I am referring following example : https://azure.microsoft.com/en-in/resources/samples/active-directory-dotnet-webapp-roleclaims/
I have created main (physical) Azure B2C Tenant, in that I am managing virtual tenant.
e.g. Azure B2C Tenant (Main)
- Virtual tenant in Storage table
- Tenant 1
- Tenant 2 etc.
But I have single AD and I want to separate the user based on Tenant.
How can I achieve this with Role base user management for tenant ?
Role based user management is yet not supported in Azure AD B2C. I would recommend you request this in the Azure AD B2C feedback forum.
I can think of two options for you:
Use a custom attribute to assign users their "tenant". You would then need to make sure you set this custom attribute via the Azure AD Graph. You can then include this claim in your token and use it in your application to drive behavior.
Define Azure AD groups that map to "tenants". However, given that in Azure AD B2C, groups are not included in the claims, you won't be able to do what's recommended for Azure AD, instead, you will need to query the Azure AD Graph to retrieve the user's group membership and drive behavoir from that.
Related
Per the docs, there is no 'out of the box' way to enable Azure AD B2C users to interact with the M365 environment associated with the Azure AD tenant that was used to create the Azure AD B2C tenant.
Azure AD B2C can't be used to authenticate users for Microsoft 365.
Source:
Can I use Azure AD B2C to provide social login (Facebook and Google+) into Microsoft 365?
But I still need to be able to provide this functionality, i.e GET and POST requests to M365 via the Graph API.
To be clear, this is what I have achieved so far:
Azure AD B2C users can login
Azure AD users can login and interact with their own M365 environment via Graph API
(to enable this, I added the Azure AD tenant as an identity provider, per this article)
What I have not yet been able to figure out is:
How can the Azure AD B2C users interact with the M365 environment associated with the Azure AD tenant?
(that created the Azure AD B2C tenant)
To illustrate a use case for this requirement:
Company_A wants to enable external contractors to be able to submit compliance documents to them
They set up Azure AD B2C and create accounts for their external contractors
They set up a Node.js/Express web app on Azure
External contractors can now login to a web app and view forms designed to submit data and attachments
How can those forms send data and attachments to a Document Library in Company_A's M365 environment?
I have been pondering this issue for a while and can't conceptualise a mental or technical model of how this can be achieved.
Google searching related phrases doesn't produce any relevant content.
I am hoping someone will have the knowledge and experience to be able to say:
You will need to follow THIS paradigm which is documented HERE and involves doing THIS
Edit:
I am reading articles like these:
Get access without a user
which talks about scenarios where:
apps that have a signed-in user present may also need to call Microsoft Graph under their own identity
and contemplating adding Application Permissions (as opposed to Delegated Permissions) to my Azure AD B2C application registration.
Just to test the idea, I have added Sites.ReadWrite.All as an Application Permission and granted Admin Consent for that permission. How would I define this scope (Sites.ReadWrite.All) to be associated with the 'home' Azure AD tenant (as opposed to the Azure AD B2C tenant)? I am using msal-node which has a method named getAuthCodeURL() where you pass through the scopes required. I am assuming if I just added Sites.ReadWrite.All it would default to being applied to the Azure AD B2C tenant, rather than the desired Azure AD tenant?
M365 doesn’t exist in an Azure AD B2C tenant, you cannot apply a license for Office there. This simply isn’t possible.
For Graph API, you cannot use B2C issued tokens to call it. You must use underlying AAD Tokens to access it. Your server would need to perform Azure AD client credentials flow against the Azure AD endpoint of your AAD B2C tenant and ask for a token to Graph API. https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow
Microsoft service scopes only apply to the underlying Azure AD endpoints of your AAD B2C tenant. They won’t mean anything at the AAD B2C login endpoints. Hence, the differentiation is made by the endpoint used.
An Azure AD B2C tenant has both endpoints:
AAD: login.microsoftonline.com/tenantId
B2C: b2clogin.com/tenantId
Since M365 env does not exist for B2C tenants, the MS Graph API is only useful to R/W user data. But, for this, you could just use the B2C user flows to R/W user profile data, and return user profile data into the B2C token, so you don’t have go call MS Graph API. This is actually the intended usage pattern.
I want to create a multi-tenant application where users will log in using Azure AD B2C. I will grant access to certain tenants that are our customers using policies. Only business customers from select tenants will have access.
