What is the relationship between AAD B2C and AAD? [duplicate] - azure-active-directory

This question already has an answer here:
What's the difference between Azure AD B2C tenant and normal Azure AD tenant?
I am currently the admin for an AAD B2C tenant (I can add B2C applications, flows/policies, etc.) but I can view only some AAD stuff. I understand that AAD B2C is a different service that is somewhat under our organization's AAD umbrella, but I don't have access to the AAD configuration.
I noticed that all the AAD B2C users are also shown as AAD users, and any new B2C app automatically appears in the App Registrations on the leftmost blade in the Azure portal.
All these make me think that AAD B2C uses AAD underneath. This is indirectly confirmed by the existence of a special application registered with the AAD (named "b2c-extensions-app. Do not modify. Used by AADB2C for storing user data."), which serves as a bridge between the two.
Does anybody know any more details about this relationship? I searched a lot but couldn't find much about it.

Azure AD B2C tenants (i.e. directories) are special-purpose Azure AD tenants with some features (and some limitations) specifically designed for B2C scenarios.
So yes, Azure AD B2C uses "regular" Azure AD for the core directory infrastructure, and adds all of the consumer-centric capabilities (sign-in/sign-up flows, Identity Experience Framework policies, full branding customization, etc.).

Related

Access Azure AD App resources with application in another tenant

Hello Everyone,
I have an Azure AD application with MS Graph permissions to get users or calendars.
And I have a B2C tenant with an application and a user flow. The B2C authentication is working well in my Blazor app, but my B2C application doesn't have access to the MS Graph permissions from my AD application.
I have tried to create a custom scope and declare it in my B2C app, or to use an API connector, but nothing works.
I give you screenshots of my AD application and my B2C application:
My AD Application :
API Exposed
API Authorization
If you have a solution or an idea to test...
Thank you in advance.
(Moving from Comments to Answer)
The two screenshots you provided are from AD, and AD tenants and B2C tenants are different. You cannot use applications in the b2c tenant to access resources in the AD tenant.
In addition, Azure AD B2C applications cannot use MS Graph, but can only use AAD Graph; see: here and here.

Combining custom registration and Azure AD?

I'm in a pickle, lacking the experience that would provide me with guidance in my project, and am seeking pointers from those who have Azure AD, SSO and Federation experience.
I am building an employee self service system and using Azure AD for identity management. I would like the user to be able to sign in using their employee ID # and password, not their email address; there should also be an option for the user to register for online access using their employee ID # and other personal information, their Azure identity already having been established by human resources.
The sign in flow would take the user to the Microsoft login page which would in turn detect that the user needs to sign in via a custom login page and redirect them there. Once they are signed in, my server would transmit their identity to Azure AD and grant them access based on the Azure Application permissions.
I'm simply really confused about how to start setting this up, if it's even possible. I'm aware of XSS but isn't Federation and SSO with SAML2 secure?
Do I need to use a federation application as a middle-man such as Ping Identity?
Thanks for any help!
Using e.g. Ping as an IDP generally won't help because Azure AD is already an IDP.
Microsoft Azure AD login pages can't be accessed by API and can't be customised to the extent you want.
And you can only sign-in with an email address because it's designed for domain-joined corporate customers.
You can do a lot of what you require with Azure AD B2C and custom policies. That will allow you to sign-in with a user name (= employee id) and you can create workflows.
You could then federate Azure AD and Azure AD B2C.
Your other option is to use an IDP that does allow authentication via an API e.g. Auth0.
Then you could have a custom login page that authenticates as appropriate.
Using Ping ID and other similar products is the fastest way to utilize SSO.

Does Azure B2C have an end user portal "app endpoint" dashboard?

Is there any Azure B2C end-user queryable endpoint that will allow that owner to identify which tenants they have authenticated to?
A dashboard for B2C users that is an aggregate of all tenants they have federated with? Is there some extension of the /common endpoint I could make an OAuth query to? (ideally including AAD B2B guest accounts)
https://account.live.com/Activity
https://account.activedirectory.windowsazure.com/r#/applications
myapps.microsoft.com
4/24/20 Edit:
I found this in the portal that implies a portal is available.
I'm looking for the API in which to programmatically add applications to it before a migration.
I need to have the applications already 'signed in' or linked to applications I own in the B2C directory (OIDC/SAML2 apps)
Your question is the equivalent of asking, "Can I find out if I registered at StackOverflow and Facebook with this/my email?". You cannot do this; AAD B2C consists of isolated tenancies, each representing a single organisation's identities. There is no equivalent of the /common endpoint for AAD B2C. For AAD and AAD B2B accounts, there is a mapping created from the original account to identify which tenants they are in. This is to maintain a single identity across the Microsoft ecosystem.
In AAD B2C this doesn't exist; this goes back to my first sentence for the 'why': they are separate applications and inherently have no relationship, nor do the identities.

What is the currently working and correct way to set up an Azure Application that allows MSA signin?

Scenario:
(Azure-hosted) Web App. Users should be able to sign in to my app using a Microsoft Account (i.e. #live.com, #hotmail.com, etc accounts) that has one or more Azure subscriptions. The application would then allow them to view and manage their Azure resources in specific ways through my app.
Points of confusion/frustration:
ADAL vs MSAL for authentication
Azure AD vs Azure AD B2C for the tenant hosting the application
Where do you register the tenant app? In the AD B2C under "App Registrations"? In a regular AD under "App Registrations (Preview)"? On the App Registration Portal (i.e. apps.dev.microsoft.com)?
Which of the above client ID & secret do you use in the web app (in the .config file)?
The documentation for none of these seems to cover the scenario end-to-end, and most of it is completely out of sync with other developments.
I am hoping here to get some guidance from other developers who have actually gone through this journey themselves (rather than folks who just read the documentation). Specifically, I am hoping to get answers from the Azure CXP team that monitors these questions and provides official & supported answers.
Your scenario requires access to Azure APIs, thus you have to make the logins against "regular" AAD, not B2C.
You can't make your logins against MSA accounts directly as they must be members of an AAD to have access to subscriptions.
You can use either ADAL or MSAL to handle the authentication.
Note you must use v2.0 endpoint for MSAL and the "v1" endpoint for ADAL.
See limitations of the v2 endpoint here: https://learn.microsoft.com/en-us/azure/active-directory/develop/azure-ad-endpoint-comparison.
You register it under Azure portal -> Azure Active Directory -> App registrations.
You can also use the preview version if you want.
You will need the application id (= client id) + a key (secret) from the app registration.
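As an added illustration of the answer above (not code from the original post or from Microsoft's libraries), this is the v2.0 authorization-code exchange a web app would make against regular Azure AD, not a B2C authority, to sign a user in and obtain a delegated Azure Resource Manager token. The client id, redirect URI and secret are constructed placeholders; the real values come from the App registrations blade.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders: take the real values from the app registration blade.
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://contoso.example/signin-oidc"
# Regular Azure AD authority on the v2.0 path (what MSAL uses); "common" admits
# work accounts and MSAs that are guests in some tenant. Not a B2C authority.
AUTHORITY = "https://login.microsoftonline.com/common"
# OIDC sign-in scopes plus the delegated Azure Resource Manager permission.
SCOPES = ["openid", "profile", "offline_access",
          "https://management.azure.com/user_impersonation"]


def pkce_pair():
    """Return (code_verifier, code_challenge) per RFC 7636, S256 method."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def build_authorize_url(state, code_challenge):
    """Authorization request the web app redirects the browser to."""
    params = {
        "client_id": CLIENT_ID, "response_type": "code", "response_mode": "query",
        "redirect_uri": REDIRECT_URI, "scope": " ".join(SCOPES), "state": state,
        "code_challenge": code_challenge, "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/oauth2/v2.0/authorize?{urlencode(params)}"


def handle_redirect(redirect_url, expected_state, code_verifier, client_secret):
    """Check the callback, then return (token_endpoint, form_body) to POST.
    The client secret stays server-side: this is a confidential web app."""
    qs = parse_qs(urlparse(redirect_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    if "error" in qs:
        raise RuntimeError(f"{qs['error'][0]}: {qs.get('error_description', [''])[0]}")
    body = {
        "client_id": CLIENT_ID, "client_secret": client_secret,
        "grant_type": "authorization_code", "code": qs["code"][0],
        "redirect_uri": REDIRECT_URI, "code_verifier": code_verifier,
        "scope": " ".join(SCOPES),
    }
    return f"{AUTHORITY}/oauth2/v2.0/token", body
```

The `state` check and the `code_verifier` bind the callback to the session that started the sign-in; a B2C authority would not accept the management.azure.com scope, which is the practical reason the answer steers this scenario to regular AAD.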

AAD B2C adding / mapping claims from external / delegate Identity Provider?

Using AAD B2C, I'd like to enable end-users to login using their Microsoft-Live or Google identity providers (delegate the authentication). However, I have a set of custom claims in AAD B2C for my users (some roles, for example). So, once the user authenticates into google, I need to add or "map, merge" the claim set with this user's custom claims in AAD B2C and return the consolidated claim-set to my application.
My question: where can I add or map these claims in the claimset returned by AAD B2C? In some Identity Providers this is possible using filters. Not yet finding the feature in AAD B2C, pointers?
EDIT: found this:
- https://aadguide.azurewebsites.net/claims/#claim-augmentation-/-enrichment
