I don’t really understand the difference between Azure AD B2C Application and Azure App Registration Application.
I can see some of my Azure AD B2C applications in the Azure App Registration page, but the opposite is not true.
The good part of Azure App Registration is that you can request the Graph API if you have the right permissions and it’s not true for an Azure AD B2C Application.
https://learn.microsoft.com/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet
But it seems to be not possible to be authenticated with Azure AD B2C with an Azure App Registration application.
Do you know if there is a possibly to have all-in-one ? An application which can authorize AAD B2C authentication and request the Graph API.
The two sets of apps are completely independent of each other.
You should not be able to see any of the Azure AD B2C apps in the Application Registration portal (ARP). The only app that may be visible is the 'b2c-extensions-app', which is a system application that B2C uses to store information about users. Likewise, the apps in the ARP portal should not be visible in the B2C portal.
Unfortunately it is not possible to have an "all-in-one" app at the moment. You should vote for the feature here.
Depending on your scenario, you could register an application in both the portals, and use the right one depending on the request you need to make.
1) Currently it is not possible to use the same app registration for both Microsoft Graph API and Azure AD B2C.
a. Azure AD B2C Apps must be registered using the Azure AD B2C blade in the Azure portal.
b. Graph API applications can be registered either at https://apps.dev.microsoft.com/ or by creating an application in your Azure Active Directory tenant (but not under the Azure AD B2C blade).
2) Graph API currently does not accept tokens issued by Azure AD B2C. This means you may need a separate micro-service that will authenticate with Microsoft Graph using the ClientId / ClientSecret of your Graph API Application Registration. The instructions in the documentation will have you configure “create, read and update permissions” for your Graph API app registration. (https://learn.microsoft.com/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet)
Related
I have react native app which uses Azure AD B2C (as it is available outside our organization) and a backend admin SPA with Azure AD as it is only for our employees.
I have a node backend with provides api for both the app, now how to validate the tokens generated by AD B2C app and AD app.
One solution is to use Azure AD as external identity provider in Azure AD B2C and use Azure AD B2C app for the both RN external facing app and backend admin SPA, this will work, the issue being here is we will have employee information on both AD & AD B2C.
What is the right way of doing these kind of integration. Any help is greatly appreciated. Thanks
Handle it in the back-end side / API side. So essentially, in the API side, you have two or more ways of authenticating a user.
In the case of AD and AD B2C, it'll be like setting up two JWT auth providers.
Context
I've successfully created and configured a Azure B2C tenant and a ASP.NET Core 3.1 Web Application which uses AD B2C built in workflows to authenticate users.
Question
In the application described above the login forms (even they have customized design by me) are provided and hosted by Azure AD B2C infrastructure.
Is it possible to use my entirely custom login form (hosted in my web app), get the typed credentials from the uses, then call Azure AD B2C API to do the authentication, and get the token?... or it is not a supported scenario and asking for the credentials form is always must be hosted by the Azure AD B2C infrastructure...
From a web app this is not supported. We do support an ROPC flow from mobile apps.
I'm using this sample as a starting point: https://github.com/Azure-Samples/active-directory-b2c-javascript-msal-singlepageapp/
But instead of calling an existing API I'm trying to call graph.
The actual issue I'm running into is that when I go to reference any API/APP in my B2C app there are no options under 'Select API'
What I am trying to reference is a AD App I created that has access to Graph.
I tried a number of the suggestions listed here: Azure AD Application not appearing in existing AD App list for an Azure web application
Including adding myself as the owner of the AD App, but I can't make it appear in AD B2C.
I've also tried signin in and out and I've tried a couple different browsers just in case.
My B2C tenant isn't linked to a subscription so that could be the issue but I'm not sure why since both my AD B2C and my AD App live in the same tenant.
Access can only be granted from one Azure AD B2C-registered application, i.e. the client application, to another Azure AD B2C-registered application, i.e. the resource application.
The Graph API is not an Azure AD B2C-registered application.
Alternatively, you'll either have to implement a backend for the frontend, where it's the backend application that integrates with the Graph API or implement a custom policy that interacts with it.
If you want to call you need to register an application in azure ad tenant. And azure b2c cannot find the application which has graph api permissions. Because it is not in your b2c tenant. Regarding how to call graph api, please refer to https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet
I am using Custom Policies on Azure B2C.
When I want to run the Custom Policy I can choose the application which I want to use with the policy. I saw that I'm not only able to use my applications from Azure B2C, I can use the applications from the App Registration section.
What is the differences. I've been able to signup and sign in users with both types of applications.
Thanks in advance!
The two sets of apps are completely independent of each other.
You should not be able to see any of the Azure AD B2C apps in the Application Registration in Azure Active directory.Also, the apps in the Application Registration should not be visible in the B2C .
In your issue , I assume that you should have add two apps in the two places.
What is the differences.
Application in Azure AD B2C :To build an application that accepts consumer sign-up and sign-in, you first need to register the application with an Azure Active Directory B2C tenant.
Application Registration in Azure AD: This creates an Application ID for the application, and enables it to receive tokens. In order to get a client ID and secret from Azure, you have to register the app and provide some basic information about it, including what resources your app wants to access, and what permissions it needs.
Depending on your scenario, you could register an application in both portals, and use the right one depending on the request you need to make.
The apps that are registered through each different location (Azure Active AD versus Azure AD B2C) are given credentials that are valid for any policy, including custom policies you have uploaded.
The end result is the same: you have an application that is registered with and can access the policy regardless of how that app/policy was created.
Is it possible to use MSAL to allow a windows service to access a web api protected by Azure AD B2C? If not, what is the best way to allow a autonomous service to access an API protected by B2C.
This scenario should be addressed with the Client Credentials OAuth flow.
This is possible in Azure AD B2C, however, the experience isn't ideal.
To do achieve this, use "App Registration" blade in the Azure Portal to register a apps that define application permissions and then register apps that use client credentials to request these. You would effectively be using the same mechanism that you use in regular Azure AD, see Azure AD's "Daemon or Server Application to Web API" documentation
Important note: Make sure you are not using the Azure AD B2C blades for this.
You can support the ask for a first class experience by voting for this entry in the Azure AD B2C feedback forum: Support OAuth 2.0 Client Credential Flow