I’d like to use scopes in our Azure B2C instance, however all our resources are residing in a different active directory. Can I somehow also select the API instance from another Resource? Or is it possible to upgrade our main AD to an Azure B2C one? Or can we somehow move our subscription and all resources to our Azure B2C AD?
At this point in time, Azure AD B2C does not support multi-tenancy. You can vote and keep track of the feature in the Azure AD B2C UserVoice forum:
How to use Multitenant Applications Based on B2C
Without multitenancy, you will not be able to access resources from other tenants. It is also not possible to upgrade your main AD to an Azure AD B2C tenant, or have subscriptions within your Azure AD B2C Tenant.
Not entirely sure what your scenario is, but the recommended way to do this is by adding Azure AD as an identity provider. This currently can be done using custom policies, but I would encourage waiting until the feature is available through built-in policies.
Related
I want to deploy an application on Azure. I want users to be able to authenticate in my app without a Microsoft account. This guided me to use the AAD-B2C service. I followed the tutorial shown here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-tenant expecting that this will create a new AAD-B2C Directory in my existing Directory and tenant. I had in my mind something like the following tree:
Subscription: Pay-As-You-Go
Directory: Default
Resource Group: Default-EU
Tenants: Default, Application
User Pools: Default(Internal Users), Application(External Users)
I'm not sure I understand how this works and I'm very confused. Is it possible to use external sign-ins from users that don't have a Microsoft account without creating 2 tenants and 2 directories under my subscription?
When you create a B2C tenant, there are two completely different entities that get created - B2C Tenant Resource and B2C Tenant/Directory itself.
The B2C Tenant Resource gets created in the subscription linked to your standard Azure AD tenant (Default Directory e.g., contosocorp.onmicrosoft.com) you used to create the B2C tenant from. This resource is primarily used to change your Azure AD B2C tenant's pricing tier.
A separate tenant for your B2C directory gets created (e.g. contosob2c.onmicrosoft.com). This is an independent tenant/directory than your Default Directory and is not stored in the default tenant.
The way subscription is linked to standard Azure AD tenant is different than the B2C tenant. A subscription in B2C is required for Support, Billing, Custom Policies, and using the Identity Experience Framework. You cannot create resources for Static Web App or Function App, or Cosmos DB in the B2C tenant and you will have to use your Default Directory for this purpose.
Azure AD B2C is different from Azure AD. So, when you create Azure AD B2C, it creates another tenant
You need to create Azure AD B2C Tenant in the same subscription in which your application is deployed
Create an App Registration in your Azure AD B2C Tenant
Go to your web application and select Authentication. You can add your app registration details in the identity provider
Reference: Azure App Service Authentication (Ez Auth) with Azure AD B2C - DEV Community
We are using Azure AD B2C with custom policies in a SPA in Kubernetes and have seen that EasyAuth can also be used in Kubernetes with Azure AD (https://github.com/Azure/EasyAuthForK8s). The page also says that "Azure AD B2C custom policies for complex identity flows" are included. Does this mean that I can include EasyAuth in Kubernetes and add it to my policies for login and registration or does Azure AD B2C handle this itself? If I can include it in my policies, are there any examples of this? I haven't found anything on this yet unfortunately.
Thanks for your answers
I was able to create an App registration for Azure AD B2C inside a regular Azure AD Tenant. I was wondering what the purpose would be for this since it cannot be accessed?
The backstory of this is I was unaware that our Tenant could not have both AD and AD B2C, so I had been trying to use this App registration for my Blazor app login page. This does not work. It does not allow you to add User flows!
I since then created a new Tenant and App and that works now. But this App registration pictured here still remains under this AD Tenant (not B2C), seemingly disconnected and useless. What is going on here? Why am I allowed to create it? This App being stuck out here makes me wonder if Apps are actually independent of how they look in the Azure hierarchy and if that is beneficial in some way -- for instance, being able to register it once for many Tenants to reduce deployment/maintenance.
Azure AD applications and Azure AD B2C applications are separate products. They are independent of each other and cannot coexist in the same tenant, you will not see any Azure AD B2C applications in Azure AD tenants. Even if you click the Azure AD B2C tab to create an App registration in a regular Azure AD tenant, the application is not a b2c application, it is still an AAD application, as you can see, it does not allow you to add user flows because it is still an AAD application.
They are distinguished according to their functions. An Azure AD tenant represents an organization. An Azure AD B2C tenant represents a collection of identities to be used with relying party applications. Even if you click the Azure AD B2C tab in the regular Azure AD tenant to create an application registration, it can only use the functions in the Azure AD tenant. If you To use the features in Azure AD B2C, you can only register the application in the Azure AD B2C tenant.
I've read how to set up my application to support multiple tenants with each of them having their own Azure AD. But I would also like to support clients without Azure AD. I thought about using Azure AD B2B (inviting them to my Azure AD). But how do I then tell which tenant user belongs to? Token will have my Azure AD as iss. Can I add custom fields to token? Or maybe I should assign them to different groups based on tenant? What is the best way to do it?
I am working on a project to migrate the Consumer faced application to the cloud.
Based on the pricing I prefer to use the Azure AD B2C tenant.
Tentative timeline for the Azure AD B2C GA ?
How can I sync/move the user object from On-premises AD to the Azure AD B2C tenant? Can we use Azure AD connect for this?
As stated in this FAQ,
Can I use Azure AD Connect to migrate consumer identities that are stored on my on-premises Active Directory to Azure AD B2C?
No, Azure AD Connect is not designed to work with Azure AD B2C. We
will provide various migration options and tools out-of-the-box in the
future.
With the (beta) MSAL library (https://github.com/AzureAD/microsoft-authentication-library-for-dotnet), you can add both B2C and your existing AD to your website, so both worlds (external customers in B2C and corporate users in AD) can login to the same site.
from: https://blogs.technet.microsoft.com/enterprisemobility/2016/03/31/microsoft-identity-at-build-2016/
MSAL is a developer library that helps you to obtain tokens from MSA, Azure AD or Azure B2C for accessing protected resources – such as your own API, Microsoft’s API (such as the Microsoft Graph) and any other 3rd party choosing to protect their API with Microsoft identity.