Just wondering whether you can help with my question below? O
Does Microsoft Azure AD B2C support multi tenant application? For example,
I created an Azure B2C service call Tenant A, link the service to my subscription account. Then I create the user TenantAAdmin as an admin (global administrator) for this tenant. This admin user be able to assign or create other user in the Azure AD B2C.
I created another Azure B2C service call Tenant B, link the service to my subscription account. Then I create the user TenantBAdmin as an admin (global administrator) for this tenant. This admin user be able to assign or create other user in the Azure AD B2C.
I had an service API e.g. monitor patient health services , this service API will be used for all tenants. How can I register this web API so that users in Tenant A and users in Tenant B are able to access and use the service?
Regards
Tom
You can use Custom policy implementation in Azure AD B2C to achieve multi tenant system for authentication.
Here is a very nice article covering all the scenario for configuring multi tenant system:
https://blogs.msdn.microsoft.com/mrochon/2017/07/27/developing-an-azure-ad-b2c-multi-tenant-application/
Also you can check our below QnA for reference
Multi-tenant Azure AD in Azure AD B2C
and
Multi-Tenant Azure AD Auth in Azure AD B2C with Custom Policies
Hope it helps.
As far as I know, we can use custom policies to enable sign-in for users using the multi-tenant endpoint for Azure Active Directory (Azure AD) in Azure AD B2C. For more details, please refer to https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-commonaad-custom.
Related
This MS Tutorial Registering SPA missing this piece. What's the difference
• The documentation you are referring to is regarding the registration of a ‘Single Page Application (SPA)’ in Azure AD B2C. Thus, it directly refers to registering the application in an Azure AD B2C tenant/directory. The documentation doesn’t state where to register the application in Azure AD B2C because it considers that the sign into the Azure AD B2C tenant is through a local Azure AD B2C account or a work/school account and not through a social account or a private/personal account.
• You are getting that option because maybe you are registering your first application in that Azure AD B2C tenant/directory. As when you create a new Azure AD B2C tenant with a free tier Azure AD subscription and register your first application, you get that prompt to confirm where to associate your application with.
• Also, it might be because you are signed into the Azure AD B2C tenant with a user account who was invited to sign up into Azure AD B2C or the user has been created using his personal/public email ID in the tenant and the user signed up with his personal/social email ID account. Due to which, he has been granted privileges to register an application in that Azure AD B2C tenant and when you (that user) tried to register an application, you are getting that prompt asking whether to register that application in Azure AD B2C directory or associate it with that account with which you have logged in to the Azure AD B2C directory. Thus, this pop up in your case. For more information, you can refer to the link below which describes the account types in Azure AD B2C: -
https://learn.microsoft.com/en-us/azure/active-directory-b2c/technical-overview#accounts-in-azure-ad-b2c
Website webapp1.com has registered users with its own IdP implementation.
There are other websites such as webapp2.com, webapp3.com, webapp4.com (different domain).
A logged-in-user user1 of webapp1.com wants to do a SSO login to webapp2.com or webapp3.com or webapp4.com.
user1 has accounts in webapp2.com/webapp3.com/webapp4.com as well.
Is there a way to implement this using Azure AD or Azure AD B2C?
This is possible using PingIdentity.
https://www.pingidentity.com/en/resources/blog/posts/2021/sso-vs-federated-identity-management.html
Tried Azure AD and Azure AD B2C.
There is no documentation found how this could be done.
As long as the web apps connect to the same identity provider/s, the user will get SSO if they visit another app and pass through those same identity providers. With AAD this is the default and only behaviour. With AAD B2C this is the default behaviour, but can be restricted.
I'm trying to figure out the best way to replicate an LDAP sync or a tool like Azure AD connect but for multiple Azure AD tenants to a single Azure AD B2C tenant. When a user is created in an Azure AD tenant it needs to sync over to the Azure AD B2C tenant. I need the user to exist in the B2C tenant before that user ever tries to login so I can't just point to the Azure AD tenant as the IDP. This is because not all of the users of the AD tenants will login but we will want to show the admin of that tenant all the users.
I've reached out to Microsoft's Azure architects but haven't gotten much feedback on the best approach. Looking for any examples or documentation on the best way to achieve this.
One way would be to develop a SCIM service that provides an endpoint for Azure AD to connect to.
The SCIM service would then call the Graph API to perform the user CRUD in B2C.
This is because B2C has no native SCIM support.
There is a Microsoft sample for the service that you could use. Described here.
We use Azure AD for our organisation's AD to manage our users. We are also setting up an Azure AD B2C environment for our external websites. As part of this we are allowing our staff to log into these sites using their windows accounts.
Is it possible to manage the staff's B2C user account from Azure AD? For example, in B2C we have setup groups. We would ideally like to be able to create new user accounts in B2C from our Azure AD, and assign users to groups. Is this possible? Or can we only manage these users from only within B2C or through using the Microsoft Graph API?
Finally, when a user is disabled in our Azure AD, would this then prevent their account being used to sign into one of our websites as that user is no longer active in the identity provider?
Is it possible if your Azure AD B2C tenant federates with the Azure AD tenant. If the user account id disabled it won't be able to sigin any application.
We are looking at Azure AD B2C and wish to use the Azure AD Graph API to create users using the User Admin Role. For security reasons wish want to assign this permission for the Azure AD B2C Tenant only and not the Azure AD Tenant. I have not found an example of this so wish to confirm is it possible?
Cheers,
Lastbuilders
There is no separate Azure AD tenant and Azure AD B2C tenant.
It is all the B2C tenant.
So an application having access via Graph API means access to everything in the tenant.