Azure AD B2C reply url to wildcard URL - azure-ad-b2c

I am using Azure 'B2C', and users are creating successfully in B2C. And I am using dynamic web apps. ie, there is number of web apps are present.
sssss01.example.com
sss2.example.com
wwwss2.example.com........
When a user want to login using B2C, it's successfully login, but it reply url is not correct. I checked in azure, B2C app not supporting wildcard(*). So Is there any option to add wildcard, or any other method to manage pragmatically ?
Sign in reply url is different for different web apps.

Wildcard redirect URLs are not supported in OAuth2. See: why are redirect URLs fully qualified.
Unfortunately, we can't manage B2C programmatically.
You can upvote this item on User Voice and subscribe to stay updated: https://feedback.azure.com/forums/169401-azure-active-directory
Others have suggested this same feature but the User Voice forum appears to be down right now.

Related

How to integrate the o365/m365 oauth flow with my slack app

I'm writing an app which will allow me to get specific data from outlook/exchange using the EWS on behalf of a slack/outlook/exchange user. to authenticate via Microsoft’s oauth flow I created a azure a client_id and would like to initiate the oauth flow for m265 from the apps Home Screen. In order to create the client I’d I also need to provide a redirect url within azure ad.
Where can I find documentation on how to best use external oauth flows? (This is not about installing/authorizing the app within slack).
I’d like to add a "connect to outlook" button on my apps home page after installing from which to start the flow.
Shall I call the Microsoft login (oauth) url directly or should I first link to my apps web server?
When calling the microsoft login I need to provide a redirect url (which needs to match the one in azure ad) to which the authorization codes gets returned.
For some apps (e.g. outlook calendar for slack) this seems be a slack url.
servicenow seems to use something like…
https://slack.com/interop-apps/servicenow/snow_oauth_redirect
Is there a way to define such an url for my app within slack?
How will the authorization code be handed over to my app (I assume to the Request url I defined for my app…?
Thank you for time and consideration..
• I am considering here that you are providing authentication for your application through Azure AD, thus, to configure redirect URIs after authorization code or token is received post successful authentication, please refer the below documentation on redirect URIs. It specifies in detail the configuration restrictions that should be followed while configuring a redirect URL in Azure AD: -
https://learn.microsoft.com/en-us/azure/active-directory/develop/reply-url
Similarly, to configure a redirect URL for an application in Slack, please check the callback URL settings configured because it is required while redirect URL is an optional thing. Also, Slack will redirect the users to the callback URL itself configured in app settings if redirect URL is absent. And if provided, the redirect URL's host and port must exactly match the callback URL. The redirect URL's path must reference a subdirectory of the callback URL. Please follow the below link for more information: -
https://api.slack.com/legacy/oauth
In the above URL, go to ‘Using access tokens’ and ‘Redirect URLs’ section for exact information.
• And as far as calling the Microsoft login (OAuth)URL directly or linking it to your app’s web server, I would suggest you provision your Azure AD users in Slack by following the below documentation link or configure SSO with Slack by adding it in Enterprise Applications in Azure AD from application gallery and then configure the API permissions required for accessing the data from Exchange through EWS. In this way, proper configuration and redirection can be achieved for the users which are allowed to access the specific data from Exchange.
https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/slack-tutorial
https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/slack-provisioning-tutorial

Azure B2B application redirection to web app after login from the Invitation

We are implementing an Azure B2B application that was given in the GitHub sample
https://github.com/Azure/active-directory-dotnet-graphapi-b2bportal-web,
which was working as expected. After the redemption from the mail, the user was redirected to the b2b application(profile page), but we want to redirect to another web app(azure ad application) with Microsoft identity.
I tried to changes the redirect URLs of the b2b applications (Admin app and B2b pre-auth app) as mentioned in the above solution.
Can anyone suggest, how to achieve the same.
In the B2B sample application, I see the inviteRedirectUrl (profile URL) in two places, where profile URL is mentioned in the code. Did you change in both the places?
SiteConfig.cs
PreApprovalController.cs

