Have couple of questions with respect to how Azure AD session works
If have couple of web applications registered in my AAD tenant. The users of these application can be MSA, organization account with AAD or Federation account. All these accounts will be Guested in the AAD tenant where the applications are registered
if i logout from Azure Portal, can i prevent logout from my Application? Assume that the account is same for Azure Portal and AAD application
If i logout from my application 1, can i prevent logout from Azure Portal asking for password from application 1 if i try to access it again?
I read that application and Azure AD cookies are stored in browser. Can i see them? What are the name of these?
Is it possible to force the user to enter the password for particular application, if the user is inactive in that application
Related
We have a public consumer application for which we use Auth0 as identity platform and through Auth0 we have enabled a couple of social logins to which we now want to add "Login with Microsoft" as an option so that anyone with any type of Microsoft account can login.
Obviously we will need to enable the Microsoft social connection in our Auth0 instance and connect it to a Active Directory Application and Tenant created in Azure.
What I can't seem to find the answer for is which type of tenant we should setup for this, whether we should use a Azure Active Directory tenant with a multi-tenant application or if we should use a Azure Active Directory (B2C) tenant for this?
Thanks for posting your query. As per https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/azure-active-directory/v2#register-your-app-with-azure-ad Azure AD would support for multitenant apps but not with social account (until you plan to send invitation to each user's personal account for Azure AD B2B).
For Microsoft Social accounts Azure B2C would suit your requirement.
On Auth0 Admin Console:
Create a web application in Auth0
Copy the client ID and secret
Add a callback URL from your B2C tenant in given format: https://.b2clogin.com/.onmicrosoft.com/oauth2/authresp
Copy the “OpenID Configuration” URI from advance setting.
On Azure B2C tenant:
Add an Identity provider to B2C, Azure AD B2C > Identity providers > New OpenID Connect Provider
Input “OpenID Configuration” URI you copied in above step to Metadata URL.
Similarly add client ID and Client secret you copied from Auth0.
Complete the claims mapping ref: https://learn.microsoft.com/en-in/azure/active-directory-b2c/identity-provider-generic-openid-connect?pivots=b2c-user-flow#claims-mapping
Hit Save and Auth0 will be saved as IDP in your Azure B2C tenant.
Thanks
I've gathered the following insights since posting my question
Summary
Auth0 Social connection -> Azure Active Directory tenant with an app configured to support "Personal Microsoft accounts"
Auth0 Enterprise connection -> Azure Active Directory tenant with an app configured to support "Accounts in any organisational directory and personal Microsoft accounts"
See guide of different app types here
Details
Since we wanted to support login with any microsoft account (multi tenant + personal) my initial attempt of using an Auth0 Social connection for this was incorrect, since the Social connection will only allow successful logins with personal accounts regardless of how you have setup the App registration in Azure
Auth0 Enterprise connection is the way to go for our case, with an Azure app registation supporting multi tenant + personal accounts. Also when setting the connection up in Auth0, make sure to enable the "Use common endpoint" setting as described here
The Azure Active Directory B2C tenant type is not useful with any of the Auth0 connections as you likely won't be able to get a satisfying consent screen with verified publisher. I'm guessing its just the wrong way of using the B2C tenant, where its supposed to be used the other way around with the Azure tenant being the identity platform optionally integrating applications from Auth0 like in the answer from Mavric20
We use Azure AD for our organisation's AD to manage our users. We are also setting up an Azure AD B2C environment for our external websites. As part of this we are allowing our staff to log into these sites using their windows accounts.
Is it possible to manage the staff's B2C user account from Azure AD? For example, in B2C we have setup groups. We would ideally like to be able to create new user accounts in B2C from our Azure AD, and assign users to groups. Is this possible? Or can we only manage these users from only within B2C or through using the Microsoft Graph API?
Finally, when a user is disabled in our Azure AD, would this then prevent their account being used to sign into one of our websites as that user is no longer active in the identity provider?
Is it possible if your Azure AD B2C tenant federates with the Azure AD tenant. If the user account id disabled it won't be able to sigin any application.
I added to my Azure AD B2C option to log in by an external provider - Azure AD. Later on, I added my account from that tenant to Azure AD B2C as external users.
Unfortunately, when I log in, I get "User does not exist. Please sign up before you can sign in.".
