Azure AD B2C Custom identity provider - azure

I am testing azure B2C AD, I followed this tutorial:
https://azure.microsoft.com/en-gb/documentation/articles/active-directory-b2c-devquickstarts-web-dotnet/
I have tested login with "local account" and Facebook everything is working perfect. I see that I can add a custom identity provider.
Can I add another Azure AD (not B2C) so that the users from that AD can login into my web application ?

Adding another Tenant or allowing any other AAD Tenant are currently on the backlog. It is not possible to do those at this time.
Please do share your scenario so that we evaluate it in the planning.
thank you,
Vikram.

Related

Customising Azure API Management Developer Portal's user management

I am trying to customize the Developer Portal in the APIM.
One thing that is important to me is user management. I want to use Azure AD B2C to handle all of my user Authentication/Authorization and remove DevPortal's own sign-in/signup section.
I could get rid of those widgets but the User profile is the issue now. My problem is not about widgets.
I don't see anywhere to update the user profile.
User info is so limited (user_name, last_name)
I want to update users from AD B2C and see that extra info in the portal. Is there any way to update user dto in the portal?
I want to update users from AD B2C and see that extra info in the
portal. Is there any way to update user dto in the portal?
One of the workaround you can follow to achieve the above requirement,
To customize the APIM developer portal by adding authentication method as Azure AD B2c we need the following perquisite first;
Create AzureAD B2c tenant.
Add user flow (Signin-signup policy)
Register an application in that tenant .
Add secret and copy the value to use in next .
So, To remove the identity as username and password you can delete them as shown below;
After creating all the aforementioned perquisite now click on Add and select the identity as Azure AD B2C and provide the required details.
For e.g;-
Select the identity as Azure AD B2C and provide the required details;
After done with the above steps Navigate to Developer portal and click on sign to check if the Azure AD B2C authentication is added or not.
For more information please refer this Tech-community blog |How to integrate Azure Active Directory B2C into Azure API Management Developer Portal.
And this ;
MICROSOFT DOCUMENTATOIN| How to authorize developer accounts by using Azure Active Directory B2C in Azure API Management .
Similarly, If want to authenticate with Azure AD we can do in the same way by selecting identity provider as Azure Active directory.

Can I Use ADConnect to migrate users to Azure B2C

The documentation for Azure Active Directory B2C states ADConnect can’t be used to migrate users. I believe this is referring to the native store.
“No, Azure AD Connect is not designed to work with Azure AD B2C.”
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-faqs
But can I use ADConnect if I configure Azure Active Directory as an Identity Provider?
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-oidc-azure-active-directory
If you setup sync to an Azure AD from on-prem AD with AAD Connect,
and then connect that AAD as an identity provider to B2C,
it will work.
Note you should use another Azure AD tenant for this, OT the one underneath the B2C tenant.
It also works quite nicely at least based on my short testing that if you have a single IdP in the sign-in policy, the B2C pages don't even show up.
Of course the first time, users will have to "sign up" to the B2C tenant with their AAD account.
Technically the sentence is correct that you can't migrate users to B2C with AAD Connect, but there is this roundabout way of doing it.
Technically the users are not migrated to B2C, but we migrate them to a place where they can be utilized from by B2C.

