We are trying to register applications with AAD B2C in a programmatic fashion (either Powershell or C#/.NET) in order to create and deploy app service web apps from azure automation during automatic tenant creation.
Given the context of AAD B2C Graph API seems like the way to go.
Is adding an application to AAD B2C possible?
If yes, via what technology (vanilla REST? we could not find documentation specific to AAD B2C applications)?
So far we tried using the Graph API from the Azure AD 2.0 preview as well as the Graph Client.
After figuring out that the step of creating an app requires a service principal with global administrator rights (we would love to further restrict the permissions) we face the issue that applications do not show up in B2C but are present in the AAD section of the Azure portal.
One of our attempts to add via powershell (we tried to set all parameters to closely match an application manually created in the portal B2C tenant management blade):
New-AzureADApplication -DisplayName $tenantCname -IdentifierUris "https://$tenantCname.$aadTenant.onmicrosoft.com" -ReplyUrls $tenantUrl -AvailableToOtherTenants $true -Oauth2AllowImplicitFlow $true -PublicClient $false
The command succeeds but the application does not show up in the portal under AZURE AD B2C SETTINGS > Settings > Applications but only in Azure Active Directory/App registrations. Given that both blades relate to the same directory we are not sure what differentiates our app creation from an interactive one.
Are there any additional steps we are missing? Specific properties/extensions?
I also created the application and service principal using PowerShell and then compare them with the B2C application created by manually using Azure AD Graph. However not able to find there is any property would effect the application.
Are there any additional steps we are missing? Specific properties/extensions?
Also there is no such properties/extensions about this feature was public based on the entity reference for the application and service principal here. So I don't think it is possible to create a B2C application programatcially at present.
If you require this feature, you may submit the feedback from here.
Related
I have developed a domain-based modeling tool and code-generator that provides the ability to capture domain models per DDD and automatically generates ASP.Net Web API microservices.
I also created an Azure B2C CLI tool that uses MS Graph API to programmatically generate an Azure B2C AD Application for each Web ASP.NET Web API of which includes all possible scopes that are applied to protect some of the generated Web API operations.
As some of these generated API services often interact with other generated services via REST and/or gRPC, the Azure B2C CLI tool also adds the list of dependent API permissions that would be required by each Web API in order to integrate with the other Web API.
My Azure B2C CLI tool works great and is creating/updating the underlying Azure B2C Web/API application per each domain service within the Home Tenant along with the necessary Service Principal.
Currently I still need to log into the Azure Portal in order to grant the API permissions per each B2C Application.
My Question is : Is it possible to automate the granting of the API Permissions using the B2C Application that I am using to create these same B2C Web/API applications ?
It seems like this should be possible as the Azure B2C CLI tool's B2C Application is the owner of these created Apps.
To help illustrate and support my question I have included some screen shots below.
To begin, the following image shows the permission set that my Azure B2C CLI tool runs under in order to create the other B2C applications for each Web API via MS Graph API.
On each pass, the Azure B2C CLI tool processes a particular domain model to understand the definition for each domain service within that model and will automatically create a series of B2C applications within Azure B2C per each service in a particular domain model.
The following domain model has 4 domain services which results with 4 B2C Apps being generated by my Azure B2C CLI tool as illustrated below ..
The Azure B2C CLI tool creates as many permission scope items per API operation and adds that to the underlying API OAuthPermissionScopes. Here is a few examples of generated permission scopes services for "WorkSpace" and "SharedServices" Web API's...
The Azure B2C CLI also adds any API permissions to each generated B2C API Application. The following example shows that "CoreServices" API requires permissions from both the "SharedServices" App API and the "WorkSpace" App API
Once that is completed I can log into the Azure Portal and Grant these permissions, manually, per each API.
Instead of granting these manually I would like to programmatically grant these permissions via MS Graph within the Azure B2C CLI tool I've created.
The code-generator domain modeling tool will be producing 100's upon 100's of services so I want to automate securing the generated domain services as much as possible, including granting of API permissions.
What is the MS Graph API to allow me to fully automate this process within my Azure B2C CLI tool?
Microsoft Graph doesn't support the "grant admin consent" feature currently.
AAD Graph has an endpoint https://graph.windows.net/myorganization/consentToApp?api-version=2.0 which is used to grant admin consent but it is only available within Microsoft. Calling this endpoint from outside will get this error.
You could consider using Azure CLI cmd az ad app permission grant or az ad app permission admin-consent --id $appid. See reference here.
There is a difference between the 2 cmds. You can find more details from my previous answer.
From what I read, AppRoleAssignment.ReadWrite.All should allow application to use Microsoft Graph SDK to do app role management programmatically. But how do I grant permission such that the application principal can only allow to manage it's own role but not other enterprise application?
The goal is to build a role management page in the web application to allow designated users to add/remove user to an app role for the same application without granting them access to the Azure portal.
Unfortunately, it's impossible currently.
Although we can add the user as the admin of the application principal on Azure portal and then we can do anything to the application principal on Azure portal, calling Microsoft Graph is different. It has to rely on the permission of Azure AD app.
