Azure AD is FedRAMP authorized on both Azure Government and Commercial Cloud. Does Azure AD B2C come under the same umbrella, or is it an independent service that needs to be authorized?
Azure AD B2C is now officially FedRAMP High compliant in the public cloud.
https://learn.microsoft.com/en-us/azure/azure-government/compliance/azure-services-in-fedramp-auditscope
Changing this answer after receiving an update from the product group:
Azure AD B2C is not officially onboarded but is in the process of being onboarded and while we don’t have timelines, it is expected in the future.
Related
Does anyone know if we can use Privileged Identity Management in Azure AD B2C tenants?
I have tried to Google this without any success.
We would like to utilize PIM to have developers, for example, request access before creating Application Registrations and similar in the B2C tenants.
From Azure Portal, we have configured "Pricing tier = PremiumP2".
Still, within the B2C tenant in the PIM view, we get the message "The tenant needs an AAD Premium 2 license."
I tried to reproduce the same in my environment like below:
Note that Azure AD B2C currently doesn't support Privileged Identity Management. Only Azure AD with a Premium P2 license has PIM.
Alternatively, you can create custom policies with specific rules:
Otherwise, make use of Identity Governance which provides security like below:
Reference:
Microsoft Entra Identity Governance documentation - Microsoft Entra
I am trying to use MFA for on-premises apps that are secured by AD and ADFS. We are using MIM to provision accounts automatically to AD. However, not all accounts will be synchronized to Azure AD. I have read the following article:
https://learn.microsoft.com/en-us/microsoft-identity-manager/pam/use-azure-mfa-for-activation
Does it mean you can use Azure AD MFA within MIM for on-premises apps which are secured by ADFS? Does it go to Azure AD to challenge the user for MFA? What about if the account exists only in AD, not in Azure AD?
I appreciate all kinds of advice.
The article you cited above is only applicable to the use of Azure AD MFA within MIM for the privileged access management scenario, rather than for MFA for use within applications. I would recommend synchronizing accounts to Azure AD, and using conditional access and the application proxy where applicable. See https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-whichversion for more info on the options for applications.
I’d like to use scopes in our Azure B2C instance, however all our resources are residing in a different active directory. Can I somehow also select the API instance from another Resource? Or is it possible to upgrade our main AD to an Azure B2C one? Or can we somehow move our subscription and all resources to our Azure B2C AD?
At this point in time, Azure AD B2C does not support multi-tenancy. You can vote and keep track of the feature in the Azure AD B2C UserVoice forum:
How to use Multitenant Applications Based on B2C
Without multitenancy, you will not be able to access resources from other tenants. It is also not possible to upgrade your main AD to an Azure AD B2C tenant, or have subscriptions within your Azure AD B2C Tenant.
Not entirely sure what your scenario is, but the recommended way to do this is by adding Azure AD as an identity provider. This currently can be done using custom policies, but I would encourage waiting until the feature is available through built-in policies.
I am working on a project to migrate a consumer-facing application to the cloud.
Based on the pricing I prefer to use the Azure AD B2C tenant.
Is there a tentative timeline for Azure AD B2C GA?
How can I sync/move the user object from On-premises AD to the Azure AD B2C tenant? Can we use Azure AD connect for this?
As stated in this FAQ:
Can I use Azure AD Connect to migrate consumer identities that are stored on my on-premises Active Directory to Azure AD B2C?
No, Azure AD Connect is not designed to work with Azure AD B2C. We will provide various migration options and tools out-of-the-box in the future.
With the (beta) MSAL library (https://github.com/AzureAD/microsoft-authentication-library-for-dotnet), you can add both B2C and your existing AD to your website, so both worlds (external customers in B2C and corporate users in AD) can login to the same site.
from: https://blogs.technet.microsoft.com/enterprisemobility/2016/03/31/microsoft-identity-at-build-2016/
MSAL is a developer library that helps you to obtain tokens from MSA, Azure AD or Azure B2C for accessing protected resources – such as your own API, Microsoft’s API (such as the Microsoft Graph) and any other 3rd party choosing to protect their API with Microsoft identity.
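The answer above describes letting corporate users (Azure AD) and customers (B2C) sign in to the same site. On the API side that means the resource server must trust tokens from two issuers, and the security-relevant part is pinning exactly which issuers and which audience are trusted, rather than accepting any well-formed Microsoft-signed token. The following is an added example, not code from the original post or from MSAL (MSAL covers the client side; validation like this sits in the API). The tenant IDs, B2C tenant name, user flow name and API_AUDIENCE are placeholders, and HS256 with a constructed per-issuer secret stands in for the RS256 signature check against each issuer's JWKS keys so the example runs offline on the standard library.

```python
"""Constructed example, not from the original page: one API trusting tokens
from both a corporate Azure AD tenant and an Azure AD B2C tenant.
Tenant IDs, the B2C tenant name, user flow and API_AUDIENCE are placeholders.
Real tokens are RS256-signed with keys from each issuer's JWKS endpoint; HS256
with a constructed per-issuer secret stands in so this runs offline."""
import base64
import hashlib
import hmac
import json
import time


class TokenError(Exception):
    """Raised when a token fails any validation step."""


# Our API's application (client) ID: every accepted token must name it as audience.
API_AUDIENCE = "11111111-2222-3333-4444-555555555555"

# Explicit issuer allowlist. A token from any other tenant is rejected outright,
# which keeps "accept Azure AD logins" from becoming "accept every Azure AD tenant".
TRUSTED_ISSUERS = {
    # Corporate Azure AD tenant, v2.0 issuer format.
    "https://login.microsoftonline.com/aaaaaaaa-0000-0000-0000-000000000001/v2.0": {
        "realm": "employee",
        "key": b"constructed-aad-signing-secret",
        "expected_tfp": None,  # not B2C: no user-flow claim expected
    },
    # Azure AD B2C tenant, b2clogin.com issuer format (note the trailing slash).
    "https://contosob2c.b2clogin.com/bbbbbbbb-0000-0000-0000-000000000002/v2.0/": {
        "realm": "customer",
        "key": b"constructed-b2c-signing-secret",
        "expected_tfp": "B2C_1_signupsignin",  # the only user flow this API trusts
    },
}
CLOCK_SKEW_SECONDS = 120


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(issuer: str, claims: dict, key: bytes) -> str:
    """Build an HS256 JWT for the demo; a real API never mints what it validates."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(dict(claims, iss=issuer)).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_token(token: str, now=None) -> dict:
    """Return the claims of a token from either trusted tenant, tagged with the
    realm ('employee' or 'customer') the application should authorise on."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError as exc:
        raise TokenError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise TokenError("malformed token")
    # 1. Pin the algorithm; never let the token choose it (rejects alg "none").
    if header.get("alg") != "HS256":  # "RS256" against the real issuers
        raise TokenError(f"unexpected alg {header.get('alg')!r}")
    # 2. Issuer allowlist. iss is unverified so far, but step 3 checks the
    #    signature with the key pinned to that issuer, so lying about iss gains nothing.
    issuer_cfg = TRUSTED_ISSUERS.get(payload.get("iss"))
    if issuer_cfg is None:
        raise TokenError(f"untrusted issuer {payload.get('iss')!r}")
    # 3. Signature with that issuer's own key, constant-time compare.
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(issuer_cfg["key"], signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise TokenError("bad signature")
    # 4. Audience: issued for this API, not for some other app in the same tenant.
    if payload.get("aud") != API_AUDIENCE:
        raise TokenError("audience mismatch")
    # 5. Validity window with a small skew allowance.
    if payload.get("exp", 0) + CLOCK_SKEW_SECONDS < now:
        raise TokenError("token expired")
    if payload.get("nbf", 0) - CLOCK_SKEW_SECONDS > now:
        raise TokenError("token not yet valid")
    # 6. B2C only: tfp names the user flow that issued the token; accept just ours.
    if issuer_cfg["expected_tfp"] and payload.get("tfp") != issuer_cfg["expected_tfp"]:
        raise TokenError("unexpected B2C user flow")
    return dict(payload, realm=issuer_cfg["realm"])


def rejection_reason(token: str, now=None):
    """None if the token validates, otherwise why it was rejected."""
    try:
        validate_token(token, now)
        return None
    except TokenError as exc:
        return str(exc)
```

The realm tag is what lets one site serve both populations safely: an employee-realm token can be authorised for back-office routes while a customer-realm token is confined to customer-facing ones, instead of treating every valid token alike. The B2C user-flow check matters because a tenant can run several flows (sign-up/sign-in, password reset, profile edit) and a token from one is not automatically a proof of login for another.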
Could you please define the cloud-based authentication services Azure AD B2C and B2B, with their uses and their differences, if any? Please provide a list of web resources if you can.
The uses of Azure AD B2C (Business to Consumer) and Azure AD B2B (Business to Business) are very different. These differences are highlighted in the documentation.
B2C documentation: https://azure.microsoft.com/en-in/services/active-directory-b2c/
Azure Active Directory B2C is a highly available, global, identity management service for consumer-facing applications that scales to hundreds of millions of identities.
In a nutshell, it allows you to authenticate customers using social identities, like Facebook or Microsoft Account, but still within the context of Azure AD.
B2B documentation: https://azure.microsoft.com/en-in/documentation/articles/active-directory-b2b-collaboration-overview/
Azure AD B2B collaboration lets you enable access to your corporate applications from partner-managed identities. You can create cross-company relationships by inviting and authorizing users from partner companies to access your resources.
In a nutshell, it allows you to authenticate corporate users from other companies.
So one is for consumer-facing applications, and one is for business applications.
https://predica.pl/blog/azure-ad-b2b-b2c-puzzled-out/
Azure AD is an identity-as-a-service provider aimed at organization users, to provide and control access to cloud resources.
Azure AD B2B is not a separate service but a feature in Azure AD. It allows cross-organization collaboration in applications from an identity standpoint.
Azure AD B2C is an independent service for building a consumer application identity repository. If you need a service to handle email or Facebook login – it is there for you.
https://learn.microsoft.com/en-us/azure/active-directory/b2b/compare-with-b2c
B2B collaboration capabilities
Single sign-on (SSO) to all Azure AD-connected apps is supported. For example, you can provide access to Office 365 or on-premises apps, and to other SaaS apps such as Salesforce or Workday.
Partner lifecycle: Managed by the host/inviting organization.
Azure AD B2C stand-alone offering
SSO to customer owned apps within the Azure AD B2C tenants is supported. SSO to Office 365 or to other Microsoft and non-Microsoft SaaS apps is not supported.
Customer lifecycle: Self-serve or managed by the application.