I have registered one web API (TestAPI) in Azure AD B2C by setting Include web app/api and Allow implicit flow to 'YES', provided the App ID URI and added two new scopes for read and write. (By default the user_impersonation scope got added.)
Then in my existing web application, while clicking API ACCESS, I am not able to find TEST API, which I recently registered, in the Select API dropdown.
Please guide. Did I miss any steps in between?
Thanks in Advance!
To make the answer visible to others, I'm summarizing the answer shared in comment:
Change the directory to any other directory from the top-right corner
Come back again to B2C
Check now whether the API is visible or not
So I'm using Power Automate to connect to the API for Azure Cost Management Usage, specifically this one:
https://learn.microsoft.com/en-us/rest/api/consumption/usage-details/list?tabs=HTTP
However, Power Automate, though it has an AD Auth with OAuth2 option, requires something called an "Audience", and really I have no idea what to put here.
I have indeed registered an app, gave it the user-impersonation permission, approved it for my domain, and generated a client ID/secret for that app. All I need is the "Audience".
The Audience is the API which your AAD app has permissions on.
To find this URL, navigate to Azure AD and App Registration, then select your application and click on API Permissions.
Select the API / permission name, which should pop up the permission details along with the API used.
For example, my AAD app has Microsoft Graph permissions.
If I select the Microsoft Graph row or click on one of the permissions, the popup shows the details.
The URL https://graph.microsoft.com/ represents the Audience in my case.
You are probably using Azure Service Management, so in your case the Audience will be https://management.azure.com/
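The answer's point is that the audience is the resource the token is issued for, and a mismatch between what the connector requests and what the API expects is the usual cause of a 401. The following is an added example, not code from the question or answer: it builds a constructed, unsigned JWT-shaped string purely so the aud claim can be inspected offline, and compares it with the ARM audience named above. The `make_unsigned_jwt`, `jwt_claims` and `audience_matches` names are my own; the constructed tokens are not real.

```python
import base64
import json

# Audience the answer identifies for Azure Resource Manager calls.
EXPECTED_AUDIENCE = "https://management.azure.com/"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed token for offline inspection only: header.payload with an
    empty signature segment. Real tokens are signed by the tenant's keys."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def jwt_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature.
    Useful for diagnosing which audience a token was minted for; an API must
    still validate signature, issuer and expiry before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def _normalize(resource: str) -> str:
    # Compare resource identifiers ignoring case and a trailing slash: tokens
    # for ARM carry "https://management.azure.com/" with the slash.
    return resource.rstrip("/").lower()


def audience_matches(token: str, expected: str) -> bool:
    """True if the token's aud claim names the expected resource.
    aud may be a single string or a list of strings (RFC 7519)."""
    aud = jwt_claims(token).get("aud")
    if aud is None:
        return False
    audiences = aud if isinstance(aud, list) else [aud]
    return any(_normalize(a) == _normalize(expected) for a in audiences)


if __name__ == "__main__":
    # Constructed sample tokens (fabricated claims).
    arm_token = make_unsigned_jwt({"aud": "https://management.azure.com/", "scp": "user_impersonation"})
    graph_token = make_unsigned_jwt({"aud": "https://graph.microsoft.com", "scp": "User.Read"})
    print("ARM token accepted for ARM audience:", audience_matches(arm_token, EXPECTED_AUDIENCE))
    print("Graph token accepted for ARM audience:", audience_matches(graph_token, EXPECTED_AUDIENCE))
```

If the connector obtains a token whose aud is the Graph URL while the call goes to management.azure.com, the request is rejected regardless of the permissions granted to the app; the audience field in the connector must name the API being called.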
I have only recently been tasked with writing some business-type web applications; in the past many years I had mostly been working on SQL, services, and other non-client projects, so much of this is all new to me. I have had good success picking up and being productive with hosted Blazor WebAssembly. I need to work through how to secure a WebAssembly app, so Google led me to:
https://learn.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/hosted-with-azure-active-directory?view=aspnetcore-5.0
While I was not very familiar with the Azure portal, the reference seemed quite detailed and I thought this would be straightforward. I tried walking through the steps to Register a server API app in an existing tenant:
Azure Active Directory > App Registrations, New Registrations -- check
Provide Name for the App -- check
Choose supported account types (accounts in this organizational directory) -- check
Leave Redirect URI options to web and don't specify a redirect URI -- check
Clear Permissions > Grant admin consent to openid and offline_access -- NOPE, there is no option on this screen for this; I wonder if that setting has moved or if somehow I don't have the permissions to see it.
Having no other choice to proceed, I select Register.
During a quick look, I could not find anything about openid and offline_access. Is it right under my nose, is it no longer needed, is the documentation out of date, or is there an easier approach? I didn't proceed further, other than to tinker, to the client app registration, as I felt the server registration was not valid. Are there any other bumps in the road on the client application registration as well?
Just for perspective, right now, I am content to just force a login verified against AAD.
Thanks for any help!
You are correct. There is no Permissions > Grant admin consent to openid and offline_access under normal AAD | App registrations.
But it indeed has this part under Azure AD B2C.
So I guess the document is not updated to synchronize with the Azure portal.
Don't worry about that. You can skip step 5. After the Azure AD app is created successfully, you can assign and consent to openid and offline_access under the Microsoft Graph permissions. Please note: don't forget to click on Grant admin consent for {your tenant}.
I am kind of confused about the integration process, so I hope to get some clearer guidance in my case.
Let's say there is an existing web application (Angular + .NET Core) and I am working on the mobile version (Xamarin.Forms) of it. The web side and mobile side will share the same API backend for user authentication and other services.
So there is an existing tenant and related information (tenantName, tenantID, AppID, RedirectURL, policies, etc), and the redirectURL is for authorizing (https://.../authorize).
At first I thought I could directly use this information. I tried the code sample and just replaced tenantName, tenantID, ... When I clicked the Log In button, it first showed me this error:
And then it directed me to the Sign In page. Finally, I signed in to the web application in the simulator.
I feel like I should register the mobile app under the same tenant. If I want to help current web users log in to the mobile version, how do I integrate the existing Azure B2C properly with it for authentication? Any hints would be appreciated. Thanks in advance.
Update:
I am still stuck on the token part. I already enabled implicit grant. I used the sample code and added a scope in the sample:
When you Register a web application, you should pay attention to the content after step 9.
Once the application registration is complete, enable the implicit grant flow:
In the left menu, under Manage, select Authentication.
Under Implicit grant, select both the Access tokens and ID tokens check boxes.
Select Save.
Selecting Access tokens will give you the access token.
OK, I finally get the access token in the AuthenticationResult. This is how I dealt with it.
After we define a scope, we need to configure the permission.
Go to the registered application and add it to the configured permissions list:
After that I can see the accessToken in the result when I debug.
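The thread above turns on one detail: an access token is only issued when the client requests a scope published by the API (App ID URI plus scope name) and that permission has been granted to the client; requesting only the OIDC scopes yields an ID token and an empty accessToken. Added example, not code from the question or answers: the App ID URI `https://contoso.onmicrosoft.com/testapi` and scope name `read` are placeholders, and `diagnose_auth_result` reads a plain dict shaped like the id_token/access_token fields of an MSAL AuthenticationResult rather than the real object.

```python
# Scopes that only drive OpenID Connect sign-in; none of them names an API.
OIDC_SCOPES = {"openid", "offline_access", "profile", "email"}


def api_scopes(app_id_uri, *permissions):
    """Full scope strings a B2C client must request for scopes published on an
    API registration, e.g. https://contoso.onmicrosoft.com/testapi/read."""
    base = app_id_uri.rstrip("/")
    return [f"{base}/{p}" for p in permissions]


def resource_scopes(scopes):
    """Scopes that name a resource (an API). Only these cause an access token
    to be issued; OIDC scopes alone produce an ID token."""
    return [s for s in scopes if s not in OIDC_SCOPES]


def diagnose_auth_result(requested, result):
    """Explain a token response in terms of the scopes that were requested.
    `result` is a dict with optional 'id_token' and 'access_token' keys
    (constructed stand-in for an MSAL AuthenticationResult)."""
    wants_api = bool(resource_scopes(requested))
    has_access = bool(result.get("access_token"))
    has_id = bool(result.get("id_token"))
    if has_access:
        return "ok: access token issued for the requested API scope"
    if has_id and not wants_api:
        return ("no API scope requested: only OIDC scopes were sent, "
                "so only an ID token is returned")
    if has_id and wants_api:
        return ("API scope requested but no access token: check that the scope "
                "is published on the API app and granted to the client under API access")
    return "no tokens: sign-in did not complete"


if __name__ == "__main__":
    # Placeholder App ID URI and scope (assumptions, not values from the thread).
    scopes = api_scopes("https://contoso.onmicrosoft.com/testapi", "read")
    print(scopes)
    # Constructed results: what the two configurations return.
    print(diagnose_auth_result(["openid"], {"id_token": "<id>"}))
    print(diagnose_auth_result(scopes, {"id_token": "<id>"}))
    print(diagnose_auth_result(scopes, {"id_token": "<id>", "access_token": "<at>"}))
```

The middle case is the one the thread describes: scope defined on the API but not yet added to the client's configured permissions, so the sign-in succeeds and the access token is absent until the permission is granted.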
This is basically a follow up to my prev question - https://stackoverflow.com/a/44738654/2896495. I've implemented an Azure B2C sign up and auth in my web app (.NET Core 2.0) and now I want to add a custom sign up logic with Graph API (as described here - https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet).
But I'm confused about app registrations. For B2C auth I created an app in the Portal under Azure AD B2C -> Applications. Now, in order to use custom sign up logic I need another app registration under Portal -> App Registrations -> New Application Registration (where I can grant necessary permissions to Azure AD, like Read and Write directory data).
So, if I need auth AND custom sign up, how should I set up my app? What's the right way of doing this?
For simplicity's sake, as well as a healthy separation of concerns, I would indeed make a separate app for the custom sign-up. It doesn't have to be a full-fledged app, a microservice that does the sign-ups for the main B2C app would be fine.
If you want to use the custom attribute to implement the custom sign up process, you need to register two apps, as the document you mentioned in the post describes. One app is for integrating with Azure AD B2C for login, and the other is for using the Azure AD Graph to query the custom attribute.
After that, you can use the Azure AD Graph REST API to query the relevant info and handle your own business logic in the web app. To query the extension info, we just need to query the user info like below:
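The query the answer refers to is not reproduced on the page. What it relies on is the naming rule for B2C custom attributes: the directory stores them on the user object as extension properties named extension_<application id of the b2c-extensions-app, without hyphens>_<attribute name>. The following is an added example, not the answer's code: the extensions application id is a made-up placeholder, the user object is a constructed sample, and `objectId`/`displayName` as base fields are assumed.

```python
import json

# Placeholder: the application id of the tenant's b2c-extensions-app (not real).
B2C_EXTENSIONS_APP_ID = "11111111-2222-3333-4444-555555555555"


def extension_property_name(extensions_app_id, attribute):
    """Directory name of a B2C custom attribute: extension_<appid-no-hyphens>_<name>."""
    return f"extension_{extensions_app_id.replace('-', '')}_{attribute}"


def user_select_query(extensions_app_id, attributes, base=("displayName", "objectId")):
    """Build a $select value that asks the directory for the extension properties
    explicitly, since they are not returned unless named."""
    names = list(base) + [extension_property_name(extensions_app_id, a) for a in attributes]
    return ",".join(names)


def read_extension_attributes(user_json, extensions_app_id):
    """Map a user object's extension_<appid>_<name> properties back to plain
    attribute names so business logic does not carry the prefix around."""
    prefix = f"extension_{extensions_app_id.replace('-', '')}_"
    user = json.loads(user_json)
    return {k[len(prefix):]: v for k, v in user.items() if k.startswith(prefix)}


# Constructed sample of a user object as the directory would return it (fabricated).
SAMPLE_USER = json.dumps({
    "objectId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "displayName": "Test User",
    "extension_11111111222233334444555555555555_accountActive": False,
    "extension_11111111222233334444555555555555_NewAccount": True,
})


if __name__ == "__main__":
    print(user_select_query(B2C_EXTENSIONS_APP_ID, ["accountActive", "NewAccount"]))
    attrs = read_extension_attributes(SAMPLE_USER, B2C_EXTENSIONS_APP_ID)
    print(attrs)
    if attrs.get("NewAccount") and not attrs.get("accountActive"):
        print("new account awaiting activation")
```

The last branch is the pattern the later update in this thread describes: key off a NewAccount attribute after sign-up and let the sign-up service, not the policy, flip accountActive.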
If you are just trying to have your own look and feel, as opposed to the default templates with your logos and other branding, then look into providing a template for UI customizations:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-ui-customization
Also, see this other answer to a similar question:
Azure AD B2C UI Customization
If you are trying for a whole different workflow, then you will want to create a custom policy.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-overview-custom
Or if that does not work, then I guess you could just use the GraphApi, but that is the most laborious of options and completely destroys the entire purpose of using B2C in the first place. I do not recommend this approach.
Update:
I would not do everything you want to do in a custom policy. Separating the signup into its own application/service would be a great approach (as #camsoper suggested), but only use the policies for the bare amount needed to create the initial account or authenticate an approved user. I've never used a policy to change the "accountActive" attribute, but I would be inclined to use the GraphApi to modify the user profile after the account is created, using the "NewAccount" attribute to key off. There is a "Block sign in" setting on a user's profile in the Azure portal which can be used to restrict access (and the signup application could set the default after the account is created), but I'm not sure if that corresponds to the "accountActive" attribute or not (yet).
Most of the administration you've described can be done in the Azure portal; for example, changing the "Block sign in" setting on a user's profile can be used to restrict access (and the signup application could set the default after the account is created). If there is some capability that the portal does not offer, I would put that into a separate application. Avoid duplicating functionality in your customized admin app, and instead just redirect the admin to the user's profile in "portal.azure.com".
https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/{objectId}
Note: there may be some issues with that URL template if the admin has access to more than one Directory for her account. It will try to pull up the directory that her account was created on by default.
I am trying out the sample code on GitHub called active-directory-b2c-dotnet-webapp-and-webapi and when I run it against the AD B2C directory in the sample it works fine but I'm having an issue trying it out against my own AD B2C directory. I get the following error:
The application with ID 'xxx' cannot get an ID token either because the openid scope was not requested or the application is not authorized for it
Isn't the openid scope included automatically? I set up a Web App and a Web API app as per the instructions provided. When I look at the scopes that the Web App has access to, the openid scope is not listed there. Is this something I need to add manually?
When we change the API permission for an app, the openid permission gets overwritten. We can re-enable it if this happens. The option will be available at API Permissions blade under https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade.
Open the API Permissions at the above link, Add a permission, select Microsoft Graph --> select openid and save. There you are! :)
In addition to the openID step outlined above, also do the below:
Go to the API access under the Application in B2C for the app in question and add a permission against this same app saying "access this app on behalf of the signed in user".
No other steps needed.
I found the issue was with app registrations > API Permissions. When adding permissions in the Request API permissions screen, make sure you select "Delegated permissions: Your application needs to access the API as the signed-in user."
If you selected the other option, then recreate your configuration and try again.
The openid scope is not included automatically. It should be present by default in the sample, but if it was removed, then the request will fail.
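The answers above describe two ways the registration ends up wrong: the openid delegated permission on Microsoft Graph disappears when the app's API permissions are edited, or a permission is added from the "Application permissions" tab instead of "Delegated permissions". Both are visible in the requiredResourceAccess section of the registration's manifest (the Manifest blade next to API permissions), where delegated permissions have type Scope and application permissions have type Role. The following is an added example, not code from the thread: it checks a manifest for the condition and produces a corrected one. The Microsoft Graph resource app id and the openid permission id are the well-known values, assumed here; confirm them against your own tenant's manifest before relying on them. The sample manifests are constructed and the second permission id in them is a placeholder.

```python
import json

# Well-known ids (assumed here; verify against your tenant's manifest).
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
OPENID_PERMISSION_ID = "37f7f235-527c-4136-accd-4a02d197296e"

# Placeholder id standing in for some other permission that was added later.
OTHER_PERMISSION_ID = "00000000-0000-0000-0000-00000000aaaa"


def delegated_permission_status(manifest_json, resource_app_id, permission_id):
    """'delegated' if the permission is requested as a Scope (delegated),
    'application' if it was added as a Role (application permission, which
    cannot act as the signed-in user), or 'missing' if it is not requested."""
    manifest = json.loads(manifest_json)
    for resource in manifest.get("requiredResourceAccess", []):
        if resource.get("resourceAppId") != resource_app_id:
            continue
        for access in resource.get("resourceAccess", []):
            if access.get("id") == permission_id:
                return "delegated" if access.get("type") == "Scope" else "application"
    return "missing"


def openid_permission_status(manifest_json):
    """The specific check from this thread: is openid still granted on Graph?"""
    return delegated_permission_status(manifest_json, MS_GRAPH_APP_ID, OPENID_PERMISSION_ID)


def add_delegated_permission(manifest_json, resource_app_id, permission_id):
    """Return a manifest with the permission requested as a delegated Scope,
    replacing a Role entry with the same id and keeping everything else."""
    manifest = json.loads(manifest_json)
    rra = manifest.setdefault("requiredResourceAccess", [])
    resource = next((r for r in rra if r.get("resourceAppId") == resource_app_id), None)
    if resource is None:
        resource = {"resourceAppId": resource_app_id, "resourceAccess": []}
        rra.append(resource)
    resource["resourceAccess"] = [a for a in resource.get("resourceAccess", [])
                                  if a.get("id") != permission_id]
    resource["resourceAccess"].append({"id": permission_id, "type": "Scope"})
    return json.dumps(manifest, indent=2)


# Constructed manifests: after editing permissions, only the other permission remains.
SAMPLE_MANIFEST_OVERWRITTEN = json.dumps({"requiredResourceAccess": [
    {"resourceAppId": MS_GRAPH_APP_ID,
     "resourceAccess": [{"id": OTHER_PERMISSION_ID, "type": "Scope"}]}]})

# Constructed manifest where the permission was added from the wrong tab.
SAMPLE_MANIFEST_WRONG_TYPE = json.dumps({"requiredResourceAccess": [
    {"resourceAppId": MS_GRAPH_APP_ID,
     "resourceAccess": [{"id": OPENID_PERMISSION_ID, "type": "Role"}]}]})


if __name__ == "__main__":
    print("overwritten manifest:", openid_permission_status(SAMPLE_MANIFEST_OVERWRITTEN))
    print("wrong-type manifest:", openid_permission_status(SAMPLE_MANIFEST_WRONG_TYPE))
    fixed = add_delegated_permission(SAMPLE_MANIFEST_OVERWRITTEN, MS_GRAPH_APP_ID, OPENID_PERMISSION_ID)
    print("after fix:", openid_permission_status(fixed))
```

Re-adding the entry in the manifest only records the request; admin consent still has to be granted in the portal afterwards, as the earlier answers note.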