
My use case is:

  • Create users via API with custom fields, nominated password using any email address
  • Update/disable those users via API
  • 'Sign in' to Azure AD app with user details via rest API to obtain token
  • Make authorised requests to Web API when token passed in Http header

Can all of this be achieved with straight Azure AD/B2C or should I be looking at some other identity provider e.g. IdentityServer/Auth0?

Edit 1

I'm getting very confused between AAD apps/users and B2C apps/users; there is very little guidance on what to use in this case.

Using https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet as a starting point I get the following results when plugging in the client id and secret from:

  • Azure AD - Application Type Web app/ Api - works, can create user
  • Azure AD - Application Type Native - does not work, cannot create user
  • Azure B2C - Application created in PowerShell as per link - works, can create user, however I can't see the newly created application in the Azure Portal, and can't make changes.
  • Azure B2C - Application created in B2C UI - does not work, request to Graph API fails with 'insufficient permissions'. I added the read/write permissions manually in PowerShell but this did not work.

At this point I don't know what is the correct approach for my scenario.

Matt Rowett

1 Answer

If you want to add local accounts in Azure AD B2C, you could use the Azure AD Graph API to achieve that. To add a local account user to an Azure Active Directory B2C tenant, see the Create a user (local account) API document.

If you want to add social accounts such as Facebook and Google, you need to check whether these identity providers provide REST APIs to manage their users.

Edit

For connecting to the Graph API, currently you need to set up another app in Azure AD (not in the Azure AD B2C blade):

In that app you could set an app key and grant permissions to use the Azure AD Graph API. Another way is using a PowerShell service principal and attaching the 3 Graph API permissions:

https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-devquickstarts-graph-dotnet/

After the user signs in to the B2C app, when calling the Graph API you could use ADAL v2 or v3 in order to get access tokens which can be used with the Azure AD Graph API (using the client credential flow). Please refer to the code sample in the link above.

If you want to restrict which users can create users with the Graph API, you could write your own logic in the app to control that.

Update:

A B2C app (created in the B2C blade) could help you sign in and sign up users, but a B2C app can't access the APIs currently (in preview, but I can't select any API in my portal), so you need to use an AD app (in the Azure AD blade), which can be granted permission to access other APIs like the Microsoft Graph API. When following the link https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet, note that in the article the author creates a ServicePrincipal, not an app, so you couldn't find the app. Please click here for more details about Application and service principal objects in Azure Active Directory.

Nan Yu
  • Thanks, for clarity am I able to do the same thing with Azure AD and not use B2C? And then can I use those user details to obtain a token valid for AD Applications? – Matt Rowett Apr 09 '17 at 08:52
  • Also, would the token be valid for Azure B2C 'applications'? Are AD and B2C applications the same thing? – Matt Rowett Apr 09 '17 at 11:11
  • Yes, you could use the AAD Graph API to create work or school accounts in Azure AD and local accounts in Azure AD B2C. Applications can be integrated with Azure AD / Azure AD B2C to provide secure sign-in and authorization for their services. Applications are the same concept in Azure AD and Azure AD B2C. – Nan Yu Apr 11 '17 at 01:35
  • The Application settings in AAD and B2C are very different. In B2C there is no 'Managed Application in Local Directory' link, where I should be able to assign users to the application. How do I assign users to a B2C application? – Matt Rowett Apr 11 '17 at 12:43
  • There is also no apparent way to assign the relevant permissions (such as create/update users) to a B2C application as is possible with an AAD application. – Matt Rowett Apr 11 '17 at 16:27
  • @MattRowett, I have edited my reply to answer your question, please check that. – Nan Yu Apr 12 '17 at 03:11
  • I have to say this is way more painful than it should be. All I want to do is: 1, create a user with custom fields; 2, obtain a token using the user's credentials; 3, access a secure API with that token. Are there any simple, complete examples anywhere? – Matt Rowett Apr 12 '17 at 16:02
  • Since the B2C app access API feature is currently in preview, I am afraid that you need to register another app which can be used to access the API. Referring to [this link](https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet) will help you build that. – Nan Yu Apr 13 '17 at 09:36
  • Do I need to create the B2C object in PowerShell as per the document as a ServicePrincipal, or should I be creating it as a B2C application in the UI so that I can use properties like App Uri Id? The B2C app method is failing when creating users - insufficient permissions. – Matt Rowett Apr 14 '17 at 09:21
  • You need a B2C application created in the UI (in the B2C blade) to let users sign in and sign up, then add a ServicePrincipal as per the document to enable accessing the API. – Nan Yu Apr 14 '17 at 09:24
  • OK, I created a new B2C application (not native), generated a new App key and attempted to create a new user using the B2CClient sample - I get an 'insufficient permissions' error. Should I be using the AppPrincipalId and secret from the PowerShell-created ServicePrincipal instead? If so, what is the purpose of the UI B2C app? – Matt Rowett Apr 14 '17 at 10:38
  • Do I need to somehow connect the UI app and the PowerShell ServicePrincipal? – Matt Rowett Apr 14 '17 at 10:45
  • You need one B2C app; in that app you want to access the Graph API to create users, but a B2C app can't access APIs currently, so you need another Azure AD app (or a ServicePrincipal created in PowerShell as the document shows), and you could use that app identity to access the API (set permissions to APIs in the Azure AD portal). Hope you understand. – Nan Yu Apr 17 '17 at 01:25
  • If I create a B2C app in the B2C blade, I can't create users using the Id & secret. – Matt Rowett Apr 18 '17 at 09:39
  • You want to use the Graph API to create users? If yes, you need another Azure AD app, since a B2C app can't access the Graph API currently. – Nan Yu Apr 19 '17 at 01:15
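The pattern the answer settles on (a separate Azure AD app whose client credentials are exchanged for an Azure AD Graph token, then Graph calls to create and disable B2C local-account users with custom extension attributes), as an added example that is not code from the question, the answer, or the linked Microsoft sample. The tenant name, app id, secret and extension property names are constructed placeholders; the Azure AD Graph endpoint and `api-version=1.6` payload shape are the ones the linked 2017 documentation describes (that API has since been retired in favour of Microsoft Graph).

```python
"""Added example, not code from the question or answer: build the requests the
answer describes (client-credentials token from the Azure AD app, then Azure AD
Graph API calls to create and disable a B2C local-account user)."""
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.windows.net/"      # Azure AD Graph resource id
LOGIN = "https://login.microsoftonline.com"

def build_token_request(tenant, client_id, client_secret):
    """Client-credentials grant against the v1 endpoint for the Azure AD app
    (not the B2C-blade app) holding Graph permissions. Returns (url, body)."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": GRAPH,
    }).encode()
    return f"{LOGIN}/{tenant}/oauth2/token", body

def build_local_user(email, display_name, password, ext_app_id=None, custom=None):
    """JSON body for 'Create a user (local account)'. Custom fields ride on Graph
    extension properties named extension_<appId without dashes>_<name>, which
    must already be registered on the Azure AD app identified by ext_app_id."""
    user = {
        "accountEnabled": True,
        "creationType": "LocalAccount",              # B2C local account marker
        "displayName": display_name,
        "passwordProfile": {"password": password, "forceChangePasswordNextLogin": False},
        "passwordPolicies": "DisablePasswordExpiration",
        "signInNames": [{"type": "emailAddress", "value": email}],
    }
    if custom:
        prefix = "extension_" + ext_app_id.replace("-", "") + "_"
        user.update({prefix + k: v for k, v in custom.items()})
    return user

def build_graph_request(tenant, access_token, path, payload, method="POST"):
    """Bearer-authenticated Graph request: POST users creates, PATCH users/{id} updates."""
    url = f"{GRAPH}{tenant}/{path}?api-version=1.6"
    req = urllib.request.Request(url, data=json.dumps(payload).encode(), method=method)
    req.add_header("Authorization", "Bearer " + access_token)
    req.add_header("Content-Type", "application/json")
    return req

def disable_user_request(tenant, access_token, object_id):
    """Use-case step 2: disabling a user is a PATCH setting accountEnabled to false."""
    return build_graph_request(tenant, access_token, f"users/{object_id}",
                               {"accountEnabled": False}, "PATCH")
```

Send the returned `Request` objects with `urllib.request.urlopen` after POSTing the token body and reading `access_token` from the JSON reply; the client secret belongs to the backend that calls Graph, never to the B2C sign-in app the browser talks to.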