We are leveraging Azure AD B2C Custom policies with our web application. When we do an important transaction on the app, even if the user is logged in, we would like to be able to verify that this is the correct user before committing the transaction. For instance, we could send a code to the user's phone and ask him to enter the code in the app (on the form he is executing the transaction).
Is this something achievable thru Azure AD B2C Custom policies ? MFA phone factor extension?
Yes, the Azure Multi-Factor Authentication Software Development Kit (SDK) can let you build two-step verification directly into transaction processes of applications in your Azure AD tenant.
For the details about the code sample, you could refer to here.
Note: This feature will no longer be supported until November 14, 2018.
Related
Azure/Intune newbie here.
We are planning to implement Intune in our org, and I have a question regarding user device log-in to Windows devices if Azure AD is Okta federated.
From the log-in/lock screen, do users use their Okta credentials to log in to their devices instantly without taking them to the company okta portal?
We are an Okta shop and wanted to use a single set of credentials for device logins and Okta SSO.
This is not yet implemented, so I am unsure how the device log in works.
If your organization is planning to use Intune for managing Windows devices and you have federated your Azure Active Directory tenant with Okta, it is possible to allow users to sign in to their Windows devices using their Okta credentials.
When users sign in to their Windows device, they will be presented with the Windows sign-in screen, which will prompt them to enter their credentials. If your organization has configured Windows Hello for Business or multi-factor authentication, users will be prompted to provide additional verification.
If you have set up federation between Azure AD and Okta using the Security Assertion Markup Language (SAML) protocol, the Okta sign-in page will not be shown to the user during the Windows sign-in process. Instead, the user's credentials will be validated by Okta behind the scenes, and the user will be signed in to their device directly. Which of course will take more effort to implement SAML (As I have experienced)
To enable this sign-in experience, you need to configure the Windows 10 device to use Azure AD for authentication. You can do this by joining the Windows device to Azure AD during the device setup process or by using the Azure AD join feature to join the device to Azure AD.
Once the device is joined to Azure AD, you can then deploy Intune policies to the device to manage its settings and applications. Additionally, you can also use Azure AD Conditional Access policies to control access to company resources based on factors such as the user's location, device compliance status, and authentication context.
Keep in mind that to use this sign-in experience, your users will need to have their Okta credentials synchronized to Azure AD using Azure AD Connect or another supported method. Additionally, you may need to configure the Azure AD and Okta federation settings to ensure that the authentication flow works correctly.
We plan to use Azure AD for our workforce users. We also have few applications for our customers. The sales team usually reaches out to a specific team who creates customer accounts to our current environment.
Few questions:
a. Is Azure AD B2C right to use for the customer applications? What I mean is should we use B2C only when the application is like a shopping application or something where we talk about huge number of users who self-registers and perform all activities.
b. We do not need self-registration, but we want our customers to verify and confirm their email address. How do we achieve that?
c. Does Azure AD B2C support accepting terms and conditions at the time of login? I know Azure AD conditional access policy does.
d. If an on-prem application supports OAuth 2.0, is there anything still need to be updated in the app to integrate with Azure AD B2C? Is the integration approach any different than Azure AD?
e. Can we have more than one application in one Azure AD B2C tenant? Can we have separate sign-up or sign-in flow for individual applications?
f. Is there a way to sync password from Azure AD B2C to a LDAP server? we want to use Azure AD B2C SSPR.
a) B2C is designed for any non-corporate application i.e. users are not domain-joined. The number of users doesn't matter.
For what follows, you need to use custom policies.
b) Yes, you can have a sign-up flow that simply asks for email and verifies it.
c) Yes, see here. There are a number of samples there. Well worth looking at.
d) It depends on what OAuth stack the on-premises app. uses. Ideally, the app. would use the MSAL stack. It's similar to Azure AD but there is an extra parameter for the policy.
e) Yes and yes.
f) Yes, you can call a REST API that talks to the LDAP server. However, the out of the box B2C SSPR resets the password in B2C. Not sure why you need LDAP? B2C does not support AAD Connect.
Can someone provide a general approach to meeting these requirements? I've spent a bit of time researching these various topics and attempting to implement solutions and I'm surprised at how much work is involved. Hopefully I'm missing something.
How do I invite consumer users to a B2C tenant so that they can authenticate into our application using their social accounts (ex: Personal Microsoft or Google accounts)? The only baked in solution on the Azure Portal I've found uses B2C local accounts. Note that I do not want to use a publicly accessible Sign Up flow.
Presently I'm looking into a custom process that would work by inviting users to a 'local' b2c consumer account and then allowing the user to associate their social account with the local account.
Once users have authenticated (using MSAL v2 Auth Flow w/PKCE), I want to retrieve a list of permissions the user has for our application.
I'm looking into two options here:
(1) use the auth token to verify user against an internal API that, in turn, makes a call to the Microsoft Graph API to get the user's group memberships.
(2) Create a custom claim that serves the same purpose as user groups
Administrative users of our application need to be able to invite additional users to the application.
I've found some articles that point, again, to using custom policies.
Thank you very much!
EDIT #1 -
Looking into using B2C & Microsoft Graph API I came across some decent, and recent, MS Resources:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/microsoft-graph-operations
And this important-to-me statement -> Microsoft January 28th, 2021:
"Although the OAuth 2.0 client credentials grant flow is not currently directly supported by the Azure AD B2C authentication service, you can set up client credential flow using Azure AD and the Microsoft identity platform /token endpoint for an application in your Azure AD B2C tenant. An Azure AD B2C tenant shares some functionality with Azure AD enterprise tenants."
