I am implementing Sign in by using Azure AD accounts scenario, described here -
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-aad-custom
I understand how to change custom policy in file SignUpOrSignIn.xml, but I don't want users to sign up freely into my application.
I want to use sign-in only policy, but there are no sign-in only policies files in the starter pack.
Is it possible to have Azure AD login button on sign-in only screen?
You can remove everything related to sign-up and any other user journey you don't want, from a combined policy.
Related
I have an existing login page. Can I integrate Azure B2C into it instead of using the login screens provided by and hosted by Azure AD B2C?
A similar question was asked 4 years ago but the answer is most likely out of date: Can I use my own UI to authenticate users with Azure AD B2C?
You could have a look at the embedded sign up / sign-in option.
"For a simpler sign-up or sign-in experience, you can avoid redirecting users to a separate sign-up or sign-in page, or generating a pop-up window. By using the inline frame HTML element, you can embed the Azure AD B2C sign-in user interface directly into your web application."
If you are really determined to use the form of your own which has nothing to do with AAD B2C then the only solution you're left with is a Resource Owner Password Credentials grant where you explicitely send username/email and password over to AAD B2C and get a token in return.
Here's docs ref: https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-ropc-policy?tabs=app-reg-ga&pivots=b2c-user-flow
Be aware though that this flow is not suitable for modern applications for security reasons and in principle should rather be used only for legacy solutions.
Our organization has a on premise Active directory.For few of our applications we want to implement authentication mechanism using Azure AD. Following is the requirement:
1) Organization users will be authenticated by Azure AD
2) External users will be authenticated by Azure AD B2C
3) Whenever an external user is trying to access the application, application will redirect the user to B2C login page.
Can anyone help me with steps for the solution?
Also, is there any issues to implement the security mechanism using Azure AD and B2C if the application resides in AWS?
For a specific sample of how to implement these custom policies, see Woodgrove Groceries demo, which enables users to sign in with either:
An "individual customer" account (i.e. a local account that is managed by Azure AD B2C or a Google or Microsoft account that is federated with it); or
A "business customer" account (i.e. an Azure AD account that is federated with Azure AD B2C); or
A "partner" account that is a direct federation between the end-user application and Azure AD (where Azure AD B2C doesn't act as an intermediate federation).
For your use case B2C custom policies are perfect fit. you can get start on custom policies from https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-get-started-custom
1) Organization users will be authenticated by Azure AD
You can integrate this in custom policies. Example: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-aad-custom
2) External users will be authenticated by Azure AD B2C
Once you add custom policies those will allow you to login users from external network/ social IDPs
3) Whenever an external user is trying to access the application,
application will redirect the user to B2C login page.
It's all about configuration. If you configure properly it will take you to B2C login page. If you stuck while integrating drop comment here.
Also, is there any issues to implement the security mechanism using
Azure AD and B2C if the application resides in AWS?
I don't think you will face challenges. Cloud redirects will happen and works fine with B2C too.
Is It possible to create a multi step sign up custom policy in azure ad b2c ?
I mean I need to capture personal details and verify them against my database if valid? Then second page to create a username and password and store them in azure active directory.
Since I already have a design implemented for these pages I don't want to change this by using ad b2c.
Please help.
Yes, this is possible, see the Wingtip sample for Azure AD B2C custom policies which contains a sign-up or sign-in policy that includes multiple orchestration steps.
You will have to validate the personal details via a REST API.
I searched in google for how to add CAPTCHA in b2c signup policy. but not getting any article so for. Is there a way to add CAPTCHA inside sign-up and sign-in process of Azure B2C? or any workaround
Currently, because Azure AD B2C doesn't allow custom or third-party JavaScript, which is required for CAPTCHA, then this isn't possible.
It will be possible when Azure AD B2C does support Javascript.
The current alternative is to verify the email address for a new user during sign-up.
Does anybody know why when I invite users to my Azure AD B2C some of them see different web page after clicking on invitation email? For example, user will #gmail.com will be asked to created Microsoft account but layout of this page will be different if his email would end with #mvrht.net.
I've tried to search anything on web but didn't find anything. Is there some kind of "magic? algorithm that decides this?
Azure AD B2C Users should NOT be created via the Users & Groups blade.
This blade, while available from the Azure AD B2C Edit Settings blade, is meant at this time to be used to manage users for regular (corporate/enterprise) Azure AD. While it is technically possible to create/add users via this blade, you'll end up with undesired/unexpected behavior such as users being created with #tenantname.onmicrosoft.com or having them created as Guests via the Azure AD B2B Collaboration feature (which is what's happening with your #gmail users) that ultimately can't sign in to your Azure AD B2C integrated applications.
In the context of Azure AD B2C, you should only use this blade to browse the users in the tenant, always in read only mode.
To create Azure AD B2C users, you should either:
Have the users sign-up by themselves via the Sign-up or unified Sign-up/Sign-in policy.
Programatically pre-create the users via the Graph API. For this approach check out this sample which contains a CLI to create users and showcases the code behind it.
Source: How do you add a user with a local name in Azure Active Directory B2C?