How do you use Revoke-AzureADUserAllRefreshToken with Azure AD B2C? - azure-ad-b2c

I saw this answer and update (Revocation endpoint in Azure AD B2C) but I'm not sure how to use this with Azure AD B2C. I've opened up an Azure Cloud Shell and it comes back that the object ID does not exist. I'm running this from my parent Azure directory because I could not open up an Azure Cloud Shell inside my Azure AD B2C directory (it said "No valid subscription found"). Do you have to run this command from within the Azure AD B2C directory? If so how do I link a subscription so that I can do this?

I don't believe you can use Azure Cloud Shell because an Azure AD B2C directory isn't related to an Azure subscription like an Azure AD directory is related to one.
You can use either:
The Revoke-AzureADUserAllRefreshToken cmdlet of the Azure Active Directory PowerShell for Graph module.
The Invalidate all refresh tokens for a user operation of the Azure Active Directory Graph API.
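The cmdlet route from the answer above, as an added example (not part of the original post). It assumes the AzureAD module is installed, that the signed-in account holds a User Administrator or higher role in the B2C tenant, and that the angle-bracket values are replaced with your own; the point is that the session must target the B2C tenant, not the parent directory, for the user object to resolve.

```powershell
# Added example, not from the original answer. Placeholder values are in <...>.
Import-Module AzureAD

$b2cTenantId = '<b2c-tenant-id or contosob2c.onmicrosoft.com>'   # assumption: your B2C tenant
$userId      = '<object-id or UPN of the user>'                   # assumption: the user to revoke

# Connect to the B2C directory explicitly. Without -TenantId the session lands in
# the account's home (parent) tenant, which is why the object ID "does not exist" there.
Connect-AzureAD -TenantId $b2cTenantId | Out-Null

# Confirm the user resolves in this tenant before revoking anything.
$user = Get-AzureADUser -ObjectId $userId -ErrorAction Stop
Write-Host "Revoking refresh tokens for $($user.DisplayName) ($($user.ObjectId))"

# Invalidate every refresh token issued to this user. Already-issued access tokens
# stay valid until they expire, so this is not an instant sign-out.
Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId

# Verify: the user's RefreshTokensValidFromDateTime moves to "now"; refresh tokens
# issued before that timestamp are rejected on their next use.
(Get-AzureADUser -ObjectId $user.ObjectId).RefreshTokensValidFromDateTime
```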

Related

How can I manage Azure AD B2C with a service principal from the main directory

We are running Azure AD B2C to authenticate users in our application. We also managed to codify almost everything with Terraform and are pretty happy with it. Now we are attempting to move these manifests under Azure Devops Pipelines and are stuck with access problems.
Azure Pipelines use a dedicated service principal in the main (non B2C) Active Directory to perform its operations. We granted this SP enough permissions within the target subscription to handle Terraform resources. But I cannot find any way to grant this SP any permissions on the B2C directory. I can invite users from the primary directory to the B2C, and it works fine, but SP is an application, not a user.
Is there any way to "invite" an application from the primary directory into the B2C directory?
Is there any way to "invite" an application from the primary directory into the B2C directory?
If your app registration's supported account type is Accounts in any organizational directory (Any Azure AD directory - Multitenant), you would be able to add the same service principal in your Azure AD B2C tenant.
As you want to use the service principal in Azure Pipelines to handle Terraform resources, it is suggested to use separate service principals for Azure AD and Azure AD B2C, as authentication will be different for the service principal with the multi-tenant account support type.

AAD B2C creates a new tenant. I don't get it

I want to deploy an application on Azure. I want users to be able to authenticate in my app without a Microsoft account. This guided me to use the AAD-B2C service. I followed the tutorial shown here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-tenant expecting that this will create a new AAD-B2C Directory in my existing Directory and tenant. I had in my mind something like the following tree:
Subscription: Pay-As-You-Go
Directory: Default
Resource Group: Default-EU
Tenants: Default, Application
User Pools: Default(Internal Users), Application(External Users)
I'm not sure I understand how this works and I'm very confused. Is it possible to use external sign-ins from users that don't have a Microsoft account without creating 2 tenants and 2 directories under my subscription?
When you create a B2C tenant, there are two completely different entities that get created - B2C Tenant Resource and B2C Tenant/Directory itself.
The B2C Tenant Resource gets created in the subscription linked to your standard Azure AD tenant (Default Directory e.g., contosocorp.onmicrosoft.com) you used to create the B2C tenant from. This resource is primarily used to change your Azure AD B2C tenant's pricing tier.
A separate tenant for your B2C directory gets created (e.g. contosob2c.onmicrosoft.com). This is an independent tenant/directory than your Default Directory and is not stored in the default tenant.
The way subscription is linked to standard Azure AD tenant is different than the B2C tenant. A subscription in B2C is required for Support, Billing, Custom Policies, and using the Identity Experience Framework. You cannot create resources for Static Web App or Function App, or Cosmos DB in the B2C tenant and you will have to use your Default Directory for this purpose.
Azure AD B2C is different from Azure AD. So, when you create Azure AD B2C, it creates another tenant.
You need to create the Azure AD B2C tenant in the same subscription in which your application is deployed.
Create an App Registration in your Azure AD B2C tenant.
Go to your web application and select Authentication. You can add your app registration details in the identity provider.
Reference: Azure App Service Authentication (Ez Auth) with Azure AD B2C - DEV Community

Can we configure SSO (Single Sign On) in Azure without using Azure Active Directory?

Can we configure SSO (Single Sign-On) in Azure without using the Azure Active Directory? Or using any Code.
If you need to log in with Azure AD users, then SSO requires Azure AD. If you have your own database of users to log in, then you don't require Azure AD.

Does Azure B2C Require Multi-tenant to access AAD Directory Resources

I'm building a SPA web app and API on MS Azure. The application needs to authenticate users that aren't part of the organization's Azure AD Directory (and shouldn't be). We are using a B2C directory (tied to the same subscription) for this with local users.
We need to store a file in Azure Blob Storage. We set up the container in the organization's AD Tenant. I want the SPA application to retrieve the file directly from Blob Storage. I tried exposing the Blob Storage permissions in the app registrations which are in the B2C Directory, but it won't allow exposing the permission because the Directory doesn't have a subscription (I did register the B2C Tenant with the organization's subscription).
So my question is - do I need to set this up as a multi-tenant situation between the organization's Directory and the B2C Directory? So setup an app registration in the organization's directory, make it multi-tenant, and expose the needed Blob Storage permissions? Or is there a better way to do this?
As far as I know, the Azure AD B2C local user account cannot be used to do Azure AD auth and then access Azure Blob. Because the email address that you use to create an account using your 'Sign in / Sign up' user policy is just a “SignInName”. We can only use it to finish Azure AD B2C authentication. To finish Azure AD authentication, we need to use "userPrincipalName". But your users cannot get it by themselves. Meanwhile, for security reasons, Microsoft does not recommend customers provide “userPrincipalName” for their users.
So if you want to access Azure Blob in your application, I suggest you create a SAS token for the blob or the container which you want to access. For more details, please refer to the document.
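A scoped SAS token of the kind the answer above suggests, as an added example (not part of the original post). It assumes the Az.Storage module, an existing storage account, container and blob (angle-bracket placeholders), and a session already signed in with Connect-AzAccount to the subscription that holds the storage account; it issues a read-only, short-lived, HTTPS-only user-delegation SAS rather than one signed with the account key.

```powershell
# Added example, not from the original answer. Placeholder values are in <...>.
Import-Module Az.Storage

$accountName = '<storage-account-name>'   # assumption: account in the organization's directory
$container   = '<container-name>'         # assumption: existing container
$blobName    = '<blob-name>'              # assumption: the file the SPA must read

# Build the context from the signed-in identity (OAuth) instead of the account key,
# so the resulting SAS is a user-delegation SAS bounded by this identity's RBAC rights
# and can be revoked by revoking the delegation key.
$ctx = New-AzStorageContext -StorageAccountName $accountName -UseConnectedAccount

$now = (Get-Date).ToUniversalTime()

# Least privilege: read only, one blob, 15-minute window, HTTPS only.
# A small negative start offset tolerates clock skew between client and service.
$sas = New-AzStorageBlobSASToken -Context $ctx `
        -Container $container -Blob $blobName `
        -Permission r `
        -StartTime  $now.AddMinutes(-5) `
        -ExpiryTime $now.AddMinutes(15) `
        -Protocol HttpsOnly

# The cmdlet returns the query string (leading '?'); hand the full URL to the SPA.
$blobUrl = "https://$accountName.blob.core.windows.net/$container/$blobName$sas"
Write-Output $blobUrl
```

Mint the token server-side (for example in the API the SPA already calls after B2C sign-in) and return it per request, so the SPA never holds a long-lived credential.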

How to use Azure Key Vault & Azure Active Directory B2C in different directories?

I am attempting to follow these instructions to set up Azure Key Vault, and I am on the step to "Register an application with Azure Active Directory".
In the instructions, there is this guideline:
Important: To complete the tutorial, your account, the vault, and the application that you will register in this step must all be in the same Azure directory.
Three important pieces of info about my configuration:
Since our team is using Azure Active Directory B2C and not Azure AD, the AAD B2C instance is in a different directory, as shown in the top right corner of the screenshot below.
Our web app (name MyApp) is registered to AAD B2C within Directory2, as shown by the circle in the middle of the screenshot below.
However, the actual Web Application resource is in Directory1, as shown in the screenshot below
How should I move forward? Should I move the KeyVault & MyApp to Directory2 or move the AAD B2C instance to Directory1?
Unfortunately, You cannot use Azure KeyVault for Azure AD B2C Application.
Why?
1. For your scenario, generally, we can secure an Azure Web App with Azure AD and Azure AD B2C. However, for an Azure AD B2C application, the key can only be generated by Azure. You cannot use a custom key for an AAD application.
2. An AAD B2C application does not come with a service principal. If you want to authorize the application to use the key or secret, you may use the following PowerShell script:
Set-AzureRmKeyVaultAccessPolicy -VaultName 'ContosoKeyVault' -ServicePrincipalName 8f8c4bbd-485b-45fd-98f7-ec6300b7b4ed -PermissionsToKeys decrypt,sign
However, this PowerShell cmdlet needs to specify one service principal name. AAD B2C does not come with a service principal. So, you cannot use this PowerShell for an AAD B2C app.
So, even if you put the key vault and the AAD B2C application in the same tenant, you still cannot use the key vault for AAD B2C.
My Suggestions:
Although you can integrate AAD B2C to do authentication/authorization for your Azure Web App, this feature is designed for AAD, NOT Azure AD B2C. However, you can still integrate AAD B2C with your web app, but you cannot use Key Vault for your B2C app. I'm sorry for this situation, but B2C is for a development environment; it's not like AAD.
If you mind using keys generated by Azure and need this feature, you can post your idea in this Feedback Forum; the Azure team will review it.
Hope this helps!