Is there any way to migrate users info (username, password) from SQL DB to Azure AD B2C. In Azure AD there is way to migrate user credentials using AD Connect. But AD B2C does not supports AD Connect. Can you please help is there any other alternative ways to migrate users credentials?
You can do that using the Graph API. The exact way depends on whether you have access to the user's passwords, or just a one-way hash of them.
The steps necessary are documented in the AAD B2C User migration guide.
There is no existing tool for it like AD Connect. You have to develop your own, but the documentation has a sample app that you can use as a starting point.
Related
When creating ASP.NET Core web app, if you use Azure AD for authentication, is it possible to store user info in your app database? And if so, is there a best practice approach to doing this?
I'd like to store user role info in my app's database; I know you can use AD groups but
(a) I'd like to be able control this from within the app and
(b) I don't know if I have permissions to create new groups in my company's Azure AD.
yes, you can. After authentication with Azure AD, you can get userinfo from ID token if you are using OIDC. Then you can store the userinfo in your app's local database.
For (a), you wanna control user role in your app which used to edit in azure portal. Then you may take microsoft graph api user role into consideration. You may check the link if this api is what you need.
(b) create new groups, this can achieved by this api.
Calling microsoft graph api required an azure ad application which can be assigned api permission by admin, then it can be used to generate access token to call the api.
Federation identity are like sign up with Google, or sign up with Facebook. I want to migrate from Auth0 to Azure, but the problem is I can't find any proper documentation that explains what happen to those users who signed up using their Google or Facebook account.
There are good documentation for username and password users, but there is not anything special for federation identity users.
Does anyone know how to migrate them?
I have the same question for Amazon Cognito and other alternative services
This is not always straightforward, because some IdPs issue a different UUID per Application Registration. If you can re-use the exact same Application Registration at Facebook, for example, with AAD B2C, then this can be fairly easy.
There is an example here:
https://github.com/azure-ad-b2c/samples/tree/master/policies/link-local-account-with-federated-account
All you need to do is pre-create the Local accounts in AAD B2C, and provide the expected UUID from the federated IdPs token to the Local account user object in AAD B2C. AAD B2C can then link the account when the user comes in with that Facebook account.
I am building an asp.net core web API project, with Angular client for front-end. We are using azure b2c as our IDP server, (for registration, authentication and related topics). So far the experience is great.
The issue we are having right now, is that we are trying to add 'admin' role to some of our users, who will be allowed to reach some endpoints of our web API, and do some operations that normal users won't be allowed to.
Since we are using asp.net5 web API for our back-end, in a normal environment, this would be done through [Authorize (Role = "Admin")] attribute, however in Azure b2c it seems not a straight forward thing to do.
Right now, we need 2 types of user roles: User role and Admin role.
Anyone knows how to add user roles in a azure b2c app, and then protect the back-end API endpoints for those roles?
Thank you!
There is no out-of-the-box support for RBAC / Roles in Azure AD B2C. However there are a lot of samples in the official GitHub repository. For example the "Implementing Relying Party Role Based Access Control" or "User consent for API Scopes".
These are the ways to implement RBAC using Azure AD B2C.
Here's the context :
I have currently a Corporate Azure AD tenant (Teams, ...) and created a B2C tenant dedicated to my customers which I plan to use for my website authentication.
I guess It is the purpose of the "multi-tenant" option when registering the app but I wonder If I can limit only to the two tenants I own and not opening my website to anyone which has a Microsoft account (for what I understand reading the Microsoft documentation).
If anyone which had already set up a similar authentication process can guide me maybe or just give me some tips to do website authentication by checking if the user account is valid in one of the two tenants ?
Thank you in advance and feel free to ask if you need any more information (maybe I wasn't clear enough).
In Azure AD B2C using custom policies you can set up sign-in for Multi-tenant Azure AD which allows users from multiple Azure AD tenants to sign in, without you having to configure an identity provider for each tenant.
In the custom policy using https://login.microsoftonline.com/ as the value for ValidTokenIssuerPrefixes you can restrict access to specific list of Azure AD tenant users who can sign in.
Please refer the above mentioned document on how to sent up the configuration, as you can see in the add claim provider section how to configure multiple organizations/Tenants with the comma separator.
<Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000,https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111</Item>
Please refer documentation and samples which helps you in getting started with custom policies
I am working as a tester on a new Web Application that uses Azure B2C, And I am looking for the appropriate approach to handle this project. Please suggest me some ideas
It's the same approach as testing any Azure AD application.
Test all the profiles e.g. sign up / sign-in / reset password.
For any API secured by B2C, use automated testing and use the Resource Owner Password flow for the credentials.