I would like to ask whether it is possible to use the ROPC flow with Azure Active Directory for an account that is federated via ADFS.
We are successfully authenticating via ROPC using a cloud account, but cannot authenticate using an account via ADFS.
So, I would like to ask if this scenario supported by AAD using the ROPC flow. If yes, is there any specific configuration required on the setup (ADFS / Application) to work?
Azure AD does not support ROPC flow for federated accounts.
Related
Website webapp1.com has registered users with its own IdP implementation.
There are other websites such as webapp2.com, webapp3.com, webapp4.com (different domain).
A logged-in-user user1 of webapp1.com wants to do a SSO login to webapp2.com or webapp3.com or webapp4.com.
user1 has accounts in webapp2.com/webapp3.com/webapp4.com as well.
Is there a way to implement this using Azure AD or Azure AD B2C?
This is possible using PingIdentity.
https://www.pingidentity.com/en/resources/blog/posts/2021/sso-vs-federated-identity-management.html
Tried Azure AD and Azure AD B2C.
There is no documentation found how this could be done.
As long as the web apps connect to the same identity provider/s, the user will get SSO if they visit another app and pass through those same identity providers. With AAD this is the default and only behaviour. With AAD B2C this is the default behaviour, but can be restricted.
I'm trying to figure out the best way to replicate an LDAP sync or a tool like Azure AD connect but for multiple Azure AD tenants to a single Azure AD B2C tenant. When a user is created in an Azure AD tenant it needs to sync over to the Azure AD B2C tenant. I need the user to exist in the B2C tenant before that user ever tries to login so I can't just point to the Azure AD tenant as the IDP. This is because not all of the users of the AD tenants will login but we will want to show the admin of that tenant all the users.
I've reached out to Microsoft's Azure architects but haven't gotten much feedback on the best approach. Looking for any examples or documentation on the best way to achieve this.
One way would be to develop a SCIM service that provides an endpoint for Azure AD to connect to.
The SCIM service would then call the Graph API to perform the user CRUD in B2C.
This is because B2C has no native SCIM support.
There is a Microsoft sample for the service that you could use. Described here.
I have a client/server application where I am successfully able to create users with the Microsoft Graph API. I'm also able to authenticate and authorize these users with the 'Resource Owner Password Credentials Grant Flow' by following these docs here: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc.
But I am also needing to give users the option to login with their Facebook or Google accounts, which doesn't seem to be possible while using this type of grant flow. I'm aware that identity providers can be used with Azure AD B2C, however, I need a way of doing this with my own application and not through a redirect or popup window.
Any suggestions are appreciated!
No. Resource Owner Password Credentials Grant Flow doesn't support for social identity provider.
In Azure AD, the Microsoft identity platform endpoint only supports ROPC for Azure AD tenants. ROPC is not supported in hybrid identity federation scenarios. See details here(the Important tip).
In Azure AD B2C, ROPC supports local accounts only. Users can’t sign in with federated identity providers like Microsoft, Google+, Twitter, AD-FS, or Facebook. Please refer to ROPC flow notes.
I am reading about the DUO two-factor authentication extension for Microsoft Azure Active Directory, and the documentation is here. However, it doesn't seem that DUO is integrable with Azure AD B2C because these instructions are specific for Azure AD (for example, under the "Create the Duo MFA Custom Control" header, step #2 says "Go to Azure Active Directory -> Conditional Access"; yet the Azure AD B2C page in the portal doesn't have a Conditional Access tab).
Therefore, my questions are:
How is DUO above different than the built-in multi-factor authentication Azure AD B2C solution?
Does DUO integrate with Azure AD B2C or not?
Duo is integrated with the conditional access feature that is available for the Azure AD "Enterprise" service.
This feature is not available for the Azure AD B2C service.
Azure AD B2C's multi-factor authentication provider is limited to the second-factor authentication of users by a phone call or a phone message.
Duo supports a phone call, a phone message, as well as a push notification to Duo's phone app.
You might be able to integrate Azure AD B2C with Duo using an Azure AD B2C custom policy and the Duo Auth API.
For an example of how Azure AD B2C can be integrated with a third-party multi-factor authentication provider, such as Authy, see the Wingtip custom policies and watch this walkthrough video.
How is DUO above different than the built-in multi-factor authentication Azure AD B2C solution?
Duo Security
Duo Security is used to provide second form-factor authentication for remote access to our corporate information. It provides cloud-based two-factor authentication. Duo’s technology can be deployed to protect users, data, and applications from breaches, credential theft, and account takeover.
Microsoft Azure Multi-Factor Authentication
Azure Multi-Factor Authentication reduces organizational risk and helps enable regulatory compliance by providing an extra level of authentication. It is being used for custom applications and as a way to help secure them.
Generally, Duo Security is more popular than Microsoft Azure Multi-Factor Authentication. Some other details, you could refer to the articles, 1 and 2.
Does DUO integrate with Azure AD B2C or not?
It seems that DUO Security does not integrate with Azure AD B2C currently, I could not find the Conditional Access in my b2c tenant and any related official documentation.
Referred the following stack overflow post Azure B2C client credentials grant
We are presently using Azure B2C.
I understand that Azure B2C does not support the client credential flow for now.
We have a requirement where an external application (server Application outside our organization) needs to access our resource (api hosted within our organization)
Is there any way we can do this from Azure AD-B2C or would we need Azure AD-B2B for these type of requirements. ?
Currently, your specific scenario -- where you are needing an access token to be issued for access by a daemon or server app to your API app -- isn't supported, however you can register the API app through the “App Registrations” blade of the Azure AD directory for your Azure AD B2C tenant.
You can upvote support for the client credentials flow by Azure AD B2C at:
https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/18529918-aadb2c-support-oauth-2-0-client-credential-flow
If the API app is to receive tokens from both a web/native app as well as the daemon/server app, then you will have to configure the API app to validate tokens from two token issuers: one being Azure AD B2C and other being the Azure AD directory for your Azure AD B2C tenant.
You should not do this anyway.
Instead, provide a portal for your customers where they can manage api keys.
Implement api keys as a second auth schema in your Api