When I use a different policy that allows me to sign in, my account is duplicated as Federated Azure Active Directory.
How we can prepopulate Azure AD B2C with external users to avoid signing in new accounts? I would like to move existing data from the tenant and avoid filling in unnecessary data. Moreover, I would like to allow particular users only to be able to log in to our application.
The problem here is that users added via the portal are essentially B2B or portal admin users.
These are not local accounts and hence cannot login to B2C.
If you have users in another AAD tenant that is federated with B2C, you do not have to manually add these users to B2C. A "linked account" (using the #EXT# format) is created when those users authenticate via their Azure AD.
I guess what you are saying is "avoid registering new users."
Azure B2C is for Consumer, not for Azure AD tenant. You should use Azure B2B feature to add guest user to your Azure AD B2C tenant and assign the necessary role/permissions to the guest user.
You could simply choose to use the + New guest user on Azure portal or Microsoft Graph API to add external users.
I have a requirement to integrate multiple external azure active directories into my application(multitenant). Currently I'm using AD B2C. In brief any client purchases my product, should be able to integrate their organization azure active directory with my application and those AD users should be able to login to application without signing up.
One of the approaches i was trying was to validate external azure active directory users by asking client to create applications in their AD for authentication and authorization. But it seems to be a bit tricky since we already have applications created inside B2C tenant we use and securing API with application in B2C Tenant. With having multiple AD s api will need to be secured with multiple ids.How to do this?
second approach was to read the external azure active directory users using graph api and invite them as guest users. But here any of the guest users created couldn't sign into the application even after changing "guest" to "member" User type. Any idea in implementing this?
UPDATE
I did all the steps as in https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-commonaad-custom but when i try to login using one of my Azure AD Account after entering the credentials it navigates me to a B2C signup page.That is because i don't have that AD account in my B2C tenant. After doing the signup only i will be able to login to the application and get the token. And the AD user is created in our B2C Tenant with the source
Federated Azure Active Directory
Is there anyway to get rid of navigating to signup page after entering credentials and instead login to the application with the tokens at once so that the user will not be created in our B2C Tenant and validate user from client's Azure AD
You are better off federating AAD B2C with the Azure AD Common endpoint. This allows a single option for any user with an O365 account to login to your service from any Azure AD Tenant.
You can then whitelist tenants such that only your clients' Azure AD accounts are able to login via this single option. Clients only need to provide their TenantId to you.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-commonaad-custom
<!-- The key below allows you to specify each of the Azure AD tenants
that can be used to sign in. Update the GUIDs below for each tenant. -->
<Item Key="ValidTokenIssuerPrefixes">https://sts.windows.net/00000000-0000-0000-0000-000000000000,https://sts.windows.net/11111111-1111-1111-1111-111111111111</Item>
Creating separate B2C tenants for individual organizations could be a solution.
You will integrate each Azure AD tenant with the on-premises AD of the organization.
In order to sync both ADs you will need to use Azure AD Connect
(more information here on MSDN: https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/identity/azure-ad#azure-ad-connect-sync-service)
Once ADs are synced your web app will request access and id tokens for individual B2C tenant.
For more information on how to run various user journeys using OIDC read here:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-oidc
We get the following error when trying to access an AAD application, which is connected to Azure B2C.
User account 'xxxxx#gmail.com' from identity provider 'live.com' does not exist in tenant 'xxxxxxxx' and cannot access the application 'xxxxxxxxxxx' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
The live account shows up in both the B2C and AAD as a live.com user. Manually created accounts can log in. Yet when logging in from a B2C account, I get the above error.
How can I solve this problem?
If your requirement is to accept both personal accounts in addition to corporate accounts, then you should not be using ADAL. ADAL/ADAL.JS is designed only to accept corporate accounts and use the so called Azure AD 'v1' endpoint.
Here are your options:
AppSource only requires corporate accounts sign-ins. If you only need AppSource certification, you can keep using adal.js to sign-in corporate accounts. Then what you need to do is to set your application to be multi-tenant in Azure Portal, so you don't need to add guest accounts. But, again, this option only accepts corporate account sign-ins.
If your requirement is to also accept personal accounts, then you need to use msal.js instead of adal.js - and then register your application in the new portal https://apps.dev.microsoft.com . This new application is known as converged application and uses the Azure AD v2 endpoint. To get started use this guide as a starting point to sign-in users using msal.js.