Our App is a public facing app. For sign up and sign in, we set up AD B2C as it provides an easy tool out of the box. Consequently, Azure has created a different tenant where all users will be managed.
We also have setup a Blockchain app, which can be done only in AD tenant (not in AD B2C). Now, we would like users in B2C to interact with the blockchain API. This cannot be done as only users in AD are allowed.
Is there a way to link users in B2C to AD? Other solution?
Related
Per the docs, there is no 'out of the box' way to enable Azure AD B2C users to interact with the M365 environment associated with the Azure AD tenant that was used to create the Azure AD B2C tenant.
Azure AD B2C can't be used to authenticate users for Microsoft 365.
Source:
Can I use Azure AD B2C to provide social login (Facebook and Google+) into Microsoft 365?
But I still need to be able to provide this functionality, i.e GET and POST requests to M365 via the Graph API.
To be clear, this is what I have achieved so far:
Azure AD B2C users can login
Azure AD users can login and interact with their own M365 environment via Graph API
(to enable this, I added the Azure AD tenant as an identity provider, per this article)
What I have not yet been able to figure out is:
How can the Azure AD B2C users interact with the M365 environment associated with the Azure AD tenant?
(that created the Azure AD B2C tenant)
To illustrate a use case for this requirement:
Company_A wants to enable external contractors to be able to submit compliance documents to them
They set up Azure AD B2C and create accounts for their external contractors
They set up a Node.js/Express web app on Azure
External contractors can now login to a web app and view forms designed to submit data and attachments
How can those forms send data and attachments to a Document Library in Company_A's M365 environment?
I have been pondering this issue for a while and can't conceptualise a mental or technical model of how this can be achieved.
Google searching related phrases doesn't produce any relevant content.
I am hoping someone will have the knowledge and experience to be able to say:
You will need to follow THIS paradigm which is documented HERE and involves doing THIS
Edit:
I am reading articles like these:
Get access without a user
which talks about scenarios where:
apps that have a signed-in user present may also need to call Microsoft Graph under their own identity
and contemplating adding Application Permissions (as opposed to Delegated Permissions) to my Azure AD B2C application registration.
Just to test the idea, I have added Sites.ReadWrite.All as an Application Permission and granted Admin Consent for that permission. How would I define this scope (Sites.ReadWrite.All) to be associated with the 'home' Azure AD tenant (as opposed to the Azure AD B2C tenant)? I am using msal-node which has a method named getAuthCodeURL() where you pass through the scopes required. I am assuming if I just added Sites.ReadWrite.All it would default to being applied to the Azure AD B2C tenant, rather than the desired Azure AD tenant?
M365 doesn’t exist in an Azure AD B2C tenant, you cannot apply a license for Office there. This simply isn’t possible.
For Graph API, you cannot use B2C issued tokens to call it. You must use underlying AAD Tokens to access it. Your server would need to perform Azure AD client credentials flow against the Azure AD endpoint of your AAD B2C tenant and ask for a token to Graph API. https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow
Microsoft service scopes only apply to the underlying Azure AD endpoints of your AAD B2C tenant. They won’t mean anything at the AAD B2C login endpoints. Hence, the differentiation is made by the endpoint used.
An Azure AD B2C tenant has both endpoints:
AAD: login.microsoftonline.com/tenantId
B2C: b2clogin.com/tenantId
Since M365 env does not exist for B2C tenants, the MS Graph API is only useful to R/W user data. But, for this, you could just use the B2C user flows to R/W user profile data, and return user profile data into the B2C token, so you don’t have go call MS Graph API. This is actually the intended usage pattern.
I'm usign custom policies in Azure.
How to make any new account created as a visitor account and not a member please.
Can someone explain the differences between Guest and Member? What are consequences when creating a user in B2C?
Can't find it in the docs.
we have a choice to create users only with
UserType=Member in Azure AD B2C.
UserType=Guest is a implementation detail of Azure AD B2B which is a
feature of regular Azure AD and it is not supported in Azure AD B2C.
B2c Is designed basically for EXTERNALLY facing apps which have own
app specific login credentials.
and so There is no concept of a GUEST user for a B2C tenant.
If one need GUEST user type of access for B2C users, then they would have to invite them separately to the main AzureAD tenant.
