
I have a requirement to integrate multiple external Azure Active Directories into my application (multitenant). Currently I'm using AD B2C. In brief, any client who purchases my product should be able to integrate their organization's Azure Active Directory with my application, and those AD users should be able to log in to the application without signing up.

  • One of the approaches I was trying was to validate external Azure Active Directory users by asking the client to create applications in their AD for authentication and authorization. But it seems to be a bit tricky, since we already have applications created inside the B2C tenant we use and secure the API with an application in the B2C tenant. With multiple ADs, the API will need to be secured with multiple IDs. How to do this?

  • The second approach was to read the external Azure Active Directory users using the Graph API and invite them as guest users. But here none of the guest users created could sign in to the application, even after changing the user type from "Guest" to "Member". Any idea on implementing this?

UPDATE: I did all the steps as in https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-commonaad-custom, but when I try to log in using one of my Azure AD accounts, after entering the credentials it navigates me to a B2C signup page. That is because I don't have that AD account in my B2C tenant. Only after doing the signup am I able to log in to the application and get the token, and the AD user is created in our B2C tenant with the source "Federated Azure Active Directory".

Is there any way to get rid of navigating to the signup page after entering credentials and instead log in to the application with the tokens at once, so that the user is not created in our B2C tenant and is validated against the client's Azure AD?

SINFER
  • Did you look into AAD B2B? It may be better suited to your problem. – Vic Aug 12 '19 at 16:58
  • @Vic Yeah, I had a look. But I need to have B2C functionality as well. Thanks for the reply :) – SINFER Aug 13 '19 at 05:51
  • 1
    Just a note - adding users via the B2C portal or via the guest mechanism is for B2C admin users i.e. users that can log into the portal. If you want users e.g. customers that can sign into a B2C application, they must either self-register or be added via the Graph API. – rbrayb Aug 19 '19 at 19:59

2 Answers


You are better off federating AAD B2C with the Azure AD common endpoint. This allows a single option for any user with an O365 account to log in to your service from any Azure AD tenant.

You can then whitelist tenants such that only your clients' Azure AD accounts are able to login via this single option. Clients only need to provide their TenantId to you.

https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-commonaad-custom

<!-- The key below allows you to specify each of the Azure AD tenants
 that can be used to sign in. Update the GUIDs below for each tenant. -->
<Item Key="ValidTokenIssuerPrefixes">https://sts.windows.net/00000000-0000-0000-0000-000000000000,https://sts.windows.net/11111111-1111-1111-1111-111111111111</Item>
spottedmahn
Jas Suri - MSFT
  • Thought of contributing with my answer below, but I'm sure you know this stuff way better :-D – Nikolai Aug 12 '19 at 16:33
  • @Jas Suri This is something I never came up with. Thanks, will let you know if it helped :) – SINFER Aug 13 '19 at 05:52
  • @Jas Suri I did all these steps, but when I try to log in using one of my Azure AD accounts, after entering the credentials it navigates me to a B2C signup page. Only after doing the signup do I log in to the application and get the token. And the AD user is created in our B2C tenant with the source "Federated Azure Active Directory". Is there any way to get rid of navigating to the signup page after entering credentials and instead log in to the application with the tokens at once? – SINFER Aug 19 '19 at 10:53
  • 1
    In the userjourney section, remove the orchestration step which references: TechnicalProfileReferenceId="SelfAsserted-Social". That step (step 4 in the unmodified SocialAndLocal starter pack) will invoke a B2C page which asks the user for a DisplayName etc after logging in with an external IdP. – Jas Suri - MSFT Aug 19 '19 at 11:54
  • @JasSuri if i remove this orchestration step will this affect even for the new clients that are signing up using local accounts rather than External Azure AD accounts? – SINFER Aug 20 '19 at 05:54
  • 1
    it wont effect normal sign ups, since this step only triggers for externally authenticated users. For a sign up, you would have an objectId by step 2, so step 4 is always skipped for them. Hence removing it has no impact on the local signups. – Jas Suri - MSFT Aug 20 '19 at 10:03
  • @JasSuri so i guess then clients signing up from facebook google will be effected with having no signup page to collect additional information. Is there anyway to remove signup step only for the AAD login? – SINFER Aug 20 '19 at 12:16
  • 1
    Ah yes thats correct. For each external idp Technical profile, there is an output claim called authenticationSource. It is set as a static default value for each idp (up to you to decide the string value). You can use this inside the step 4 precondition such that the step is skipped if the authenticationSource = AzureAD. This way, for any new sign up that is not AzureAD Auth but external auth, eg Facebook/Google.. the step will still trigger. https://learn.microsoft.com/en-us/azure/active-directory-b2c/userjourneys#preconditions – Jas Suri - MSFT Aug 20 '19 at 14:42
  • @JasSuri Thanks Jas will try that out. Many thanks :) – SINFER Aug 21 '19 at 07:01
  • @JasSuri skipping the orchestration step 4 ends up by giving an error " Error has been occurred please try contactting Administrator" – SINFER Feb 06 '20 at 05:53
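As an added example (not code from the original question, the answer or the Microsoft starter pack), here are the two custom-policy fragments that implement the skip Jas Suri describes in the comments: the multi-tenant Azure AD technical profile emits a static authenticationSource claim, and the orchestration step that shows the SelfAsserted-Social page skips itself when that claim carries the Azure AD marker, while Facebook/Google sign-ups still see the page. The technical profile Id Common-AAD, the marker value AzureADFederated, the key container name B2C_1A_AADAppSecret and all GUIDs are placeholders chosen for this example; the claims transformations and session profile referenced are the ones the starter pack uses for external IdPs.

```xml
<!-- Added example, not from the original post or the Microsoft starter pack.
     Two fragments for TrustFrameworkExtensions.xml. Assumed names:
     technical profile Id "Common-AAD", marker value "AzureADFederated",
     key container "B2C_1A_AADAppSecret", placeholder GUIDs. -->

<!-- Fragment 1: the multi-tenant Azure AD technical profile (ClaimsProviders). -->
<TechnicalProfile Id="Common-AAD">
  <DisplayName>Multi-tenant Azure AD</DisplayName>
  <Protocol Name="OpenIdConnect" />
  <Metadata>
    <!-- The common endpoint accepts tokens from every Azure AD tenant, so this
         allow-list is the only thing restricting sign-in to your clients.
         Use full tenant GUIDs; a truncated prefix would match more tenants
         than intended. -->
    <Item Key="METADATA">https://login.microsoftonline.com/common/.well-known/openid-configuration</Item>
    <Item Key="ValidTokenIssuerPrefixes">https://sts.windows.net/00000000-0000-0000-0000-000000000000,https://sts.windows.net/11111111-1111-1111-1111-111111111111</Item>
    <Item Key="client_id">22222222-2222-2222-2222-222222222222</Item>
    <Item Key="response_types">code</Item>
    <Item Key="scope">openid profile</Item>
    <Item Key="response_mode">form_post</Item>
    <Item Key="HttpBinding">POST</Item>
    <Item Key="UsePolicyInRedirectUri">false</Item>
  </Metadata>
  <CryptographicKeys>
    <Key Id="client_secret" StorageReferenceId="B2C_1A_AADAppSecret" />
  </CryptographicKeys>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid" />
    <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" />
    <!-- Once the SelfAsserted-Social page is skipped, displayName has to come
         from the Azure AD token, because the user-write step still persists it. -->
    <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
    <!-- Static marker read by the precondition in Fragment 2. Deliberately not
         "socialIdpAuthentication", which the starter pack uses for Facebook/Google. -->
    <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="AzureADFederated" AlwaysUseDefaultValue="true" />
  </OutputClaims>
  <OutputClaimsTransformations>
    <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
    <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
    <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
    <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
  </OutputClaimsTransformations>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
</TechnicalProfile>

<!-- Fragment 2: step 4 of the SignUpOrSignIn user journey (UserJourneys).
     The ClaimsExist precondition is the starter pack's own (returning users
     already have an objectId). The ClaimEquals precondition is the addition:
     it skips the attribute page for Azure AD users only, so a Facebook/Google
     first sign-up still reaches SelfAsserted-Social. Preconditions are
     evaluated in order; the first one that matches decides. -->
<OrchestrationStep Order="4" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
      <Value>objectId</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
    <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
      <Value>authenticationSource</Value>
      <Value>AzureADFederated</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="SelfAsserted-Social" TechnicalProfileReferenceId="SelfAsserted-Social" />
  </ClaimsExchanges>
</OrchestrationStep>
```

Two things to check before relying on this. The step numbering matches the unmodified SocialAndLocalAccounts SignUpOrSignIn journey, so compare it against the journey you actually deployed, and make sure the ClaimsProviderSelection for Common-AAD in step 1 and its ClaimsExchange in step 2 use the same Id. Also, skipping the attribute page only removes the prompt: the user-write step later in the starter pack journey still creates a B2C account for the federated user (which is why the asker sees users with source "Federated Azure Active Directory"), so the "validate only against the client's Azure AD, without creating the user in B2C" part of the question is not achieved by this change alone, and any claim that step needs (displayName above) must now be mapped from the token rather than collected on the skipped page.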

Creating separate B2C tenants for individual organizations could be a solution.

You will integrate each Azure AD tenant with the on-premises AD of the organization. In order to sync both ADs you will need to use Azure AD Connect.

(more information here on MSDN: https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/identity/azure-ad#azure-ad-connect-sync-service)

Once the ADs are synced, your web app will request access and ID tokens from each individual B2C tenant.

For more information on how to run various user journeys using OIDC read here:

https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-oidc

Nikolai
  • I want to have a single B2C tenant, but multiple AAD tenants need to be integrated with the application. No need to set up one B2C tenant per client. Thanks for your time :) – SINFER Aug 13 '19 at 05:56