Azure AD and Azure B2C for users

Our organization has a on premise Active directory.For few of our applications we want to implement authentication mechanism using Azure AD. Following is the requirement:
1) Organization users will be authenticated by Azure AD
2) External users will be authenticated by Azure AD B2C
3) Whenever an external user is trying to access the application, application will redirect the user to B2C login page.
Can anyone help me with steps for the solution?
Also, is there any issues to implement the security mechanism using Azure AD and B2C if the application resides in AWS?
For a specific sample of how to implement these custom policies, see Woodgrove Groceries demo, which enables users to sign in with either:
An "individual customer" account (i.e. a local account that is managed by Azure AD B2C or a Google or Microsoft account that is federated with it); or
A "business customer" account (i.e. an Azure AD account that is federated with Azure AD B2C); or
A "partner" account that is a direct federation between the end-user application and Azure AD (where Azure AD B2C doesn't act as an intermediate federation).
For your use case B2C custom policies are perfect fit. you can get start on custom policies from https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-get-started-custom
1) Organization users will be authenticated by Azure AD
You can integrate this in custom policies. Example: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-aad-custom
2) External users will be authenticated by Azure AD B2C
Once you add custom policies those will allow you to login users from external network/ social IDPs
3) Whenever an external user is trying to access the application,
application will redirect the user to B2C login page.
It's all about configuration. If you configure properly it will take you to B2C login page. If you stuck while integrating drop comment here.
Also, is there any issues to implement the security mechanism using
Azure AD and B2C if the application resides in AWS?
I don't think you will face challenges. Cloud redirects will happen and works fine with B2C too.

How to configure SSO for Azure AD B2C?

As per Azure AD B2C documentation we can configure SSO for Azure AD B2C application. We want our user to do self-registration for the application thus opted for AD B2C.
However after creating B2C tenant account and configuring all the policies. I am unable to find option to configure SSO. Since after 30th Nov 2017, Active Directory will only be available in new portal. Kindly provide reference wrt new portal.
. Any help will be appreciated.
Thanks in advance.
SSO integration in Active Directory is totally different from SSO integration in an application through AD B2C. It took some time for me to verify all the links and steps. Hope this will help others.
Below are the steps to configure SSO in AD B2C. Create AD B2C and configure all the policies.
Once you have configured all your policies go to ALL policies node, it will list all the present policies in your application. Then click on singin policy. Alternatively you can directly click on sign in policy.
Once you click the EDIT option, you will see the option for 'Token, session and single sign-on configuration'. Configure those and you are done to use SSO.
For more details about the token, session and sso config please refer here
Create couple of application to verify that the SSO is working fine.
Happy Coding.
As the document in the your question said,if you have multiple applications and policies in your B2C tenant, you can manage user interactions across them using the Single sign-on configuration property. You can also add external identity provider like Google, Facebook and etc.
If you want to know how it works and how to configure SSO in Azure AD B2C, you can refer to this document.
Also, If you want to configure SSO for applications in your B2C tenant(the Directory).
Go to Azure portal > Enterprise applications> Add Non-gallery applications or in applications in Gallery.
After adding apps in Enterprise applications, you can select your app and enable SSO for it.
Hope this helps!
Update
Adding custom applications requires Azure AD Premium.
You can also active Azure Active Directory Premium free for one month.
Now, you can add your own custom applications in Enterprise Applications and then configure SSO for it:

Azure AD B2C authentication hybrid

I created a B2C AD in my developer account on Azure.
In this environment I have users created in my personal AD, and users in AD B2C (where the user can log in with: twitter and facebook).
I found an ASP.NET project that logs in to these two ADs, but with two types of logins, one for normal AD and one for AD B2C. And from what I've researched, the only way to log in to these two different ADs is this way.
Does anyone know of a way to make a single login in these two ADs?
You could do it now with custom Azure AD B2C policies. It is however quite an advanced scenario.
Using them you could put all authentication behind B2C. User could choose to sign in against your Azure AD or through Twitter or Facebook on the B2C sign-in page instead of your application.
Custom policies: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-overview-custom
Documentation on using Azure AD as a provider in B2C: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-aad-custom
GitHub repo with examples: https://github.com/Azure-Samples/active-directory-b2c-advanced-policies
Thanks for the quick response.
I tried to do this but could not find the settings needed to put Twitter, Google and Microsoft. For Facebook and other AD worked.
I found a post, that Microsoft will soon make available an "Identity Provider" to validate the user in another AD.
For now, I'll put two Sign-in in my application, one for the company's AD and another for the B2C AD.
I am now looking for a way to get the user's profile in AD (Name, First Name, Last Name, Job Title, Departament, ....).
Once this is done, I'm going to make a DEMO and publish it to github, I think this will help a lot of people.

Resources