL cannot be reached

I configured a new Azure AD B2C Tenant for testing purposes. I am trying to follow the example to use Azure AD B2C with Android.
https://github.com/Azure-Samples/active-directory-b2c-android-native-appauth
I created beside the B2C Tenant already a User Flow for the login.
During the authentication flow the app wants to read the "well known openid configuration" for my User Flow
https://login.microsoftonline.com/geomobilestage.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_login_signin
but the URL returns a 404 error. But when I try the following URL to read the configuration I receive http status 200
https://geomobilestage.b2clogin.com/geomobilestage.onmicrosoft.com/B2C_1_login_signin/v2.0/.well-known/openid-configuration
The URLs are public so everyone can try to call them in the browser to see the result.
So the configuration itself exists and seems to be OK. I already have another Azure AD B2C tenant, and when I try to call the first URL for this tenant everything is fine. It seems that I am missing some configuration in the Azure portal, but I really have no idea what I am missing or even where to look.
Regards
Michael
For Azure AD, see here:
https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration
For Azure AD B2C, see here:
https://{domain-name}.b2clogin.com/{domain-name}.onmicrosoft.com/{policy}/v2.0/.well-known/openid-configuration
The key thing here is to realize that the b2c config endpoint has a reference to a policy in it, otherwise it’s likely AAD.
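The host and path rules from this answer and from the client-credentials thread at the top of the page, as an added Node.js example that is not code from either question or answer. resolveAuthority builds the discovery URL and token endpoint for the two cases (policy present: tenant-specific b2clogin.com host with the policy in the path; no policy: login.microsoftonline.com), classifyEndpoint flags a URL that uses the deprecated login.microsoftonline.com + ?p=policy form, and checkDiscovery fetches the metadata and confirms the advertised token_endpoint lives on the expected host. Tenant names are the placeholders from the posts; the user flow naming prefix B2C_1_ / B2C_1A_ is assumed.

```javascript
// Added example, not from the original posts. Requires Node 18+ for fetch.

// Resolve where requests for this tenant must go. Only B2C functionality
// (a user flow / policy) is served by b2clogin.com.
function resolveAuthority({ tenant, policy = null }) {
  const domain = `${tenant}.onmicrosoft.com`;
  if (policy) {
    if (!/^b2c_1a?_/i.test(policy)) throw new Error(`unexpected policy name: ${policy}`);
    const base = `https://${tenant}.b2clogin.com/${domain}/${policy}`;
    return {
      kind: "b2c",
      discoveryUrl: `${base}/v2.0/.well-known/openid-configuration`,
      authorizeEndpoint: `${base}/oauth2/v2.0/authorize`,
      tokenEndpoint: `${base}/oauth2/v2.0/token`,
    };
  }
  // Plain Azure AD functionality of the B2C tenant (client credentials etc.).
  const base = `https://login.microsoftonline.com/${domain}`;
  return {
    kind: "aad",
    discoveryUrl: `${base}/v2.0/.well-known/openid-configuration`,
    authorizeEndpoint: `${base}/oauth2/v2.0/authorize`,
    tokenEndpoint: `${base}/oauth2/v2.0/token`,
  };
}

// Classify a URL someone has configured:
//   "b2c"           policy on b2clogin.com (current form)
//   "b2c-no-policy" b2clogin.com without a policy: nothing is served there (404)
//   "b2c-legacy"    policy on login.microsoftonline.com (deprecated for B2C)
//   "aad"           login.microsoftonline.com without a policy
function classifyEndpoint(url) {
  const u = new URL(url);
  const policyInPath = /\/b2c_1a?_[^/]+\//i.test(u.pathname);
  const policyInQuery = u.searchParams.has("p");
  const hasPolicy = policyInPath || policyInQuery;
  if (u.hostname.endsWith(".b2clogin.com")) return hasPolicy ? "b2c" : "b2c-no-policy";
  if (u.hostname === "login.microsoftonline.com") return hasPolicy ? "b2c-legacy" : "aad";
  return "unknown";
}

// Fetch the OpenID metadata and make sure it points back at the expected host,
// so a misconfigured authority fails loudly at startup rather than at sign-in.
async function checkDiscovery(authority) {
  const res = await fetch(authority.discoveryUrl);
  if (res.status === 404) {
    throw new Error(`no metadata at ${authority.discoveryUrl}; for a user flow the policy belongs in the path on {tenant}.b2clogin.com`);
  }
  const meta = await res.json();
  const want = new URL(authority.tokenEndpoint).hostname;
  const got = new URL(meta.token_endpoint).hostname;
  if (want !== got) throw new Error(`token_endpoint host ${got}, expected ${want}`);
  return meta;
}

console.log(resolveAuthority({ tenant: "geomobilestage", policy: "B2C_1_login_signin" }).discoveryUrl);
console.log(classifyEndpoint("https://login.microsoftonline.com/geomobilestage.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_login_signin"));
```

Run `checkDiscovery(resolveAuthority({ tenant, policy }))` once at application start; a 404 there reproduces exactly the symptom in the question.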

What is the Distinction Between Registered Apps That Can And Cannot Authenticate Using B2C?

Some of the applications registered in my Azure AD B2C directory display this message on their overview page:
You can use this application to authenticate against Azure Active Directory, but not Azure AD B2C
Many others do not.
Since my code will rely on B2C authentication using client ID's from these registrations I need to know whether I can "fix" these application registrations or whether I need to create new ones.
What's the difference between these applications? Is it the way in which they were created, or is it setting(s) that can be adjusted to permit B2C authentication?
Clicking on the message itself only links to the Azure B2C overview page, which is not very specific help.
To test the concept, I'm using msal 1.1.3 and a simple client side configuration. But as this message appears on the azure portal dashboard I don't think that's at issue:
const msalConfig = {
    auth: {
        clientId: `${MyClientId}`,
        // for B2C this is https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy};
        // msal 1.1.x cannot validate that host, so it also needs validateAuthority: false
        authority: `${MyAuthorityURL}`,
        // msal.js 1.x reads `redirectUri`; the original `redirectURI` key is ignored
        redirectUri: `${MyRedirect}`
    },
    cache: {
        cacheLocation: "localStorage",
        storeAuthStateInCookie: true
    }
};
const msalApplication = new Msal.UserAgentApplication(msalConfig);
B2C does not support Daemons/server-side applications, Web API chains (on-behalf-of flow), or faulted apps (i.e. apps edited on other application portals such as the application registration portal; apps edited via Graph API; or apps edited via Powershell). Was the app ever edited in one of these places? If that is the case you will need to delete and recreate the application. This document describes the kinds of apps supported and not supported within B2C.
Also, of course make sure that the application is registered in b2c and not just in the regular AAD. https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications?tabs=applications
Since the message in the screenshot does not appear to be documented I have reached out to the product team to ask for a more detailed explanation of that message and its context. I will update this thread as soon as I have that.
Since my code will rely on B2C authentication using client ID's from these registrations I need to know whether I can "fix" these application registrations or whether I need to create new ones.
You need to create new applications under Azure AD B2C.
If you created the application under Azure Active Directory and open it under Azure AD B2C, you will see that warning.
What's the difference between these applications? Is it the way in
which they were created, or is it setting(s) that can be adjusted to
permit B2C authentication?
One is used for Azure AD, and the other one is used for Azure AD B2C. Yes, it is in the way they were created.
I have answered this question here - microsoft graph rest api beta: application created by api in azure ad b2c is not valid
For an application to successfully work in AAD B2C (get a token), it has the following requirements:
It needs to have a service principal
Consent to openid and offline_access scope on Microsoft Graph service principal in the tenant
Azure Active Directory does not have these requirements but Azure Active Directory B2C does.
The reason is that consent experience cannot be shown to the enduser in Azure Active Directory B2C while in Azure Active Directory, it is shown to the user.
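The two requirements in this answer translate into two Microsoft Graph calls. The following is an added Node.js example, not code from the answer or from Microsoft: it creates the service principal for the app registration if it is missing and then records tenant-wide consent for openid and offline_access on the Microsoft Graph service principal, which is what the portal does for apps created under Azure AD B2C. It assumes an app-only Graph token with Application.ReadWrite.All and DelegatedPermissionGrant.ReadWrite.All; the appId in the usage call is a placeholder. 00000003-0000-0000-c000-000000000000 is the well-known appId of Microsoft Graph.

```javascript
// Added example, not from the original posts. Requires Node 18+ for fetch.
const GRAPH = "https://graph.microsoft.com/v1.0";
const MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"; // Microsoft Graph's own appId

function findSpByAppIdRequest(appId) {
  const filter = encodeURIComponent(`appId eq '${appId}'`);
  return { method: "GET", url: `${GRAPH}/servicePrincipals?$filter=${filter}&$select=id,appId` };
}

function servicePrincipalRequest(appId) {
  return { method: "POST", url: `${GRAPH}/servicePrincipals`, body: { appId } };
}

// Tenant-wide grant: B2C cannot show a consent prompt to the end user, so the
// delegated scopes must be pre-consented for all principals.
function permissionGrantRequest(clientSpId, graphSpId, extraScopes = []) {
  const scopes = Array.from(new Set(["openid", "offline_access", ...extraScopes]));
  return {
    method: "POST",
    url: `${GRAPH}/oauth2PermissionGrants`,
    body: {
      clientId: clientSpId,      // object id of the app's service principal
      consentType: "AllPrincipals",
      resourceId: graphSpId,     // object id of the Microsoft Graph service principal
      scope: scopes.join(" "),
    },
  };
}

async function send(token, { method, url, body }) {
  const res = await fetch(url, {
    method,
    headers: { Authorization: `Bearer ${token}`, "Content-Type": "application/json" },
    body: body ? JSON.stringify(body) : undefined,
  });
  if (!res.ok) throw new Error(`Graph ${res.status} on ${method} ${url}: ${await res.text()}`);
  return res.status === 204 ? null : res.json();
}

// Creating a service principal that already exists fails, so look first.
async function ensureServicePrincipal(token, appId) {
  const existing = await send(token, findSpByAppIdRequest(appId));
  if (existing.value.length > 0) return existing.value[0];
  return send(token, servicePrincipalRequest(appId));
}

async function makeB2cCapable(token, appId, extraScopes = []) {
  const sp = await ensureServicePrincipal(token, appId);
  const graphSp = (await send(token, findSpByAppIdRequest(MS_GRAPH_APP_ID))).value[0];
  if (!graphSp) throw new Error("Microsoft Graph service principal not found in tenant");
  return send(token, permissionGrantRequest(sp.id, graphSp.id, extraScopes));
}

// Usage (placeholder values): await makeB2cCapable(appToken, "<app id of the faulted registration>");
console.log(permissionGrantRequest("client-sp-id", "graph-sp-id").body);
```

If a grant for that client/resource pair already exists, the POST to oauth2PermissionGrants is rejected; PATCH the existing grant's scope instead of creating a second one.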

Can I Use ADConnect to migrate users to Azure B2C

The documentation for Azure Active Directory B2C states ADConnect can’t be used to migrate users. I believe this is referring to the native store.
“No, Azure AD Connect is not designed to work with Azure AD B2C.”
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-faqs
But can I use ADConnect if I configure Azure Active Directory as an Identity Provider?
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-oidc-azure-active-directory
If you setup sync to an Azure AD from on-prem AD with AAD Connect,
and then connect that AAD as an identity provider to B2C,
it will work.
Note you should use another Azure AD tenant for this, not the one underneath the B2C tenant.
It also works quite nicely at least based on my short testing that if you have a single IdP in the sign-in policy, the B2C pages don't even show up.
Of course the first time, users will have to "sign up" to the B2C tenant with their AAD account.
Technically the sentence is correct that you can't migrate users to B2C with AAD Connect, but there is this roundabout way of doing it.
Technically the users are not migrated to B2C, but we migrate them to a place where they can be utilized from by B2C.

Azure AD B2C custom native login screen for iOS

How can I implement a native custom login (and register) screen that connects towards a Microsoft Azure AD B2C?
This is the setup:
I have a mobile application developed in Xcode/Swift that...
...needs to register and login (new) users against an Azure Active Directory B2C (notice the B2C here, as there are also other AD solutions by Microsoft)
The solution that Microsoft offers can be found here: https://github.com/Azure-Samples/active-directory-b2c-ios-swift-native-msal. But this opens a safari window which is not the user experience I am looking for:
Instead I want to build a native login screen (UIViewController) with my own layout and design, but still want to use the Azure Active Directory B2C.
How could this be done?
For sign-in, you can implement a native page that integrates with a resource owner password credentials policy in the Azure AD B2C tenant, which will enable a user's credentials to be POSTed to the Azure AD B2C tenant for validation:
    POST /tfp/yourtenant.onmicrosoft.com/B2C_1_ROPC_Auth/oauth2/v2.0/token HTTP/1.1
    Host: yourtenant.b2clogin.com
    Content-Type: application/x-www-form-urlencoded

    grant_type=password&
    username=leadiocl%40trashmail.ws&
    password=Passxword1&
    scope=openid+bef22d56-552f-4a5b-b90a-1988a7d634ce+offline_access&
    client_id=bef22d56-552f-4a5b-b90a-1988a7d634ce&
    response_type=token+id_token
For sign-up, a client credential is required to request an access token for the Azure AD Graph API to create an Azure AD B2C user, so if you are wanting to implement a native page then you will have to consider also implementing a backend/proxy API that protects the client credential.
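The ROPC request from the answer and the backend-only sign-up call, as an added Node.js example that is not code from the answer (the phone app itself would be Swift; the shape of the requests is the same). ropcTokenRequest builds the exact form body shown above with proper URL encoding, ropcSignIn sends it and surfaces the error/error_description pair B2C returns on bad credentials, and createLocalAccountRequest is the Microsoft Graph user-creation body a backend uses to register a local account; that body is an assumption, since the answer refers to the older Azure AD Graph API. "yourtenant", "B2C_1_ROPC_Auth" and the client id are the placeholders from the answer. The client secret behind the Graph call must stay on the server, which is why sign-up is not done from the device.

```javascript
// Added example, not from the original posts. Requires Node 18+ for fetch.

// Native sign-in: credentials are POSTed straight to the ROPC policy.
function ropcTokenRequest({ tenant, policy, clientId, username, password }) {
  const body = new URLSearchParams({
    grant_type: "password",
    username,
    password,
    scope: `openid ${clientId} offline_access`, // the app's own client id as a scope
    client_id: clientId,
    response_type: "token id_token",
  });
  return {
    url: `https://${tenant}.b2clogin.com/${tenant}.onmicrosoft.com/${policy}/oauth2/v2.0/token`,
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  };
}

async function ropcSignIn(params) {
  const req = ropcTokenRequest(params);
  const res = await fetch(req.url, { method: "POST", headers: req.headers, body: req.body });
  const json = await res.json();
  if (!res.ok) {
    // invalid_grant covers wrong password and unknown user; do not echo the
    // description to the user verbatim, it may reveal which of the two it was
    throw new Error(`${json.error}: ${json.error_description}`);
  }
  return json; // access_token, id_token, refresh_token, expires_in
}

// Backend only: Graph request that creates a B2C local account (email + password).
function createLocalAccountRequest({ tenant, email, displayName, password }) {
  if (!/^[^@\s]+@[^@\s]+$/.test(email)) throw new Error("invalid email");
  return {
    method: "POST",
    url: "https://graph.microsoft.com/v1.0/users",
    body: {
      displayName,
      identities: [
        { signInType: "emailAddress", issuer: `${tenant}.onmicrosoft.com`, issuerAssignedId: email },
      ],
      passwordProfile: { password, forceChangePasswordNextSignIn: false },
      passwordPolicies: "DisablePasswordExpiration",
    },
  };
}

async function createLocalAccount(appToken, params) {
  const req = createLocalAccountRequest(params);
  const res = await fetch(req.url, {
    method: req.method,
    headers: { Authorization: `Bearer ${appToken}`, "Content-Type": "application/json" },
    body: JSON.stringify(req.body),
  });
  if (!res.ok) throw new Error(`Graph ${res.status}: ${await res.text()}`);
  return res.json();
}

console.log(ropcTokenRequest({
  tenant: "yourtenant",
  policy: "B2C_1_ROPC_Auth",
  clientId: "bef22d56-552f-4a5b-b90a-1988a7d634ce",
  username: "leadiocl@trashmail.ws",
  password: "Passxword1",
}));
```

ROPC hands the user's password to the app, so it only makes sense for first-party native clients; the refresh_token returned by the flow should be what the app stores, never the password.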