Clone an AAD to another tenant with B2C feature on - azure-active-directory

Clone an AAD to another tenant with the B2C feature on. Those B2C AADs store the information we use to sign in with the Dynamics CRM portal.

There is no easy clone button to do this in terms of creating another Azure AD tenant and copying all the objects over. You will have to re-create all your user objects and objects/permissions in the new tenant, with PowerShell scripts or some other means. Of course you can't move over app registrations and such. Those will all need to be recreated as well.
This may help a bit with the B2C user portion: https://learn.microsoft.com/en-us/azure/active-directory-b2c/user-migration
You basically need to export a user list and import it into your new B2C tenant.
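The export-and-import step described in this answer, sketched as an added example (not code from the original answer or from Microsoft): it turns an exported user list into Microsoft Graph create-user request bodies for B2C local accounts. The CSV column names and the sample rows are constructed for illustration; because passwords cannot be exported from the old tenant, each account gets a random throwaway password and the user is expected to go through password reset.

```python
import csv
import io
import secrets

# Constructed sample export from the old tenant (not real users).
EXPORT_CSV = """displayName,email,accountEnabled
Ada Example,ada@example.com,true
Bob Example,BOB@example.com,false
Ada Duplicate,Ada@Example.com,true
No Email,,true
"""

def build_b2c_users(export_csv, new_tenant):
    """Return (payloads, rejected) for import into the new B2C tenant.

    new_tenant is the target tenant's domain, e.g. <name>.onmicrosoft.com.
    """
    payloads, rejected, seen = [], [], set()
    for row in csv.DictReader(io.StringIO(export_csv)):
        email = row["email"].strip().lower()
        if "@" not in email:
            rejected.append((row["displayName"], "missing email"))
            continue
        if email in seen:  # sign-in names must be unique in the target tenant
            rejected.append((row["displayName"], "duplicate sign-in name"))
            continue
        seen.add(email)
        payloads.append({
            "displayName": row["displayName"],
            "accountEnabled": row["accountEnabled"].strip().lower() == "true",
            # A local account is identified by its sign-in identity, not a UPN.
            "identities": [{
                "signInType": "emailAddress",
                "issuer": new_tenant,
                "issuerAssignedId": email,
            }],
            # Throwaway secret: never reuse one value across accounts.
            "passwordProfile": {
                "password": secrets.token_urlsafe(24),
                "forceChangePasswordNextSignIn": False,
            },
            "passwordPolicies": "DisablePasswordExpiration",
        })
    return payloads, rejected
```

Each payload is the body of a `POST /users` call to Microsoft Graph made with an app that has user write permission in the new tenant; review the `rejected` list before importing.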

Related

Azure AD B2C and AD Connect

I need to synchronize users from my on-prem AD to an AD B2C tenant.
Now, the docs clearly state this is not possible, but one of the workarounds offered in other questions (like this one: Can I Use ADConnect to migrate users to Azure B2C) is to create a regular Azure AD, sync the users to it, and then configure this Azure AD as an identity provider for the B2C.
This obviously works; however, it will display a link on the sign-in page to log in using the Azure AD tenant (similar to what happens with the Facebook identity provider). What I'm looking for is a seamless experience, where the users sign in using the regular B2C pages, as if they're local users, and the users' profiles are retrieved from the Azure AD tenant.
How can that be achieved? How can I use the B2C sign in pages and get the users from the Azure AD tenant?
Thanks!
The easiest way is to use this sample.
"On the sign-in page, the user provides their sign-in email address and clicks continue. B2C checks the domain portion of the sign-in email address. If the domain name is contoso.com the user is redirected to Contoso.com Azure AD to complete the sign-in. Otherwise the user continues the sign-in with username and password. In both cases (AAD B2C local account and AAD account), the user does not need to retype the user name."
So no button clicking.
However, this creates the user as a "shadow" account in B2C. It's not a local account. If the user already has a local account, then you can link the two.
Otherwise, there are some migration samples.
Why do you need Azure B2C? If all users are in the AD, then just use AD as it was intended instead of trying to shoehorn them into something that it wasn't designed for. As you say, the added button to log in as an AD user is there for this very purpose. I use that and it works well: if you are an internal user, B2B, go this way with your normal password; all other public users, B2C, via the username/password front and centre on the screen.
If you migrate users to B2C so they have both, that would be annoying as you would have no single sign on.

How to create a B2C tenant for existing Directory?

My current directory doesn't have a B2C tenant, so I am following this MS Doc to create one for my existing SPA app to fully utilize AZ AD B2C, such as allowing Apple, Google and Twitter authentication.
Registered AzureActiveDirectory in current (Default directory)
Upon creating a new AZ AD B2C tenant, entering my current domain name results in "Already in use by another directory", and I'm forced to create it in a new directory.
I would suggest you try another unique or weird name. It might be that the custom domain you are trying to use is already being used by another Azure AD tenant.
I got the same error as you while creating the Azure AD B2C tenant.
If I give some unique name like this, it validates successfully.
Note: If you are trying to create a B2C directory rather, you need to have a subscription associated with the account.
You can also refer to this Microsoft Q&A discussion where someone already encountered the same issue.
You can also refer to how to create an Azure AD B2C tenant in the default Azure Active Directory tenant.
It seems a bit weird but it actually worked for me and I could make another tenant with the same name
https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-tenant

AADSTS50020: User account does not exist in tenant

I was able to register an app created by another tenant as an enterprise app of my own tenant.
I signed in to the app as a user, but I got the following error.
AADSTS50020: User account 'test001#testdomain001.onmicrosoft.com' from identity provider 'https://sts.windows.net/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/' does not exist in tenant 'testdomain002' and cannot access the application '55555555-6666-7777-8888-999999999999'(OneDriveAPIBrowser_test001) in that tenant.
The account needs to be added as an external user in the tenant first.
Sign out and sign in again with a different Azure Active Directory user account.
How can a user of another tenant use it without the application creator tenant performing any processing?
If the Azure AD app is registered in Tenant A and you have added it as an enterprise app in Tenant B, you should use a user from Tenant B to sign in.
In your case, if the registered app is in testdomain001 and added into testdomain002, you need to use a user from testdomain002. User "test001#testdomain001.onmicrosoft.com" is not allowed to sign in to the app in testdomain002 unless it is a guest user of testdomain002.
I tried the steps below and it worked for me.
Go to azure.microsoft.com
Select Free Account.
Sign in with your email.
It will detect that you already have a subscription and give you the option to use it.

Does Azure B2C have an end user portal "app endpoint" dashboard?

Is there any Azure B2C end-user queryable endpoint that will allow that owner to identify which tenants they have authenticated to?
A dashboard for B2C users that is an aggregate of all tenants they have federated with? Is there some extension of the /common endpoint I could make an OAuth query to? (ideally including AAD B2B guest accounts)
https://account.live.com/Activity
https://account.activedirectory.windowsazure.com/r#/applications
myapps.microsoft.com
4/24/20 Edit:
I found this in the portal that implies a portal is available.
I'm looking for the API in which to programmatically add applications to it before a migration.
I need to have the applications already 'signed in' or linked to applications I own in the B2C directory (OIDC/SAML2 apps)
Your question is the equivalent of asking, "Can I find out if I registered at StackOverflow and Facebook with this/my email?". You cannot do this. AAD B2C tenants are isolated tenancies, each representing a single organisation's identities. There is no equivalent of the /common endpoint for AAD B2C. In AAD and AAD B2B accounts, there is a mapping created from the original account to identify which tenants they are in. This is to maintain a single identity across the Microsoft ecosystem.
In AAD B2C, this doesn't exist. Going back to my first sentence for the 'why': they are separate applications, and inherently have no relationship, nor do the identities.

Include Roles from external database in the Access Token

I am doing login from Azure AD. The client is an SPA (Angular using MSAL). If the user is not authenticated, it redirects to the Microsoft login screen (using MSAL). On successful login, it returns an access token.
My roles will be stored in a database. I need to add the roles of that user as part of claim in access token. I am not finding the way to do it.
I do not want to make another call from SPA to API to get the DB roles.
Please suggest some good approach.
Any links explaining the approach will also be very helpful.
I am still in design phase but not able to find the best approach.
On one Microsoft site, I found that we can fetch the roles from a DB, but details were not there.
In most places, it is written that we need to provide roles in the Azure AD user's manifest file.
In regular Azure AD, the "roles" claim is exclusively sourced from app role assignments for the signed-in user (or groups the user is a member of), to the app roles for the app the user is signing in to.
There's no feature currently in Azure AD which will connect to an arbitrary database, make a database query in the appropriate form, and include the results in the roles claim in the resulting ID Token.
I can think of three options to achieve your scenario:
1. After sign-in, call an API to retrieve the roles. Though you mention this is not desirable, it's probably the simplest approach, so it's worth listing. As a result of the user's sign-in to your app, your app will usually obtain an access token to an API. If you set up your API to be secured with Azure AD (directly, or through Azure API Management), your SPA could simply get the necessary access token as part of sign-in, and at that point it's trivial to make a REST call to retrieve the role details for the user (and possibly other information useful to rendering your app).
2. Synchronize (or copy) your role information from your database to Azure AD. For each role, create an app role in the Azure AD app registration. For each user-role association, either create an app role assignment to directly assign the user (user -> app role), or assign a group to the app role and add the user to the group (user -> group -> app role). Keeping this in sync is probably not trivial, so if your scenario allows you to move the role information to Azure AD app role assignments, you can forget the database entirely (making Azure AD the authoritative location). Of course, this might not work for your specific case.
3. Use Azure AD B2C and a custom sign-in policy. You could create an Azure AD B2C tenant, set up a custom sign-in policy to use your (regular) Azure AD tenant as the identity provider, and configure the policy to enhance the claims by calling a REST API to retrieve your roles. In this approach, you still need to have a REST API which can provide the role information, so rather than doing the setup and migrating your app, you may prefer simply calling the API from your SPA (option 1, in this list).
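A sketch of the server side of option 1, as an added example (not code from the original answer): the roles API identifies the caller only from the claims of the already-verified access token and keys the lookup on the `tid` and `oid` claims rather than on an email address or a request parameter. The audience value, tenant ID, table layout and sample rows are hypothetical, and signature, issuer and expiry validation are assumed to have happened in the API's JWT middleware before this function runs.

```python
import sqlite3

API_AUDIENCE = "api://roles-api-example"             # hypothetical App ID URI
TENANT_ID = "00000000-0000-0000-0000-000000000001"   # placeholder tenant ID

def open_role_store():
    """In-memory stand-in for the application's role database (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user_roles (tid TEXT, oid TEXT, role TEXT)")
    db.executemany("INSERT INTO user_roles VALUES (?, ?, ?)", [
        (TENANT_ID, "oid-alice", "Admin"),
        (TENANT_ID, "oid-alice", "Reader"),
        (TENANT_ID, "oid-bob", "Reader"),
        ("other-tenant", "oid-alice", "Owner"),  # same oid under a foreign tenant
    ])
    return db

def roles_for_caller(db, claims):
    """Return the caller's roles.

    claims is the payload of an access token whose signature, issuer and
    expiry have already been verified by the API.
    """
    if claims.get("aud") != API_AUDIENCE:
        raise PermissionError("token was not issued for this API")
    if claims.get("tid") != TENANT_ID:
        raise PermissionError("token comes from an unexpected tenant")
    oid = claims.get("oid")
    if not oid:
        raise PermissionError("token has no oid claim")
    # Parameterised query keyed on the immutable (tid, oid) pair; display
    # names, emails and UPNs can change or collide and are not used.
    rows = db.execute(
        "SELECT role FROM user_roles WHERE tid = ? AND oid = ? ORDER BY role",
        (claims["tid"], oid),
    )
    return [r[0] for r in rows]
```

The SPA calls this endpoint with the access token it obtained at sign-in and never sends a user identifier of its own, so one user cannot request another user's roles.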
