I have created an Azure AD B2C tenant and I have 3 members (users) contained in the Azure AD B2C tenant, but my objective is to show the existing users in the tenant.
I have used graph.microsoft.com and all the other methods to retrieve the existing users (including Microsoft tutorials), but I can't retrieve and see the existing users.
Any help would be fine to figure out the way to do it, thanks in advance for your support.
It is a bit ambiguous but it is clear from the Azure AD B2C documentation that "you must use the Azure AD Graph API to manage users in an Azure AD B2C directory".
I have also experienced issues with getting a few properties, including any extension properties, for users in an Azure AD B2C directory using the Microsoft Graph API.
We are working on a web application that requires two different types of users:
Administrators (mapped to Azure AD, SSO);
Customers (mapped to Azure AD B2C);
Customers log into the web application using their Azure AD B2C account. Administrators log into an administration UI area of the website using their Azure AD account. This part is fine.
However, one of the requirements is that the Administrators are able to impersonate the Customer, so that they can carry out certain tasks on-behalf of the customer e.g. place an order.
We'll be using OAuth (.NET package) for the authorisation. My question is twofold really:
1) Does OAuth support impersonation of other accounts?
2) If yes, is it even possible for an account in Azure AD to impersonate a user in Azure AD B2C - currently they are different directories with no visibility of one another.
Perhaps my questions are a little vague, we're looking for some pointers in the right direction.
Many thanks in advance
dotdev
You can build a flow which authenticates the Admin via the federated IdP (AAD), then presents them a B2C page which allows them to impersonate a B2C user: https://github.com/azure-ad-b2c/samples/tree/master/policies/impersonation. The policy should do some checks to make sure the AAD user is in some group who can impersonate, then present them a screen in B2C to provide the end user's email. B2C will then finish the authentication by minting a token that is in the B2C user's context.
Azure AD (regular/B2C) does not allow you to impersonate other users.
You can't really login as the user.
You will most likely have to build this functionality into your application, where the admin is allowed to choose a customer on whose behalf they are making the order.
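The application-level approach the answers above recommend (an admin chooses a customer and the application records that the admin acted for them, with no token ever minted in the customer's identity) looks like this in an added example that is not code from the question or the answers. It assumes administrators are authenticated by Azure AD and customers by Azure AD B2C, reads only the standard `iss`, `sub` and `groups` claims, and every tenant, group and customer id below is a constructed placeholder.

```python
"""Application-level 'act on behalf of a customer' instead of identity-level impersonation.

Assumptions (placeholders, not values from the question): ADMIN_ISSUER is the Azure AD
tenant that signs in administrators; IMPERSONATOR_GROUP is the object id of the group
whose members may act for customers. Signature verification of the tokens is assumed
to have happened already in the OWIN/JWT middleware.
"""
import datetime as dt
from dataclasses import dataclass
from typing import Dict, List, Tuple

ADMIN_ISSUER = "https://login.microsoftonline.com/placeholder-admin-tenant-id/v2.0"
IMPERSONATOR_GROUP = "placeholder-group-object-id"


@dataclass(frozen=True)
class Principal:
    subject: str             # 'sub' claim of the signed-in identity
    issuer: str              # 'iss' claim: which directory authenticated this principal
    groups: Tuple[str, ...] = ()


@dataclass
class ActingContext:
    actor: Principal         # the admin who is really logged in (session stays theirs)
    customer_id: str         # application-side customer record being acted for
    started: dt.datetime


def from_claims(claims: dict) -> Principal:
    return Principal(claims["sub"], claims["iss"], tuple(claims.get("groups", ())))


def can_act_on_behalf(p: Principal) -> bool:
    """Only an Azure AD principal (never a B2C one) in the designated group qualifies;
    checking the issuer stops a B2C token that happens to carry a 'groups' claim."""
    return p.issuer == ADMIN_ISSUER and IMPERSONATOR_GROUP in p.groups


def start_acting(actor: Principal, customer_id: str,
                 customers: Dict[str, dict], audit: List[dict]) -> ActingContext:
    """Authorise the admin, resolve the customer in the app's own store, and audit it."""
    if not can_act_on_behalf(actor):
        raise PermissionError("principal may not act on behalf of customers")
    if customer_id not in customers:
        raise KeyError("unknown customer")
    ctx = ActingContext(actor, customer_id, dt.datetime.now(dt.timezone.utc))
    audit.append({"event": "act_on_behalf_start", "actor": actor.subject,
                  "customer": customer_id, "at": ctx.started.isoformat()})
    return ctx


def place_order(ctx: ActingContext, items: List[str], audit: List[dict]) -> dict:
    """The order belongs to the customer but records who really placed it."""
    order = {"customer_id": ctx.customer_id, "items": list(items),
             "placed_by": ctx.actor.subject}
    audit.append({"event": "order_placed", "actor": ctx.actor.subject,
                  "customer": ctx.customer_id, "items": len(items)})
    return order


if __name__ == "__main__":
    # Constructed demo data: one admin token's claims and one customer record.
    audit_log: List[dict] = []
    store = {"cust-1": {"name": "Alice Example"}}
    admin = from_claims({"sub": "admin-1", "iss": ADMIN_ISSUER,
                         "groups": [IMPERSONATOR_GROUP]})
    ctx = start_acting(admin, "cust-1", store, audit_log)
    print(place_order(ctx, ["sku-100"], audit_log))
    for entry in audit_log:
        print(entry)
```

The actor and the customer are kept as two separate fields for the whole request, so every write that happens while acting on behalf of someone carries both identities and the audit trail answers "who really did this" without any directory-level impersonation.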
I’m currently working on an application built on ASP.NET MVC which uses Microsoft account (MSA) authentication. To implement a new requirement, during a flow (say on step 2) the application has to validate the user against Azure Active Directory (AAD) authentication for organization account (while MSA login should persist) to grant special privileges and move to step 3.
So during step 2 to 3 navigation, MSA authentication should not be logged out and user can be validated against AAD.
Is it possible to have concurrent logins via two different identity providers (MSA and AAD)?
It is not possible if you are using the Azure AD v1.0 endpoint. However, you can use the Azure AD v2.0 endpoint to implement it. This document helps in comparing the Azure AD v2.0 endpoint with the v1.0 endpoint.
To build an app that accepts both personal Microsoft account (MSA), and work or school account (Azure AD) sign-in, you'll need to register an app with the Azure Active Directory (Azure AD) v2.0 endpoint. At this time, you won't be able to use any existing apps you may have with Azure AD or MSA - you'll need to create a brand new one. Refer to this document to help on it - Quickstart: Register an app with the Azure Active Directory v2.0 endpoint.
You can also use Azure AD B2C and use custom policy to add MSA as Identity Provider. Refer to this document for details - Azure Active Directory B2C: Add Microsoft Account (MSA) as an identity provider using custom policies.
Does Microsoft Graph already have functionalities for Azure AD B2C User CRUD?
I found these related SO questions:
Which Graph API should be used with Azure AD B2C
Correct Graph API to manage Azure AD B2C
But both have answers that are dated 2017, so I am wondering if there are already updates from Microsoft that I am not aware of. I still have not found anything in my searches.
Below are the links I have found so far that seem to conflict with each other (some of the links were also mentioned in the other questions).
In (D), it seems to offer options for User CRUD but I am not sure if it is just for Azure AD and not for Azure AD B2C.
Any help is appreciated. Thanks!
A. Azure AD B2C: Use the Azure AD Graph API (Date: 08/07/2017)
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet
It says: You must use the Azure AD Graph API to manage users in an Azure AD B2C directory. This is different from the Microsoft Graph API. Learn more here.
B. Operations on users | Graph API reference (Last Updated: 2/12/2018)
https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/users-operations
It says: We strongly recommend that you use Microsoft Graph instead of Azure AD Graph API to access Azure Active Directory resources. Our development efforts are now concentrated on Microsoft Graph and no further enhancements are planned for Azure AD Graph API. There are a very limited number of scenarios for which Azure AD Graph API might still be appropriate; for more information, see the Microsoft Graph or the Azure AD Graph blog post in the Office Dev Center.
C. Microsoft Graph or Azure AD Graph (Date: July 8, 2016)
https://blogs.msdn.microsoft.com/aadgraphteam/2016/07/08/microsoft-graph-or-azure-ad-graph/
It says: In general, we recommend the use of Microsoft Graph over Azure AD Graph, as Microsoft Graph is where we are investing for Microsoft cloud services.
But then, it says at the bottom:
AAD Graph Capability | Status in Microsoft Graph (March 23, 2018)
12. Manage users in a B2C tenant (set local accounts, sign in names) | Coming soon (preview)
D. Microsoft Graph: User resource type
https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/resources/user
It lists options to Create, Update and Delete a user.
It is a bit ambiguous but I believe it is clear from the Azure AD B2C documentation that "you must use the Azure AD Graph API to manage users in an Azure AD B2C directory".
For example, according to the Microsoft Graph API documentation, you can't create a local account in an Azure AD B2C directory with a sign-in name.
I have also experienced issues with getting and setting a few properties, including any extension properties, for users in an Azure AD B2C directory using the Microsoft Graph API.
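Both the first question on this page (listing the users of a B2C tenant) and this one (user CRUD) come down to the same Azure AD Graph calls, so here is one added example that covers both: it is not code from the questions, the answers or Microsoft's samples. It assumes an application registered in the B2C tenant with client-credentials access to Azure AD Graph (Directory.Read.All is enough to list users; creating them needs Directory.ReadWrite.All), takes TENANT, CLIENT_ID and CLIENT_SECRET from environment variables, and uses constructed placeholder values everywhere else. The sign-in-name and extension-attribute handling is exactly what the answer says Microsoft Graph did not expose at the time.

```python
"""Azure AD Graph (graph.windows.net, api-version 1.6) calls for Azure AD B2C users.

Assumptions: an app registration in the B2C tenant with client-credentials permission
on Azure AD Graph; TENANT (e.g. contoso.onmicrosoft.com), CLIENT_ID and CLIENT_SECRET
are read from the environment. SAMPLE_PAGE is a constructed response so the parsing
part runs offline.
"""
import json
import os
import urllib.parse
import urllib.request

GRAPH = "https://graph.windows.net"
API_VERSION = "1.6"


def token_request(tenant, client_id, client_secret):
    """Client-credentials request for a token scoped to the Azure AD Graph resource."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": GRAPH,  # Azure AD Graph, not https://graph.microsoft.com
    }).encode()
    return urllib.request.Request(url, data=body, method="POST")


def list_users_url(tenant, top=None):
    """URL that lists (GET) or creates (POST) users in the tenant."""
    url = f"{GRAPH}/{tenant}/users?api-version={API_VERSION}"
    return url + (f"&$top={top}" if top else "")


def extension_attr_name(extensions_app_id, attribute):
    """B2C custom attributes appear as extension_<app id without dashes>_<Name>."""
    return f"extension_{extensions_app_id.replace('-', '')}_{attribute}"


def local_account_payload(display_name, email, password, **extension_attrs):
    """POST body creating a B2C local account that signs in with an e-mail address."""
    user = {
        "accountEnabled": True,
        "creationType": "LocalAccount",  # marks a B2C local account, not a work account
        "displayName": display_name,
        "passwordProfile": {"password": password, "forceChangePasswordNextLogin": False},
        "passwordPolicies": "DisablePasswordExpiration",
        "signInNames": [{"type": "emailAddress", "value": email}],
    }
    user.update(extension_attrs)  # keys built with extension_attr_name()
    return user


def parse_users(body):
    """Extract the fields an operator usually wants from one /users response page."""
    data = json.loads(body)
    users = []
    for u in data.get("value", []):
        users.append({
            "objectId": u["objectId"],
            "displayName": u.get("displayName"),
            "signInNames": [s["value"] for s in u.get("signInNames", [])],
            "extensions": {k: v for k, v in u.items() if k.startswith("extension_")},
        })
    return users, data.get("odata.nextLink")  # present when another page follows


def send(request, access_token=None):
    if access_token:
        request.add_header("Authorization", f"Bearer {access_token}")
    with urllib.request.urlopen(request) as resp:
        return resp.read()


# Constructed sample page shaped like an Azure AD Graph v1.6 /users response.
SAMPLE_PAGE = json.dumps({"value": [
    {"objectId": "11111111-1111-1111-1111-111111111111", "displayName": "Alice Example",
     "signInNames": [{"type": "emailAddress", "value": "alice@example.com"}],
     "extension_00000000000000000000000000000000_LoyaltyTier": "gold"},
    {"objectId": "22222222-2222-2222-2222-222222222222", "displayName": "Bob Example",
     "signInNames": [{"type": "userName", "value": "bob"}]},
]}).encode()


if __name__ == "__main__":
    tenant = os.environ.get("TENANT")
    if not tenant:  # offline run: parse the constructed page
        for u in parse_users(SAMPLE_PAGE)[0]:
            print(u["objectId"], u["signInNames"], u["extensions"])
    else:
        token = json.loads(send(token_request(
            tenant, os.environ["CLIENT_ID"], os.environ["CLIENT_SECRET"])))["access_token"]
        url = list_users_url(tenant, top=50)
        while url:  # follow odata.nextLink until the directory is exhausted
            users, next_link = parse_users(send(urllib.request.Request(url), token))
            for u in users:
                print(u["objectId"], u["displayName"], u["signInNames"])
            url = f"{GRAPH}/{tenant}/{next_link}&api-version={API_VERSION}" if next_link else None
```

To create a local account, POST `json.dumps(local_account_payload(...))` to `list_users_url(tenant)` with a `Content-Type: application/json` header and the same bearer token; the password in the payload should come from a generator, never be logged, and the account should be created with `forceChangePasswordNextLogin` set according to your own policy.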
I'm building a web portal where my customers can log in - pretty standard stuff.
Now I would like my customers to log into the portal by using their "own credentials".
The optimal solution would be that users could use one of the following:
Office 365
If they have O365 then just sign in with their own credentials. This scenario is covered by the OOTB VS template
On-premise ADFS
If the customer has an on-premises ADFS then they should be redirected to that to sign in. (I know this needs configuration for both parties, but that's ok)
None of the above
The customer does not have any of the above and therefore needs a "local account". In this case I would like to use Azure AD B2C to store the credentials.
I can do all of the above, but I have never tried to do it all together in one site.
Therefore, is it at all possible and how should it be constructed?
And how would the login experience be?
I'm using OWIN.
Any advice would be helpful.
Thanks!
When you say "local", you mean in AAD?
Azure B2C allows non-federated (i.e. don't use ADFS) users to provision and then authenticate themselves.
However, such users are "outside" of the normal authentication flow and cannot use ADFS or have O365 licenses.
In terms of ADFS and O365, you need to set:
Convert-MsolDomainToFederated
as in Step-By-Step: Setting up AD FS and Enabling Single Sign-On to Office 365.
In future Azure AD B2C will add the ability for users to log in using their 'Work Accounts'. Those are the accounts used for O365. If the respective tenants have set up federation with Azure AD, ADFS federation will also work.
Meanwhile, the old workaround for you to get it to work is to have your application:
1. handle multiple tokens (Azure AD, Azure AD B2C, ADFS or other federations) by implementing each federation to get the tokens;
2. implement the IdP selection screen on the application and federate to the appropriate party.
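The two-step workaround above (accept tokens from several providers, and pick the provider on your own selection screen) and the earlier v2.0-endpoint answer about accepting both MSA and Azure AD sign-ins share one pitfall: once more than one issuer is acceptable, the application must decide per provider which issuer, tenant and audience it trusts. The added example below is not code from the question, the answers or any Microsoft library; it assumes the JWT signature has already been checked by your OWIN/JWT middleware against the right provider's keys and only validates the claims. All hosts, tenant ids and client ids are constructed placeholders except `MSA_TENANT_ID`, the well-known consumer tenant id.

```python
"""One sign-in page, several identity providers: home-realm discovery plus
per-provider claim checks (issuer, tenant, audience, lifetime).

Assumptions: ORG_TENANT_ID and CLIENT_ID are placeholders for your tenant and app
registration; the ADFS and B2C hosts and issuers are constructed; signature
verification happens before validate_claims() is called.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

MSA_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad"  # personal Microsoft accounts
ORG_TENANT_ID = "placeholder-org-tenant-id"
CLIENT_ID = "placeholder-client-id"


@dataclass(frozen=True)
class Provider:
    name: str
    authority: str                       # where the browser is sent to sign in
    audience: str                        # value the token's 'aud' must carry
    issuer_ok: Callable[[dict], bool]    # provider-specific issuer rule
    domains: Tuple[str, ...] = ()        # e-mail domains routed here by home-realm discovery


def aad_v2_issuer(allowed_tenants):
    """With the /common v2.0 authority the issuer varies per tenant: rebuild it from
    'tid' and accept only the tenants you expect (your org and, for MSA, the consumer tenant)."""
    def ok(claims):
        tid = claims.get("tid")
        return (tid in allowed_tenants
                and claims.get("iss") == f"https://login.microsoftonline.com/{tid}/v2.0")
    return ok


def fixed_issuer(issuer):
    return lambda claims: claims.get("iss") == issuer


PROVIDERS: Dict[str, Provider] = {
    "aad": Provider("aad", "https://login.microsoftonline.com/common/v2.0", CLIENT_ID,
                    aad_v2_issuer({ORG_TENANT_ID, MSA_TENANT_ID}), ("contoso.example",)),
    "adfs": Provider("adfs", "https://adfs.partner.example/adfs", CLIENT_ID,
                     fixed_issuer("https://adfs.partner.example/adfs"), ("partner.example",)),
    "b2c": Provider("b2c", "https://placeholder-tenant.b2clogin.com/placeholder-tenant.onmicrosoft.com/B2C_1_signin",
                    CLIENT_ID,
                    fixed_issuer("https://placeholder-tenant.b2clogin.com/placeholder-b2c-tenant-id/v2.0/")),
}


def select_provider(email: str) -> str:
    """Home-realm discovery: known domains go to their federation, everyone else to B2C."""
    domain = email.rsplit("@", 1)[-1].lower()
    for p in PROVIDERS.values():
        if domain in p.domains:
            return p.name
    return "b2c"


def validate_claims(provider_name: str, claims: dict, now: float = None) -> dict:
    """Return a normalised identity or raise ValueError. A valid signature alone is not
    enough: the token must also come from the issuer/tenant and carry the audience
    expected for the provider the user was sent to."""
    p = PROVIDERS[provider_name]
    now = time.time() if now is None else now
    if not p.issuer_ok(claims):
        raise ValueError(f"issuer or tenant not accepted for provider {provider_name}")
    if claims.get("aud") != p.audience:
        raise ValueError("token was not issued to this application")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise ValueError("token outside its validity window")
    return {"provider": provider_name, "subject": claims["sub"],
            "tenant": claims.get("tid", provider_name)}


if __name__ == "__main__":
    for email in ("ann@contoso.example", "bob@partner.example", "carol@example.net"):
        print(email, "->", PROVIDERS[select_provider(email)].authority)
```

The provider chosen on the selection screen must be remembered across the redirect (for example in the OIDC `state`), so that the returning token is validated against that provider's rules and not against whichever provider would have accepted it.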
I have an ASP.NET MVC 4.6 application and I want to be able to use an application identity to provide access to the Azure Graph API behind the scenes, but I want to use Azure AD users for my application's authentication and authorization.
The end goal is to be able to have a user initially register using Google, Facebook, or enter their own username. During this registration, my application would leverage the Graph API to create an Azure AD user behind the scenes.
Once registered, if the user logs on using Google, Facebook, or their own username, it will look up against the Azure AD users to retrieve groups or roles.
Is this possible, or even a good idea? I'm open to other suggestions. Thanks!
This is possible. Azure AD recently released Azure AD B2C (business to consumer) to public preview. B2C will allow your users to sign up and sign in with consumer identity providers (e.g. Google, Facebook, etc.).
The sign up portion of this creates a special kind of user in Azure AD that has a reference to an identity in the consumer identity provider. The sign in portion of B2C allows users to authenticate with their corresponding identity provider, and that authentication is recognized in Azure AD.
The full documentation starts at: https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-overview/, and a ASP.NET MVC sample is at: https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-devquickstarts-web-dotnet/.
Alternatively, if you want to do your own, off the top of my head, the best you can do is to build a mechanism where you associate a "regular" Azure AD user with the corresponding social identity provider (e.g. maintain a lookup table). Your users would sign in to your app using each identity provider's protocol, and when they've done so, you "artificially" link them to the corresponding Azure AD users. From Azure AD's perspective, however, these users would not actually be authenticated, so at best, you'd be using Azure AD as a place to store users and groups.
Check out the new Azure B2C offering, in preview, which supports the exact scenario you are asking about out of the box.