Custom URL for Azure AD B2C signup and signin pages

I'm working on integrating Azure Active directory B2C for sign-up and sign-in process. By default, when a user clicks the login button, it has to redirect the user to a different domain (microsoftonline.com) such that the URL for sign-up and sign-in page is in the following format:
https://login.microsoftonline.com/te/tenant-name.onmicrosoft.com/b2c_1_signupsignin1/oauth2/v2.0/authorize.......
However, I think this is a bad user experience for users redirecting them to other domain for signing in.
So I'd like to use my own domain (e.g. example.com) so that the URL should be like below.
https://login.example.com/te/tenant-name.onmicrosoft.com/b2c_1_signupsignin1/oauth2/v2.0/authorize.......
I've done some research on Azure documentation and found out that it does not currently support setting up the custom URL for sign-up and sign-in page.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-faqs
However, the case study from Azure B2C mentioned that the Real Madrid offical home page also uses Azure AD B2C for user management (https://customers.microsoft.com/en-ca/story/real-madrid).
However, the domain in the URL for sign-in page is not microsoftonline.com but their own domain, realmadrid.com, like below
https://pro.login.realmadrid.com/rmglndpdaadfans.onmicrosoft.com/oauth2/authorize?p=B2C_1_SignInSignUpWeb&client_id=8a943960-87f9-4e22-bc2a-40099d584719&redirect_uri=http%3A%2F%2Fwww.realmadrid.com%2Fcs%2FSatellite%3Fpagename%3DRealMadridResponsive%2FPage%2FRM_IDPRespuesta&resource=https%3A%2F%2Frmglndpdaadfans.onmicrosoft.com%2Fwebapi&response_mode=fragment&response_type=token+id_token&scope=openid&nonce=defaultNonce&idpmode=0&lang=en&_ga=2.211460117.1443111640.1554916216-543571806.1554916216
I've checked the following pages but none of them helped..
https://techcommunity.microsoft.com/t5/Azure-Active-Directory/B2C-with-custom-login-URL/td-p/44040
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-faqs
So how can I achieve this as Real Madrid home page did with Azure AD B2C?
Currently, you are able to use the your-tenant-name.b2clogin.com domain (recommended) or the login.microsoftonline.com domain, latter of which is being deprecated.
Work for support of customer-owned domains has been started.
The capability to use a custom domain for your B2C tenant is now available in public preview
https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-domain?pivots=b2c-user-flow

Skipping the Home Realm Discovery Page or microsoft sign-in page in Azure AD Enterprise application

I registered one existing .NET application in Azure AD enterprise application for SSO. When i access this application using external URL, it prompts me for Microsoft Sign-in. Is there a way to avoid Microsoft Sign-in page? In few online article, i found to pass "domain_hint" in sign-in URL. Let me know if there is as way to setup domain hint in sign-in URL while registering enterprise app.
You can enable true single sign-on through the process highlighted in this Microsoft document (published one week ago). You can use a domain-joined device so that the users can sign on silently and do not need to enter a username and password. https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso
Please see the quick start guide as well. https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start
The way you make use of Domain_Hint will depend on a few details about your application -
What protocol you use to talk to your Azure AD?
Depending on the protocol, you'll need to pass the domain hint in the sign in URL for your application as shown below:
WS-Federation: whr=contoso.com in the query string.
SAML: Either a SAML authentication request that contains a domain
hint or a query string whr=contoso.com.
Open ID Connect: A query string domain_hint=contoso.com.
Whether your application is single-tenant or multi-tenant?
If it's single tenant, then it's simple - pass the domain hint for domain of one tenant that uses this application.
If it's multi tenant, then it needs to be conditional and you need to know the tenant before hand so you can pass the hint correctly to sign-in URL. For example, if the URL hit by each tenant is different, then that could help you.. Look at this part in the Microsoft documentation..
For example, the application "largeapp.com" might enable their
customers to access the application at a custom URL
"contoso.largeapp.com." The app might also include a domain hint to
contoso.com in the authentication request.
Here are the 2 best Microsoft documentation Links on this topic that I came across:
Domain Hints
Using Azure AD to land users on their custom login page from within your app

Create azure B2C which can reply to wildcard URL

In our project we are using B2C where the front-end is hosted on a webapp and gets the token and the backend is hosted on an API app and validates the token.
When developing we deploy the front-end and backend as needed, often with multiple copies for multiple developers.
The problem is that the B2C app registration requires to add the reply URL manually. Our development domains are generally under https://XXX###.azurewebsites.net. where XXX is a common prefix and ### is some number.
Is there a way to either define the reply URL programmatically (i.e. add it and remove it as we deploy/remove the instance) or to support wildcard reply URLs?
If the above is not possible is there a way to programmatically register a new application with a copy of all configurations of an existing one except the reply URL?
Wildcard redirect URLs are not supported in OAuth2. See this post: why are redirect URLs fully qualified.
And, unfortunately, we can't manage B2C programmatically.
UserVoice item: Programmatically manage B2C policies

Resources