Azure AD B2C and AD Connect - azure-active-directory

I need to synchronize users from my on-prem AD to an AD B2C tenant.
Now, the docs clearly state this is not possible, but one of the workarounds offered in other questions (like this one: Can I Use ADConnect to migrate users to Azure B2C) is to create a regular Azure AD, sync the users to it, and then configure this Azure AD as an identity provider for the B2C.
This obviously works, however - it will display a link in the sign-in page to log-in using the Azure AD tenant (similar to what happens with the Facebook identity provider). What I'm looking for is a seamless experience, where the users sign in using the regular B2C pages, as if they're local users, and the users' profiles are retrieved from the Azure AD tenant.
How can that be achieved? How can I use the B2C sign in pages and get the users from the Azure AD tenant?
Thanks!

The easiest way is to use this sample.
"On the sign-in page, the user provides their sign-in email address and clicks continue. B2C checks the domain portion of the sign-in email address. If the domain name is contoso.com the user is redirected to Contoso.com Azure AD to complete the sign-in. Otherwise the user continues the sign-in with username and password. In both cases (AAD B2C local account and AAD account), the user does not need to retype the user name."
So no button clicking.
However, this creates the user as a "shadow" account in B2C. It's not a local account. If the user already has a local account, then you can link the two.
Otherwise, there are some migration samples.
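The routing decision described in the quoted sample, sketched as an added example that is not part of the original answer or of the linked sample. The `FEDERATED_DOMAINS` table, the function names and the returned dictionary are assumptions made for illustration; the point is that the domain comparison is an exact match on a validated address, so look-alike domains fall through to the local-account path.

```python
import re

# Assumption for this example: email domains federated to an Azure AD tenant,
# mapped to the domain_hint value to send along with the redirect.
FEDERATED_DOMAINS = {"contoso.com": "contoso.com"}

_LOCAL_PART = re.compile(r"^[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]+$")
_DNS_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def email_domain(address):
    """Return the lower-cased domain of a sign-in address, or None if malformed."""
    address = address.strip()
    if address.count("@") != 1:          # refuse "a@evil.example@contoso.com"
        return None
    local, domain = address.split("@")
    domain = domain.lower()              # DNS names compare case-insensitively
    labels = domain.split(".")
    if not _LOCAL_PART.match(local) or len(labels) < 2:
        return None
    if not all(_DNS_LABEL.match(label) for label in labels):
        return None
    return domain


def route_sign_in(address):
    """Decide where the sign-in continues after the user enters an email address."""
    domain = email_domain(address)
    if domain is None:
        return {"route": "reject", "login_hint": None, "domain_hint": None}
    hint = FEDERATED_DOMAINS.get(domain)  # exact match only, never a suffix test
    return {
        "route": "federated" if hint else "local",
        "login_hint": address.strip(),    # carried forward so the name is not retyped
        "domain_hint": hint,
    }
```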

Why do you need Azure B2C? If all users are in the AD, then just use AD as it was intended instead of trying to shoehorn them into something that it wasn't designed for. As you say, the added button to log in as an AD user is there for this very purpose. I use that and it works well: if you are an internal user (B2B), go this way with your normal password; all other public users (B2C) go via the username and password front and centre on the screen.
If you migrate users to B2C so they have both, that would be annoying as you would have no single sign on.

Related

How to allow external users to sign in to an app that is secure by Microsoft identity using Azure AD

I have an app (ASP.Net Classic) that is using Azure AD authentication. Now, we want to allow users outside of the organization to sign in. I read a few documents on B2C and B2B, but I am unable to see which one is good for me.
What I am looking for is that members of the organization should sign in and not have to create a new account. One of the options, B2B, suggested adding the user to AD as a guest user, but this is a manual process; it would be good if it could be automated. Also, that doesn't describe how the user would send the request for login info.
It depends on your use case.
Imagine a large company. They have Azure AD for their employees. Now they want some suppliers to have access to their billing system. Those suppliers are guest users. That's B2B.
For guest users, an admin can send an invitation email that contains a redemption link.
B2C is for the customers of the company. They use the company's e-commerce system. They do not need access to the billing system.
B2C is self-service i.e. these users self-register and can change their profile or reset their password.

AADSTS50020: User account does not exist in tenant

I was able to register an app created by another tenant as an enterprise app of my own tenant.
I signed in to the app as a user, but I got the following error.
AADSTS50020: User account 'test001#testdomain001.onmicrosoft.com' from identity provider 'https://sts.windows.net/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/' does not exist in tenant 'testdomain002' and cannot access the application '55555555-6666-7777-8888-999999999999'(OneDriveAPIBrowser_test001) in that tenant.
The account needs to be added as an external user in the tenant first.
Sign out and sign in again with a different Azure Active Directory user account.
How can a user of another tenant use it without the application creator tenant performing any processing?
If the Azure AD app is registered in Tenant A and you have added it as an enterprise app in Tenant B, you should use a user from Tenant B to sign in.
In your case, if the registered app is in testdomain001 and added into testdomain002, you need to use a user from testdomain002. User "test001#testdomain001.onmicrosoft.com" is not allowed to sign in to the app in testdomain002 unless it is a guest user of testdomain002.
I tried the steps below and it worked for me.
Go to azure.microsoft.com
Select Free Account.
Sign in with your email.
It will detect that you already have a subscription and give you the option to use it.
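For anyone triaging many of these failures, the following added example (not part of the original posts) parses the AADSTS50020 message layout quoted in the question and groups rejected accounts by resource tenant, application and home tenant, which shows who would need a guest invitation. The function names and the sample log are assumptions; the first log line reuses the message from the question and the others are constructed.

```python
import re
from collections import defaultdict

# Layout taken from the AADSTS50020 message quoted in the question.
_ERR = re.compile(
    r"AADSTS50020: User account '(?P<account>[^']+)' "
    r"from identity provider '(?P<issuer>[^']+)' "
    r"does not exist in tenant '(?P<resource_tenant>[^']+)' "
    r"and cannot access the application '(?P<app_id>[^']+)'"
    r"\((?P<app_name>[^)]*)\)"
)
_STS = re.compile(r"https://sts\.windows\.net/([0-9a-fA-F-]{36})/")


def parse_aadsts50020(line):
    """Return the fields of an AADSTS50020 message, or None for any other line."""
    m = _ERR.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    sts = _STS.fullmatch(fields["issuer"])
    # Issuers that are not sts.windows.net/<tenant-id>/ are kept but left unresolved.
    fields["home_tenant_id"] = sts.group(1).lower() if sts else None
    return fields


def accounts_needing_guest_access(lines):
    """Group rejected accounts by (resource tenant, app id, home tenant id)."""
    groups = defaultdict(set)
    for line in lines:
        f = parse_aadsts50020(line)
        if f:
            key = (f["resource_tenant"], f["app_id"], f["home_tenant_id"])
            groups[key].add(f["account"])
    return {key: sorted(accounts) for key, accounts in groups.items()}


# Constructed sample log (timestamps and lines 2-4 are made up for the example).
_TAIL = ("does not exist in tenant 'testdomain002' and cannot access the application "
         "'55555555-6666-7777-8888-999999999999'(OneDriveAPIBrowser_test001) in that tenant.")
_IDP = "https://sts.windows.net/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/"
SAMPLE_LOG = [
    f"10:00:01 AADSTS50020: User account 'test001#testdomain001.onmicrosoft.com' from identity provider '{_IDP}' {_TAIL}",
    f"10:02:17 AADSTS50020: User account 'test002#testdomain001.onmicrosoft.com' from identity provider '{_IDP}' {_TAIL}",
    f"10:05:40 AADSTS50020: User account 'someone@example.com' from identity provider 'live.com' {_TAIL}",
    "10:06:02 sign-in succeeded for user003#testdomain002.onmicrosoft.com",
]
```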

Combining custom registration and Azure AD?

I'm in a pickle, lacking the experience that would provide me with guidance in my project, and am seeking pointers from those who have Azure AD, SSO and Federation experience.
I am building an employee self service system and using Azure AD for identity management. I would like the user to be able to sign in using their employee ID # and password, not their email address; there should also be an option for the user to register for online access using their employee ID # and other personal information - their Azure Identity already having been established by human resources.
The sign in flow would take the user to the Microsoft login page which would in turn detect that the user needs to sign in via a custom login page and redirect them there. Once they are signed in, my server would transmit their identity to Azure AD and grant them access based on the Azure Application permissions.
I'm simply really confused about how to start setting this up, if it's even possible. I'm aware of XSS but isn't Federation and SSO with SAML2 secure?
Do I need to use a federation application as a middle-man such as Ping Identity?
Thanks for any help!
Using e.g. Ping as an IDP generally won't help because Azure AD is already an IDP.
Microsoft Azure AD login pages can't be accessed by API and can't be customised to the extent you want.
And you can only sign-in with an email address because it's designed for domain-joined corporate customers.
You can do a lot of what you require with Azure AD B2C and custom policies. That will allow you to sign-in with a user name (= employee id) and you can create workflows.
You could then federate Azure AD and Azure AD B2C.
Your other option is to use an IDP that does allow authentication via an API e.g. Auth0.
Then you could have a custom login page that authenticates as appropriate.
Using Ping ID and other similar products is the fastest way to utilize SSO.

Can we use Face ID and NFC cards with Azure AD B2C login to avoid user submitting credentials every time they login?

We have several Azure AD B2C applications for user login. We are thinking of implementing hardware login so that users do not have to enter credentials (username and password). They could just get logged in with NFC cards or Face ID.
An example of an app, which has been integrated using AppAuth for iOS with Azure AD B2C and uses Touch ID to protect access to the refresh tokens that are issued by Azure AD B2C, can be found at https://github.com/Azure-Samples/active-directory-b2c-advanced-policies/tree/master/AppSamples-iOS-TouchID-master.
You should be able to extend this to Face ID.

Migrating users with social login to Azure AD B2C

I'm trying to migrate user accounts from our database to Azure AD B2C following an article and simple app that's coupled with the article -- see below.
All user accounts we have in our database used social login e.g. Google, LinkedIn and Facebook. I'm looking at the code in the migration app and I don't see any reference to user's social login. I don't see any properties for login type or anything like that.
How will I specify how the user registered in our system and has been using his/her social account to log into our app? The migration structure seems very simple i.e. just name, last name, email, etc.
I do NOT have to use this app but not sure if there's a simpler way to handle this.
The article I'm following is: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-user-migration
And here's a link to the simple migration app: https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/tree/master/scenarios/aadb2c-user-migration
For a social account, Azure AD B2C finds the user object using a composite key that includes the social user identifier (e.g. the "id" claim that is issued by the social identity provider) and the social identity provider name (e.g. "facebook.com").
This composite key is stored in the "alternativeSecurityId" attribute of the user object.
Currently, you can't read or write this "alternativeSecurityId" attribute of the user object using the Azure AD Graph API, which means you can't migrate the social accounts from your existing identity store using a similar method to that described in the user migration guide.
"I don't see any reference to user's social login. I don't see any properties for login type or anything like that."
About migration: Azure AD B2C can let social accounts sign up and sign in. For your scenario, after migrating users to Azure AD B2C, the users from any social identities can sign in to the application in your Azure AD B2C. (You can also change your policy to check and set the user migration status.)
About where users' information is stored: After migrating, all the users can be seen in the Users and Groups of Azure AD B2C. Additionally, there is an app called b2c-extensions-app, visible in App registrations. It is used by the Azure AD B2C service to store information about users and custom attributes.
About login type: Also, you may want to know which properties for login type you can choose, Email address or Username. This configuration can be done in the Azure Portal.
Go to Azure Portal > Your B2C tenant > Identity providers > Local accounts > choose Email or User name for sign-up and sign-in.
"How will I specify how the user registered in our system and has been using his/her social account to log into our app? The migration structure seems very simple i.e. just name, last name, email, etc."
Yes, the migration is very simple. If you want to specify how the users sign up and sign in, you need built-in Sign-up or Sign-in policies for those users. Also, you can use Custom policies.
