I understand that Azure AD B2C has an equivalent in AWS, which is AWS Cognito User Pool.
But it seems there is nothing equivalent to the Azure AD B2B. Is my understanding correct?
With Azure AD B2B, the partner uses their own identity management solution, so there is no external administrative overhead for your organization
Guest users sign-in to your apps and services with their own work, school, or social identities
There is no equivalent feature in AWS to Azure AD B2B
Related
Website webapp1.com has registered users with its own IdP implementation.
There are other websites such as webapp2.com, webapp3.com, webapp4.com (different domain).
A logged-in-user user1 of webapp1.com wants to do a SSO login to webapp2.com or webapp3.com or webapp4.com.
user1 has accounts in webapp2.com/webapp3.com/webapp4.com as well.
Is there a way to implement this using Azure AD or Azure AD B2C?
This is possible using PingIdentity.
https://www.pingidentity.com/en/resources/blog/posts/2021/sso-vs-federated-identity-management.html
Tried Azure AD and Azure AD B2C.
There is no documentation found how this could be done.
As long as the web apps connect to the same identity provider/s, the user will get SSO if they visit another app and pass through those same identity providers. With AAD this is the default and only behaviour. With AAD B2C this is the default behaviour, but can be restricted.
I want to build a public facing SaaS website. My users will either be:
enterprise customers and I will want them to be able to login with their corporate credentials.
non-enterprise customers. I will want the ability for them to register and use local credentials.
What would the solution look like? I'm thinking:
Use Azure AD and federate with the identity providers of my enterprise customers.
Use Azure B2C for my website, and configure #1 as my identity provider with the ability to create local accounts.
Is this the correct solution?
In your case, you can use Azure AD B2C for both the enterprise and non-enterprise customers
Enterprise customers and I will want them to be able to login with
their corporate credentials
You can use Azure AD B2C policy for the enterprise customers to use their corporate credentials for sign-in and sing-up
This policy uses a multi-tenant Azure AD application and the /common Azure AD endpoint to federate Azure AD B2C with any Microsoft 365 customer in the world
Non-enterprise customers. I will want the ability for them to register
and use local credentials
The users can sign-in and sign-up with their local accounts in the Azure AD B2C
You can refer this use-case provided by Microsoft for more info:
Azure Active Directory B2C | Overview with Example
I'm trying to figure out the best way to replicate an LDAP sync or a tool like Azure AD connect but for multiple Azure AD tenants to a single Azure AD B2C tenant. When a user is created in an Azure AD tenant it needs to sync over to the Azure AD B2C tenant. I need the user to exist in the B2C tenant before that user ever tries to login so I can't just point to the Azure AD tenant as the IDP. This is because not all of the users of the AD tenants will login but we will want to show the admin of that tenant all the users.
I've reached out to Microsoft's Azure architects but haven't gotten much feedback on the best approach. Looking for any examples or documentation on the best way to achieve this.
One way would be to develop a SCIM service that provides an endpoint for Azure AD to connect to.
The SCIM service would then call the Graph API to perform the user CRUD in B2C.
This is because B2C has no native SCIM support.
There is a Microsoft sample for the service that you could use. Described here.
Can Azure AD MFA work with on-prem Active Directory? Our entire infrastructure is Microsoft on-prem solutions (AD, Exchange, SQL, SharePoint, Office, etc). We do have Microsoft 365 Basic which allows us to use the free version of Azure AD. We currently have our AD accounts synchronizing between on-prem and Azure AD. I've got MFA enabled for Azure AD, but it only works when signing into something Azure related. If I sign into an on-prem AD-joined device, it doesn't recognize I have MFA enabled in Azure AD for my user account.
we have two options available.
To trigger Azure MFA on RDP to On-premises VMs or to connect to On-premises VPN etc.The Network Policy Server (NPS) extension for Azure allows customers to safeguard Remote Authentication Dial-In User Service (RADIUS) client authentication using Azure's cloud-based Multi-Factor Authentication (MFA). this enables secure verification for users attempting to sign in to a Remote Desktop Gateway.
check This to Integrate your Remote Desktop Gateway infrastructure using the Network Policy Server (NPS) extension and Azure AD
To protect On-premises web applications, such as OWA, SharePoint etc., they need to federate the web applications to ADFS and configure ADFS to use Azure MFA for 2nd factor of authentication. If your organization is federated with Azure AD, you can use Azure Multi-Factor Authentication to secure AD FS resources, both on-premises and in the cloud. reference
According to the Azure AD B2C FAQ:
Can I use Azure AD Connect to migrate consumer identities that are stored on my on-premises Active Directory to Azure AD B2C?
Azure AD Connect is not designed to work with Azure AD B2C...
Then why is it displayed here? And what can you do with Azure AD Connect and B2C then?
The displaying of that link implies there's a relationship between the two of them (to me at least).
The FAQ is correct in stating that Azure AD Connect is not supported with Azure AD B2C along with several other features of regular Azure AD.
These features show up in the Users and Groups blade because that blade was built primarily for regular Azure AD. There is work underway so that this blade understands it's running in the Azure AD B2C context and only shows applicable features.
Then why is it displayed here?
This is because that when you want to manager users and groups in Azure AD B2C, you must use Azure AD to manage it. Azure AD B2C cannot leave Azure AD. When you are using Azure AD B2C, you would have used Azure AD to authenticate Identity. As #Saca said, that blade was for Azure AD.
And what can you do with Azure ADConnect and B2C then?
That FAQ is right, but you can still use Azure Connect to sync on-premise users to Azure AD. You can also use the synced users accounts to login Azure AD B2C. But after syncing , the user name would changed to .onmicrosoft.com.
If you still want use your local account email address for the synced username, you can refer to this document and this official support article.