we currently work on site that uses Azure B2C authentication for "normal" public users. The site has an admin backend that need "admin" users login. How do you do that? In azure B2C we can't have groups to identify which is an Admin. Can I use custom attributes like Admin-Boolean and set it to true in the Azure users portal? It is secure enough?
Unfortunately there is no easy solution here IMO.
Yes, you can use custom attributes to solve this problem.
You can set those custom attribute(s) via the Azure AD Graph API.
Then in your app you have to check those custom attribute(s).
The first problem with that solution is there has to be an account created to set those claims on. Depending upon your app this could be an inconvenience or pain point.
You can also set those attribute(s) on sign-up but that requires custom policies which is a whole nother animal IMO
Related
I am migrating an existing app using ASP.NET Identity to Azure B2C.
I wanted to migrate the existing user details to Azure AD, when user enter the credential in the Azure b2c login. Is there any way to call custom API on click of the Azure login button? If that is possible, I will call an API which will migrate the data to Azure AD.
I can't do one time migration from existing Identity to Azure B2C as we don't get the password as plain text from the database.
Please advice
This is possible with custom policies.
There is a sample for this particular scenario as well: https://learn.microsoft.com/en-us/azure/active-directory-b2c/user-migration#seamless-migration.
Custom policies do have quite a big learning curve, so this option might require a lot of work from you.
The other option is that you add all users in bulk and require everyone to do a password reset.
This is easier to do for you but will require some work from each user.
We want to use Azure AD as the Identity Provider for users in a web application. At the moment, we have everything set up using MSAL.js 2.0 with the Auth Code Flow, a custom scope, and access token which is used to authenticate requests towards our various backend services.
The issue is that our users want to be able to login with their own custom email addresses, instead of their login ids generated by AD and with the #onmicrosoft.com domain. For example, user1#some-orginization.com or user2#some-other-organization.
It would still be okay to accept the login ids as usernames as well, but surely there must be a way to allow users to use another property of the profile (their alternate email for example) to log in.
Our application is registered to AD such that it will allow only logins from one tenant, since we don't want to require users to already have existing Microsoft Accounts.
We're avoiding B2C because some users would face issues with their company policies, which would mean they could be invited as users, but would be rejected at login. Also, B2C does not really support Roles like B2B does, which is somewhat important for us.
Any guidance will be greatly appreciated.
EDIT:
After countless hours of attempting to make this work, I decided that it just isn't worth the effort, and switched to Auth0. They provide everything I could possibly want, and seemingly even better Azure AD integration to other tenants then Azure AD itself.
I think what you want to express is that you want to log in to your application with any email (including personal accounts and social accounts).
If so, then you need to modify the application's manifest configuration and then change the /tenant id endpoint to the /common endpoint.
To change the setting for an existing AD App, navigate to the Manifest blade of it in the portal, find the signInAudience attribute, set it with AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.
Azure AD B2C let you set up just one Facebook login. But what happens when you want to connect to the same b2c directory more than one web app. Facebook forces you to insert logo and policy.
If I have two web apps, I would need to have the chance to setup 2 different facebook logins with different policy and logo. I can do on facebook developer, but seems azure b2c supports just one.
is there a way to achieve that? Maybe using open id account?
Thanks.
You would need to add it as a custom OIDC provider. Or otherwise use custom policies where you can define as many as you like.
I'm new to Azure AD B2C so I'm not fully certain of its capabilities. Either way, I'm trying to limit the access to one of my registered applications to users from the same AD B2C tenant (single-tenant scenario). The only way I was able to do this was through the App registrations (Preview), the Legacy Application registration doesn't seem to support this.
Once I set the single-tenant option, the application starts to appear under the Owned Applications tab on the App registrations (Preview) blade but I cannot make use of it. Whenever I try to run a default or custom flow I get this error:
The provided application with ID 'XXXXXX-XXX-XXXX-XXXX-XXXXXX' is not
valid against this service. Please use an application created via the
B2C portal and try again.
I also tried to set the multi-tenant scenario (AzureADMultipleOrgs) but I still get the same error. The only way I can make this work is by using the AzureADandPersonalMicrosoftAccount which leaves the app open to everyone and that's not what I need.
Am I missing an extra configuration or is this still not supported?
Thanks!
You need to use the B2C specific Application Registration option for it to be compatible with Azure AD B2C User Flows or Custom Policies. If you then need to further restrict the user base who should be able to login to the application, then you would need to implement some RBAC, see this sample:https://github.com/azure-ad-b2c/samples/tree/master/policies/relying-party-rbac
In AAD B2C, the Application Role assignment and Application Assignment is not honored, these are Azure AD concepts that are not respected by Azure AD B2C auth policies.
This is basically a follow up to my prev question - https://stackoverflow.com/a/44738654/2896495. I've implemented an Azure B2C sign up and auth in my web app (.NET Core 2.0) and now I want to add a custom sign up logic with Graph API (as described here - https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet).
But I'm confused about app registrations. For B2C auth I created an app in the Portal under Azure AD B2C -> Applications. Now, in order to use custom sign up logic I need another app registration under Portal -> App Registrations -> New Application Registration (where I can grant necessary permissions to Azure AD, like Read and Write directory data).
So, if I need auth AND custom sigh up, how should I set up my app? What's the right way of doing this?
For simplicity's sake, as well as a healthy separation of concerns, I would indeed make a separate app for the custom sign-up. It doesn't have to be a full-fledged app, a microservice that does the sign-ups for the main B2C app would be fine.
If you want to use the custom attribute to implement the custom sign up process, you need to register two apps as the document you mentioned in the post. One app is for integrating with Azure AD B2C for login, and the other is using the Azure AD Graph to query the custom attribute.
After that, you can using the Azure AD Graph REST to query the relative info and handle your own business logic in the web app. And to query the extension info, we just need to query the user info like below:
If you are just trying to have your own look and feel, as opposed to the default templates with your logos and other branding, then look into providing a template for UI customizations:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-ui-customization
Also, see this other answer to a similar question:
Azure AD B2C UI Customization
If you are trying for a whole different workflow, the you will want to create a custom policy.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-overview-custom
Or if that does not work, then I guess you could just use the GraphApi, but that is the most laborious of options and completely destroys the entire purpose of using B2C in the first place. I do not recommend this approach.
Update:
I would not do everything you want to do in a custom policy. Separating the signup into it's own application/service would be a great approach (as #camsoper suggested), but only use the policies for the bare amount needed to create the initial account or authenticate an approved user. I've never used a policy to change the "accountActive" attribute, but I would be inclined to use the GraphApi to modify the user profile after the account is created by using the "NewAccount" attribute to key off. There is a "Block sign in" setting on a users profile in the azure portal which can be used to restrict access (and the signup application could set the default after the account is created), but I'm not sure if that corresponds to the "accountActive" attribute or not (yet).
Most of the administration you've described can be done in the azure portal, such as changing the "Block sign in" setting on a users profile can be used to restrict access (and the signup application could set the default after the account is created). If there is some capability that the portal does not offer, I would put that into a separate application. Avoid duplicating functionality in your customized admin app, and instead just redirect the admin to the users profile in "portal.azure.com".
https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/{objectId}
Note: there may be some issues with that URL template if the admin has access to more than one Directory for her account. It will try to pull up the directory that her account was created on by default.