I have this scenario where we have to authenticate corporate users via Azure AD, but the external users via Azure AD B2C - all from the same login screen.
There are a few web applications which will share this capability. The applications come from various technology stacks, ranging from .Net to Java-Spring + Angular 2.
What is your recommended approach for this? Apologies, if this question has already been asked and answered, but couldn't find much guidance on this. Will MSAL library solve this? Besides, there aren't any MSAL implementation for Java yet. Will Azure AD B2C Premium support this?
Thanks in advance for your help!
Azure AD is Microsoft's solution for managing employee access to SaaS apps and it has features designed for this purpose such as licensing and Conditional Access. Azure AD B2C provides an identity and access management platform for building web and mobile applications.
At this time your only option is to implement support for both Azure AD & Azure AD B2C independently in your applications. You must ask the user to select between the two identity providers, and then invoke the correct one.
There are plans to add support for Azure AD org users as an identity provider in Azure AD B2C, at which point two integrations will not be necessary. However that capability isn't in the near future.
I slapped together a bit of guidance on how to support both in a .NET application, perhaps that will get you on the right track: https://github.com/dstrockis/AAD-B2C-Hybrid
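To make the "ask the user to select, then invoke the correct provider" approach concrete, here is an added example (not code from the linked AAD-B2C-Hybrid sample and not the answerer's) in plain Python. The provider settings, tenant ids, client ids and the contoso.com domain are constructed placeholders; real issuer and endpoint values come from each tenant's OpenID Connect metadata document. The point it adds is the callback side: the session remembers which provider was chosen, and an id_token is accepted only if its issuer, audience and nonce match that provider and that request.

```python
"""Provider selection and post-sign-in claim checks for one login page that
offers both Azure AD (corporate) and Azure AD B2C (external) sign-in.
Added example; not the poster's sample code."""
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed settings. Replace with values from your tenants' OpenID Connect
# metadata documents (authorization_endpoint, issuer) and app registrations.
PROVIDERS = {
    "corporate": {
        "authorize_endpoint": "https://login.microsoftonline.com/CORP_TENANT_ID/oauth2/v2.0/authorize",
        "issuer": "https://login.microsoftonline.com/CORP_TENANT_ID/v2.0",
        "client_id": "corp-app-client-id",
    },
    "external": {
        "authorize_endpoint": "https://contosob2c.b2clogin.com/contosob2c.onmicrosoft.com/"
                              "B2C_1_signupsignin/oauth2/v2.0/authorize",
        "issuer": "https://contosob2c.b2clogin.com/B2C_TENANT_ID/v2.0/",
        "client_id": "b2c-app-client-id",
    },
}

# Constructed: e-mail domains that belong to the corporate tenant.
CORPORATE_DOMAINS = {"contoso.com"}


def choose_provider(email):
    """Home-realm discovery: corporate domains go to Azure AD, everyone else to B2C."""
    domain = email.rsplit("@", 1)[-1].lower() if "@" in email else ""
    return "corporate" if domain in CORPORATE_DOMAINS else "external"


def start_login(provider_name, redirect_uri):
    """Build the authorize URL plus the per-request values to keep server-side."""
    p = PROVIDERS[provider_name]
    state = secrets.token_urlsafe(24)
    nonce = secrets.token_urlsafe(24)
    params = {
        "client_id": p["client_id"],
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "openid profile",
        "state": state,
        "nonce": nonce,
        "response_mode": "query",
    }
    url = p["authorize_endpoint"] + "?" + urlencode(params)
    # The session pins the chosen provider so the callback accepts a token
    # from that provider only.
    session = {"provider": provider_name, "state": state, "nonce": nonce}
    return url, session


def callback_state_matches(callback_url, session):
    """CSRF check on the redirect: the state must be the one we issued."""
    qs = parse_qs(urlsplit(callback_url).query)
    return qs.get("state", [None])[0] == session["state"]


def validate_id_token_claims(session, claims, now):
    """Check decoded id_token claims against the pinned provider and session.
    Assumes the JWT signature was already verified with that provider's keys."""
    p = PROVIDERS[session["provider"]]
    if claims.get("iss") != p["issuer"]:
        return False, "issuer does not match the provider the user selected"
    aud = claims.get("aud")
    if aud != p["client_id"] and aud != [p["client_id"]]:
        return False, "token was not issued for this application"
    if claims.get("nonce") != session["nonce"]:
        return False, "nonce mismatch (replayed or foreign token)"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, "ok"


if __name__ == "__main__":
    url, session = start_login(choose_provider("alice@contoso.com"), "https://app.example/callback")
    print(url)
    print(validate_id_token_claims(session, {"iss": "x"}, 0))
```

Note that the issuer check is the one that keeps the two integrations separate: a valid corporate token presented on a session that was started against B2C (or the reverse) is rejected even though both tokens would verify cryptographically.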
To use Azure AD for corporate user login and Azure AD B2C for external users you need to configure the following.
Step 1 - Configure Identity providers
If you are using the Identity Experience Framework policy:
- OpenIdConnect Protocol for Corporate user Authentication
- login-NonInteractive TechnicalProfile for External user Authentication
- <ClaimsProviderSelections> under <UserJourneys> --> <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signupsignin">
Example:
<ClaimsProviderSelections>
  <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
  <ClaimsProviderSelection TargetClaimsExchangeId="AADExchange" />
</ClaimsProviderSelections>
<ClaimsExchanges>
  <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
</ClaimsExchanges>
</OrchestrationStep>
If you are using User flows then you need to configure the following:
- OpenID Connect provider in Identity Providers of Azure AD B2C
- Email Signin under Local Accounts for External user authentication
- OpenID Connect provider for the Corporate User Authentication
Step 2 - Create an App registration
Step 3 - Configure the Redirect URIs for the app created in App Registration to your Application URL's
Step 4 - When you test the policy, you will be presented with 2 options: username and password for the External user authentication, where the user uses the username and password configured for them in Azure AD B2C, and a second option, a link at the bottom of the sign-in page to log in with Azure AD. When users click on this link, they will be taken to the Azure AD login page for authentication.
Refer to the below link for more detailed configuration steps
https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-single-tenant-custom?tabs=app-reg-ga
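The custom-policy fragment in the answer above references two claims exchanges from the CombinedSignInAndSignUp step, and a typo in any of those ids only shows up when the policy is uploaded or run. As an added example (not the answerer's policy, not Microsoft's tooling), the script below lints a TrustFrameworkPolicy for exactly those cross-references: a ValidationClaimsExchangeId must name a ClaimsExchange in the same step, a TargetClaimsExchangeId must name one in the next orchestration step, and every ClaimsExchange must point at a defined TechnicalProfile. The embedded sample policy is constructed to mirror the answer's fragment with a minimal step 2 added; the technical profile ids in it are assumed names.

```python
"""Lint the claims-exchange cross-references in an Azure AD B2C custom policy.
Added example; the sample policy is constructed, not the poster's."""
import xml.etree.ElementTree as ET

# Namespace used by TrustFrameworkPolicy files.
NS = {"tf": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}

# Constructed minimal policy: the answer's step 1 plus a step 2 that carries the
# AADExchange the selection button targets. Profile ids are assumed names.
SAMPLE_POLICY = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">
  <ClaimsProviders>
    <ClaimsProvider>
      <TechnicalProfiles>
        <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email" />
        <TechnicalProfile Id="AADCommon-OpenIdConnect" />
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>
  <UserJourneys>
    <UserJourney Id="SignUpOrSignIn">
      <OrchestrationSteps>
        <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signupsignin">
          <ClaimsProviderSelections>
            <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
            <ClaimsProviderSelection TargetClaimsExchangeId="AADExchange" />
          </ClaimsProviderSelections>
          <ClaimsExchanges>
            <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <OrchestrationStep Order="2" Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange Id="AADExchange" TechnicalProfileReferenceId="AADCommon-OpenIdConnect" />
          </ClaimsExchanges>
        </OrchestrationStep>
      </OrchestrationSteps>
    </UserJourney>
  </UserJourneys>
</TrustFrameworkPolicy>"""


def _exchange_ids(step):
    return {ce.get("Id") for ce in step.iterfind("tf:ClaimsExchanges/tf:ClaimsExchange", NS)}


def lint_journeys(policy_xml):
    """Return a list of human-readable problems; an empty list means the references line up."""
    root = ET.fromstring(policy_xml)
    profiles = {tp.get("Id") for tp in root.iterfind(".//tf:TechnicalProfile", NS)}
    problems = []
    for journey in root.iterfind(".//tf:UserJourney", NS):
        jid = journey.get("Id")
        steps = sorted(journey.iterfind(".//tf:OrchestrationStep", NS),
                       key=lambda s: int(s.get("Order")))
        for i, step in enumerate(steps):
            order = step.get("Order")
            own_ids = _exchange_ids(step)
            next_ids = _exchange_ids(steps[i + 1]) if i + 1 < len(steps) else set()
            # Every ClaimsExchange must reference a technical profile that exists.
            for ce in step.iterfind("tf:ClaimsExchanges/tf:ClaimsExchange", NS):
                ref = ce.get("TechnicalProfileReferenceId")
                if ref not in profiles:
                    problems.append(f"{jid} step {order}: ClaimsExchange {ce.get('Id')} "
                                    f"references unknown TechnicalProfile {ref}")
            # Selections: validation ids live in this step, target ids in the next one.
            for sel in step.iterfind("tf:ClaimsProviderSelections/tf:ClaimsProviderSelection", NS):
                v = sel.get("ValidationClaimsExchangeId")
                t = sel.get("TargetClaimsExchangeId")
                if v and v not in own_ids:
                    problems.append(f"{jid} step {order}: ValidationClaimsExchangeId {v} "
                                    f"has no ClaimsExchange in the same step")
                if t and t not in next_ids:
                    problems.append(f"{jid} step {order}: TargetClaimsExchangeId {t} "
                                    f"has no ClaimsExchange in the next step")
    return problems


if __name__ == "__main__":
    for line in lint_journeys(SAMPLE_POLICY) or ["no problems found"]:
        print(line)
```

Run it against the uploaded policy file (read the XML instead of SAMPLE_POLICY) before testing in the portal; a missing step 2 exchange or a mistyped profile id is reported with the journey and step it belongs to.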