I have an Azure B2C service which serves to signing-up/signing-in users for my external apps (not hosted on Azure). The problem is that I have a few apps using this and I'd like to notify each of them when any user data change occurs in Active Directory (eg. email). Is there any functionality on Azure which could trigger some notifications to my apps about the change so the app could update its database?
Short answer is yes.
Long - probably too complex and definitely not within the scope of Azure AD B2C.
Can you live without this notification? Changing an e-mail address has no influence on core user data (unique identifier, oid claim). If you keep local user profile data in your application (which seems to be so), then you have to make sure you are referencing users by the oid claim you get from B2C and not by their e-mail addresses. Thus, any time a user signs-in you can check whether you have up to date info.
Do not forget, that changing e-mail address in Azure AD B2C is technically an execution of a B2C policy. Each execution of B2C policy ends with user being redirected somewhere (usually the application which triggered that policy) with a new token. A (relatively) simple solution would be to handle the callback of this authentication request (policy) and do what you want with it. For example have a notification service that would inform all applications about a change (think of EventGrid Topic where all your apps have a subscription to).
Related
We want to use Azure AD as the Identity Provider for users in a web application. At the moment, we have everything set up using MSAL.js 2.0 with the Auth Code Flow, a custom scope, and access token which is used to authenticate requests towards our various backend services.
The issue is that our users want to be able to login with their own custom email addresses, instead of their login ids generated by AD and with the #onmicrosoft.com domain. For example, user1#some-orginization.com or user2#some-other-organization.
It would still be okay to accept the login ids as usernames as well, but surely there must be a way to allow users to use another property of the profile (their alternate email for example) to log in.
Our application is registered to AD such that it will allow only logins from one tenant, since we don't want to require users to already have existing Microsoft Accounts.
We're avoiding B2C because some users would face issues with their company policies, which would mean they could be invited as users, but would be rejected at login. Also, B2C does not really support Roles like B2B does, which is somewhat important for us.
Any guidance will be greatly appreciated.
EDIT:
After countless hours of attempting to make this work, I decided that it just isn't worth the effort, and switched to Auth0. They provide everything I could possibly want, and seemingly even better Azure AD integration to other tenants then Azure AD itself.
I think what you want to express is that you want to log in to your application with any email (including personal accounts and social accounts).
If so, then you need to modify the application's manifest configuration and then change the /tenant id endpoint to the /common endpoint.
To change the setting for an existing AD App, navigate to the Manifest blade of it in the portal, find the signInAudience attribute, set it with AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.
A few days ago, before implementing user management with the Azure Active Directory Graph API (not Microsoft Graph) in our web app for Azure AD B2C users, I was able to log into the Azure Portal, find the Azure Active Directory B2C resource, click on it, and successfully authenticate into it in order to edit policies, view the list of users, etc.
(Clicking the tenant in the screenshot used to work!)
Now when I click on it, the screen flashes about 10 times, attempting to log my user into the tenant. But afterward, the following error is returned:
Furthermore, when I attempt to log into the web app with that same user, I get the following error message:
ERROR: Your account has been locked. Contact your support person to unlock it, then try again.
How do I unlock the account if I can't even get into the Azure AD B2C tenant? Did I corrupt the tenant by using the AAD Graph Client?
UPDATE
I'm adding more information about how I'm using the Azure AD Graph Client, in case it is important to diagnose why I, nor any other admin on my team, can log into the AAD B2C tenant.
I think the most relevant piece of how I'm using the Azure AD Graph Client is the following to update a user's "Organization" extension/custom attribute:
The x's represent the AAD B2C generated identifier associated with the extension and the y's represent a user GUID.
HTTP PATCH to https://graph.windows.net/genlogin.onmicrosoft.com/users/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy?api-version=1.6
Body: {
"extension_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx_Organization":"Microsoft"
}
Is this incorrect use of the graph client? How do I get the AAD B2C tenant back to a state where I can log into it?
UPDATE
Furthermore, I also found the following link which talks about existing issues in AAD B2C management: https://blogs.msdn.microsoft.com/azureadb2c/2016/09/09/known-issue-b2c-app-mgmt/
Does this link apply at all? (My guess is no because it is the tenant itself that seems to be in a weird state, not the application associated with the tenant)
Due to the screen flashes about 10 times .It seems that you tried to login the Azure too many times within a short time. Azure login server has its own policy to prevent this kind of uncommon login event.
Try to use another admin account to login the b2c Tenant and reset your account password. If you don't have , call other admins to help you.
Otherwise, you need to wait and try to login later.
Additional, your client broswer may come across some issue which causes this event. You'd better check the evironment for your work.
What I am trying to do is to automate the process of adding a new user to an Azure Active Directory of a tenant (the tenant is supplied as a parameter).
For this, I understood that I must use Azure AD B2B collaboration. The official sample for automating this process is provided by Microsoft at this link:
https://github.com/Azure/active-directory-dotnet-graphapi-b2bportal-web
So, using the Invitation API (which is available here: https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/invitation_post), I programatically send an invitation mail to an email that I want to register.
The problem is that the user which will be registered with that email, will be registered within the tenant in which the application was configured.
For example I am using the tenant name X, to configure my application in the Azure Active Directory Portal. What I see is that I can only invite emails to register within my tenant named X.
What if I want to register an email within another tenant, tenant which I know beforehand?
Can the invitation Api specify in which tenant I want to register an email, without having the application registered in that tenant?
