Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Azure Active Directory B2C user signup without redirect (non interactive)

Tags:

azure-active-directory

azure-ad-graph-api

azure-ad-b2c

I am building a native iOS application and want to use AADB2C as identity provider where users login, signup, reset their passwords etc.

I cannot figure out a way to let users signup with AADB2C (or regular AAD for that matter) without redirecting them to a (customizable, but still) microsoft website. To be perfectly clear: I want to let customers create user accounts on AAD from a native iOS form without redirecting them to a website, preferably via REST request. (Like here under "Create consumer user accounts": https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet)

like image 778
bismuth Avatar asked Feb 07 '17 19:02

bismuth

1 Answers

Can you create users from an iOS app? Yes, using the Graph API as per the article you showed. You can only create local accounts at this time though.

However you need to be very careful about how you do it given that currently, the ability to create users requires Directory.ReadWrite.All permission, which also allows all other sorts of operations. You should NOT put the client ID and client secret for an app with these permissions in your iOS app. Rather, you would need to create a backend service that exposes an API for your iOS app to call for user creation.

However, more importantly, what you WON'T be able to do is SIGN IN the users without a redirect (which is what the B2C sign up policy does). In order to do this from your own UI without redirects, you would need Azure AD B2C to support Resource Owner Password Credentials Flow so that you can, after creating the user, use this flow to sign them in and get a token.

Note: You would also need to disable Email Verification so that you can leverage the user account right after user creation. You can set this in the Sign-up policy or Sign-up/Sign-in policy via Page UI customization > Local account sign-up page > Email Address > Require Verification > No

Lastly, as an FYI, there's a feature in the works in Azure AD B2C: Customer Owned Domains, which, paired up with UI customization, would allow you to have sign-up/sign-in pages that you can look like your own and have a URL of your own, with no trace of Microsoft for your end users to see.

like image 62
Saca Avatar answered Sep 22 '22 14:09

Saca
Sign in to Comment

Related questions

AzCopy authenticate: Selected user account does not exist in tenant
How to get client secret from existing Azure service principal
MVC to Authenticate against Office 365 AD
Azure Active Directory Application Key Renewal
ADAL authentication without dialog box prompt
How to use both internal Forms authenticationas well as Azure AD authentication
How can I tell when a Azure AD client secret expires?
AADSTS50058: A silent sign-in request was sent but no user is signed in
How to allow non-admin users to authenticate via OAuth2.0 for tenants where users are not allowed to consent apps on their behalf?
Azure AD v2 roles not included in Access Token
AD Directory Programming with Azure Active Directory
WAAD Authentication with WebAPI OData service consumed by Excel PowerQuery
'authority' should be in Uri format Parameter name: authority
Azure AD appending '#EXT#' to UserPrincipalName
netcore with azure ad using oidc and the browser back button after sign in causing exceptions
Azure Active Directory application and service principals
How do install AzureAD PowerShell module
Azure ADAL Refresh id_token
X-Frame-Option DENY error when AAD sign-in in office add-in
Azure Active Directory - Access Denied in New Portal

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!