Azure AD B2C issues referencing another AD App: Select API drop down is always empty - azure

I'm using this sample as a starting point: https://github.com/Azure-Samples/active-directory-b2c-javascript-msal-singlepageapp/
But instead of calling an existing API I'm trying to call graph.
The actual issue I'm running into is that when I go to reference any API/APP in my B2C app there are no options under 'Select API'
What I am trying to reference is an AD App I created that has access to Graph.
I tried a number of the suggestions listed here: Azure AD Application not appearing in existing AD App list for an Azure web application
Including adding myself as the owner of the AD App, but I can't make it appear in AD B2C.
I've also tried signing in and out, and I've tried a couple of different browsers just in case.
My B2C tenant isn't linked to a subscription so that could be the issue but I'm not sure why since both my AD B2C and my AD App live in the same tenant.

Access can only be granted from one Azure AD B2C-registered application, i.e. the client application, to another Azure AD B2C-registered application, i.e. the resource application.
The Graph API is not an Azure AD B2C-registered application.
Alternatively, you'll have to either implement a backend for the frontend, where it's the backend application that integrates with the Graph API, or implement a custom policy that interacts with it.

If you want to call it, you need to register an application in the Azure AD tenant. Azure AD B2C cannot find the application which has Graph API permissions, because it is not in your B2C tenant. Regarding how to call the Graph API, please refer to https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet

Related

Azure AD B2C Application not available when signInAudience = AzureADMyOrg or AzureADMultipleOrgs

I'm new to Azure AD B2C so I'm not fully certain of its capabilities. Either way, I'm trying to limit the access to one of my registered applications to users from the same AD B2C tenant (single-tenant scenario). The only way I was able to do this was through the App registrations (Preview), the Legacy Application registration doesn't seem to support this.
Once I set the single-tenant option, the application starts to appear under the Owned Applications tab on the App registrations (Preview) blade but I cannot make use of it. Whenever I try to run a default or custom flow I get this error:
The provided application with ID 'XXXXXX-XXX-XXXX-XXXX-XXXXXX' is not valid against this service. Please use an application created via the B2C portal and try again.
I also tried to set the multi-tenant scenario (AzureADMultipleOrgs) but I still get the same error. The only way I can make this work is by using the AzureADandPersonalMicrosoftAccount which leaves the app open to everyone and that's not what I need.
Am I missing an extra configuration or is this still not supported?
Thanks!
You need to use the B2C specific Application Registration option for it to be compatible with Azure AD B2C User Flows or Custom Policies. If you then need to further restrict the user base who should be able to log in to the application, then you would need to implement some RBAC, see this sample: https://github.com/azure-ad-b2c/samples/tree/master/policies/relying-party-rbac
In AAD B2C, the Application Role assignment and Application Assignment is not honored, these are Azure AD concepts that are not respected by Azure AD B2C auth policies.

Using policies with azure app registrations vs using policies with azure b2c applications

I am using Custom Policies on Azure B2C.
When I want to run the Custom Policy I can choose the application which I want to use with the policy. I saw that I'm not only able to use my applications from Azure B2C, but I can also use the applications from the App Registration section.
What are the differences? I've been able to sign up and sign in users with both types of applications.
Thanks in advance!
The two sets of apps are completely independent of each other.
You should not be able to see any of the Azure AD B2C apps in the Application Registration in Azure Active Directory. Also, the apps in the Application Registration should not be visible in the B2C.
In your issue, I assume that you have added two apps in the two places.
What are the differences?
Application in Azure AD B2C :To build an application that accepts consumer sign-up and sign-in, you first need to register the application with an Azure Active Directory B2C tenant.
Application Registration in Azure AD: This creates an Application ID for the application, and enables it to receive tokens. In order to get a client ID and secret from Azure, you have to register the app and provide some basic information about it, including what resources your app wants to access, and what permissions it needs.
Depending on your scenario, you could register an application in both portals, and use the right one depending on the request you need to make.
The apps that are registered through each different location (Azure Active AD versus Azure AD B2C) are given credentials that are valid for any policy, including custom policies you have uploaded.
The end result is the same: you have an application that is registered with and can access the policy regardless of how that app/policy was created.

Azure AD B2C application vs Azure App Registration app

I don’t really understand the difference between Azure AD B2C Application and Azure App Registration Application.
I can see some of my Azure AD B2C applications in the Azure App Registration page, but the opposite is not true.
The good part of Azure App Registration is that you can request the Graph API if you have the right permissions and it’s not true for an Azure AD B2C Application.
https://learn.microsoft.com/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet
But it seems to be not possible to be authenticated with Azure AD B2C with an Azure App Registration application.
Do you know if there is a possibility to have an all-in-one? An application which can authorize AAD B2C authentication and request the Graph API.
The two sets of apps are completely independent of each other.
You should not be able to see any of the Azure AD B2C apps in the Application Registration portal (ARP). The only app that may be visible is the 'b2c-extensions-app', which is a system application that B2C uses to store information about users. Likewise, the apps in the ARP portal should not be visible in the B2C portal.
Unfortunately it is not possible to have an "all-in-one" app at the moment. You should vote for the feature here.
Depending on your scenario, you could register an application in both the portals, and use the right one depending on the request you need to make.
1) Currently it is not possible to use the same app registration for both Microsoft Graph API and Azure AD B2C.
a. Azure AD B2C Apps must be registered using the Azure AD B2C blade in the Azure portal.
b. Graph API applications can be registered either at https://apps.dev.microsoft.com/ or by creating an application in your Azure Active Directory tenant (but not under the Azure AD B2C blade).
2) Graph API currently does not accept tokens issued by Azure AD B2C. This means you may need a separate micro-service that will authenticate with Microsoft Graph using the ClientId / ClientSecret of your Graph API Application Registration. The instructions in the documentation will have you configure “create, read and update permissions” for your Graph API app registration. (https://learn.microsoft.com/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet)
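The backend-for-frontend arrangement the two answers above describe, as an added example for this page rather than code from the MSAL sample or the quickstart. It assumes two placeholder registrations: a B2C-registered app (B2C_CLIENT_ID, the audience of user tokens) and a separate Azure AD app registered in the same directory but outside the B2C blade (GRAPH_CLIENT_ID / GRAPH_CLIENT_SECRET) that holds the Graph permissions. The user's B2C token is only inspected to identify the caller and is never forwarded to Graph; Graph is called with an app token obtained by the client credentials grant. HTTP transport is injected so the flow can be exercised offline with constructed tokens and responses.

```python
"""Backend-for-frontend: accept a B2C user token, call Microsoft Graph with a
separate Azure AD app's client credentials. Added example; placeholder names."""
import base64
import json
import urllib.parse
import urllib.request
from typing import Any, Callable, Dict, Tuple

# Microsoft Graph's resource identifiers as they appear in a token's aud claim.
GRAPH_AUDIENCES = {"https://graph.microsoft.com",
                   "00000003-0000-0000-c000-000000000000"}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> Dict[str, Any]:
    """Decode the payload only, no signature check. Use for routing decisions;
    validate the user token (issuer keys, exp, aud) with MSAL or a JWT library
    before trusting any claim in a real service."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def audiences(token: str) -> set:
    aud = jwt_claims(token).get("aud", [])
    return set(aud) if isinstance(aud, list) else {aud}


def is_graph_token(token: str) -> bool:
    """True only for tokens whose audience is Graph itself; a B2C user token
    never is, which is why Graph rejects it."""
    return bool(audiences(token) & GRAPH_AUDIENCES)


def is_b2c_user_token(token: str, b2c_tenant: str, b2c_client_id: str) -> bool:
    """B2C issuer (b2clogin.com) and our B2C app as audience."""
    iss = jwt_claims(token).get("iss", "")
    return (iss.startswith(f"https://{b2c_tenant}.b2clogin.com/")
            and b2c_client_id in audiences(token))


def client_credentials_request(tenant: str, client_id: str,
                               client_secret: str) -> Tuple[str, bytes]:
    """v2.0 token request for the Azure AD (non-B2C) registration, asking for
    every application permission it has been granted on Graph."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    return url, body


Poster = Callable[[str, bytes, Dict[str, str]], bytes]
Getter = Callable[[str, Dict[str, str]], bytes]


def urllib_post(url: str, body: bytes, headers: Dict[str, str]) -> bytes:
    req = urllib.request.Request(url, data=body, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return resp.read()


def get_graph_app_token(tenant: str, client_id: str, secret: str, post: Poster) -> str:
    url, body = client_credentials_request(tenant, client_id, secret)
    resp = json.loads(post(url, body, {"Content-Type": "application/x-www-form-urlencoded"}))
    if "access_token" not in resp:
        raise RuntimeError(resp.get("error_description", "token request failed"))
    return resp["access_token"]


def bff_lookup_user(user_token: str, cfg: Dict[str, str], post: Poster, get: Getter) -> dict:
    """Per-request BFF logic: check the caller's B2C token, then read the
    user's Graph object with the app token. The user token is not forwarded."""
    if not is_b2c_user_token(user_token, cfg["b2c_tenant"], cfg["b2c_client_id"]):
        raise PermissionError("caller did not present a token from our B2C app")
    app_token = get_graph_app_token(cfg["tenant"], cfg["graph_client_id"],
                                    cfg["graph_client_secret"], post)
    oid = jwt_claims(user_token)["oid"]
    url = f"https://graph.microsoft.com/v1.0/users/{oid}"
    return json.loads(get(url, {"Authorization": f"Bearer {app_token}"}))


def make_unsigned_jwt(claims: Dict[str, Any]) -> str:
    """Constructed test token (header.payload. with empty signature). Demo only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed offline stand-ins for the token endpoint and Graph.
def _fake_post(url: str, body: bytes, headers: Dict[str, str]) -> bytes:
    return b'{"token_type": "Bearer", "access_token": "app-token"}'


def _fake_get(url: str, headers: Dict[str, str]) -> bytes:
    assert headers["Authorization"] == "Bearer app-token" and url.endswith("/users/user-oid")
    return b'{"id": "user-oid", "displayName": "Test User"}'


DEMO_CFG = {"b2c_tenant": "contoso", "b2c_client_id": "b2c-client-id", "tenant": "contoso.onmicrosoft.com",
            "graph_client_id": "graph-client-id", "graph_client_secret": "placeholder-secret"}
DEMO_USER_TOKEN = make_unsigned_jwt({"iss": "https://contoso.b2clogin.com/tid/v2.0/",
                                     "aud": "b2c-client-id", "oid": "user-oid"})


def demo() -> dict:
    return bff_lookup_user(DEMO_USER_TOKEN, DEMO_CFG, _fake_post, _fake_get)
```

In production, replace `_fake_post` / `_fake_get` with `urllib_post` and an equivalent GET, and replace `jwt_claims` on the inbound token with full signature validation against the B2C tenant's discovery document; the point of the split is that the secret of the Graph-permitted app lives only in the backend, never in the SPA.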

Preventing access to applications in Azure AD B2C

I have what seems on the face of it a simple requirement when using Azure AD B2C. I have two applications (App A and App B) registered in Azure AD B2C. I want to restrict access so that User 1 can access both App A and App B, but User 2 should only be able to access App A.
I can register appRoleAssignments and assign them to a user via the Azure AD Graph API with a zero id as per this question. When a user logs in, I can then query these and restrict access myself, but it feels like I'm reinventing the wheel and this should be provided by B2C.
Is this something Azure AD B2C is able to provide out of the box?
Azure AD B2C does not currently have first class support for application assignments.
As you've indicated, you'll need to implement this yourself.
You can request this feature in the Azure AD B2C Feedback Forum.
I think the way you are doing it is the correct way; eventually Azure B2C will support role and group claims and this extra step won't be needed.
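The "do it yourself" check the answers above settle on, as an added example for this page rather than anything B2C provides. It assumes the approach in the question: each user has appRoleAssignments created through Azure AD Graph, possibly with the zero GUID as role id, and the application checks them after sign-in. The assignment records below are constructed in the shape Azure AD Graph returns, and every GUID-like value is a placeholder. One detail the question does not spell out is handled here: the token's aud claim carries the app's Application (client) ID, whereas appRoleAssignments.resourceId refers to the service principal's objectId, so a lookup between the two is needed.

```python
"""Per-application access check for Azure AD B2C users built on
appRoleAssignments. Added example; constructed data and placeholder GUIDs."""
from typing import Any, Dict, Iterable, Set

# The "zero id" role: an assignment with this id grants default access
# to the app without naming a specific app role.
DEFAULT_ACCESS_ROLE_ID = "00000000-0000-0000-0000-000000000000"

# Assumed lookup from Application (client) ID, as seen in a token's aud,
# to the objectId of the app's service principal, as seen in resourceId.
APP_SERVICE_PRINCIPALS: Dict[str, str] = {
    "app-a-client-id": "sp-a-object-id",
    "app-b-client-id": "sp-b-object-id",
}


def assignments_url(tenant: str, user_object_id: str) -> str:
    """Azure AD Graph query (the API the question uses) for a user's assignments."""
    return (f"https://graph.windows.net/{tenant}/users/{user_object_id}"
            f"/appRoleAssignments?api-version=1.6")


def accessible_service_principals(assignments: Iterable[dict]) -> Set[str]:
    """resourceIds the user is directly assigned to, with any role id,
    the zero id included."""
    return {a["resourceId"] for a in assignments
            if a.get("principalType") == "User" and a.get("resourceId")}


def roles_for(app_client_id: str, assignments: Iterable[dict]) -> Set[str]:
    """Role ids granted on one app; DEFAULT_ACCESS_ROLE_ID means access only."""
    sp = APP_SERVICE_PRINCIPALS.get(app_client_id)
    return {a["id"] for a in assignments if sp and a.get("resourceId") == sp}


def can_access(app_client_id: str, assignments: Iterable[dict]) -> bool:
    """Deny unknown apps and users with no assignment for the app."""
    sp = APP_SERVICE_PRINCIPALS.get(app_client_id)
    return sp is not None and sp in accessible_service_principals(assignments)


def authorize_after_signin(token_claims: Dict[str, Any], assignments: Iterable[dict]) -> bool:
    """Call once the B2C token has been validated: aud may be a string or a list."""
    aud = token_claims.get("aud", [])
    auds = aud if isinstance(aud, list) else [aud]
    return any(can_access(a, assignments) for a in auds)


def _assignment(user_oid: str, sp_oid: str, app_name: str,
                role_id: str = DEFAULT_ACCESS_ROLE_ID) -> dict:
    """Constructed record in the Azure AD Graph appRoleAssignment shape."""
    return {"objectId": f"assignment-{user_oid}-{sp_oid}", "id": role_id,
            "principalId": user_oid, "principalType": "User",
            "principalDisplayName": user_oid,
            "resourceId": sp_oid, "resourceDisplayName": app_name}


# Constructed sample: User 1 may use App A and App B, User 2 only App A.
USER1_ASSIGNMENTS = [_assignment("user1-oid", "sp-a-object-id", "App A"),
                     _assignment("user1-oid", "sp-b-object-id", "App B", "admin-role-id")]
USER2_ASSIGNMENTS = [_assignment("user2-oid", "sp-a-object-id", "App A")]


def access_matrix() -> Dict[str, Dict[str, bool]]:
    users = {"user1": USER1_ASSIGNMENTS, "user2": USER2_ASSIGNMENTS}
    return {u: {app: can_access(app, asg) for app in APP_SERVICE_PRINCIPALS}
            for u, asg in users.items()}
```

Fetch the assignments with `assignments_url` using the Graph-permitted app's token at sign-in (or cache them per session), then gate the application on `authorize_after_signin`; because B2C does not evaluate these assignments itself, a user with no record still receives a perfectly valid token, and the check must run in the application on every protected request.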

Authenticate a user on Azure AD B2C using Graph API

I have created a WebApi app which can create a user on Azure AD B2C tenant using Graph API.
Now the user has to authenticate on Azure AD B2C in the same way as I have used the Graph API. I mean a programmatic approach to sign in instead of the Microsoft login page. Is it possible to authenticate against Azure AD B2C using the Graph API? If yes, can you please suggest to me the way to do it.
It is not possible to authenticate a user in Azure AD using the Graph API. The Graph API provides methods for various AD-related operations on users, the signed-on user, groups, directory roles, policies and so on. https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/users-operations
You can programmatically authenticate users against Azure AD using a certain call but MS refuses to officially support the method in libraries, despite it existing for over 4 years.
For node, the denied pull request is here: https://github.com/AzureAD/azure-activedirectory-library-for-nodejs/pull/99?_pjax=%23js-repo-pjax-container
The code repo referenced in the pull is here: https://github.com/testdouble/azure-activedirectory-library-for-nodejs/tree/client_secret_optional