Hello Everyone,
I have an Azure AD application with MS Graph authorizations to get users or calendars.
And I have a B2C tenant with an application and a user flow. The B2C authentication is working well in my Blazor app, but my B2C application doesn't have access to the MS Graph authorizations from my AD application.
I have tried making a custom scope and declaring it in my B2C app, or using an API connector, but nothing works.
I give you screenshots of my AD application and my B2C application:
My AD Application :
API Exposed
API Authorization
If you have a solution or an idea to test...
Thank you in advance.
(Moving from Comments to Answer)
The two screenshots you provided are from AD, and AD tenants and B2C tenants are different. You cannot use applications in the B2C tenant to access resources in the AD tenant.
In addition, for Azure AD B2C applications, it cannot use MS Graph, but can only use AAD Graph, see: here and here.
I am trying to test multi tenant Azure authentication to an application, which only works with Azure Work accounts (B2B users cannot sign in to Tenant using v2.0 endpoint & MSAL Auth flow).
Without asking our Azure AD admin to consent to my testing application, what other options do I have to use Work accounts?
How hard is it to create a custom organization where I could test it?
Thank you.
Only when the tenant administrator agrees to your multi-tenant application accessing its tenant can you use that tenant's users to test your application.
This is how multi-tenant applications work and this is the process that meets security.
You can create an Azure free account for testing purpose.
I am trying to use Azure AD B2B for the authorization code with PKCE flow in my ReactJS app. I have searched on Google, and all the examples are with Angular and Azure B2C. I couldn't find a working sample with ReactJS and Azure B2B. Can anyone guide me on how to use the PKCE flow with Azure B2B and a ReactJS app?
Thanks
Look at samples using MSAL for React.js, e.g. this one. The only special thing with respect to allowing B2B users is to make sure you do not use the /common endpoint when redirecting to AAD, but identify the specific tenant you want to use, e.g. login.microsoftonline.com/contoso.com. Other than that, AAD does not care whether you are authenticating a local or a B2B user.
This question already has an answer here: What's the difference between Azure AD B2C tenant and normal Azure AD tenant? (1 answer). Closed 3 years ago.
I am currently the admin for an AAD B2C tenant (I can add B2C applications, flows/policies, etc.) but I can view only some AAD stuff. I understand that AAD B2C is a different service that is somewhat under our organization's AAD umbrella, but I don't have access to the AAD configuration.
I noticed that all the AAD B2C users are also shown as AAD users, and any new B2C app automatically appears in the App Registrations on the leftmost blade in the Azure portal.
All these make me think that AAD B2C uses AAD underneath. This is indirectly confirmed by the existence of a special application registered with the AAD (named "b2c-extensions-app. Do not modify. Used by AADB2C for storing user data."), which serves as a bridge between the two.
Does anybody know any more details about this relationship? I searched a lot but couldn't find much about it.
Azure AD B2C tenants (i.e. directories) are special-purpose Azure AD tenants with some features (and some limitations) specifically designed for B2C scenarios.
So yes, Azure AD B2C uses "regular" Azure AD for the core directory infrastructure, and adds all of the consumer-centric capabilities (sign-in/sign-up flows, Identity Experience Framework policies, full branding customization, etc.).
Scenario:
(Azure-hosted) Web App. Users should be able to sign in to my app using a Microsoft Account (i.e. #live.com, #hotmail.com, etc accounts) that has one or more Azure subscriptions. The application would then allow them to view and manage their Azure resources in specific ways through my app.
Points of confusion/frustration:
ADAL vs MSAL for authentication
Azure AD vs Azure AD B2C for the tenant hosting the application
Where do you register the tenant app? In the AD B2C under "App Registrations"? In a regular AD under "App Registrations (Preview)"? On the App Registration Portal (i.e. apps.dev.microsoft.com)?
Which of the above client ID & secret do you use in the web app (in the .config file)?
The documentation for none of these seems to cover the scenario end-to-end, and most of it is completely out of sync with other developments.
I am hoping here to get some guidance from other developers that have actually gone through this journey themselves (rather than folks that just read the documentation). Specifically, I am hoping to get answers from the Azure CXP team that monitors these questions and provides official and supported answers.
Your scenario requires access to Azure APIs, thus you have to make the logins against "regular" AAD, not B2C.
You can't make your logins against MSA accounts directly as they must be members of an AAD to have access to subscriptions.
You can use either ADAL or MSAL to handle the authentication.
Note you must use v2.0 endpoint for MSAL and the "v1" endpoint for ADAL.
See limitations of the v2 endpoint here: https://learn.microsoft.com/en-us/azure/active-directory/develop/azure-ad-endpoint-comparison.
You register it under Azure portal -> Azure Active Directory -> App registrations.
You can also use the preview version if you want.
You will need the application id (= client id) + a key (secret) from the app registration.
Attempting to use the following Microsoft Graph API call:
https://graph.microsoft.com/beta/applications/
to create a new Azure AD B2C application. Is this supported?
Apps created using the https://graph.microsoft.com/beta/applications/ endpoint are listed on Azure Portal -> Azure AD B2C -> Applications, but the portal is not able to load the B2C app details when we click on the app. There appears to be some difference between how the app is created from the Azure Portal UI and from the Graph API.
Calling that endpoint will not work. The applications created within the B2C blade are different from the ones created within the AD blade (which is what that beta endpoint uses).
From my understanding, applications created within the B2C blade are created as part of the trust framework, not as part of your AD tenant.