We have an MVC web application that has its own local SQL database. We want to migrate user management of our application to "single sign on" with Azure AD B2C.
Currently we have 3 types of users who can access our web application through the browser (admin, customer1 and customer2). Based on each type of user, we display a home page customised for that user type.
We want to get the user information from Azure (included in the ID token received from Azure) and then, at our end, based on the user type of that user, display relevant information to that user.
My question:
How do we move these 3 types of users to Azure? Should we create 3 different sign-in policies, one for each user type?
Thanks!
You can add a custom attribute for a user object, so that when you migrate the user into Azure AD B2C, you can add a value in the custom attribute for each user (admin, customer1, customer2). You can then get that custom attribute as a claim in the token, and so based on that your app can show the relevant homepage.
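Two pieces of the approach in this answer, written out as an added example in plain Python (this is not code from the question or the answer; an ASP.NET MVC app would do the same in C#): the Microsoft Graph `POST /users` body for a migrated local account with the custom attribute stamped on it, and the server-side choice of home page from the claims of an ID token the OIDC middleware has already validated. The attribute name `UserType`, the tenant name and every id below are assumptions.

```python
"""Added example, not code from the original question or answer.

1. Graph ``POST /users`` body for a migrated local account, with the custom
   attribute set (Graph names it extension_<b2c-extensions-app id>_<Name>).
2. Choosing the home page from the claims of an already-validated ID token
   (a user flow emits the attribute as extension_<Name>, without the app id).

Assumptions not in the original: the attribute is called ``UserType``; the
tenant name and the ids are made-up constants.
"""
import re
import secrets
import time
from typing import Optional

# Constructed values (assumptions) - replace with your tenant's own.
TENANT_NAME = "contosob2c"                                # <name>.onmicrosoft.com
TENANT_ID = "99999999-8888-7777-6666-555555555555"         # B2C directory (tenant) id
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"         # the MVC app registration
B2C_EXT_APP_ID = "11111111-2222-3333-4444-555555555555"    # the b2c-extensions-app

# Closed list: a value outside it is rejected, never given a default page.
HOME_PAGE_BY_USER_TYPE = {
    "admin": "/admin/home",
    "customer1": "/customer1/home",
    "customer2": "/customer2/home",
}


def graph_extension_property(attribute_name: str, ext_app_id: str = B2C_EXT_APP_ID) -> str:
    """Graph property name of a B2C custom attribute:
    extension_<b2c-extensions-app id without dashes>_<Name>."""
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9]*", attribute_name):
        raise ValueError("custom attribute names are alphanumeric")
    return f"extension_{ext_app_id.replace('-', '')}_{attribute_name}"


def build_migration_user(email: str, display_name: str, user_type: str) -> dict:
    """Request body for POST https://graph.microsoft.com/v1.0/users that
    creates a local (email) account with UserType set.  The password is
    random and never delivered to anyone; the migrated user resets it through
    the password-reset user flow, so the script holds no usable credential."""
    if user_type not in HOME_PAGE_BY_USER_TYPE:
        raise ValueError(f"unknown user type {user_type!r}")
    if "@" not in email:
        raise ValueError("email sign-in identity must be an email address")
    return {
        "displayName": display_name,
        "identities": [{
            "signInType": "emailAddress",
            "issuer": f"{TENANT_NAME}.onmicrosoft.com",
            "issuerAssignedId": email,
        }],
        "passwordProfile": {
            "password": secrets.token_urlsafe(24),
            "forceChangePasswordNextSignIn": False,
        },
        "passwordPolicies": "DisablePasswordExpiration",
        graph_extension_property("UserType"): user_type,
    }


def home_page_for(claims: dict, now: Optional[float] = None) -> str:
    """Map validated ID-token claims to a home page.  Signature verification
    is the OIDC middleware's job and is assumed done; issuer, audience and
    lifetime are re-checked here because the claim we branch on is only
    trustworthy if the token really is ours."""
    now = time.time() if now is None else now
    if claims.get("aud") != CLIENT_ID:
        raise PermissionError("token was not issued to this application")
    expected_iss = f"https://{TENANT_NAME}.b2clogin.com/{TENANT_ID}/v2.0/"
    if claims.get("iss") != expected_iss:
        raise PermissionError("unexpected issuer")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise PermissionError("token not yet valid or expired")
    user_type = claims.get("extension_UserType")
    if user_type not in HOME_PAGE_BY_USER_TYPE:
        raise PermissionError(f"user type {user_type!r} is not recognised")
    return HOME_PAGE_BY_USER_TYPE[user_type]
```

The one design point worth keeping: the user type is data the app trusts for authorisation, so it is read only from a token that passed issuer, audience and lifetime checks, and any value outside the closed list is a hard failure rather than a fallback to some default page.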
Our system contains two applications, A and B. Application A makes a series of REST API calls to application B, which creates a user account and creates another data entity for that user account on application B. The user can only access application B.
Now we are asked to create the user account on CIAM (centralized user management) instead. To my understanding, the user account data won't get into our system until the user signs in to our system for the first time. That would break the workflow, as we must not wait for a user to sign in to our system, application B, to create the other entity for the user account.
To my understanding, user data on CIAM would be connected to Azure AD and the sign-in process will go through Azure AD for all users.
Any workaround for this situation?
• Since the user who first signs in to application B is creating their account in Azure AD B2C through the GUI of this application in the backend, I am considering the following. In Azure AD B2C, the user creates their own account when they sign up by entering the requested details, using either a social account email ID or by creating a new one. But per what you have asked, the user whose data you want in your system or Azure AD will need either to be entered already or to be synced while the user is signing up for application B. Thus, you will need a script to export the user data from the Azure AD B2C tenant and import it into Azure AD/your system.
• Thus, to export the customer data from Azure AD B2C and import it into Azure AD/your system, please refer to the documentation link below, which describes the steps for exporting user data from Azure AD B2C.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/manage-user-data#export-customer-data
The following link explains in detail how to export the user data, along with the extension attributes and other attributes, using a PowerShell script, and similarly how to import the same into Azure AD.
https://blog.redbaronofazure.com/?p=7804
• One more suggestion is that you can add the Azure AD tenant to which you want to sync this user data from Azure AD B2C as an external identity provider in the same Azure AD B2C tenant, and create user IDs for the specific users whom you want to be able to log in to the Azure AD B2C account with their Azure AD credentials. This would help you manage the Azure AD B2C users' data via the selected user IDs created in Azure AD. These selected privileged users can also be given the responsibility of exporting and importing other users in the original Azure AD tenant. To do the above, please refer to the link below for more details:
https://medium.com/the-new-control-plane/connecting-azure-ad-b2c-to-azure-ad-via-the-b2c-custom-identity-provider-42fbc2832e32
We have a Drupal site setup to login with Azure AD via a third party OpenID connect module.
This is linked to an Azure AD app registration in single tenant mode.
When a user visits the site while logged in to an account that isn't in our tenant, they see an error message similar to this:
Message: AADSTS50020: User account 'XXXXX@example.com' from identity provider 'https://sts.windows.net/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/' does not exist in tenant 'TENANT NAME' and cannot access the application 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX'(SITE NAME) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
This message is completely incomprehensible to most of our users. I'd like to change it to something more meaningful such as
Please log in with an INSTITUTION NAME account to access this site, e.g. username@ourdomain.com
Is this something that can be configured within the Azure AD app registration? Or elsewhere in our tenancy configuration?
In the case of Azure AD B2C, you can create a custom error page using a technical profile based on localization, or a custom policy error page. But in the case of regular Azure AD (B2B), there is no way to specify custom error messages or error pages.
If there is any case where the error message is passed back to your application, there may be a possibility to deal with it, as you can configure the handling in code as required, but there isn't any guidance regarding errors passed to the backend.
Kicking tires around. We want to use Azure B2C for identity management for our web application, which embeds Power BI. Power BI Embedded and the application are in a separate tenant that is used for our organization. Can this still be done?
You could use Embed content for your customers, also known as App owns Data.
User logs in using Azure B2C
The application back-end will verify the user login and receive the user details
The application back-end should generate the embed token. This means that you need to understand how to link a B2C user to a report ID / role etc. You can do this in your back-end based on metadata or a table lookup.
You can also include the username and roles if you would like to use Row Level Security (RLS).
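The back-end step the answer describes, as an added example in Python (not the answer's own code): the signed-in B2C user's validated claims are looked up in a table to pick the report, dataset and RLS role, and the request for Power BI's `GenerateToken` call is built from that. The bearer token for that call is the organisation tenant's own (service principal or master account), which is why the B2C tenant and the Power BI tenant can differ. The mapping table, the ids and the attribute name `extension_UserType` are assumptions.

```python
"""Added example, not from the original answer.

Links a B2C user to a Power BI report and RLS role server-side and builds
the App-owns-data GenerateToken request:
  POST https://api.powerbi.com/v1.0/myorg/groups/{workspace}/reports/{report}/GenerateToken
All ids, the mapping table and the claim name are constructed assumptions.
"""
from typing import Tuple

POWERBI_API = "https://api.powerbi.com/v1.0/myorg"

# Constructed lookup table: what each user type may see and which RLS role
# it gets.  In production this is a database table or metadata store.
EMBED_CONFIG_BY_USER_TYPE = {
    "customer1": {
        "workspace_id": "11111111-aaaa-bbbb-cccc-000000000001",
        "report_id": "22222222-aaaa-bbbb-cccc-000000000001",
        "dataset_id": "33333333-aaaa-bbbb-cccc-000000000001",
        "rls_role": "Customer1",
    },
    "customer2": {
        "workspace_id": "11111111-aaaa-bbbb-cccc-000000000001",
        "report_id": "22222222-aaaa-bbbb-cccc-000000000002",
        "dataset_id": "33333333-aaaa-bbbb-cccc-000000000002",
        "rls_role": "Customer2",
    },
    "admin": {
        "workspace_id": "11111111-aaaa-bbbb-cccc-000000000001",
        "report_id": "22222222-aaaa-bbbb-cccc-000000000009",
        "dataset_id": "33333333-aaaa-bbbb-cccc-000000000009",
        "rls_role": "AllCustomers",
    },
}


def resolve_embed_config(claims: dict) -> dict:
    """Choose report, dataset and RLS role from claims of a B2C ID token the
    back-end has already validated.  The browser never names a role or a
    username; both are derived from the token.  The B2C object id (`oid`) is
    used as the RLS username because it is stable and unambiguous, unlike an
    email address the user can change."""
    oid = claims.get("oid")
    if not oid:
        raise PermissionError("token carries no object id")
    user_type = claims.get("extension_UserType")
    if user_type not in EMBED_CONFIG_BY_USER_TYPE:
        raise PermissionError(f"no report mapped for user type {user_type!r}")
    return {**EMBED_CONFIG_BY_USER_TYPE[user_type], "rls_username": oid}


def generate_token_request(cfg: dict) -> Tuple[str, dict]:
    """URL and JSON body for GenerateToken.  The effective identity is what
    the dataset's USERNAME()/USERPRINCIPALNAME() RLS filters will see; the
    call itself is authenticated with the Power BI tenant's service
    principal token, not with anything from B2C."""
    url = (f"{POWERBI_API}/groups/{cfg['workspace_id']}"
           f"/reports/{cfg['report_id']}/GenerateToken")
    body = {
        "accessLevel": "View",
        "identities": [{
            "username": cfg["rls_username"],
            "roles": [cfg["rls_role"]],
            "datasets": [cfg["dataset_id"]],
        }],
    }
    return url, body
```

Whatever identifier you choose as the RLS username has to be the one your DAX filters compare against; if the dataset filters on an email, the table above would map `oid` to that email server-side rather than trusting one from the request.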
I created an Azure AD B2C tenant, created user flows and configured them with an MVC Core application. I am using a Local Account as the identity provider. Authentication and sign-up are working fine. Some users have signed up and are able to access the application. Now my requirement is to show all users in AD in my application's user screens, so the admin can manage/view them instead of going to the Azure portal.
To read the users, I provided the Users.Read.All permission in API permissions under my application, and I am using the Graph API to load the user data. I am able to get the user data, but the email is not in it.
Can you please let me know if there is any chance to get the user data along with the email?
Thanks.
We are designing an application which will be used by a client's employees, some of their vendors, and consumers as well. All three types of user will have different sets of rights.
We were analyzing Azure AD and found that Azure B2B can be used for employees and vendors, whereas B2C can be used for consumers. So we need both of them. Can we set up our application in such a way that it can authenticate from both B2B and B2C? Or is there any other suggestion to implement this?
Thanks In Advance
You can totally set up an app to authenticate with multiple directories.
Set up one Azure AD that will be used by employees, where partners can be added through B2B. Then also set up a B2C directory for the customers.
On your app side, you need to display a choice for the user: whether they want to sign in as an employee/partner or as a customer. Then you redirect to the correct sign-in page.
You'll need to define the app twice, once in both directories.
The actual implementation will vary based on your tech stack, but in ASP.NET Core you would need to set up multiple OpenID Connect middleware instances. None of them can use AutomaticChallenge, as you do need to know where to redirect the user; you can't really choose for them.
Update: B2C allows you to do it all from there now
Azure AD B2C now allows custom policies (preview feature). This means you can use any OpenID Connect provider for sign-in, including Azure AD of course.
This new feature allows you to:
Create a B2C tenant with custom policy for employee/partner login through Azure AD
Send all users to authenticate with your B2C tenant
Users can choose if they want to sign in with social accounts or if they are an employee or partner
If they choose to sign in as employee or partner, they would be redirected to your Azure AD
In the end your app gets a token from B2C telling you where the user signed in, so you can then do authorization based on that info
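The "display a choice, then redirect to the right directory" part of this answer, as an added example in plain Python (not the answer's own code; in ASP.NET Core the equivalent is two OpenID Connect schemes). The detail it adds is the check a practitioner wants when an app trusts more than one issuer: the directory the user picked is stored server-side and bound to the OIDC `state`, and the returned ID token is accepted only if its `iss`, `aud` and `nonce` match that directory's, so a token from the customer directory cannot be presented as an employee sign-in. Tenant ids, client ids and the user-flow name are assumptions.

```python
"""Added example, not from the original answer.

Two halves of a multi-directory sign-in: build the authorize URL for the
directory the user chose, then accept the callback only if the token
really comes from that directory.  `claims` is the payload of an ID token
whose signature was already verified against that directory's keys.
All ids, tenant names and the policy name are constructed assumptions.
"""
import secrets
import time
from typing import Optional
from urllib.parse import urlencode

# Constructed directory configuration (assumptions).
DIRECTORIES = {
    "employee": {  # Azure AD tenant; partners are B2B guests in it
        "authorize_endpoint": "https://login.microsoftonline.com/"
                              "99999999-8888-7777-6666-555555555555/oauth2/v2.0/authorize",
        "issuer": "https://login.microsoftonline.com/99999999-8888-7777-6666-555555555555/v2.0",
        "client_id": "aaaaaaaa-0000-0000-0000-000000000001",
    },
    "customer": {  # Azure AD B2C tenant with a sign-up/sign-in user flow
        "authorize_endpoint": "https://contosob2c.b2clogin.com/contosob2c.onmicrosoft.com/"
                              "B2C_1_signupsignin/oauth2/v2.0/authorize",
        "issuer": "https://contosob2c.b2clogin.com/11111111-2222-3333-4444-555555555555/v2.0/",
        "client_id": "bbbbbbbb-0000-0000-0000-000000000002",
    },
}


def begin_sign_in(session: dict, choice: str, redirect_uri: str) -> str:
    """Authorize URL for the chosen directory; the choice, state and nonce
    are kept in the server-side session so the callback can be checked
    against them."""
    if choice not in DIRECTORIES:
        raise ValueError(f"unknown directory {choice!r}")
    d = DIRECTORIES[choice]
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    session["oidc"] = {"directory": choice, "state": state, "nonce": nonce}
    query = urlencode({
        "client_id": d["client_id"],
        "response_type": "id_token",
        "response_mode": "form_post",
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
    })
    return f"{d['authorize_endpoint']}?{query}"


def complete_sign_in(session: dict, returned_state: str, claims: dict,
                     now: Optional[float] = None) -> dict:
    """Accept the callback only if state matches, the token's issuer is the
    directory that state was bound to, and audience, nonce and lifetime
    check out.  The pending record is consumed, so a replayed callback fails."""
    pending = session.pop("oidc", None)
    if pending is None or not secrets.compare_digest(
            pending["state"].encode(), returned_state.encode()):
        raise PermissionError("state mismatch")
    d = DIRECTORIES[pending["directory"]]
    if claims.get("iss") != d["issuer"]:
        raise PermissionError("token issued by a different directory than the one chosen")
    if claims.get("aud") != d["client_id"]:
        raise PermissionError("token not issued to this app registration")
    if claims.get("nonce") != pending["nonce"]:
        raise PermissionError("nonce mismatch")
    now = time.time() if now is None else now
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise PermissionError("token not yet valid or expired")
    # The population used for authorisation comes from the directory we just
    # confirmed through `iss`, not from any claim the end user can influence.
    return {"directory": pending["directory"],
            "subject": claims.get("oid") or claims["sub"]}
```

With the B2C custom-policy variant described in the update, the app has a single issuer again and the population comes from the claims B2C emits about the federated identity provider; the same rule applies there, in that the decision is taken from a validated token, not from which button the user clicked.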