References:
B2C Portal Login, B2C Guest Users - Cloud Identity Architect
Use map UserType with Azure AD Connect cloud sync | Microsoft Docs
can an invited guest user signin using azure ad b2c
The documentation for Azure Active Directory B2C states ADConnect can’t be used to migrate users. I believe this is referring to the native store.
“No, Azure AD Connect is not designed to work with Azure AD B2C.”
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-faqs
But can I use ADConnect if I configure Azure Active Directory as an Identity Provider?
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-oidc-azure-active-directory
If you setup sync to an Azure AD from on-prem AD with AAD Connect,
and then connect that AAD as an identity provider to B2C,
it will work.
Note you should use another Azure AD tenant for this, OT the one underneath the B2C tenant.
It also works quite nicely at least based on my short testing that if you have a single IdP in the sign-in policy, the B2C pages don't even show up.
Of course the first time, users will have to "sign up" to the B2C tenant with their AAD account.
Technically the sentence is correct that you can't migrate users to B2C with AAD Connect, but there is this roundabout way of doing it.
Technically the users are not migrated to B2C, but we migrate them to a place where they can be utilized from by B2C.
Our organization has a on premise Active directory.For few of our applications we want to implement authentication mechanism using Azure AD. Following is the requirement:
1) Organization users will be authenticated by Azure AD
2) External users will be authenticated by Azure AD B2C
3) Whenever an external user is trying to access the application, application will redirect the user to B2C login page.
Can anyone help me with steps for the solution?
Also, is there any issues to implement the security mechanism using Azure AD and B2C if the application resides in AWS?
For a specific sample of how to implement these custom policies, see Woodgrove Groceries demo, which enables users to sign in with either:
An "individual customer" account (i.e. a local account that is managed by Azure AD B2C or a Google or Microsoft account that is federated with it); or
A "business customer" account (i.e. an Azure AD account that is federated with Azure AD B2C); or
A "partner" account that is a direct federation between the end-user application and Azure AD (where Azure AD B2C doesn't act as an intermediate federation).
For your use case B2C custom policies are perfect fit. you can get start on custom policies from https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-get-started-custom
1) Organization users will be authenticated by Azure AD
You can integrate this in custom policies. Example: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-aad-custom
2) External users will be authenticated by Azure AD B2C
Once you add custom policies those will allow you to login users from external network/ social IDPs
3) Whenever an external user is trying to access the application,
application will redirect the user to B2C login page.
It's all about configuration. If you configure properly it will take you to B2C login page. If you stuck while integrating drop comment here.
Also, is there any issues to implement the security mechanism using
Azure AD and B2C if the application resides in AWS?
I don't think you will face challenges. Cloud redirects will happen and works fine with B2C too.
Why does B2C "live" in its own Azure directory?
This seems to be the odd duck, no? Are there other Azure services this way? All of my other Azure resources live in the "default" directory.
It might help in understanding this by understanding the purpose of B2C. The idea here is to support a consumer facing application. For example, you might be building a consumer facing application and people all over the world might access it. You might want to outsource the security piece of that application to Azure AD.
Instead of integrating the application with your corporate Azure AD tenant, you can create a different AD directory, a B2C directory, that simply stores consumer identities. In this case, the B2C AD is completely separate from your corporate / main AD.
We all know that for one AAD tenant, it represents an organization. We can use AAD to manage users and resources for an organization. But for AAD B2C, it is just a service for authentication/authorization to all customers which relys application. It can integrate Soical accounts. AAD B2C cannot define those users belong to one organization.
However,AAD B2C still needs AAD to do authentication/authorization and manager users. In B2C, users are Local accounts or social accounts. In AAD, users are cloud accounts or on-premise synced accounts.
For example. If we use normal tenant also as a B2C tenant, the AAD authentication/authorization endpoint will be same. With this situation, we cannot distinguish the kind of users.It will result bad logic in product.
For distinguishing this two AAD, the B2C tenant must be separated.
Here is the clarify in official documentation:
Azure AD and Azure AD B2C are separate product offerings and cannot
coexist in the same tenant. An Azure AD tenant represents an
organization. An Azure AD B2C tenant represents a collection of
identities to be used with relying party applications. With custom
policies (in public preview), Azure AD B2C can federate to Azure AD
allowing authentication of employees in an organization.
Hope this helps!