Azure Active Directory B2C deployment via resource manager (or code) - azure

Our company is considering using AAD B2C as the backing store for our SaaS user accounts. Our plan is use Resource Manager templates to deploy the Azure infrastructure (web, storage, sql, etc) for each client. AAD B2C will be part of that if this works out, but as of now there doesn't appear to be a way to include AAD B2C in resource manager templates.
My view of the intent of the B2C product is that it serves as a replacement for the auth and user store components of an app, and should therefore be considered infrastructure. Right now the hierarchy between AAD and resource groups in the new azure portal doesn't reflect that - resource groups (and their resources) appear 'under' an identity in an AAD account. But why is that? Is an AAD a parent to a resource group? I'm trying to understand how the two fit together.
If AAD B2C is really intended to serve this purpose when it leaves preview, it will need to support automation. After a quick search I can't even find code samples to provision a new directory, let alone do so using Resource Manager templates.
Am I looking at this all wrong?

Currently there is no way to automate the creation of an AAD B2C tenant like there is also no way to automate the creation of an AAD tenant.
After you created a tenant you can access it programmatically via the Graph API. You can read more about this in the documentation: https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-devquickstarts-graph-dotnet/.
The first paragraph of this documentation mentions the following:
Azure Active Directory (Azure AD) B2C tenants tend to be very large. This means that many common tenant management tasks need to be performed programmatically. A primary example is user management. You might need to migrate an existing user store to a B2C tenant. You may want to host user registration on your own page and create user accounts in Azure AD behind the scenes. These types of tasks require the ability to create, read, update, and delete user accounts. You can do these tasks by using the Azure AD Graph API.
Caution: at the point of writing this is still in preview so the API can change any time and you have no SLA.
For the latest status about which Azure services support ARM you can read this page: https://azure.microsoft.com/en-us/documentation/articles/resource-manager-supported-services/

Related

Azure AD B2C and organizational groups

Consider the following case, for my application:
I have a website
The website sits on top of an azure api and gets data from cosmos DB
The data from cosmos DB is specific for different organizations
Different organizations should be able to have an "admin" appointed by me
The organization "admin" should be able to add his colleagues under the same organization
The users within a particular organization should only be able to view the data specific to their organization
Considering the above use-case, I have thought about using Azure B2C because:
Everything is already inside azure
I don't want to do security myself
However, I am unsure, if it is actually possible to achieve this with azure B2C? I can't seem to find any similar use-cases in the AD documentation. Hence why I start to think, that I'm going in a wrong direction...?
Therefore, can Azure AD B2C offer, what I want to achieve? (do I need a tenant for each Organization)
In case, Azure AD does not offer support for my use-case, what would you then recommend me to do?
As a white-label service, Azure AD B2C cannot be used as a built-in security provider for other Azure services without writing custom code to translate whatever authorization model you maintain in Azure AD B2C into access patterns for CosmosDB or other Azure services.
CosmosDB does have it's own in-built notion of users and permissions which you might map in some way (using custom code) to Azure AD B2C users. https://learn.microsoft.com/en-us/azure/cosmos-db/secure-access-to-data#users
You could also use CosmosDB's integration with Azure AD (not B2C) for RBAC controls: https://learn.microsoft.com/en-us/azure/cosmos-db/role-based-access-control
Finally, Azure AD B2C does not provide any out-of-the-box administrative tooling for the kind of delegated user administration model you described. Again this would need to be a custom coded admin UI or you'd need to use a third-party solution such as Saviynt for delegated administration: https://learn.microsoft.com/en-us/azure/active-directory-b2c/partner-saviynt

How to configure my AAD for a stand-alone web application when using AAD for organization?

We have an Office 365 tenant that we are using for our basic AD functions (joining desktop PC's, authentication, etc..) for our organization.
We're also building a stand-alone mobile and web application. We have an Azure subscription we've tied to our primary AAD tenant. And we're likely to have a separate dev/test subscription.
We're wanting to join our applications resources to an AAD for management purposes, but my question is should we join these to our regular AAD? I don't think that's wise. So what are the alternatives? Create another AAD? We plan to use Azure B2C for the web and mobile authentication.
Do we create another tenant? Partition our primary tenant off in some way (like traditional AD forests and trees)?
I'm trying to keep the application isolated for security purposes from our organizations usage.
FYI, we do not have any on-prem legacy AD.
This depends on what the purpose of your applications are. if you are selling your application and creating a multitenant application, etc. There may be a case for separate tenants (B2C).
But in general, try to avoid creating too many tenants, it can become a management nightmare.
Now to answer some of your specific questions. When you create azure b2c, it is actually a new AAD Tenant, with a different domain name.
In terms of the dev/test subscription, it should be a subscription tied to the same AAD tenant. You would not create a separate tenant for that. unless you absolutely need to test things with a totally separate Directory (eg, editing random Global Azure AD settings that you don't want to do in your primary tenant) but again, that means it becomes a management nightmare as 1: you don't want to create multiple users in different tenants for the same person. This means you'll need to use azure b2b, to federate users and setup separate permissions, etcetc.
In azure Ad you cannot create child domains, that concept is different from on-prem AD. its just not how it works.
Here's a good read on some of the rarer scenarios to create more tenants:
https://itconnect.uw.edu/wares/msinf/aad/new-aad-tenant/
If you plan to use B2C then the app registration should be done there. You can later federate with your primary AD tenant.

