How to create a B2C tenant for existing Directory? - azure-active-directory

My current directory doesn't have a B2C tenant, so I'm following this MS Doc to create one for my existing SPA app to fully utilize AZ AD B2C, such as allowing Apple, Google and Twitter authentication.
Registered AzureActiveDirectory in the current directory (Default Directory).
Upon creating a new AZ AD B2C tenant, entering my current domain name results in "Already in use by another directory", so I'm forced to create it in a new directory.

I would suggest you try another unique or weird name; the custom domain you are trying to use might already be in use by another Azure AD tenant.
I was getting the same error as you while creating the Azure AD B2C tenant.
If I give a unique name like this, it is able to validate successfully.
Note: If you are trying to create a B2C directory, you need to have a subscription associated with the account.
You can also refer to this Microsoft Q&A discussion where someone already encountered the same issue.
You can also refer to how to create an Azure AD B2C tenant in the default Azure Active Directory tenant.

It seems a bit weird, but it actually worked for me and I could make another tenant with the same name:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-tenant

Related

Can you get an MSGraph access token from an Azure AD B2C sign in using Azure AD as an identity provider?

Scenario
We have an app that will be used by schools. Each school has an Azure AD instance that contains their staff and student users. These users have access to Office/Teams etc. through their school licenses. We also need to support parents having accounts and logging in.
For the parent accounts we would need to use something like B2C to allow them to create "local accounts" or sign up with their own Microsoft/Google/Facebook Accounts.
For student and staff accounts we would like to allow them to sign in with their AAD accounts.
My understanding is that this can be enabled with AADB2C by adding AAD as an identity provider within the B2C configuration. B2C also supports "IDP pass through" which allows you to get the access_token of the third party IDP being used.
My question is: can this functionality (or indeed AADB2C at all) be used to get an access token that would allow you to access the signed-in user's MS Graph API (for whichever school it relates to)?
If not, would that mean having to set up a B2C directory for the parent accounts and manage these completely separately from the AAD accounts that the school is managing for students and staff?
I've done a lot of reading and honestly, the more I read, the more confused I get xD
Totally can do that, here's a sample: https://github.com/azure-ad-b2c/samples/tree/master/policies/B2C-Token-Includes-AzureAD-BearerToken

Is it possible to use MSAL UserAgentApplication configuration (authority) to restrict login access to a particular Azure AD Security Group?

I've built a react app (using CRA) and am attempting to secure it using MSAL.js, granting access to only those people within an Azure AD Security Group. The following doc suggests it might be possible to do just this through configuration, by setting the 'authority' property:
https://learn.microsoft.com/en-gb/azure/active-directory/develop/msal-js-initializing-client-applications
e.g. authority: https://login.microsoftonline.com/<tenant>
where <tenant> is a "GUID representing the TenantID property of the directory used only to sign in users of a specific organization"
What does 'directory' mean in this context?
Should I be able to use the Tenant ID of the Security Group here too?
What does 'directory' mean in this context?
It means the Azure AD directory; in general, we also call it the Azure AD tenant.
You can find the Tenant ID in the portal -> Azure Active Directory.
Should I be able to use the Tenant ID of the Security Group here too?
Yes, you could use the Tenant ID in your case.

List all Azure Active Directories I'm either a member or guest user of

I have a case where I need to list all Azure Active Directories I'm a member of and those I'm invited to as a guest user. Our application is multi-tenant, where each tenant has their own Azure Active Directory, and one user can be invited to access the application as another tenant, and should be presented with a UI to switch between tenants/directories like we can do in the Azure Portal.
The first part can be queried using the Azure Resource Manager API for listing tenants which I'm a member of (https://learn.microsoft.com/en-us/rest/api/resources/tenants/list). The response from this API does not include tenants to which I'm only invited as a guest user, though.
Are there any APIs that I can call with an access token to query for all Azure Active Directories I have guest access to?
Btw: I'm able to switch between the directories I'm a member of seamlessly using the ng2-adal library, by explicitly setting the tenant in the ADAL configuration object and invoking login() on the ADAL service.
Update:
The answer to my question is that guests must complete the invitation process by following the link in the e-mail that they receive from Azure AD.
Are there any APIs that I can call with an access token to query for all Azure Active Directories I have guest access to?
Of course you can!
For your case, I also tested in my lab with an account federated from on-premises and succeeded. So, it seems like your account is not working in the second tenant.
You can use the code grant flow with the Azure REST API or the implicit flow to get an access token that has delegated permissions for your account.
I did a test and succeeded:
Hope this helps!

How do I get my Azure AD B2C Tenant whitelisted?

After creating my B2C Tenant in the legacy portal, when I navigate to the new portal I get the following error:
Verify B2C feature failed: {"message":"CorrelationId: 4645f854-4099-45b3-b2e5-b1b3c0e47353; Your tenant 'XXXXX.onmicrosoft.com' is not authorized to use b2c functionality. Please ensure your tenant is whitelisted"}
So how do I get my tenant whitelisted? I created a second tenant and got the same result.
We do not have a whitelisting constraint for B2C tenants, and the error message needs correction. Thanks for reporting; we will fix it. You are hitting the case where the user trying to access is not a global admin for the tenant yet. Can you check if you are marked as global admin for the tenant, and/or we may have a timing bug on our side? If you are shown as admin, please retry clicking on the Manage B2C link on the tenants you already created.

Querying a tenants Azure AD from a multi-tenant Application

We have a multi-tenant SaaS application providing sign-in using our own username/password authentication system and using Azure AD (OAuth 2.0 flows). When a user signs in using Azure AD, we can get the user's profile using https://graph.windows.net/{tenantid}/me. We want, however, to get more information using the memberOf or getMemberGroups operations to retrieve the user's groups in the tenant's directory, to map specific groups from the tenant to an organizational structure in our application. However, these operations always fail with a Forbidden status code. Are we missing required permissions, or is it just not possible to query for the groups and roles of another tenant?
Thanks in advance
This is totally possible, but today requires that you request the "Read Directory" permission. This permission does require an admin of the tenant to consent. We are looking at adding some additional fine-grained permissions for Graph API that will allow users to consent (to get group membership information).
Another option for you is to configure your application to request group membership claims (which should appear in any user or JWT token). You can do this by going to the azure management portal and getting to your app's config page. From there download the application manifest file and update the groupMembershipClaims property. You can see most of the properties in the application manifest described here: https://msdn.microsoft.com/en-us/library/azure/dn151677.aspx. Once updated, you can upload this app manifest file, and this will configure your application accordingly. Once done, AAD will issue group membership claims in the token. Dushyant has written a nice blog about authorizing access to a web app, using group membership claims or app roles. You can find it via Alex Simons blog post here: http://blogs.technet.com/b/ad/archive/2014/12/18/azure-active-directory-now-with-group-claims-and-application-roles.aspx
HTHs
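The MSAL "authority" question earlier on this page and the group-membership-claims answer above meet in the same place: the tenant-specific authority only guarantees which tenant issued the token, while restricting access to a security group means reading the groups claim that Azure AD emits once groupMembershipClaims is set in the app manifest. The following is an added example, not code from any of the posts or from Microsoft; it assumes MSAL (or your API) has already verified the token signature, that Node.js Buffer is available (use atob() in a browser), and it uses constructed placeholder tenant and group IDs.

```javascript
// Added example (not from the thread): tenant + security-group check on the
// claims of an Azure AD ID token, after signature verification has been done
// elsewhere (MSAL.js / API middleware). Group IDs appear in the "groups" claim
// only when the app manifest sets groupMembershipClaims to "SecurityGroup" or "All".

const EXAMPLE_TENANT_ID = "00000000-1111-2222-3333-444444444444"; // constructed placeholder
const EXAMPLE_GROUP_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee";  // constructed placeholder

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const pad = "=".repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(b64 + pad, "base64").toString("utf8");
}

function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Returns the payload (claims) of a compact JWT; does NOT check the signature.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Constructed fixture: an unsigned token shaped like an Azure AD ID token.
function makeSampleToken(claims) {
  return `${base64UrlEncode({ alg: "none", typ: "JWT" })}.${base64UrlEncode(claims)}.`;
}

// Decide whether the signed-in user may use the app: issued by the expected
// tenant (tid), not expired, and a member of at least one allowed group.
function authorize(token, tenantId, allowedGroups, now = Math.floor(Date.now() / 1000)) {
  const c = decodeJwtPayload(token);
  if (c.tid !== tenantId) return { ok: false, reason: "wrong tenant" };
  if (typeof c.exp === "number" && c.exp <= now) return { ok: false, reason: "token expired" };
  // Group overage: for users in many groups Azure AD omits "groups" and sets
  // hasgroups (implicit flow) or _claim_names instead; membership must then
  // be fetched from Graph rather than assumed from the token.
  if (c.hasgroups === true || c._claim_names) return { ok: false, reason: "group overage, query Graph" };
  const groups = Array.isArray(c.groups) ? c.groups : [];
  if (!groups.some((g) => allowedGroups.includes(g))) return { ok: false, reason: "not in allowed group" };
  return { ok: true, reason: "allowed" };
}
```

A token from another tenant fails the tid check even if it carries a matching group ID, which is why the group check alone is not a substitute for the tenant-specific authority.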
