I created a B2C AD in my developer account on Azure.
In this environment I have users created in my personal AD, and users in AD B2C (where the user can log in with: twitter and facebook).
I found an ASP.NET project that logs in to these two ADs, but with two types of logins, one for normal AD and one for AD B2C. And from what I've researched, the only way to log in to these two different ADs is this way.
Does anyone know of a way to make a single login in these two ADs?
You could do it now with custom Azure AD B2C policies. It is however quite an advanced scenario.
Using them you could put all authentication behind B2C. User could choose to sign in against your Azure AD or through Twitter or Facebook on the B2C sign-in page instead of your application.
Custom policies: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-overview-custom
Documentation on using Azure AD as a provider in B2C: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-aad-custom
GitHub repo with examples: https://github.com/Azure-Samples/active-directory-b2c-advanced-policies
Thanks for the quick response.
I tried to do this but could not find the settings needed to put Twitter, Google and Microsoft. For Facebook and other AD worked.
I found a post, that Microsoft will soon make available an "Identity Provider" to validate the user in another AD.
For now, I'll put two Sign-in in my application, one for the company's AD and another for the B2C AD.
I am now looking for a way to get the user's profile in AD (Name, First Name, Last Name, Job Title, Departament, ....).
Once this is done, I'm going to make a DEMO and publish it to github, I think this will help a lot of people.
Related
I have an ASP.Net core web application and integrated authentication using the Azure AD B2C Tenant/Application. I'm able to authenticate and get the user claims in my web application.
But what I additionally want is to allow only certain customer users access the web application. I want to do this at the B2C Tenant itself. Right now any B2C customer user can sign in. Any help, ideas, insight will be appreciated.
You may know there is an Manage user assignment for an app feature in Azure Active Directory. But it's not available in Azure B2C.
Currently the recommended way to control the access in Azure B2C is defining custom attributes and check the claims in token.
If the expected claim is included, you allow the user to continue.
Can someone provide a general approach to meeting these requirements? I've spent a bit of time researching these various topics and attempting to implement solutions and I'm surprised at how much work is involved. Hopefully I'm missing something.
How do I invite consumer users to a B2C tenant so that they can authenticate into our application using their social accounts (ex: Personal Microsoft or Google accounts)? The only baked in solution on the Azure Portal I've found uses B2C local accounts. Note that I do not want to use a publicly accessible Sign Up flow.
Presently I'm looking into a custom process that would work by inviting users to a 'local' b2c consumer account and then allowing the user to associate their social account with the local account.
Once users have authenticated (using MSAL v2 Auth Flow w/PKCE), I want to retrieve a list of permissions the user has for our application.
I'm looking into two options here:
(1) use the auth token to verify user against an internal API that, in turn, makes a call to the Microsoft Graph API to get the user's group memberships.
(2) Create a custom claim that serves the same purpose as user groups
Administrative users of our application need to be able to invite additional users to the application.
I've found some articles that point, again, to using custom policies.
Thank you very much!
EDIT #1 -
Looking into using B2C & Microsoft Graph API I came across some decent, and recent, MS Resources:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/microsoft-graph-operations
And this important-to-me statement -> Microsoft January 28th, 2021:
"Although the OAuth 2.0 client credentials grant flow is not currently directly supported by the Azure AD B2C authentication service, you can set up client credential flow using Azure AD and the Microsoft identity platform /token endpoint for an application in your Azure AD B2C tenant. An Azure AD B2C tenant shares some functionality with Azure AD enterprise tenants."
I'll update my post when I find a solution. Thanks again!
You need to use custom policies.
For first bullet point, see my sample:
https://github.com/azure-ad-b2c/samples/tree/master/policies/link-local-account-with-federated-account
You could do either option. For option 1, AAD B2C can call your api which can call graph api to fetch groups. Then embed the info into the token. For option 2, you could write a role value to an extension attribute and return it in the token.