I'll update my post when I find a solution. Thanks again!
You need to use custom policies.
For first bullet point, see my sample:
https://github.com/azure-ad-b2c/samples/tree/master/policies/link-local-account-with-federated-account
You could do either option. For option 1, AAD B2C can call your api which can call graph api to fetch groups. Then embed the info into the token. For option 2, you could write a role value to an extension attribute and return it in the token.
To invite users, you could use the invite sample. Essentially make an app that calls an API to generate these invite links and send those to the users email. The user clicks the link which allows them to complete their sign up.
https://github.com/azure-ad-b2c/samples/tree/master/policies/invite
I want to integrate Multi Factor Authentication (MFA) through Azure Active Directory (AD), I checked its documentation and some code samples, then I knew that Azure AD B2C have some of features which suits my requirement,
NOTE - I only need MFA feature from Azure AD B2C,
I tried this sample code provided in official docs, https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-tutorials-spa
But I have some of queries:
1) Is there any service in Azure B2C, which can directly provide MFA facility to integrate, without need to register users in Azure AD?
2) In Azure B2C, can I control user flow with information of my website? So that email and phone number will be of my website during user flow. (I am asking about this because according to my plan I am going to integrate it after login process in my website)
3) There are 3 types of account in Azure B2C, (Work account, Guest user, Consumer user), Which user type is most suitable? (I only need MFA for the user, and will require to manage users via Graph or any official API)
4) From where can I decide, which type of user will be registered? because the code which I have tried, doesn't mention about user type, (Actually I want to know that is there any param or option in user-flow, which can decide type of user, which will be registered through this flow)
Any help or suggestions will helpful for me,
Thanks in advance,
1. Is there any service in Azure B2C, which can directly provide MFA
facility to integrate, without need to register users in Azure AD?
Yes you can restrict new user to sign and sign up using MFA. For that need to enable MFA. Its global MFA for all.
See the screen shot below.
Note: You can also implement MFA for each individual user.
See the screen shot below for Individual MFA
Once you implement MFA you would be prompted to verify your phone
number like below
Note:
For Testing MFA Userflow need native application on application
drop down
See the screen shot below
2. In Azure B2C, can I control user flow with information of my
website? So that email and phone number will be of my website during
user flow. (I am asking about this because according to my plan I am
going to integrate it after login process in my website)
Yes you can customize your user flow. You can add new user flow according to yours.
To do that, Choose All services in the top-left corner of the Azure portal, and then search for and select Azure AD B2C
Then In the left menu, select User flows, and then select New user flow
See the screen shot below:
3. There are 3 types of account in Azure B2C, (Work account, Guest user, Consumer user), Which user type is most suitable? (I only need MFA for the user, and will require to manage users via Graph or any official API)
In short Work account has the more privileged in B2C tenant as the official document says. As consumer account cannot access some resource on portal. For accessing Microsoft Graph API Guest user has some restriction even on azure portal.
Note: As per your requirement I would suggest you to go with Work account which has some benefits while you would access Microsoft API
Though the account type mostly depend on your business needs but Work Account more useful comparing all aspect.
Let's say, If you want to add some user those who already registered some other organization but you need to add them in your particular application privilege. So need to add user as Guest privilege.
4. From where can I decide, which type of user will be registered?
Tough the question is bit confusing as I said earlier it would depend on your business needs. Work account usually best for tenant user. So when you feel within on your tenant if new user need to add so go with Work account. Once you specify your need it would definitely easier for you which kind of user you need to add. There is no such reference which can explain well upto to now.
Note: You could try adding all the user type to check how the user account behave using portal and accessing resources.
We are designing an application which will be used by client's employee, some of their vendors and consumers as well. All of these three types of user will have the different set of rights.
We were analyzing the Azure AD and found that Azure B2B can be used for employees and vendors whereas B2C can be used for consumers. So, we need both of them. Can we setup our application in such a way that if can authenticate from B2B and B2C both? Or any other suggestion to implement this.
Thanks In Advance
You can totally setup an app to authenticate with multiple directories.
Setup one Azure AD that will be used by employees, where partners can be added through B2B. Then also setup a B2C directory for the customers.
On your app side you need to display a choice for the user: if they want to sign in as an employee/partner or as a customer. Then you redirect to the correct sign-in page.
You'll need to define the app twice, once in both directories.
The actual implementation will vary based on your tech stack, but in ASP.NET Core you would need to setup multiple Open ID Connect middleware. And none of them can use AutomaticChallenge, as you do need to know where to redirect the user, you can't really choose for them.
Update to B2C allows you to do it all from there now
Azure AD B2C now allows custom policies (preview feature). This means you can use any OpenId Connect provider for sign-in, including Azure AD of course.
This new feature allows you to:
Create a B2C tenant with custom policy for employee/partner login through Azure AD
Send all users to authenticate with your B2C tenant
Users can choose if they want to sign in with social accounts or if they are an employee or partner
If they choose to sign in as employee or partner, they would be redirected to your Azure AD
In the end your app gets a token from B2C telling where the user signed in, so you can then do authorizations based on that info