But the Microsoft Graph permission AppRoleAssignment.ReadWrite.All is for all the application principals.
If you click on "F12" to open the developer tool of Chrome, you will find that the Azure Portal is using another API to finish the operation.
I tried to add my user as the admin of only one application principal through Powershell, but it still doesn't work for Microsoft Graph.
You can go to Microsoft Graph user voice to make a request to get the attention of the product group.
I am attempting to follow these instructions to set up Azure Key Vault, and I am on the step to "Register an application with Azure Active Directory".
In the instructions, there is this guideline:
Important: To complete the tutorial, your account, the vault, and the application that you will register in this step must all be in the same Azure directory.
Three important pieces of info about my configuration:
Since our team is using Azure Active Directory B2C and not Azure AD, the AAD B2C instance is in a different directory, as shown in the top right corner of the screenshot below.
Our web app (name MyApp) is registered to AAD B2C within Directory2, as shown by the circle in the middle of the screenshot below.
However, the actual Web Application resource is in Directory1, as shown in the screenshot below
How should I move forward? Should I move the KeyVault & MyApp to Directory2 or move the AAD B2C instance to Directory1?
Unfortunately, You cannot use Azure KeyVault for Azure AD B2C Application.
Why?
1.For your sceanrio,generally,we can secure Azure Web App with Azure AD and Azure AD B2C. However, for Azure AD B2C application, the key can only be generated by Azure. You cannot use a custom key for AAD Application.
2.AAD B2C application is not with a service principal. If you want to authorize the application to use the key or secret, you may use following powershell scripts:
Set-AzureRmKeyVaultAccessPolicy -VaultName 'ContosoKeyVault' -ServicePrincipalName 8f8c4bbd-485b-45fd-98f7-ec6300b7b4ed -PermissionsToKeys decrypt,sign
However,this powershell cmdelet needs to speicfy one Serviceprincipal Name. AAD B2C is not with a service principal. So,you cannot use this powershell for AAD B2C App.
So,even you can let the key vault and AAD B2C application are in a same tenant, but you still cannot use the key vault for AAD B2C.
My Suggestions:
Although you can integrate AAD B2C to do authentication/authorization for your Azure Web App, but this feature is designed for AAD,NOT Azure AD B2C. However,you can still integrate AAD B2C with your web App, but you cannot use keyvault for your B2C app. I'm sorry for this suitation, but B2C is for develop environment,it's not likes AAD.
If you mind use generated key by Azure and need this feature, you can post your idea in this Feedback Forum, Azure Team will review it.
Hope this helps!
Im trying to start working with the v2.0 endpoint, I registered my web app in the new Application registration portal, but I cannot find it anywhere in my Azure AD. Should I not be able to see it there?
I tried creating an app both with my work azure account, and with an account I created specifically in the tenant. Neither works. Am I missing something?a
You could find it Azure Active Directory-->Enterprise applications-->All applications.
But you only could see Azure AD only applications. Currently, Converged applications could not see on Azure Portal, please refer to this feedback.
Update from comment:
The blade enterprise applications represents service principals in the AAD tenant, not applications. Once you sign into the app & consent or manually provision a service principal, you'll see it in this list.
Our company is considering using AAD B2C as the backing store for our SaaS user accounts. Our plan is use Resource Manager templates to deploy the Azure infrastructure (web, storage, sql, etc) for each client. AAD B2C will be part of that if this works out, but as of now there doesn't appear to be a way to include AAD B2C in resource manager templates.
My view of the intent of the B2C product is that it serves as a replacement for the auth and user store components of an app, and should therefore be considered infrastructure. Right now the hierarchy between AAD and resource groups in the new azure portal doesn't reflect that - resource groups (and their resources) appear 'under' an identity in an AAD account. But why is that? Is an AAD a parent to a resource group? I'm trying to understand how the two fit together.
If AAD B2C is really intended to serve this purpose when it leaves preview, it will need to support automation. After a quick search I can't even find code samples to provision a new directory, let alone do so using Resource Manager templates.
Am I looking at this all wrong?
Currently there is no way to automate the creation of an AAD B2C tenant like there is also no way to automate the creation of an AAD tenant.
After you created a tenant you can access it programmatically via the Graph API. You can read more about this in the documentation: https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-devquickstarts-graph-dotnet/.
The first paragraph of this documentation mentions the following:
Azure Active Directory (Azure AD) B2C tenants tend to be very large. This means that many common tenant management tasks need to be performed programmatically. A primary example is user management. You might need to migrate an existing user store to a B2C tenant. You may want to host user registration on your own page and create user accounts in Azure AD behind the scenes. These types of tasks require the ability to create, read, update, and delete user accounts. You can do these tasks by using the Azure AD Graph API.
Caution: at the point of writing this is still in preview so the API can change any time and you have no SLA.
For the latest status about which Azure services support ARM you can read this page: https://azure.microsoft.com/en-us/documentation/articles/resource-manager-supported-services/