Azure AD B2C integrating with corporate (Azure?) AD accounts

We would like to use Azure AD B2C for our web applications to allow users to sign in either with a 'local' account/password or use their social accounts (Facebook, etc). https://docs.microsoft.com/azure/active-directory-b2c/active-directory-b2c-overview

However, in this application, we are likely to be targeting organisations, so we would also like to integrate with a company's existing Azure AD corporate accounts. That way the user doesn't have to create a new account and can use their existing corporate account.

It turns out that there is a (new) feature within Azure AD B2C which allows you to explicitly link to an external Azure AD account by using a custom policy as described here: https://docs.microsoft.com/azure/active-directory-b2c/active-directory-b2c-setup-aad-custom

Unfortunately, this only works if we know in advance which external companies we need to link with and add in specific configuration. It also leaks information about who is using the app, because the company names become listed as options on the sign-in page.

I've also looked at the Azure AD B2B features, but I don't think that this fits properly either.

What we'd really like is for Azure AD B2C to offer a generic 'sign in with a (corporate) Microsoft account', which detects whether that email address is already handled within any Azure AD system; if it is, it then delegates authentication to that system, but if not, it falls back to an Azure AD B2C local account.

This generic login already works for access to standard Microsoft apps, such as their portals. Does anyone know if this is possible within Azure AD B2C, or have any potential timescale for when it may become possible? Are there any alternate systems which may be able to offer similar functionality?

Conor O'Neill asked Aug 04 '17 14:08


1 Answer

What you are referring to is having Azure AD in multi-tenant mode, added as an identity provider to Azure AD B2C.

From: Multi-Tenant Azure AD Auth in Azure AD B2C with Custom Policies

In order to support multi-tenant Azure AD, you'll need to configure your ClaimsProvider in the custom policy with different values.

Use the values below, making sure you replace the client_id and IdTokenAudience values with your own.

<Item Key="DiscoverMetadataByTokenIssuer">true</Item>
<Item Key="ValidTokenIssuerPrefixes">https://sts.windows.net/</Item>
<Item Key="authorization_endpoint">https://login.microsoftonline.com/common/oauth2/authorize</Item>
<Item Key="client_id">df5b2515-a8d2-4d91-ab4f-eac6e1e416c2</Item>
<Item Key="BearerTokenTransmissionMethod">AuthorizationHeader</Item>
<Item Key="scope">openid</Item>
<Item Key="UsePolicyInRedirectUri">false</Item>
<Item Key="HttpBinding">POST</Item>
<Item Key="response_types">id_token</Item>
<Item Key="IdTokenAudience">df5b2515-a8d2-4d91-ab4f-eac6e1e416c2</Item>

CAUTION: This functionality isn't officially even in preview yet, so use with caution. Keep monitoring the official "Sign in by using Azure AD accounts" documentation to see when this is fully documented and supported.

EDIT: Make sure you flip the Multi-tenanted switch in the App's settings, otherwise you'll get the following error:

AADSTS70001: Application with identifier '(guid)' was not found in the directory (our company's primary domain)

Saca answered Oct 11 '22 21:10
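The Metadata items in the answer above are only the inner part of a ClaimsProvider; the rest of the TechnicalProfile (output claims, claims transformations, session management) still has to be present for the policy to upload and for B2C to create a local account object from the federated sign-in. The following is an added example, not code from the question, the answer, or Microsoft's documentation, showing one complete ClaimsProvider built around those same Metadata values. The client ID, the tenant IDs in the comment, the ClaimsProvider and TechnicalProfile Ids, and the tenantId claim type (which must be declared under BuildingBlocks/ClaimsSchema) are all assumed placeholders. The security point worth keeping in view: the `common` endpoint accepts an id_token from any Azure AD tenant, including free tenants anyone can create, so the ValidTokenIssuerPrefixes check only proves the token came from some Azure AD tenant. If the app should admit only specific organisations, either narrow ValidTokenIssuerPrefixes to those tenants' issuers (as in the comment) or carry the `tid` claim through to the application and enforce an allow-list there.

```xml
<!-- Added example ClaimsProvider for multi-tenant Azure AD (v1 endpoints, matching the answer).
     Placeholder values: client_id / IdTokenAudience GUID, Ids, and the tenantId claim type. -->
<ClaimsProvider>
  <Domain>commonaad</Domain>
  <DisplayName>Work or school account (any Azure AD tenant)</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="AAD-Common">
      <DisplayName>Multi-tenant Azure AD</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <Metadata>
        <!-- Start from the common metadata, then re-discover per issuer once the token arrives. -->
        <Item Key="METADATA">https://login.microsoftonline.com/common/.well-known/openid-configuration</Item>
        <Item Key="DiscoverMetadataByTokenIssuer">true</Item>
        <!-- Any v1 Azure AD tenant issuer is accepted. To restrict to known tenants instead,
             list their full issuers (assumed tenant IDs shown), comma-separated:
             https://sts.windows.net/11111111-1111-1111-1111-111111111111/,https://sts.windows.net/22222222-2222-2222-2222-222222222222/ -->
        <Item Key="ValidTokenIssuerPrefixes">https://sts.windows.net/</Item>
        <Item Key="authorization_endpoint">https://login.microsoftonline.com/common/oauth2/authorize</Item>
        <!-- Placeholder app registration; the registration must have the multi-tenant switch enabled. -->
        <Item Key="client_id">00000000-0000-0000-0000-000000000000</Item>
        <Item Key="IdTokenAudience">00000000-0000-0000-0000-000000000000</Item>
        <Item Key="BearerTokenTransmissionMethod">AuthorizationHeader</Item>
        <Item Key="scope">openid</Item>
        <Item Key="UsePolicyInRedirectUri">false</Item>
        <Item Key="HttpBinding">POST</Item>
        <Item Key="response_types">id_token</Item>
      </Metadata>
      <OutputClaims>
        <!-- oid is stable per user per tenant; use it, not email, as the federated identifier. -->
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid" />
        <!-- Keep the home tenant so the relying app can apply its own tenant allow-list. -->
        <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid" />
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
        <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" />
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
```

The identityProvider claim set from `iss` records which tenant's issuer actually signed the token, which is useful in audit logs precisely because the sign-in page no longer names the organisations, as the question's author wanted. Together with `tid`, it is what the application, or a narrowed ValidTokenIssuerPrefixes list, should check before treating a "corporate" sign-in as belonging to a customer organisation rather than to an arbitrary tenant.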