Azure AD B2C send invitation email to new user - azure-active-directory

Using the new Azure AD B2C service in preview, I am looking to be able to send a user an invitation email to complete sign-up for our SaaS application. Each of our customers will manage their own users and I want them to be able to generate an invitation email to their new users for access to our SaaS application. That user would then finish the sign-up process.
Part of this process will also be to include what "customer" this user is assigned to. As part of the invitation process, I would like to be able to identify that this customer should be a part of this customer's database in our SaaS application.

This is not a supported feature. I recommend that you use our User Voice forum to make feature requests; we are tracking those.
There is an existing feature request for this: AADB2C: Send email invitation for new user to sign up

You can use custom policies to achieve this. You can send a JWT to B2C that includes the 'customer' the user is assigned to.
There is sample code here that sends the JWT to B2C.
The leaf policy that receives the JWT is here.
The sample app is here.

Related

Prevent logins to unauthorized AAD tenant?

Is there a way to prevent users from logging into their own AAD tenants? For example, allow login to contoso.onmicrosoft.com but not fabrikam.onmicrosoft.com.
My customer has a highly-controlled Azure environment where they are running some servers and PaaS/SaaS applications. Users connect to those servers and use a variety of Azure services and some SaaS (primary concern is PowerBI). They're concerned that a user could login with a non-company account (wahid#hotmail.com) and then upload sensitive data to their own PowerBI workspace.
You cannot prevent a user who has already been in the tenant from logging in to that AAD tenant, except by deleting the user from that tenant.
If one account was created/invited to one tenant, the user can just log in to that tenant.
For the scenario you described, I suggest you could revoke the Product license for those users. If you don't assign a product license to the user, the user cannot use that App or cannot see that app in the My Apps panel. For other SaaS/PaaS apps (Web App), you may use user assignment to allow specific users to access the App.
For others: Daniel answered this for me. Short answer, this isn't easy, you would need to inspect the response body for the tenant ID (or name) and then block it. This would also lead to a poor user experience but that's all we can do today.
Yes, you have a few options.
Option 1: Single tenant apps
If you have the ability to create apps in the tenant you want to accept users from, you can mark your app as available to only this tenant (the field is called availableToOtherTenants). This will notify the token service to only authorize access from users in the tenant the app was created in.
Option 2: Multi-tenant app w/ token validation
The other option is to mark your app as multi-tenant (same field as above, just set to true) and implement logic in your app to validate the user's tenant from which the token was issued.
In this scenario, you will need to have some kind of web service that can safely validate access tokens (.NET code sample on this). To check the tenant the user's account belongs to, you'll need to validate the iss field. It'll look something like this,
"iss": "https://sts.windows.net/7fe81447-da57-4385-becb-6de57f21477e/"
in which the GUID represents the tenant ID. This allows your web API to have an allow or deny list based off tenant IDs.
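The allow/deny list described in Option 2, as an added example that is not code from the answer or from Microsoft's .NET sample. It assumes the token's signature, audience and expiry have already been checked by your JWT library (PyJWT against the tenant's signing keys, for instance) and operates only on the verified claims; it also goes a little beyond the answer by accepting the v2 issuer form (login.microsoftonline.com/{tenant}/v2.0) alongside the sts.windows.net form shown above, and by cross-checking the `tid` claim when present. The tenant GUID in the demo is the one from the answer, reused here as constructed sample data.

```python
# Added example (not from the original answer): restrict a multi-tenant web API
# to an allow list of Azure AD tenants by inspecting the verified `iss` claim.
# Assumption: signature, audience and expiry were ALREADY validated by your token
# library; these functions are not a substitute for that step.
import re
from typing import Iterable, Mapping, Optional

# Both issuer formats Azure AD uses. The path segment after the host is the
# tenant ID (a GUID); v2 tokens append "/v2.0", v1 tokens end with "/".
_ISS_PATTERN = re.compile(
    r"^https://(?:sts\.windows\.net|login\.microsoftonline\.com)/"
    r"([0-9a-fA-F-]{36})/(?:v2\.0)?$"
)


def tenant_from_iss(iss: str) -> Optional[str]:
    """Return the tenant GUID (lower-cased) from an Azure AD issuer URL, or None
    when the issuer is not one of the expected Azure AD hosts/shapes."""
    m = _ISS_PATTERN.match(iss)
    return m.group(1).lower() if m else None


def is_tenant_allowed(claims: Mapping[str, object],
                      allowed_tenants: Iterable[str]) -> bool:
    """Deny unless `iss` is a well-formed Azure AD issuer whose tenant is on the
    allow list. If a `tid` claim is present it must agree with `iss`; any
    mismatch or malformed value is treated as a deny."""
    iss = claims.get("iss")
    if not isinstance(iss, str):
        return False
    tenant = tenant_from_iss(iss)
    if tenant is None:
        return False
    tid = claims.get("tid")
    if isinstance(tid, str) and tid.lower() != tenant:
        return False
    return tenant in {t.lower() for t in allowed_tenants}


if __name__ == "__main__":
    # Constructed sample claims; the GUID is the one quoted in the answer above.
    allowed = ["7fe81447-da57-4385-becb-6de57f21477e"]
    own_tenant = {"iss": "https://sts.windows.net/7fe81447-da57-4385-becb-6de57f21477e/"}
    other_tenant = {"iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"}
    print("own tenant allowed:", is_tenant_allowed(own_tenant, allowed))      # True
    print("other tenant allowed:", is_tenant_allowed(other_tenant, allowed))  # False
```

In a real API the deny result should map to a 403 with no detail about which tenants are accepted; the tenant list itself belongs in configuration, not in code.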
More help
Here's an excellent blog post on token validation.
Azure AD Developer Docs
.NET Web API Code Sample

Azure AD B2B Invite API: disable verification

Our application is mainly used by internal users, who authenticate through AAD. Some pages need to be accessible to third-parties. Right now we are using custom tokens, but would like to switch to Azure AD B2B Invite API.
We just did some manual test runs and it seems to work exactly as expected, except for one thing: when inviting my standalone email address, I was asked to create a Microsoft account, which is fine. However, to do so, I had to first verify my email address (code sent to email) and then my phone (code sent via sms).
Is there any way to disable ideally both or at least the phone verification?
The only resource I found so far states that it's possible in B2C, which is not what we want.
The standalone email addresses have to undergo the invitation redemption process. In order to be able to invite people without redemption in Azure AD B2B you need an account with directory read permission of the partner's tenant. Then you can add that user to your tenant with the "Guest Inviter" role. Then that user can add the users to your tenant without the invitation redemption process. Refer: Azure AD B2B: How to bulk add guest users without invitation redemption.

Azure Active Directory Invitation Policy

How to create an invitation policy on Azure Active Directory and use it to send invitations to users for Business to Business (B2B) and Business to Consumer (B2C) in a web application? I use the invitation API for Azure AD B2B to send invitations, but can't send when used in Azure AD B2C.
At this time, Azure AD's B2B collaboration feature and Azure AD B2C are not compatible. Azure AD B2C does not have any built-in invitation mechanism as it is tailored for self-service registration via the signup and signup/signin policies. There is an existing feedback request you can vote for: AADB2C: Send email invitation for new user to sign up.
You can implement this yourself by creating your own invitation UI. This UI would call the Azure AD graph to create the users.
You can then either:
Use the password reset policy as their first time experience since that sends an email to the user with a code. Note that you have very limited control over the look & contents of this email.
OR, create your own "redeeming" or "activation" mechanism, for example:
Ensure you set accountEnabled to false when creating the user.
Create an activation code/link and email that to the user (using SendGrid for example). You'll need to be able to associate that code/link to the user somewhere/somehow.
Once the user navigates to the link or uses the code, update the user via the Graph again to set its accountEnabled flag to true.
Note: this will only work for local users and not for social users.
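The "activation" mechanism from the second option (create the user with accountEnabled false, email a code, flip accountEnabled to true on redemption), as an added example that is not code from the answer. It assumes the user's objectId returned by Graph at creation time is what you store, that the store below (an in-memory dict) stands in for your database, that sending the email via SendGrid or similar is done by the caller, and that the Microsoft Graph endpoint `PATCH /v1.0/users/{id}` is used to re-enable the account (the answer's "Graph" could equally be the older Azure AD Graph; only the URL differs). The request is returned as a dict rather than sent, so the example runs offline.

```python
# Added example (not from the original answer): single-use, expiring activation
# codes for B2C local accounts that were created with accountEnabled=false.
# Assumptions: objectIds come from the Graph user-creation response; the
# ActivationStore is an in-memory stand-in for a database; the re-enable call
# targets Microsoft Graph's PATCH /v1.0/users/{id}; email sending is external.
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

GRAPH_USERS_ENDPOINT = "https://graph.microsoft.com/v1.0/users"  # assumed endpoint
ACTIVATION_TTL_SECONDS = 24 * 60 * 60  # codes are worthless after a day


@dataclass
class PendingActivation:
    user_object_id: str  # the objectId Graph returned when the user was created
    expires_at: float


class ActivationStore:
    """Maps the SHA-256 hash of an activation code to the disabled user it
    belongs to. Only the hash is stored, so a leaked store cannot be replayed."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._pending: Dict[str, PendingActivation] = {}

    @staticmethod
    def _hash(code: str) -> str:
        return hashlib.sha256(code.encode("utf-8")).hexdigest()

    def issue(self, user_object_id: str) -> str:
        """Create a code for a freshly created (disabled) user and return the
        plaintext, which goes into the email and nowhere else."""
        code = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._hash(code)] = PendingActivation(
            user_object_id, self._now() + ACTIVATION_TTL_SECONDS)
        return code

    def redeem(self, code: str) -> Optional[str]:
        """Consume a code exactly once. Returns the user's objectId, or None if
        the code is unknown, already used, or expired."""
        entry = self._pending.pop(self._hash(code), None)
        if entry is None or self._now() > entry.expires_at:
            return None
        return entry.user_object_id


def build_activation_link(base_url: str, code: str) -> str:
    """The link to put in the invitation email (path /activate is assumed)."""
    return f"{base_url.rstrip('/')}/activate?code={code}"


def build_enable_request(user_object_id: str, access_token: str) -> dict:
    """The Graph call that sets accountEnabled=true. Returned as a dict so the
    caller can send it with any HTTP client using an app token for Graph."""
    return {
        "method": "PATCH",
        "url": f"{GRAPH_USERS_ENDPOINT}/{user_object_id}",
        "headers": {"Authorization": f"Bearer {access_token}",
                    "Content-Type": "application/json"},
        "json": {"accountEnabled": True},
    }


def activate(store: ActivationStore, code: str, access_token: str) -> Optional[dict]:
    """Handler for the /activate link: returns the Graph request to send when
    the code is valid, or None (caller should show a generic failure page)."""
    user_object_id = store.redeem(code)
    if user_object_id is None:
        return None
    return build_enable_request(user_object_id, access_token)


if __name__ == "__main__":
    store = ActivationStore()
    # Constructed objectId standing in for the value Graph returned on creation.
    code = store.issue("11111111-2222-3333-4444-555555555555")
    print("email this link:", build_activation_link("https://saas.example", code))
    print("graph request:", activate(store, code, "<app-token-placeholder>"))
    print("second use:", activate(store, code, "<app-token-placeholder>"))  # None
```

Two properties worth keeping when moving this to a database: the code is hashed before storage and removed on first use, and expiry is checked on the server's clock, not on anything carried in the link.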

Graph API - Daemon app with User Consent

We want to create an API App (its main purpose is to contact our organization's Office 365 Graph endpoint and send email) in Azure. However, our frontend website doesn't use Azure AD for the user authentication. We want our backend API to be able to send email in one of the following ways:
1) send email as any user
2) send email on behalf of a service account
We are trying to explore the possible options and based on the investigation done so far, this (option 1) can be done using admin_consent. Can someone help with the steps we need to follow to create such an app and deploy it?
Additionally, is there a way to create an API app without a login screen being prompted during the execution of the API, while using user_consent?
Option 1
In order for an app/daemon to send email as any user, it must have the send mail as any user app permission.
Give that permission on the Microsoft Graph API to the app, then grant the permission by clicking the Grant Permissions button in the portal, or by going through the admin consent flow.
Your API can then authenticate with its client credentials and get an access token to send email.
The bad side of this approach should be obvious: the app gets rights to send emails as anyone in your org.
Option 2
You could alternatively create an account for the API, and then use the Resource Owner Password grant flow to authenticate. You would then give the delegated permission for sending email as the signed in user.
The bad side of this is the flow for authenticating. If the account's password expires, there is no way for you to reset it from there, you would have to intervene to fix the problem.
Consent
You cannot go through consent without the browser UI.

Is there way to setup approval for azure ad b2c user creation?

We want to use Azure AD B2C to let clients/contractors create and use their account, but all accounts have to be validated due to some regulatory requirements.
So once a user creates an account we want to make sure it is a valid account before the user can access the application with the newly created account.
In your policy configuration, you can select the "User is new" claim type in the Application claims section. The first time the user accesses your application, the claim will appear in the id_token and you can handle it to do custom processing with the user. This is the only reference I found about this claim: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-policies