Azure B2C - SSO - Teams


Morning everyone,

I'm trying to understand the feasibility of an integration between an external website, Azure B2C, SSO and Microsoft Teams. The idea is the following: users land on the website, where they register/authenticate via SSO offered by Azure on an external identity provider. Once their account is stored on the website (and eventually on Azure B2C), they should be able to log in to Teams with the account they used to register/sign in via SSO.


I know that accounts inside a standard Azure Active Directory can access the same domain/tenant via Microsoft Teams.

  • Can we do the same if the Directory is a B2C directory?

About the B2C & SSO, this is the setup:

  • Azure B2C Directory
  • Custom app registered in the Azure AD (used to interact with Azure AD via the Microsoft Graph API)
  • SSO using external identity providers (like Google, Microsoft, Facebook, etc.)

Let's say everything is already set up (connections, user flow, policies, etc.). Now this is my sample flow:

  • a new user (unknown to both systems, Azure and the owned system) lands on the external login
  • the user chooses to log in via one of the available identity providers
  • let's say he will use Google (for example)
  • he will insert his Google credentials (email + password)
  • the user will be authenticated via the SSO offered by Azure B2C
  • the OIDC token and data are transferred to the final endpoint configured by the application/user flow/policies

Now what I don't get is:

  • Does the B2C Directory register and store this user by itself once they register/sign in via SSO?
  • Is the SSO related somehow to the Azure users, or is it a simple SSO system offered via Azure?
  • Since Teams allows login mainly for members under the domains list of the Azure Directory, how would it be possible for a user with (for example) a google.com email to log in to a custom Teams related to the B2C Directory?
  • Will the custom app, registered in the Azure B2C Directory, be able to access users via Microsoft Graph and eventually act "as user" via the SSO token using the Delegated permission?

I started my study here: https://docs.microsoft.com/en-us/azure/active-directory-b2c/overview but there's no precise explanation about how the process works underneath.

0 Replies