Is there any way to use Azure AD B2B in Azure Government?
Previously, when I clicked on "New user" and typed in a user from a different tenant (e.g. someguest#someothercompany.com) and it would tell me the users would be added as a guest but unlike Azure AD B2B in Azure commercial, it wouldn't send an email notification.
Now there's a separate "New guest user" button that's grayed out in Azure Government. Are there any conditions under which this button would show enabled? Or is there any other way to add a user from a different Azure AD tenant to my Azure AD Gov tenant?
Azure AD B2B is not yet supported in Azure Government. Support this ask by voting for it in the Azure Government feedback forum: Azure AD B2B in Azure Government
Each Azure Gov tenant cannot communicate with each other. You cannot even switch CSPs for your GOV Tenant.
There is kind of a hack for getting this to work.
Create two different AD servers in Azure, then use AD Synce/ Dir Sync with those two different ADs. Then have a site to site VPN to those different Azure ADs.
Related
I want to build a public facing SaaS website. My users will either be:
enterprise customers and I will want them to be able to login with their corporate credentials.
non-enterprise customers. I will want the ability for them to register and use local credentials.
What would the solution look like? I'm thinking:
Use Azure AD and federate with the identity providers of my enterprise customers.
Use Azure B2C for my website, and configure #1 as my identity provider with the ability to create local accounts.
Is this the correct solution?
In your case, you can use Azure AD B2C for both the enterprise and non-enterprise customers
Enterprise customers and I will want them to be able to login with
their corporate credentials
You can use Azure AD B2C policy for the enterprise customers to use their corporate credentials for sign-in and sing-up
This policy uses a multi-tenant Azure AD application and the /common Azure AD endpoint to federate Azure AD B2C with any Microsoft 365 customer in the world
Non-enterprise customers. I will want the ability for them to register
and use local credentials
The users can sign-in and sign-up with their local accounts in the Azure AD B2C
You can refer this use-case provided by Microsoft for more info:
Azure Active Directory B2C | Overview with Example
I'm trying to figure out the best way to replicate an LDAP sync or a tool like Azure AD connect but for multiple Azure AD tenants to a single Azure AD B2C tenant. When a user is created in an Azure AD tenant it needs to sync over to the Azure AD B2C tenant. I need the user to exist in the B2C tenant before that user ever tries to login so I can't just point to the Azure AD tenant as the IDP. This is because not all of the users of the AD tenants will login but we will want to show the admin of that tenant all the users.
I've reached out to Microsoft's Azure architects but haven't gotten much feedback on the best approach. Looking for any examples or documentation on the best way to achieve this.
One way would be to develop a SCIM service that provides an endpoint for Azure AD to connect to.
The SCIM service would then call the Graph API to perform the user CRUD in B2C.
This is because B2C has no native SCIM support.
There is a Microsoft sample for the service that you could use. Described here.
We use Azure AD for our organisation's AD to manage our users. We are also setting up an Azure AD B2C environment for our external websites. As part of this we are allowing our staff to log into these sites using their windows accounts.
Is it possible to manage the staff's B2C user account from Azure AD? For example, in B2C we have setup groups. We would ideally like to be able to create new user accounts in B2C from our Azure AD, and assign users to groups. Is this possible? Or can we only manage these users from only within B2C or through using the Microsoft Graph API?
Finally, when a user is disabled in our Azure AD, would this then prevent their account being used to sign into one of our websites as that user is no longer active in the identity provider?
Is it possible if your Azure AD B2C tenant federates with the Azure AD tenant. If the user account id disabled it won't be able to sigin any application.
I added to my Azure AD B2C option to log in by an external provider - Azure AD. Later on, I added my account from that tenant to Azure AD B2C as external users.
Unfortunately, when I log in, I get "User does not exist. Please sign up before you can sign in.".
When I use a different policy that allows me to sign in, my account is duplicated as Federated Azure Active Directory.
How we can prepopulate Azure AD B2C with external users to avoid signing in new accounts? I would like to move existing data from the tenant and avoid filling in unnecessary data. Moreover, I would like to allow particular users only to be able to log in to our application.
The problem here is that users added via the portal are essentially B2B or portal admin users.
These are not local accounts and hence cannot login to B2C.
If you have users in another AAD tenant that is federated with B2C, you do not have to manually add these users to B2C. A "linked account" (using the #EXT# format) is created when those users authenticate via their Azure AD.
I guess what you are saying is "avoid registering new users."
Azure B2C is for Consumer, not for Azure AD tenant. You should use Azure B2B feature to add guest user to your Azure AD B2C tenant and assign the necessary role/permissions to the guest user.
You could simply choose to use the + New guest user on Azure portal or Microsoft Graph API to add external users.
According to the Azure AD B2C FAQ:
Can I use Azure AD Connect to migrate consumer identities that are stored on my on-premises Active Directory to Azure AD B2C?
Azure AD Connect is not designed to work with Azure AD B2C...
Then why is it displayed here? And what can you do with Azure AD Connect and B2C then?
The displaying of that link implies there's a relationship between the two of them (to me at least).
The FAQ is correct in stating that Azure AD Connect is not supported with Azure AD B2C along with several other features of regular Azure AD.
These features show up in the Users and Groups blade because that blade was built primarily for regular Azure AD. There is work underway so that this blade understands it's running in the Azure AD B2C context and only shows applicable features.
Then why is it displayed here?
This is because that when you want to manager users and groups in Azure AD B2C, you must use Azure AD to manage it. Azure AD B2C cannot leave Azure AD. When you are using Azure AD B2C, you would have used Azure AD to authenticate Identity. As #Saca said, that blade was for Azure AD.
And what can you do with Azure ADConnect and B2C then?
That FAQ is right, but you can still use Azure Connect to sync on-premise users to Azure AD. You can also use the synced users accounts to login Azure AD B2C. But after syncing , the user name would changed to .onmicrosoft.com.
If you still want use your local account email address for the synced username, you can refer to this document and this official support article.