Azure AD B2C integrating with corporate (Azure?) AD accounts

2

10

We would like to use Azure AD B2C for our web applications to allow users to sign in either with a 'local' account/password or use their social accounts (Facebook, etc). https://learn.microsoft.com/azure/active-directory-b2c/active-directory-b2c-overview

However, in this application, we are likely to be targeting organisations, so we would also like to integrate with a company's existing Azure AD corporate accounts. That way the user doesn't have to create a new account and can use their existing corporate account.

It turns out that there is a (new) feature within Azure AD B2C which allows you to explicitly link to an external Azure AD account by using a custom policy as described here: https://learn.microsoft.com/azure/active-directory-b2c/active-directory-b2c-setup-aad-custom

Unfortunately, this only works if we know in advance which external companies we need to link with and add in specific configuration. It also leaks information about who is using the app, because the company names become listed as options on the sign-in page.

I've also looked at the Azure AD B2B features, but I don't think that this fits properly either.

What we'd really like is for Azure AD B2C to offer a generic 'sign in with a (corporate) Microsoft account', which detects whether that email address is already handled within any Azure AD system; if it is, it then delegates authentication to that system, but if not, it falls back to an Azure AD B2C local account.

This generic login already works for access to standard Microsoft apps, such as their portals. Does anyone know if this is possible within Azure AD B2C, or have any potential timescale for when it may become possible? Are there any alternate systems which may be able to offer similar functionality?

Corrugation answered 4/8, 2017 at 14:9 Comment(0)
5

What you are referring to is having Azure AD in multi-tenant mode, added as an identity provider to Azure AD B2C.

From: Multi-Tenant Azure AD Auth in Azure AD B2C with Custom Policies

In order to support multi-tenant Azure AD, you'll need to configure your ClaimsProvider in the custom policy with different values.

Use the values below, making sure you replace the client_id and IdTokenAudience values with your own.

<Item Key="DiscoverMetadataByTokenIssuer">true</Item>
<Item Key="ValidTokenIssuerPrefixes">https://sts.windows.net/</Item>
<Item Key="authorization_endpoint">https://login.microsoftonline.com/common/oauth2/authorize</Item>
<Item Key="client_id">df5b2515-a8d2-4d91-ab4f-eac6e1e416c2</Item>
<Item Key="BearerTokenTransmissionMethod">AuthorizationHeader</Item>
<Item Key="scope">openid</Item>
<Item Key="UsePolicyInRedirectUri">false</Item>
<Item Key="HttpBinding">POST</Item>
<Item Key="response_types">id_token</Item>
<Item Key="IdTokenAudience">df5b2515-a8d2-4d91-ab4f-eac6e1e416c2</Item>

CAUTION: This functionality isn't even officially in preview yet, so use it with caution. Keep monitoring the official "Sign in by using Azure AD accounts" documentation to see when this is fully documented and supported.

EDIT: Make sure you flip the Multi-tenanted switch in the App's settings, otherwise you'll get the following error:

AADSTS70001: Application with identifier '(guid)' was not found in the directory (our company's primary domain)

Teteak answered 4/8, 2017 at 20:39 Comment(4)
Unfortunately, this doesn't seem to work. I get "Sorry, but we’re having trouble with signing you in. We've received a bad request." I've used the same client_id and idTokenAudience as I'd used for a specific tenant. Is there anything else I should have configured?Alejandro
Digging further, this specifies an error: "AADSTS70001: Application with identifier '(guid)' was not found in the directory (our company's primary domain)". During this testing, we are not referencing the primary domain at all. I'm trying all this with a test tenant for the Azure B2C, and another test tenant for the user I'm logging in. How/why does this connect with our primary domain? Can we force a disconnect here. In fact, what client_id should we be using here, because obviously we can't add our app to every target tenant's AD as a client.Alejandro
Sounds like you didn't flip the "Multi-tenanted" switch in the Azure AD app you are using in this claims provider.Teteak
Yes, that fixed it. Thank you very much. This now appears to be working.Alejandro
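The metadata items in the answer above delegate authentication to any Azure AD tenant. Two things are worth seeing in working code: why the order of the checks behind DiscoverMetadataByTokenIssuer and ValidTokenIssuerPrefixes matters (the issuer prefix must be checked before any key is discovered by issuer, or an attacker-run IdP gets to supply the keys its own tokens are verified with), and what the policy as written does not do, which is decide which tenants are allowed in: any Azure AD tenant, including one created for free, yields a token this claims provider accepts. The Go program below is an added example and is not code from the page, from Azure AD B2C or from Microsoft; it models the checks on an RS256 id_token, signing constructed tokens with a throwaway key so it runs offline. The `Policy`, `Validate` and `Scenarios` names, the `AllowedTenants` allow-list, the keys map that stands in for metadata discovery, the two tenant ids and the `sts.windows.net.evil.example` issuer are all assumptions of the example; the client_id is the one from the answer.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of an Azure AD v1-endpoint id_token that the checks below use.
type Claims struct {
	Iss string `json:"iss"` // https://sts.windows.net/{tenant-id}/
	Aud string `json:"aud"` // client_id of the multi-tenant app registration
	Tid string `json:"tid"` // tenant that authenticated the user; key users by (tid, oid), never by email
	Exp int64  `json:"exp"`
}

// Policy mirrors two metadata items from the answer plus AllowedTenants, an
// allow-list the answer's policy does not have (our addition; nil = any tenant).
type Policy struct {
	ValidTokenIssuerPrefixes []string
	IdTokenAudience          string
	AllowedTenants           map[string]bool
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Sign mints an RS256 id_token so the example can construct tokens offline.
func Sign(c Claims, key *rsa.PrivateKey) (string, error) {
	body, _ := json.Marshal(c)
	in := b64([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64(body)
	d := sha256.Sum256([]byte(in))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, d[:])
	return in + "." + b64(sig), err
}

// Validate models the policy's checks. keys stands in for DiscoverMetadataByTokenIssuer
// ({iss}/.well-known/openid-configuration in production); the issuer prefix is checked
// BEFORE that lookup, so an attacker-run IdP never has its keys consulted. Then come
// signature, audience and expiry, and last the tenant allow-list (authenticated != authorised).
func Validate(raw string, p Policy, keys map[string]*rsa.PublicKey, now time.Time) (c Claims, err error) {
	hdr, parts := map[string]string{}, strings.Split(raw, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("malformed token")
	}
	hb, e1 := base64.RawURLEncoding.DecodeString(parts[0])
	pb, e2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, e3 := base64.RawURLEncoding.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hb, &hdr) != nil || json.Unmarshal(pb, &c) != nil || hdr["alg"] != "RS256" {
		return c, fmt.Errorf("malformed token, or alg other than RS256") // the token never picks the algorithm
	}
	issuerOK := false
	for _, pre := range p.ValidTokenIssuerPrefixes { // the trailing "/" in "https://sts.windows.net/" keeps "sts.windows.net.evil.example" out
		issuerOK = issuerOK || strings.HasPrefix(c.Iss, pre)
	}
	if !issuerOK {
		return c, fmt.Errorf("issuer %q is not under a valid prefix", c.Iss)
	}
	d := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if pub := keys[c.Iss]; pub == nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) != nil {
		return c, fmt.Errorf("no discoverable key for issuer %q, or signature does not verify", c.Iss)
	}
	if c.Aud != p.IdTokenAudience || now.Unix() >= c.Exp {
		return c, fmt.Errorf("audience %q or expiry %d not acceptable", c.Aud, c.Exp)
	}
	if p.AllowedTenants != nil && !p.AllowedTenants[c.Tid] {
		return c, fmt.Errorf("tenant %q authenticated but not authorised for this app", c.Tid)
	}
	return c, nil
}

// Scenarios signs constructed tokens (one throwaway key, made-up tenant ids) and returns Validate's verdict per case.
func Scenarios() map[string]error {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // Azure AD signs every tenant's tokens with one shared key set
	const app = "df5b2515-a8d2-4d91-ab4f-eac6e1e416c2" // client_id from the answer
	const contoso, fabrikam = "11111111-1111-4111-8111-111111111111", "22222222-2222-4222-8222-222222222222"
	aad := func(tid string) string { return "https://sts.windows.net/" + tid + "/" }
	evil := "https://sts.windows.net.evil.example/" // attacker's IdP; it publishes the same key, so only the prefix check stops it
	keys := map[string]*rsa.PublicKey{aad(contoso): &key.PublicKey, aad(fabrikam): &key.PublicKey, evil: &key.PublicKey}
	p := Policy{ValidTokenIssuerPrefixes: []string{"https://sts.windows.net/"}, IdTokenAudience: app, AllowedTenants: map[string]bool{contoso: true}}
	exp, out := time.Now().Add(time.Hour).Unix(), map[string]error{}
	for name, c := range map[string]Claims{
		"contoso user":  {Iss: aad(contoso), Aud: app, Tid: contoso, Exp: exp},
		"fabrikam user": {Iss: aad(fabrikam), Aud: app, Tid: fabrikam, Exp: exp}, // any Azure AD tenant can mint this
		"evil issuer":   {Iss: evil, Aud: app, Tid: contoso, Exp: exp},
	} {
		tok, _ := Sign(c, key)
		_, out[name] = Validate(tok, p, keys, time.Now())
	}
	return out
}

func main() { fmt.Println(Scenarios()) }
```

Running it prints the verdicts: the contoso user is accepted, the fabrikam user is rejected by the allow-list even though its token is genuine, and the attacker issuer is rejected before any key is consulted. In a real deployment the same restriction can live in the policy rather than the app: give ValidTokenIssuerPrefixes the issuer prefixes of the specific tenants you trust (https://sts.windows.net/{tenant-id}/) instead of the bare https://sts.windows.net/ prefix, which is what the answer's values do. If the app is to enforce the allow-list itself, the technical profile must also map the tid claim to an output claim, which the answer's fragment does not show; and identify users by (tid, oid), not by email, since the email claim is mutable and not verified by the issuing tenant.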
1

Azure AD B2C does not officially support a multi-tenant Azure AD identity provider. You should vote for the feature here so it can help prioritize it and so that you can be contacted when the feature is in preview.

There is a potential workaround if you have a limited set of Azure AD tenants that you work with. You could build a page in your app where the user types in the email address. Based on the email address, you can use the domain_hint parameter when calling Azure AD B2C to redirect them directly to the right sign-in page.

Gabby answered 4/8, 2017 at 20:43 Comment(4)
So what is the solution if you want to have a web app that is for internal company users (normal AD) but also needs to authenticate other users outside the company (other Azure AD tenants, Microsoft accounts, Facebook accounts, etc.)?Tonita
What do you mean that it's an internal app that external users can also use? If you want to build a CUSTOMER app that both your employees and customers can log into, you should use an Azure AD B2C tenant and add Azure AD as an IdP. However, if this is an app used by employees and company partners to collaborate on work, then you should use Azure AD and look into Azure AD B2BGabby
OK, thank you. However, if I want to enable customers to log in with their Azure AD, and I have unlimited customers/organizations, I cannot manually add each of them as a provider. The needed functionality is like a multi-tenant app in Azure AD...Tonita
I agree with Parakh. You should keep your customer and internal applications/users separate. Follow the lead set by Microsoft. They probably decided to offer AAD and B2C as separate services for a reason ;) If you absolutely must; you could default to customer login and either customize the login page to include a link for internals to access the AAD login page instead of B2C. Better yet, have a separate page dedicated to internal AAD that redirects to AAD login. ie. /login -> B2C login & /internal -> AAD loginMamey

© 2022 - 2024 — McMap. All rights reserved.