I have a customer that requires granular control over which of their users can access my application. From what I've understood, my application will be registered as a service principal in their tenant as soon as a user consents to the applications requested permissions.
That as all well, but the service principal is only a kind of account, with access to certain resources in their tenant that was granted when the application was accepted. When the application has been registered in their AD, anyone from that organization can sign in. When someone signs in, that automatically creates a Consumer account in Azure AD B2C in our tenant.
The consumer user can sign in to applications secured by Azure AD B2C, but cannot access Azure resources such as the Azure portal. The consumer user can use a local account or federated accounts, such as Facebook or Twitter. A consumer account is created by using a sign-up or sign-in user flow, using the Microsoft Graph API, or by using the Azure portal.
Now, I have a customer that also wants to control that only certain accounts within their AD can login. So basically, a user identity should not be able to access a service principal?
Is this a use case that is supported, and if so, how do I handle it and what terminology am I looking for? I don't want my organization to handle any of this if possible. I just want to give all users in a tenant access, and then it is up to the customer to grant/revoke access to individual users.
If I understand correctly, As you have created a multi-tenant application it will be registered in your tenant as a Service Principal and for the customers tenant it will be in Enterprise Application . So , if they want to give access to few users or a particular group then they can assign user/group to that particular Enterprise application.
Example:
Service Principal Created on my tenant :
It gets registered as a Enterprise application in other tenant So in there we can select Assign Users and Groups to give access to this Application from their tenant or they can set conditional access policy as well for specified set of conditions.
Reference:
Restrict Azure AD app to a set of users - Microsoft identity platform | Microsoft Docs
All,
I have been trying for hours to show to Identity Providers menu in Azure AD B2C to no avail as I need to add FB as Identity Provider. May I know if there is a role I need to assign myself. I have assigned all roles to myself including the global administrator role.
Based on your screenshot, It shows:
This is not an Azure AD B2C directory. To create a new B2C directory &
manage your consumer identities in the cloud, click the articles
below.
Make sure you follow the steps to create the B2C tenant.
If you have created it, you need to switch to the B2C tenant.
Why does B2C "live" in its own Azure directory?
This seems to be the odd duck, no? Are there other Azure services this way? All of my other Azure resources live in the "default" directory.
It might help in understanding this by understanding the purpose of B2C. The idea here is to support a consumer facing application. For example, you might be building a consumer facing application and people all over the world might access it. You might want to outsource the security piece of that application to Azure AD.
Instead of integrating the application with your corporate Azure AD tenant, you can create a different AD directory, a B2C directory, that simply stores consumer identities. In this case, the B2C AD is completely separate from your corporate / main AD.
We all know that for one AAD tenant, it represents an organization. We can use AAD to manage users and resources for an organization. But for AAD B2C, it is just a service for authentication/authorization to all customers which relys application. It can integrate Soical accounts. AAD B2C cannot define those users belong to one organization.
However,AAD B2C still needs AAD to do authentication/authorization and manager users. In B2C, users are Local accounts or social accounts. In AAD, users are cloud accounts or on-premise synced accounts.
For example. If we use normal tenant also as a B2C tenant, the AAD authentication/authorization endpoint will be same. With this situation, we cannot distinguish the kind of users.It will result bad logic in product.
For distinguishing this two AAD, the B2C tenant must be separated.
Here is the clarify in official documentation:
Azure AD and Azure AD B2C are separate product offerings and cannot
coexist in the same tenant. An Azure AD tenant represents an
organization. An Azure AD B2C tenant represents a collection of
identities to be used with relying party applications. With custom
policies (in public preview), Azure AD B2C can federate to Azure AD
allowing authentication of employees in an organization.
Hope this helps!
I am trying to cater for a broad set of auth and identity management requirements, homogenizing this area of functionality across different legacy applications, and looking into Azure AD B2C as an option.
It seems as though there may be a need for maintaining contact information on a group. For example, we may need to group users according to their 'reseller,' and we may wish to have additional info about the reseller within Azure AD B2C.
Is this possible in AD B2C?
It is possible to add custom attributes to a group in Azure AD B2C using the same mechanism that's available in regular Azure AD via the Azure AD Graph: Directory schema extensions.
Note that while you can use groups in Azure AD B2C, sending group claims in the token isn't yet supported, so you'll need to make a separate call to the Azure AD Graph to obtain a user's group membership and details about the group. You can always vote for this ask in the Azure AD B2C feedback forum: Get user membership groups in the claims with AD B2C