how to connect Azure AD B2C to Azure AD - azure-active-directory

As I am working on SSO, I have my on-premised application on aadb2c and my cloud application is registered on AAD, is there any way to migrate consumer identities by using custom identity provider or any other way

You can use ADFS to consume on prem AD identities. You can add ADFS as identity provider in B2C. You can also sync on-prem identities to AAD and add your AAD directory as identity provider.

Related

Is Federated Identity Management possible using Azure AD or Azure B2C?

Website webapp1.com has registered users with its own IdP implementation.
There are other websites such as webapp2.com, webapp3.com, webapp4.com (different domain).
A logged-in-user user1 of webapp1.com wants to do a SSO login to webapp2.com or webapp3.com or webapp4.com.
user1 has accounts in webapp2.com/webapp3.com/webapp4.com as well.
Is there a way to implement this using Azure AD or Azure AD B2C?
This is possible using PingIdentity.
https://www.pingidentity.com/en/resources/blog/posts/2021/sso-vs-federated-identity-management.html
Tried Azure AD and Azure AD B2C.
There is no documentation found how this could be done.
As long as the web apps connect to the same identity provider/s, the user will get SSO if they visit another app and pass through those same identity providers. With AAD this is the default and only behaviour. With AAD B2C this is the default behaviour, but can be restricted.

Can we use OneLogin with Azure AD B2C

We are using azure ad b2c for identity management and SSO for all our applications, So all our products/apps are registered on azure ad b2c directory. Users are also created on azure AD through MS Graph API. So all these users can avail the SSO facility. Now along with azure ad b2c we also want to use OneLogin. Is it possible with the existing azure ad b2c setup? I tried to google it but did not find any concrete answer. Can we add OneLogin as a identity provider like google, facebook in azure ad b2c?
Yes.
As per the docs, you can add any identity provider that supports OAuth 1.0, OAuth 2.0, OpenID Connect, or SAML protocols.

Azure ad b2c multi tenant

Just wondering whether you can help with my question below? O
Does Microsoft Azure AD B2C support multi tenant application? For example,
I created an Azure B2C service call Tenant A, link the service to my subscription account. Then I create the user TenantAAdmin as an admin (global administrator) for this tenant. This admin user be able to assign or create other user in the Azure AD B2C.
I created another Azure B2C service call Tenant B, link the service to my subscription account. Then I create the user TenantBAdmin as an admin (global administrator) for this tenant. This admin user be able to assign or create other user in the Azure AD B2C.
I had an service API e.g. monitor patient health services , this service API will be used for all tenants. How can I register this web API so that users in Tenant A and users in Tenant B are able to access and use the service?
Regards
Tom
You can use Custom policy implementation in Azure AD B2C to achieve multi tenant system for authentication.
Here is a very nice article covering all the scenario for configuring multi tenant system:
https://blogs.msdn.microsoft.com/mrochon/2017/07/27/developing-an-azure-ad-b2c-multi-tenant-application/
Also you can check our below QnA for reference
Multi-tenant Azure AD in Azure AD B2C
and
Multi-Tenant Azure AD Auth in Azure AD B2C with Custom Policies
Hope it helps.
As far as I know, we can use custom policies to enable sign-in for users using the multi-tenant endpoint for Azure Active Directory (Azure AD) in Azure AD B2C. For more details, please refer to https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-commonaad-custom.

Azure AD B2C - Client Credential flow not supported . Workarounds Available?

Referred the following stack overflow post Azure B2C client credentials grant
We are presently using Azure B2C.
I understand that Azure B2C does not support the client credential flow for now.
We have a requirement where an external application (server Application outside our organization) needs to access our resource (api hosted within our organization)
Is there any way we can do this from Azure AD-B2C or would we need Azure AD-B2B for these type of requirements. ?
Currently, your specific scenario -- where you are needing an access token to be issued for access by a daemon or server app to your API app -- isn't supported, however you can register the API app through the “App Registrations” blade of the Azure AD directory for your Azure AD B2C tenant.
You can upvote support for the client credentials flow by Azure AD B2C at:
https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/18529918-aadb2c-support-oauth-2-0-client-credential-flow
If the API app is to receive tokens from both a web/native app as well as the daemon/server app, then you will have to configure the API app to validate tokens from two token issuers: one being Azure AD B2C and other being the Azure AD directory for your Azure AD B2C tenant.
You should not do this anyway.
Instead, provide a portal for your customers where they can manage api keys.
Implement api keys as a second auth schema in your Api

Azure AD B2C and Azure AD Connect

According to the Azure AD B2C FAQ:
Can I use Azure AD Connect to migrate consumer identities that are stored on my on-premises Active Directory to Azure AD B2C?
Azure AD Connect is not designed to work with Azure AD B2C...
Then why is it displayed here? And what can you do with Azure AD Connect and B2C then?
The displaying of that link implies there's a relationship between the two of them (to me at least).
The FAQ is correct in stating that Azure AD Connect is not supported with Azure AD B2C along with several other features of regular Azure AD.
These features show up in the Users and Groups blade because that blade was built primarily for regular Azure AD. There is work underway so that this blade understands it's running in the Azure AD B2C context and only shows applicable features.
Then why is it displayed here?
This is because that when you want to manager users and groups in Azure AD B2C, you must use Azure AD to manage it. Azure AD B2C cannot leave Azure AD. When you are using Azure AD B2C, you would have used Azure AD to authenticate Identity. As #Saca said, that blade was for Azure AD.
And what can you do with Azure ADConnect and B2C then?
That FAQ is right, but you can still use Azure Connect to sync on-premise users to Azure AD. You can also use the synced users accounts to login Azure AD B2C. But after syncing , the user name would changed to .onmicrosoft.com.
If you still want use your local account email address for the synced username, you can refer to this document and this official support article.

Resources