Why are new guest users able to view the tenant management portal and invite users in Azure AD B2C? - active-directory

I've been evaluating Azure Active Directory B2C as a solution for an identity provider I need for an upcoming project.
During my evaluation I noticed the following behavior that I am not sure should be possible:
I am in my B2C tenant and I invite a new guest user. In this case it is for a different email address that I control. This email address has no association to this B2C instance nor the parent AD instance, the Azure account or anything related. It is a throw-away account I am using for testing.
I get the invitation sent to that address and log in through a different browser in incognito mode. I create my account and complete that flow.
Now here is where I am slightly concerned with security:
Logged in as this user I am able to do the following:
Log into the B2C instance and see some top level info such as the TenantId, etc...
I do not see other users BUT I can click on the "New Guest User" button ("New User" is greyed out) and can attempt to create/invite users. I am blocked from all the operations I tried but it seems strange to surface this UI.
Even though it said the operation was blocked my invitation to another email address I control actually went through. I was able to go through the invitation flow. There were some errors and it even said the invitation code was not valid... but despite this the invitation completed and I was able to log into the tenant management UI with this new user.
This user was also able to create invitations.
I also see this new user that was invited by the guest in my user list logged in as the account admin.
So my questions are:
Is this by design? Why?
Is this a possible bug?
Can this be blocked?
Why can B2C guest users invite other users and initiate the flow?
Why can B2C guest users even log into the tenant management site?
I can't imagine why a default scenario would allow new users that have not been given any privileges to view your tenant and invite other guests. In my scenario this should not be possible.

The idea of guest users in B2C is to invite other people who can be admins.
These people are not local users.
If you want to invite people to be local users, use a magic link.
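As an added example (not code from the question or the answer), a small Python audit over Graph-shaped data that checks the two things the question worries about: whether the tenant's external collaboration setting lets guests invite further guests, and whether any "Invite external user" audit entry was initiated by an account that is itself a guest. The sample policy, user list and audit entries are constructed inline to mimic Microsoft Graph responses (`/policies/authorizationPolicy`, `/users`, `/auditLogs/directoryAudits`); a real audit would fetch them with an authenticated Graph client.

```python
# Constructed sample data shaped like Microsoft Graph responses.
POLICY = {"allowInvitesFrom": "everyone"}

USERS = [
    {"userPrincipalName": "admin@tenant.onmicrosoft.com", "userType": "Member"},
    {"userPrincipalName": "guest1_example.com#EXT#@tenant.onmicrosoft.com",
     "userType": "Guest", "externalUserState": "Accepted"},
    {"userPrincipalName": "guest2_example.com#EXT#@tenant.onmicrosoft.com",
     "userType": "Guest", "externalUserState": "Accepted"},
]

AUDITS = [
    {"activityDisplayName": "Invite external user",
     "initiatedBy": {"user": {"userPrincipalName": "admin@tenant.onmicrosoft.com"}},
     "targetResources": [{"userPrincipalName": "guest1_example.com#EXT#@tenant.onmicrosoft.com"}]},
    {"activityDisplayName": "Invite external user",
     "initiatedBy": {"user": {"userPrincipalName": "guest1_example.com#EXT#@tenant.onmicrosoft.com"}},
     "targetResources": [{"userPrincipalName": "guest2_example.com#EXT#@tenant.onmicrosoft.com"}]},
]

# allowInvitesFrom values that do NOT let ordinary guests send invitations.
SAFE_INVITE_SETTINGS = {"none", "adminsAndGuestInviters"}


def invite_policy_findings(policy):
    """Return a finding if the tenant lets guests (or everyone) invite guests."""
    setting = policy.get("allowInvitesFrom")
    if setting in SAFE_INVITE_SETTINGS:
        return []
    return [f"allowInvitesFrom={setting}: guests or all members may invite further guests"]


def guests_invited_by_guests(users, audits):
    """Return (inviter, invitee) pairs where the inviter is a Guest account."""
    user_type = {u["userPrincipalName"]: u["userType"] for u in users}
    found = []
    for entry in audits:
        if entry.get("activityDisplayName") != "Invite external user":
            continue
        actor = entry.get("initiatedBy", {}).get("user", {}).get("userPrincipalName")
        if user_type.get(actor) != "Guest":
            continue
        for target in entry.get("targetResources", []):
            found.append((actor, target.get("userPrincipalName")))
    return found


if __name__ == "__main__":
    for finding in invite_policy_findings(POLICY):
        print("POLICY:", finding)
    for actor, target in guests_invited_by_guests(USERS, AUDITS):
        print(f"GUEST-CHAIN: {actor} invited {target}")
```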

Related

Azure AD Sign-in Log Difference for Guest Access

Are there any differences between logs for sign-in to access one’s own tenant resources and resources of a tenant where the one is invited as guest?
A customer would like to know if they can check their employees' activity on a different tenant, where their employees are invited as guest users, by analyzing AAD sign-in logs in Azure Sentinel.
The following is the summary of what I would like to ask.
Activities of the user1@contoso.com that belongs to Company1.com will only be logged in company1.com logs.
So, an admin from contoso.com will not be able to track them directly.
However, through Azure Sentinel, you can collect logs from multiple tenants and if someone from company1.com authorizes Sentinel then your admin can see the logs in a single portal.

AAD B2B collaboration: mark users in external hidden AAD with additional info

We have an application which uses AAD B2B collaboration to invite users. These users are created as guest users in our AAD. This all works great:
Users that have an AAD/Office 365 can use their normal credentials to sign in.
Users that don't have an AAD/Office 365 create their account in the invite redeem process, and can use it to sign in. Microsoft stores these accounts in an external AAD that is hidden from us.
Situation:
An organization uses our application. This organization doesn't have its own AAD/Office 365 yet. We invite some employees of this organization in our AAD using their email addresses. They get guest accounts in our AAD.
After a while this organization gets its own AAD/Office 365, for their existing domain name. This domain name was previously used in the email addresses in the invite redeem process.
The AAD admin of the organization creates the AAD, and immediately sees existing user accounts: all the accounts that have been invited are shown in the AAD. He didn't expect this when creating a new AAD, and he doesn't know where they come from.
It appears the external AAD, hidden from us, has become visible to the AAD admin.
The AAD admin might decide to delete these accounts, to start with an empty AAD. As a result the employees aren't able to sign in to our application anymore.
Our application uses the Microsoft Graph API to invite the users.
Is there a way to mark the users in the external hidden AAD in some way to make clear where the accounts are coming from? Like mentioning our organization/application in an existing field?
So to be clear: We don't want to set properties on the guest account. We want to set properties on the user account that an AAD admin sees when he has created the AAD. We want to make clear he must not delete this user, because it's created by/for application X.
No, this is a feature of Azure AD.
A domain owner can choose to take over the hidden Azure AD if they choose to create one later.
They control the domain, and thus control the users so it is up to them.
Now of course if you create an AAD Guest user with a Gmail account, they don't actually get added to a huge hidden Google Azure AD.
If AAD thinks the account is a social account, currently they create a personal Microsoft account transparently for that user (so the user always is in control of their account).
So if you invite users using their work emails, you must expect their domain owner to have control over their users' accounts.
AFAIK, there is no property that you could set.

Azure AD B2B Invite API: disable verification

Our application is mainly used by internal users, who authenticate through AAD. Some pages need to be accessible to third-parties. Right now we are using custom tokens, but would like to switch to Azure AD B2B Invite API.
We just did some manual test runs and it seems to work exactly as expected, except for one thing: when inviting my standalone email address, I was asked to create a Microsoft account, which is fine. However, to do so, I had to first verify my email address (code sent to email) and then my phone (code sent via sms).
Is there any way to disable ideally both or at least the phone verification?
The only resource I found so far states that it's possible in B2C, which is not what we want.
The standalone email addresses have to undergo the invitation redemption process. In order to be able to invite people without redemption in Azure AD B2B you need an account with directory read permission of the partner's tenant. Then you can add that user to your tenant with the "Guest Inviter" role. Then that user can add the users to your tenant without the invitation redemption process. Refer: Azure AD B2B: How to bulk add guest users without invitation redemption.

Azure AD admin consent required when it shouldn't

I have 2 tenants:
One for my organization, where I manage users (A)
One that I manage the applications and permissions (B)
My webapp is on tenant A and I configured authentication on the portal using Azure AD on tenant B.
On tenant B I registered the application with only one permission which does not require admin consent: Windows Azure Active Directory > Sign in and read user profile.
When the user logs in he gets the following error:
AADSTS90093: This operation can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators.
I believe that this error should not be raised, since the only permission required by the application doesn't require admin.
EDIT
This is the URL that I am redirected to when I try to access the application when I'm not logged in
https://login.microsoftonline.com/d6ac45af-3289-4f79-a826-27824e1c467d/oauth2/authorize?response_type=code+id_token&redirect_uri=https%3A%2F%2Ftechnipfmc-tools-app-test.azurewebsites.net%2F.auth%2Flogin%2Faad%2Fcallback&client_id=d340f0ed-5eb3-43e8-9a50-c449649f3ee1&scope=openid+profile+email&response_mode=form_post&nonce=1895ec0ffef64447bbb712bdae61c7fb_20170521070654&state=redir%3D%252F
EDIT 2
I found out a solution here:
As an administrator, you can also consent to an application's delegated permissions on behalf of all the users in your tenant. This will prevent the consent dialog from appearing for every user in the tenant. You can do this from the Azure portal from your application page. From the Settings blade for your application, click Required Permissions and click on the Grant Permissions button.
I don't know why I had to do that since I'm only using permissions that don't require admin consent.
There are several potential problems with your setup:
Your authorization request is set to a specific tenant, the one with tenantId d6ac45af-3289-4f79-a826-27824e1c467d. Only users from that tenant will be able to log in. If this tenantId corresponds to the one for your organization, where you manage users (A), then disregard this point. Otherwise you should either replace this with the tenantId of that tenant or with common which will allow users from any tenant to sign in.
Your application is not multi-tenant. For testing purposes, I replaced the tenantId with common and wasn't able to use this with my test tenant due to the following error: AADSTS70001: Application with identifier 'd340f0ed-5eb3-43e8-9a50-c449649f3ee1' was not found in the directory <MY_TEST_TENANT>. This indicates that the application isn't configured as a multi-tenant application. This is something you must explicitly turn on.
Your organization's tenant (A) might have disabled the ability for regular users to consent to applications. If this capability is disabled, admin consent is always required for the application to be set up in the tenant. To test to see if this is the case, address points #1 (use /common/) and #2 above and try with any other tenant. If you are able to consent with that other tenant but not your organization's tenant, then you'll know that admin consent is required for your organization.
You should check out the How to sign in any Azure Active Directory (AD) user using the multi-tenant application pattern article as it explains all of the points above in more detail.
I think that error appears when you are passing "&prompt=admin_consent" in the Login URL.
Even though you are not requesting Admin permissions, if you pass that query string, it will try to show you a consent dialogue so that you can consent on behalf of the whole tenant, which is an operation that only an admin can do.
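As an added example (not code from any of the answers), a Python helper that inspects an Azure AD `/oauth2/authorize` request URL for the two request-side causes discussed above: a tenant-specific endpoint instead of `common`, and a `prompt=admin_consent` parameter. The sample URL is the one quoted in the question; the function names are my own.

```python
from urllib.parse import parse_qs, urlsplit

# The authorize URL from the question, split across lines for readability.
SAMPLE_URL = (
    "https://login.microsoftonline.com/d6ac45af-3289-4f79-a826-27824e1c467d"
    "/oauth2/authorize?response_type=code+id_token"
    "&redirect_uri=https%3A%2F%2Ftechnipfmc-tools-app-test.azurewebsites.net"
    "%2F.auth%2Flogin%2Faad%2Fcallback"
    "&client_id=d340f0ed-5eb3-43e8-9a50-c449649f3ee1"
    "&scope=openid+profile+email&response_mode=form_post"
    "&nonce=1895ec0ffef64447bbb712bdae61c7fb_20170521070654&state=redir%3D%252F"
)


def parse_authorize_url(url):
    """Split an authorize URL into its tenant path segment and query parameters."""
    parts = urlsplit(url)
    segments = parts.path.strip("/").split("/")  # [<tenant>, "oauth2", "authorize"]
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}  # '+' decodes to space
    return {"tenant": segments[0], "params": params}


def review_authorize_url(url):
    """Return findings that explain why sign-in may fail or demand an admin."""
    info = parse_authorize_url(url)
    findings = []
    if info["tenant"] != "common":
        findings.append(f"tenant-specific endpoint {info['tenant']}: only users from "
                        "that tenant can sign in unless the app is multi-tenant")
    if info["params"].get("prompt") == "admin_consent":
        findings.append("prompt=admin_consent requests tenant-wide consent, "
                        "which only an administrator can grant")
    if not info["params"].get("redirect_uri", "").startswith("https://"):
        findings.append("redirect_uri is not https")
    return findings


if __name__ == "__main__":
    for finding in review_authorize_url(SAMPLE_URL):
        print("-", finding)
```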

Lockdown user access to directory in Azure Active Directory

Hi, we are looking into using an AAD as identity provider for a B2B SaaS application.
As not all future users of the application will have an Office 365/AAD account and tenant, we are looking into creating it as a single-tenant application and provisioning users in an internal directory for this purpose (user1@ourappdir.onmicrosoft.com and so on).
However, as far as I can figure, this will allow any user to get a list of all other users, using the Graph API for example.
Can I lock this down in any way, so a user will only be able to see info about him/herself and nothing else, no matter how they try (portal, Graph API, PowerShell...)?
By default, if you use a user account in the Directory role as User to generate the access token, and request the resource in graph, then this token only has the permission for the user himself.
There are two possible cases, allowing you to see all user profiles from graph.
You called Microsoft Graph in a service or daemon app
The user account you used to generate the token is in the role of administrator in your tenant.
You can try to use a user account in User role to continue the test. You can refer to https://learn.microsoft.com/en-us/azure/active-directory/active-directory-users-assign-role-azure-portal for how to assign a user role.