What happens when we add Identity Providers in Azure AD B2C - azure

I have created an Identity Provider in my Azure AD B2C for my Web Application with the help of this link:
https://learn.microsoft.com/azure/active-directory-b2c/active-directory-b2c-setup-msa-app
I just wanted to know in depth what happens in the back end when adding an Identity Provider in Azure AD B2C.

Related

Is it possible to use Azure AD B2C as an IDP for federating Google Cloud Identity apps

Scenario:
Managed GCP Applications hosted on GCP with a Google cloud identity setup for customers
Want customers to access GCP managed service using their own IDP
Question:
Can I use Azure AD B2C as an IDP for Google Cloud Identity?
Looking for a solution or alternate solutions which may not be that expensive
Azure AD B2C is an OIDC IdP so yes, it can be used as a federated IdP in Google Cloud Identity. Due to the similarities between Azure AD B2C and Azure AD you can follow most of the steps detailed in Configure workforce identity federation with Azure AD and sign in users with the following Azure AD B2C specific replacements:
Create a new app. As a best practice, we recommend that you create a new application in Azure AD B2C and use only the application to obtain Google Cloud credentials. To create a web app for user sign-in with Azure AD B2C and enable your app to receive tokens from Azure AD B2C, see Register a web application in Azure Active Directory B2C. Do not forget to follow the Next steps.
Skip this one.

AAD B2C creates a new tenant. I don't get it

I want to deploy an application on Azure. I want users to be able to authenticate in my app without a Microsoft account. This guided me to use the AAD-B2C service. I followed the tutorial shown here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-tenant expecting that this will create a new AAD-B2C Directory in my existing Directory and tenant. I had in my mind something like the following tree:
Subscription: Pay-As-You-Go
Directory: Default
Resource Group: Default-EU
Tenants: Default, Application
User Pools: Default(Internal Users), Application(External Users)
I'm not sure I understand how this works and I'm very confused. Is it possible to use external sign-ins from users that don't have a Microsoft account without creating 2 tenants and 2 directories under my subscription?
When you create a B2C tenant, there are two completely different entities that get created - B2C Tenant Resource and B2C Tenant/Directory itself.
The B2C Tenant Resource gets created in the subscription linked to your standard Azure AD tenant (Default Directory e.g., contosocorp.onmicrosoft.com) you used to create the B2C tenant from. This resource is primarily used to change your Azure AD B2C tenant's pricing tier.
A separate tenant for your B2C directory gets created (e.g. contosob2c.onmicrosoft.com). This is an independent tenant/directory from your Default Directory and is not stored in the default tenant.
The way a subscription is linked to a standard Azure AD tenant is different from the B2C tenant. A subscription in B2C is required for Support, Billing, Custom Policies, and using the Identity Experience Framework. You cannot create resources for Static Web App, Function App, or Cosmos DB in the B2C tenant and you will have to use your Default Directory for this purpose.
Azure AD B2C is different from Azure AD. So, when you create Azure AD B2C, it creates another tenant.
You need to create the Azure AD B2C Tenant in the same subscription in which your application is deployed.
Create an App Registration in your Azure AD B2C Tenant.
Go to your web application and select Authentication. You can add your app registration details in the identity provider.
Reference: Azure App Service Authentication (Ez Auth) with Azure AD B2C - DEV Community
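As an added example, not code from the answer above or from the DEV Community post it references, this is the App Service authentication settings file (the authsettingsV2 format) for a web app that signs users in against a B2C tenant. The tenant name contosob2c, the user flow name B2C_1_signupsignin, the client id placeholder and the app setting name are assumptions; the issuer shape is an assumption too and should be checked against the user flow's OpenID metadata document.

```json
{
  "platform": { "enabled": true },
  "globalValidation": {
    "requireAuthentication": true,
    "unauthenticatedClientAction": "RedirectToLoginPage",
    "redirectToProvider": "azureActiveDirectory"
  },
  "identityProviders": {
    "azureActiveDirectory": {
      "enabled": true,
      "registration": {
        "openIdIssuer": "https://contosob2c.b2clogin.com/contosob2c.onmicrosoft.com/B2C_1_signupsignin/v2.0/",
        "clientId": "<b2c-app-registration-client-id>",
        "clientSecretSettingName": "B2C_CLIENT_SECRET"
      },
      "login": {
        "loginParameters": [ "scope=openid profile" ]
      },
      "validation": {
        "allowedAudiences": [ "<b2c-app-registration-client-id>" ]
      }
    }
  },
  "login": {
    "tokenStore": { "enabled": true }
  }
}
```

The issuer and client id belong to the B2C tenant (contosob2c.onmicrosoft.com in the answer above), not to the Default Directory that holds the App Service resource, so a token minted by the Default Directory is rejected. The client secret itself lives in the app setting named by clientSecretSettingName, never in this file.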

Azure AD B2C with EasyAuth for Kubernetes

We are using Azure AD B2C with custom policies in a SPA in Kubernetes and have seen that EasyAuth can also be used in Kubernetes with Azure AD (https://github.com/Azure/EasyAuthForK8s). The page also says that "Azure AD B2C custom policies for complex identity flows" are included. Does this mean that I can include EasyAuth in Kubernetes and add it to my policies for login and registration or does Azure AD B2C handle this itself? If I can include it in my policies, are there any examples of this? I haven't found anything on this yet unfortunately.
Thanks for your answers

Purpose of creating an Azure AD B2C App registration inside a regular Azure AD Tenant?

I was able to create an App registration for Azure AD B2C inside a regular Azure AD Tenant. I was wondering what the purpose would be for this since it cannot be accessed?
The backstory of this is I was unaware that our Tenant could not have both AD and AD B2C, so I had been trying to use this App registration for my Blazor app login page. This does not work. It does not allow you to add User flows!
I since then created a new Tenant and App and that works now. But this App registration pictured here still remains under this AD Tenant (not B2C), seemingly disconnected and useless. What is going on here? Why am I allowed to create it? This App being stuck out here makes me wonder if Apps are actually independent of how they look in the Azure hierarchy and if that is beneficial in some way -- for instance, being able to register it once for many Tenants to reduce deployment/maintenance.
Azure AD applications and Azure AD B2C applications are separate products. They are independent of each other and cannot coexist in the same tenant; you will not see any Azure AD B2C applications in Azure AD tenants. Even if you click the Azure AD B2C tab to create an App registration in a regular Azure AD tenant, the application is not a B2C application, it is still an AAD application. As you can see, it does not allow you to add user flows because it is still an AAD application.
They are distinguished according to their functions. An Azure AD tenant represents an organization. An Azure AD B2C tenant represents a collection of identities to be used with relying party applications. Even if you click the Azure AD B2C tab in the regular Azure AD tenant to create an application registration, it can only use the functions in the Azure AD tenant. To use the features in Azure AD B2C, you can only register the application in the Azure AD B2C tenant.

How to use Azure Key Vault & Azure Active Directory B2C in different directories?

I am attempting to follow these instructions to set up Azure Key Vault, and I am on the step to "Register an application with Azure Active Directory".
In the instructions, there is this guideline:
Important: To complete the tutorial, your account, the vault, and the application that you will register in this step must all be in the same Azure directory.
Three important pieces of info about my configuration:
Since our team is using Azure Active Directory B2C and not Azure AD, the AAD B2C instance is in a different directory, as shown in the top right corner of the screenshot below.
Our web app (name MyApp) is registered to AAD B2C within Directory2, as shown by the circle in the middle of the screenshot below.
However, the actual Web Application resource is in Directory1, as shown in the screenshot below
How should I move forward? Should I move the KeyVault & MyApp to Directory2 or move the AAD B2C instance to Directory1?
Unfortunately, you cannot use Azure Key Vault for an Azure AD B2C application.
Why?
1. For your scenario, generally, we can secure an Azure Web App with Azure AD and Azure AD B2C. However, for an Azure AD B2C application, the key can only be generated by Azure. You cannot use a custom key for the AAD application.
2. An AAD B2C application does not have a service principal. If you want to authorize the application to use the key or secret, you may use the following PowerShell script:
Set-AzureRmKeyVaultAccessPolicy -VaultName 'ContosoKeyVault' -ServicePrincipalName 8f8c4bbd-485b-45fd-98f7-ec6300b7b4ed -PermissionsToKeys decrypt,sign
However, this PowerShell cmdlet needs to specify one service principal name. AAD B2C does not have a service principal. So, you cannot use this PowerShell for an AAD B2C app.
So, even if you put the key vault and the AAD B2C application in the same tenant, you still cannot use the key vault for AAD B2C.
My Suggestions:
Although you can integrate AAD B2C to do authentication/authorization for your Azure Web App, this feature is designed for AAD, NOT Azure AD B2C. However, you can still integrate AAD B2C with your web app, but you cannot use Key Vault for your B2C app. I'm sorry for this situation, but B2C is for the development environment; it's not like AAD.
If you mind using the key generated by Azure and need this feature, you can post your idea in this Feedback Forum; the Azure Team will review it.
Hope this helps!