To invite users, you could use the invite sample. Essentially make an app that calls an API to generate these invite links and send those to the users email. The user clicks the link which allows them to complete their sign up.
https://github.com/azure-ad-b2c/samples/tree/master/policies/invite
I am seeing duplicate accounts being created using the same Facebook login on Azure AD B2C. My understanding has always been that using the combined sign-up/sign-in policy, if a user taps a social provider, Azure AD B2C will sign them back in using the same Azure AD B2C account if they created it using Facebook rather than creating a new one.
In this case however, I have three examples where 2 Azure AD B2C accounts exist with the same email address, created by the user using Facebook as the authentication mechanism. They share the same name and profile photo but have different Azure AD AD object id's.
There is a known outstanding Facebook issue around expired tokens which was acknowledged by Microsoft and is logged on UserVoice here after a paid developer support issue was logged on the Azure portal: Fix the faulty Facebook integration and more transparency please!
I have logged this here under the request from Azure Support on Twitter:
https://twitter.com/AzureSupport/status/949258937915895809
Please assist - we are very concerned about these issues with regards B2C's integration with a very popular social provider!
Millions of end users use facebook to register and login to apps secured by Azure AD B2C.
If you are sure that the same facebook user(same user id) registered into the b2c app, then it may be possible that you used different facebook Application IDs. In which case you would have different facebook ids presented to b2c, resulting in 2 different Azure AD B2C user accounts.
Alternatively, it is possible that a single facebook user with email joe#email.com registerd into b2c using their facebook login and later selected "local account" and created a local user (non facebook) using the same email joe#email.com. These would appear as 2 different users.
Does anybody know why when I invite users to my Azure AD B2C some of them see different web page after clicking on invitation email? For example, user will #gmail.com will be asked to created Microsoft account but layout of this page will be different if his email would end with #mvrht.net.
I've tried to search anything on web but didn't find anything. Is there some kind of "magic? algorithm that decides this?
Azure AD B2C Users should NOT be created via the Users & Groups blade.
This blade, while available from the Azure AD B2C Edit Settings blade, is meant at this time to be used to manage users for regular (corporate/enterprise) Azure AD. While it is technically possible to create/add users via this blade, you'll end up with undesired/unexpected behavior such as users being created with #tenantname.onmicrosoft.com or having them created as Guests via the Azure AD B2B Collaboration feature (which is what's happening with your #gmail users) that ultimately can't sign in to your Azure AD B2C integrated applications.
In the context of Azure AD B2C, you should only use this blade to browse the users in the tenant, always in read only mode.
To create Azure AD B2C users, you should either:
Have the users sign-up by themselves via the Sign-up or unified Sign-up/Sign-in policy.
Programatically pre-create the users via the Graph API. For this approach check out this sample which contains a CLI to create users and showcases the code behind it.
Source: How do you add a user with a local name in Azure Active Directory B2C?
We are designing an application which will be used by client's employee, some of their vendors and consumers as well. All of these three types of user will have the different set of rights.
We were analyzing the Azure AD and found that Azure B2B can be used for employees and vendors whereas B2C can be used for consumers. So, we need both of them. Can we setup our application in such a way that if can authenticate from B2B and B2C both? Or any other suggestion to implement this.
Thanks In Advance
You can totally setup an app to authenticate with multiple directories.
Setup one Azure AD that will be used by employees, where partners can be added through B2B. Then also setup a B2C directory for the customers.
On your app side you need to display a choice for the user: if they want to sign in as an employee/partner or as a customer. Then you redirect to the correct sign-in page.
You'll need to define the app twice, once in both directories.
The actual implementation will vary based on your tech stack, but in ASP.NET Core you would need to setup multiple Open ID Connect middleware. And none of them can use AutomaticChallenge, as you do need to know where to redirect the user, you can't really choose for them.
Update to B2C allows you to do it all from there now
Azure AD B2C now allows custom policies (preview feature). This means you can use any OpenId Connect provider for sign-in, including Azure AD of course.
This new feature allows you to:
Create a B2C tenant with custom policy for employee/partner login through Azure AD
Send all users to authenticate with your B2C tenant
Users can choose if they want to sign in with social accounts or if they are an employee or partner
If they choose to sign in as employee or partner, they would be redirected to your Azure AD
In the end your app gets a token from B2C telling where the user signed in, so you can then do authorizations based on that info