Because if I can't, I would have to register the application in all the tenants, and then apply logic in the code to link the Client ID and Client Secret to the correct tenant.
If I have understood your question correctly, you need a multi-tenant app.
When you get an access token for Microsoft Graph API, it will always target a specific tenant.
In order to get an access token which targets another tenant, you must:
Make your app multi-tenant: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-devhowto-multi-tenant-overview
An admin from the other tenant must perform a sign up, which asks them for consent to the permissions your app requires
This usually means a redirect to the login page with prompt=admin_consent in the query
After they consent, a service principal will be created in their tenant, and they are redirected back to your app as usual
Now you can get an access token targeting their tenant and use it to call Graph API
one of our existing projects is running with a traditional authentication logic (having a user table in database). How the plan is to move the identity to AzureB2C with social IDPs integrated. But there are still some ares where we would need the reference of the existing user table. I need to find a way to map the logged in user from Azure B2C with the user table in database. I can read the email property from claims and try to map, but the challenge is user might have a different email for his social accounts. I know this actually defeats the purpose of the openId/oAuth to look back again in the user table after login. But this is a strange situation in running into. Any ideas how best this can be done ?
Copying response from: https://social.msdn.microsoft.com/Forums/en-US/221fce11-28ff-4236-a300-d6160ffc9379/azure-ad-b2c-how-to-map-the-user-logged-in-from-social-idp-to-a-local-user-table-?forum=WindowsAzureAD
Some facts are missing from your question so I will make assumptions which you can correct.
Assume that:
You do not use social IDPs today. So no existing connection between the social account and the local DB account.
This point is crucial because it is usually the user's prerogative (due to privacy) to make this link explicitly.
Assume that you will tell the user explicitly what you are doing as part of the transition.
To achieve this with b2c built-in policies you could:
1. Your app logs in the user the old fashioned way.(existing lookup DB)
2. Your app then invites users to register (in fact re-register) using a b2c signup policy which offers them social idp choices.
3. At the end of the b2c registration process, the user's email which was provided and proofed during the b2c signup and Object ID (newly created) is sent back to the App
4. The app uses the object ID and Graph to write the users existing id (old DB email or other unique user id you used today) to the new user's object in Azure AD B2C.
5. The app should note on the old DB that this user has been migrated so in the future the app does not present the option to re-register.
6. The app has to manage users in 2 different states.
Other alternative is to use custom policies and Account Linking
Here you could
1. Migrate all users into b2c using their old passwords. (assume you can get them from old DB in the clear) using Graph.
2. Point your app to b2c - users can login
3. Offer you users the option to link their b2c account to a social account. this requires custom policy and a policy path that is not public but its a simple sample we can provide.
iam currently researching how to implement Single Sign On for our WebService.
This is what i came up with so far.
If a customer of our WebService has an AzureActiveDirectory they can log on with their active directory user account to our WebService if we provide the nessecary interfaces for SAML, Oauth2, OpenID or whatever authorization protocoll we chose and azure supports.
The customers could also have their local network Active Directory synced to their Azure AD and use their Domain accounts to log on to our WebApplication.
Customers need to use the myapps.microsoft.com portal to "wrap" authentication.
Once everything is set up correctly the Identity Provider (AzureAD) would provide use with (e.g) an authenticated User Identity.
Here is were my problem begins.
Of course i need to somehow map the identity provided by the AzureAD to a certain Account for our WebService - we cannot simply use the provided identity.
As far as i understand it, you can grant AzureAD the right to create an Account on the target WebService in the name of the user which is currently signing in.
(Its called : enabling automatic user provisioning in the azure management portal).
However, when testing this with the Box, Canvas or Google apps i failed. Either i got an error or in the case of google apps i was just promted to login with my azure AD test account and then asked for a password and username of my google account (i set up SSO as an azure AD trust relation- so this should not happen)
Can someone provide some insights on how to accomplish the following?
Once the user is authenticated by SSO I want to create an account for our WebSerivce and then save the credentials for that user only in the Active directory of that particular user.
So if the user logs in the second time we can check wether there is an account already existing and log in the user with this account.
(I was told by microsoft that this might be possible with Azure Rights Management, but i cannot really find good documentation on that)
Storing the relationship: "Microsoft AD Identity <-> our WebServiceAccount Credentials" on our side is not desired because we cannot securly encrypt the data in a way that we DONT know whats in there. (or there is , and i dont know of it yet)
"Bonus Question":
Can i support SSO for a desktop application too? (Do i need a provide proxy web application or can the desktop app do this directly?)
Please see my answer to a similar question here: asp.net azure active directory user profile data
However - I'm trying to understand if you need something different. Are you expecting your customers to already have a directory and Azure AD accounts (maybe through having Office 365 subscriptions), and use those to sign in to your web app, or does your app scenario require creation/provisioning of user accounts into your customer's Azure AD directory? Provisioning can be done through graph API (as per your link), as long as the admin of your customer grants consent to allow your app to write to their directory. You can find some samples on github, and I recommend you look through https://msdn.microsoft.com/en-us/library/azure/dn499820.aspx and https://msdn.microsoft.com/en-us/library/azure/dn646737.aspx for code samples.
HTHs,
I think, without testing it. That using the Graph API enables me to save custom data for any Directory User effectively enabling my desired functionality.
This is the documentation i found very usefull.
https://msdn.microsoft.com/en-us/library/hh974476.aspx