Linked existing b2c tenant to my azure subscription but not able to create resource?

Getting error You are currently signed into the 'Azure AD B2C tenant' directory which does not have any subscriptions. when I try to create a resource in Azure AD B2C.
Please help I am new to Azure
Switch back to the directory where you have your subscription and create the resources there.
Don't take my answer as definitive, since I'm still a newbie, but at this point my understanding is this: B2C needs a new tenant because of the way it is designed (it isn't just an add-on for AD) and you link it to your subscription for billing purposes. But that's it. You don't need to create the resources for your app there, although I guess you could do it if you get a new subscription or transfer another one.
I already created a mobile app in my default tenant and successfully used the linked B2C tenant for authentication and I guess you've done that already. But since this was one of the few results that I got when I googled the message you quoted, I think it's worth sharing.
Have you done this ?
The Azure subscription has a trust relationship with Azure Active
Directory (Azure AD), which means that the subscription trusts Azure
AD to authenticate users, services, and devices. Multiple
subscriptions can trust the same Azure AD directory, but each
subscription can only trust a single directory.
Following link might help (check To associate an existing subscription to your Azure AD directory)
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory
Azure AD B2C needs a Microsoft Azure Subscription for billing purposes. You're going to need 3 things to make that message go away:
Azure AD Tenant
MS Azure Subscription
Associate your Azure AD B2C tenant to the MS Azure Subscription
It's a bit strange as Azure AD B2C tenants feel very similar to Azure AD (and run on a lot of the the same infrastructure behind the scenes) ... but from a billing standpoint, they are almost treated like MS Azure resources (e.g. VM, App Service, etc)

Migrate Azure AD to a new subscription

We have an Azure AD which is managed by a third party. Our domainname is validated against it. We are now bringing this in-house and want to know the easiest way to move it? It doesn't have many objects, so happy to recreate them but to do so, I need to validate our domain against this Azure AD instance. If I do this, I am concerned it will break the existing which would be a problem as we have users using it. Can you have a single domain validated against two directories (no on-prem integration). Also, is there an easier option? I don't mind users having to reset their password.
No, you cannot have one domain name verified in two Azure AD tenants.
The title of this question indicates a common misunderstanding is at play here: Azure AD tenants are not resources within an Azure subscription. If anything, it's the other way around: an Azure subscription is associated to an Azure AD tenant. Read more on the relationship between an Azure subscription and an Azure AD tenant at "How Azure subscriptions are associated with Azure Active Directory", and on how to transfer Azure subscriptions across Azure AD tenants at "Transferring ownership of an Azure subscription."
If there already exists an Azure AD tenant with your domain name, you should simply take control of the tenant. If you already have access to a user account that is a tenant administrator, then you simply need to evict (demote, disable or delete, depending on your situation) the users from the third party. If you don't, you can ask the third party to make your user an admin. (And if that is not possible either, you can contact support to prove ownership of the domain name.)

How can I programmatically retrieve the domain name of the Azure Active Directory in a given subscription?

I'm working on an application that will allow users to authenticate to Azure Active Directory and then manage resources in their Azure account via Azure Resource Manager API calls.
I've found several walkthroughs on building such an app including this post. However, in the part that discusses authentication with Azure Active Directory, there's a step showing the need to manually retrieve the Azure Active Directory name from the Azure Portal.
The directory name is plugged into app settings (and ultimately authentication calls to the directory) as follows
http://login.microsoftonline.com/{directory_domain_name}/OAuth2/Authorize
Is there any way to programmatically retrieve {directory_domain_name} without requiring users to login and lookup the information in the Azure Portal?
The one answer to this question has a dead link and another pointing to the Graph API, which seems to still require the domain name.
For your particular scenario, look like you want to build an app that will be users from different Azure AD tenants. This scenario is best addressed by building a multi-tenant application.
To make your application multi-tenant, you'll need to go to the Azure Portal and in the Configure tab of your Azure AD application, set the "Application is Mult-Tenant" option to yes.
Once you do this, you can just call
http://login.microsoftonline.com/common/oauth/authorize
http://login.microsoftonline.com/common/oauth/token
And Azure AD will resolve the figure out which tenant to authenticate against based on the the credential that the user types in.
More information on multi-tenant applications:https://azure.microsoft.com/en-us/documentation/articles/guidance-multitenant-identity-authenticate/
Sample multi-tenant application: https://github.com/Azure-Samples/active-directory-dotnet-webapp-multitenant-openidconnect

Resources