Currently, we are using Azure AD B2C in one of our website and we want to enable the conditional access policy for our users. I want to know whether we can able to use the conditional access policy and other AD features for Azure AD B2C users or not?
Currently, conditional access is an Azure AD Premium feature, so it isn't available for Azure AD B2C.
Related
I'm trying to figure out the best way to replicate an LDAP sync or a tool like Azure AD connect but for multiple Azure AD tenants to a single Azure AD B2C tenant. When a user is created in an Azure AD tenant it needs to sync over to the Azure AD B2C tenant. I need the user to exist in the B2C tenant before that user ever tries to login so I can't just point to the Azure AD tenant as the IDP. This is because not all of the users of the AD tenants will login but we will want to show the admin of that tenant all the users.
I've reached out to Microsoft's Azure architects but haven't gotten much feedback on the best approach. Looking for any examples or documentation on the best way to achieve this.
One way would be to develop a SCIM service that provides an endpoint for Azure AD to connect to.
The SCIM service would then call the Graph API to perform the user CRUD in B2C.
This is because B2C has no native SCIM support.
There is a Microsoft sample for the service that you could use. Described here.
We use Azure AD for our organisation's AD to manage our users. We are also setting up an Azure AD B2C environment for our external websites. As part of this we are allowing our staff to log into these sites using their windows accounts.
Is it possible to manage the staff's B2C user account from Azure AD? For example, in B2C we have setup groups. We would ideally like to be able to create new user accounts in B2C from our Azure AD, and assign users to groups. Is this possible? Or can we only manage these users from only within B2C or through using the Microsoft Graph API?
Finally, when a user is disabled in our Azure AD, would this then prevent their account being used to sign into one of our websites as that user is no longer active in the identity provider?
Is it possible if your Azure AD B2C tenant federates with the Azure AD tenant. If the user account id disabled it won't be able to sigin any application.
I am trying to use a Azure AD Graph differential query or Microsoft Graph delta query to find changes in users within an Azure AD B2C tenant.
For example:
GET https://graph.microsoft.com/v1.0/users/delta
GET https://graph.windows.net/{tenantId}/users/?api-version=1.6&deltaLink=
Both result in:
Request_UnsupportedQuery
Change enumeration is not supported for requested tenant.
What is a supported tenant?
Differential query is an enterprise feature rather than a B2C one -- which is why it isn't available in an Azure AD B2C tenant.
Alternatively, you can access the audit logs in the Azure AD B2C tenant for the CRUD operations on users, using the Azure AD Reporting API.
It seems that they are not supported in Azure AD B2C, I can reproduce your issue, if I use it with a normal Azure AD tenant, it works fine.
I am reading about the DUO two-factor authentication extension for Microsoft Azure Active Directory, and the documentation is here. However, it doesn't seem that DUO is integrable with Azure AD B2C because these instructions are specific for Azure AD (for example, under the "Create the Duo MFA Custom Control" header, step #2 says "Go to Azure Active Directory -> Conditional Access"; yet the Azure AD B2C page in the portal doesn't have a Conditional Access tab).
Therefore, my questions are:
How is DUO above different than the built-in multi-factor authentication Azure AD B2C solution?
Does DUO integrate with Azure AD B2C or not?
Duo is integrated with the conditional access feature that is available for the Azure AD "Enterprise" service.
This feature is not available for the Azure AD B2C service.
Azure AD B2C's multi-factor authentication provider is limited to the second-factor authentication of users by a phone call or a phone message.
Duo supports a phone call, a phone message, as well as a push notification to Duo's phone app.
You might be able to integrate Azure AD B2C with Duo using an Azure AD B2C custom policy and the Duo Auth API.
For an example of how Azure AD B2C can be integrated with a third-party multi-factor authentication provider, such as Authy, see the Wingtip custom policies and watch this walkthrough video.
How is DUO above different than the built-in multi-factor authentication Azure AD B2C solution?
Duo Security
Duo Security is used to provide second form-factor authentication for remote access to our corporate information. It provides cloud-based two-factor authentication. Duo’s technology can be deployed to protect users, data, and applications from breaches, credential theft, and account takeover.
Microsoft Azure Multi-Factor Authentication
Azure Multi-Factor Authentication reduces organizational risk and helps enable regulatory compliance by providing an extra level of authentication. It is being used for custom applications and as a way to help secure them.
Generally, Duo Security is more popular than Microsoft Azure Multi-Factor Authentication. Some other details, you could refer to the articles, 1 and 2.
Does DUO integrate with Azure AD B2C or not?
It seems that DUO Security does not integrate with Azure AD B2C currently, I could not find the Conditional Access in my b2c tenant and any related official documentation.
According to the Azure AD B2C FAQ:
Can I use Azure AD Connect to migrate consumer identities that are stored on my on-premises Active Directory to Azure AD B2C?
Azure AD Connect is not designed to work with Azure AD B2C...
Then why is it displayed here? And what can you do with Azure AD Connect and B2C then?
The displaying of that link implies there's a relationship between the two of them (to me at least).
The FAQ is correct in stating that Azure AD Connect is not supported with Azure AD B2C along with several other features of regular Azure AD.
These features show up in the Users and Groups blade because that blade was built primarily for regular Azure AD. There is work underway so that this blade understands it's running in the Azure AD B2C context and only shows applicable features.
Then why is it displayed here?
This is because that when you want to manager users and groups in Azure AD B2C, you must use Azure AD to manage it. Azure AD B2C cannot leave Azure AD. When you are using Azure AD B2C, you would have used Azure AD to authenticate Identity. As #Saca said, that blade was for Azure AD.
And what can you do with Azure ADConnect and B2C then?
That FAQ is right, but you can still use Azure Connect to sync on-premise users to Azure AD. You can also use the synced users accounts to login Azure AD B2C. But after syncing , the user name would changed to .onmicrosoft.com.
If you still want use your local account email address for the synced username, you can refer to this document and this official support article.