azure invited user with external identity password reset/change - azure-active-directory

I have an application where currently all the users are in the Azure AD tenant of our subscription. So in the application, to change their password we are dealing with the Graph API. Now we have to change this so that the users will not be maintained in our tenant, but we will be adding federation for Google and Facebook external identities so that users will be using their respective account credentials. I know we can't control this from the app. Now my question is how to manage this password change/reset in our app? How to design this?
Thanks,
mbr

Just like #juunas said, you need to redirect them to their login providers' reset page. For example, if the user who is using facebook account clicks 'Forgot Password' button, just redirect the user to https://www.facebook.com/login/identify/?ctx=recover&ars=royal_blue_bar
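The routing the answer describes, as an added example (not code from the question or answer above): the app looks at which provider owns the credential and either runs its own reset flow for local accounts or sends the browser to that provider's recovery page. Assumptions not in the original: the ID token carries an `idp` claim naming the external provider (Azure AD B2C issues one for federated users), the Google recovery URL is assumed and should be confirmed before use, the local reset policy name is a placeholder, and the handler follows Express conventions.

```javascript
// Added example: decide where a "Forgot password" click should go, based on
// which identity provider actually holds the user's credential.
// Assumptions (not from the page): the token carries an `idp` claim for
// federated users; the Google recovery URL is assumed; the B2C policy name is
// a placeholder; `req`/`res` follow Express conventions.

// Allow-listed provider recovery pages, keyed by the `idp` claim value.
const PROVIDER_RESET_PAGES = new Map([
  // Facebook recovery URL as given in the answer above.
  ["facebook.com", "https://www.facebook.com/login/identify/?ctx=recover&ars=royal_blue_bar"],
  // Assumed Google account recovery entry point (confirm before use).
  ["google.com", "https://accounts.google.com/signin/recovery"],
]);

// Local (tenant-managed) accounts are the only ones this app may reset itself,
// e.g. via a B2C password reset user flow. Placeholder policy name.
const LOCAL_RESET_FLOW = "/auth/reset?policy=B2C_1_password_reset_placeholder";

function passwordResetTarget(identity) {
  const idp = typeof identity?.idp === "string" ? identity.idp.toLowerCase() : null;
  if (idp === null) {
    // No external provider: we own the credential, so we run the reset.
    return { kind: "local", location: LOCAL_RESET_FLOW };
  }
  const page = PROVIDER_RESET_PAGES.get(idp);
  if (page === undefined) {
    // Federated but unknown provider: never fall back to the local flow,
    // because this app holds no password for that user.
    return { kind: "unsupported", idp };
  }
  // Open-redirect guard: the destination always comes from the allow-list
  // above, never from anything derived from request input.
  const host = new URL(page).host;
  return { kind: "redirect", location: page, host };
}

// Express-style handler. Signed-in users are identified by the verified token
// claims in `req.user`; anonymous users pick their provider on the login page,
// which arrives as the `idp` query value (still checked against the allow-list).
function forgotPasswordHandler(req, res) {
  const identity = req.user ?? { idp: req.query?.idp };
  const decision = passwordResetTarget(identity);
  switch (decision.kind) {
    case "local":
    case "redirect":
      res.redirect(302, decision.location);
      return;
    default:
      res.status(400).send(`Password reset for ${decision.idp} accounts is handled by that provider, not by this application.`);
  }
}
```

The app never accepts a new password for a federated user; the only thing it does with those users is send them to a destination it already knows.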

Related

change user roles in Azure AD using React app UI

I have a sample React SPA hosted on Azure that is using MSAL authentication. There would be different user permissions based on user role. Is there a way to change user roles (i.e. add or exclude a user from an AD group) using the UI in my app? Is it done by calling the Graph API somehow? Maybe some example code you could show me?
The goal is to demo different app functionality for different user roles but dynamically change those roles in the app without going to Azure AD and manually assigning roles to the user who is testing this app.
I need to be able to add the logged-in user to one of the groups on the App registration from inside my React app and update the interface when the user role changes.
There are 2 problems you may run into with this approach.
How does your app read the user's roles? If it caches the user roles on login, then you need to log out and log in again for the changes to take effect.
If the user is allowed to change their group membership in AD, then this opens a security issue.
For the purpose of your demo I would:
Have 2 browsers open. One with the user and one with Azure AD admin.
Show what the user can do
User logs out
Change roles in AD
User logs in
Show what the user can do with the new role

Improve SSO experience for companies internal staff while accessing consumer application protected by Azure AD B2C

I have a consumer-facing application (call it consumer.com) whose user identities are managed via Azure AD B2C. This consumer.com app has admin screens which are accessed by the internal staff, whose identity is managed by Azure AD. To enable an SSO experience for the internal staff, the organization's Azure AD is registered as a custom identity provider in the B2C tenant. This allows the internal staff to use their corporate Azure AD credentials to log in to the consumer.com application by clicking on the appropriate 'External identities' button. In this flow, if the internal user has already authenticated to Office 365, then clicking on the 'External identities' button will automatically authenticate the user. I was wondering if the experience can be improved by cutting short the need for the internal user to click on the button; perhaps the user session that exists in the browser can be used to bring in this experience. How to achieve this?
I am also looking for a solution where the user will click on a link (Consumer app button) within one of the Office 365 apps, which would then redirect to the consumer.com application; of course the expectation here is to directly authenticate without needing to go through the B2C login page. If this can be achieved, what information should the URL link contain?
Use the domain hint parameter:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/direct-signin#redirect-sign-in-to-a-social-provider
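How the domain hint fits into the sign-in request, as an added example (not the answer's code and not from the linked Microsoft page): the app builds the B2C authorize URL with `domain_hint` set to the provider it wants, so the provider-selection screen is skipped, and the link placed inside Office 365 points at the app's own login route rather than at B2C directly. Assumed values: the tenant name, user flow name, client id, redirect URI and hint values are placeholders; the hint for a custom identity provider must match the domain configured for that provider in the B2C tenant, which the page does not give.

```javascript
// Added example: B2C authorize URL with domain_hint, plus the deep link an
// Office 365 app would carry. All tenant/app values below are placeholders.

const B2C = {
  tenant: "contoso-placeholder",                       // <tenant>.b2clogin.com
  policy: "B2C_1_susi_placeholder",                    // sign-up/sign-in user flow
  clientId: "00000000-0000-0000-0000-000000000000",    // placeholder app id
  redirectUri: "https://consumer.example/auth/callback",
};

// Only hints for providers actually configured in the tenant are forwarded;
// the custom corporate provider's value is the domain set on that provider.
const KNOWN_DOMAIN_HINTS = new Set(["facebook.com", "google.com", "corp.example"]);

function authorizeUrl({ domainHint, state, nonce, codeChallenge }) {
  const base = `https://${B2C.tenant}.b2clogin.com/${B2C.tenant}.onmicrosoft.com/${B2C.policy}/oauth2/v2.0/authorize`;
  const url = new URL(base);
  url.searchParams.set("client_id", B2C.clientId);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("redirect_uri", B2C.redirectUri);
  url.searchParams.set("scope", "openid offline_access");
  url.searchParams.set("response_mode", "query");
  url.searchParams.set("state", state);                 // per-request, checked on return
  url.searchParams.set("nonce", nonce);                 // bound into the ID token
  url.searchParams.set("code_challenge", codeChallenge); // PKCE
  url.searchParams.set("code_challenge_method", "S256");
  if (domainHint !== undefined) {
    if (!KNOWN_DOMAIN_HINTS.has(domainHint)) {
      throw new Error(`unknown domain_hint: ${domainHint}`);
    }
    url.searchParams.set("domain_hint", domainHint);
  }
  return url.toString();
}

// The link inside Office 365 targets our own app, so that state, nonce and the
// PKCE verifier are generated server-side per request rather than baked into a
// static link. The app reads `idp`, checks it, and then calls authorizeUrl().
function deepLinkForInternalStaff(appOrigin) {
  const link = new URL("/admin/login", appOrigin);
  link.searchParams.set("idp", "corp.example");
  return link.toString();
}

function hintFromDeepLink(requestUrl) {
  const idp = new URL(requestUrl).searchParams.get("idp");
  return idp !== null && KNOWN_DOMAIN_HINTS.has(idp) ? idp : undefined;
}

// For a SPA using MSAL.js (msal-browser), the login request object accepts a
// domainHint field that MSAL turns into the same query parameter.
const msalLoginRequest = { scopes: ["openid"], domainHint: "corp.example" };
```

Because the corporate provider is itself Azure AD, the hint only removes the button click: the existing Office 365 session still does the actual authentication on the provider side, as the question already observed.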

Migrating users with social login to Azure AD B2C

I'm trying to migrate user accounts from our database to Azure AD B2C following an article and simple app that's coupled with the article -- see below.
All user accounts we have in our database used social login e.g. Google, LinkedIn and Facebook. I'm looking at the code in the migration app and I don't see any reference to user's social login. I don't see any properties for login type or anything like that.
How will I specify how the user registered in our system and has been using his/her social account to log into our app? The migration structure seems very simple i.e. just name, last name, email, etc.
I do NOT have to use this app but not sure if there's a simpler way to handle this.
The article I'm following is: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-user-migration
And here's a link to the simple migration app: https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/tree/master/scenarios/aadb2c-user-migration
For a social account, Azure AD B2C finds the user object using a composite key that includes the social user identifier (e.g. the "id" claim that is issued by the social identity provider) and the social identity provider name (e.g. "facebook.com").
This composite key is stored in the "alternativeSecurityId" attribute of the user object.
Currently, you can't read or write this "alternativeSecurityId" attribute of the user object using the Azure AD Graph API, which means you can't migrate the social accounts from your existing identity store using a similar method to that described in the user migration guide.
"I don't see any reference to user's social login. I don't see any properties for login type or anything like that."
About migration: Azure AD B2C lets social accounts sign up and sign in. For your scenario, after migrating users to Azure AD B2C, the users from any social identities can sign in to the application in your Azure AD B2C. (You can also change your policy to check and set the user migration status.)
About where user information is stored: after migrating, all the users can be seen in Users and Groups of Azure AD B2C. Additionally, there is an app called b2c-extensions-app which is visible in App registrations. It is used by the Azure AD B2C service to store information about users and custom attributes.
About login type: also, you may want to know which properties for login type you can choose, Email address or Username. This configuration can be done in the Azure Portal.
Go to Azure Portal > Your B2C tenant > Identity providers > Local accounts > Choose Email or User name for sign-up and sign-in.
"How will I specify how the user registered in our system and has been using his/her social account to log into our app? The migration structure seems very simple i.e. just name, last name, email, etc."
Yes, the migration is very simple. If you want to specify how the users sign up and sign in, you need to use the built-in sign-up or sign-in policies for those users. Also, you can use custom policies.

Azure Active Directory B2C user signup without redirect (non interactive)

I am building a native iOS application and want to use AADB2C as identity provider where users login, signup, reset their passwords etc.
I cannot figure out a way to let users signup with AADB2C (or regular AAD for that matter) without redirecting them to a (customizable, but still) microsoft website. To be perfectly clear: I want to let customers create user accounts on AAD from a native iOS form without redirecting them to a website, preferably via REST request. (Like here under "Create consumer user accounts": https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet)
Can you create users from an iOS app?
Yes, using the Graph API as per the article you showed. You can only create local accounts at this time though.
However you need to be very careful about how you do it given that currently, the ability to create users requires Directory.ReadWrite.All permission, which also allows all other sorts of operations. You should NOT put the client ID and client secret for an app with these permissions in your iOS app. Rather, you would need to create a backend service that exposes an API for your iOS app to call for user creation.
However, more importantly, what you WON'T be able to do is SIGN IN the users without a redirect (which is what the B2C sign up policy does). In order to do this from your own UI without redirects, you would need Azure AD B2C to support Resource Owner Password Credentials Flow so that you can, after creating the user, use this flow to sign them in and get a token.
Note: You would also need to disable Email Verification so that you can leverage the user account right after user creation. You can set this in the Sign-up policy or Sign-up/Sign-in policy via Page UI customization > Local account sign-up page > Email Address > Require Verification > No
Lastly, as an FYI, there's a feature in the works in Azure AD B2C: Customer Owned Domains, which, paired up with UI customization, would allow you to have sign-up/sign-in pages that look like your own and have a URL of your own, with no trace of Microsoft for your end users to see.
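The backend service the answer recommends, as an added example (not the answer's code and not Microsoft's): the iOS app posts the sign-up form to this service, and only the service holds the client id and secret that carry the Directory.ReadWrite.All permission. Assumptions not in the original: the request goes to Microsoft Graph v1.0 rather than the Azure AD Graph endpoint used by the linked article, the tenant name and credentials are placeholders read from the environment, the password rule is a placeholder (B2C enforces its own policy), and `fetchImpl` is injectable so the flow can be exercised offline.

```javascript
// Added example: server-side local-account creation for Azure AD B2C.
// The client secret lives only in this process; the mobile app never sees it.
// Assumptions: Microsoft Graph v1.0; placeholder tenant/credentials; the
// password rule below is a placeholder for the tenant's real policy.

const TENANT = process.env.B2C_TENANT ?? "contoso-placeholder.onmicrosoft.com";
const CLIENT_ID = process.env.GRAPH_CLIENT_ID ?? "00000000-0000-0000-0000-000000000000";
const CLIENT_SECRET = process.env.GRAPH_CLIENT_SECRET ?? "placeholder-secret-never-ship-in-an-app";

// Reject malformed input before spending a privileged Graph call on it.
function validateSignup(input) {
  const errors = [];
  if (typeof input?.email !== "string" || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(input.email)) {
    errors.push("email must be a valid address");
  }
  if (typeof input?.displayName !== "string" || input.displayName.trim().length === 0 || input.displayName.length > 256) {
    errors.push("displayName is required (max 256 characters)");
  }
  if (typeof input?.password !== "string" || input.password.length < 8) {
    errors.push("password must be at least 8 characters (placeholder rule)");
  }
  return errors;
}

// Graph representation of a B2C local account that signs in with an email.
function graphUserPayload(input) {
  return {
    accountEnabled: true,
    displayName: input.displayName.trim(),
    identities: [{ signInType: "emailAddress", issuer: TENANT, issuerAssignedId: input.email }],
    passwordProfile: { password: input.password, forceChangePasswordNextSignIn: false },
    passwordPolicies: "DisablePasswordExpiration",
  };
}

// Client-credentials token for the service's own app registration.
async function graphToken(fetchImpl) {
  const body = new URLSearchParams({
    client_id: CLIENT_ID,
    client_secret: CLIENT_SECRET,
    grant_type: "client_credentials",
    scope: "https://graph.microsoft.com/.default",
  });
  const res = await fetchImpl(`https://login.microsoftonline.com/${TENANT}/oauth2/v2.0/token`, { method: "POST", body });
  if (!res.ok) throw new Error(`token request failed: ${res.status}`);
  return (await res.json()).access_token;
}

// The endpoint the iOS app calls. This is a public sign-up surface, so in a
// real deployment it sits behind rate limiting and abuse controls; nothing the
// client sends is ever used to pick the Graph credentials or the target tenant.
async function createLocalAccount(input, fetchImpl = fetch) {
  const errors = validateSignup(input);
  if (errors.length > 0) return { ok: false, status: 400, errors };

  const token = await graphToken(fetchImpl);
  const res = await fetchImpl("https://graph.microsoft.com/v1.0/users", {
    method: "POST",
    headers: { Authorization: `Bearer ${token}`, "Content-Type": "application/json" },
    body: JSON.stringify(graphUserPayload(input)),
  });
  if (res.status !== 201) {
    // Do not echo Graph's error body to the client; it can reveal tenant details.
    return { ok: false, status: 502, errors: ["directory rejected the request"] };
  }
  const user = await res.json();
  return { ok: true, status: 201, userId: user.id };
}
```

The mobile app's only secret-free job is to send the form and, as the answer notes, it still cannot sign the user in without a redirect afterwards; this service does not change that.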

Custom login page in Java for GAE accounts

I have a Java application, and a GAE application. Here is what I want to do:
I want GAE account users to authorize in my Java application, and I don't want to use a "Sign In with..." solution. Instead I want the users to log in from my Java application login page (e.g. providing username and password) and forward this login information to Google servers.
In other words I want exactly this thing on this page. This webpage uses the Google Accounts service, but the login form is a custom form that then (I imagine) forwards the data to Google servers and then logs the user in.
How can I achieve that? What protocols should I use (OAuth, OpenID, GAE services...)?
You can't create a custom login page to Google Accounts. The whole purpose of the Google-provided login page is that users trust the page when entering their password. Otherwise anybody could create a login page and start collecting users' passwords.
If you need managed/limited access to users' accounts (with their consent), you should look into OAuth. But in any case this will not give you the option of making a custom login page.