B2C
3 Topics

Azure B2C - SSO - Teams
Morning everyone, I'm trying to understand the feasibility of an integration between: external website, Azure B2C, SSO and Microsoft Teams. The idea is the following: users land on the website, where they register/authenticate via SSO offered by Azure on an external identity provider. Once their account is stored on the website (and eventually on Azure B2C), they should be able to log in to Teams with the account they used to register/sign in via SSO. I know that accounts inside a standard Azure Active Directory can access the same domain/tenant via Microsoft Teams. Can we do the same if the directory is a B2C directory?

About the B2C & SSO, this is the setup:
- Azure B2C directory
- Custom app registered in the Azure AD (used to interact with Azure AD via the Microsoft Graph API)
- SSO using external identity providers (like Google, Microsoft, Facebook, etc.)

Let's say everything is already set up (connections, user flow, policies, etc.). Now this is my sample flow:
1. A new user (unknown to both systems, Azure and our own) lands on the external login page.
2. The user chooses to log in via one of the available identity providers; let's say he uses Google (for example).
3. He enters his Google credentials (email + password).
4. The user is authenticated via the SSO offered by Azure B2C.
5. The OIDC token and data are transferred to the final endpoint configured by the application/user flow/policies.

Now what I don't get is:
- Does the B2C directory register and store this user by itself once they register/sign in via SSO?
- Is the SSO related somehow to the Azure users, or is it a simple SSO system offered via Azure?
- Since Teams allows login mainly from members under the domain list of the Azure directory, how would it be possible for a user with (for example) a google.com email to log in to a custom Teams related to the B2C directory?
- Will the custom app, registered in the Azure B2C directory, be able to access users via Microsoft Graph and eventually act "as user" via the SSO token using the Delegated permission?

I started my study here: https://docs.microsoft.com/en-us/azure/active-directory-b2c/overview but there's no precise explanation about how the process works underneath.
4K views, 0 likes, 1 comment

How to prioritise one set of customers to book event.
I use a multi-booking event published on my Microsoft Bookings page for an exercise class. The number of spaces available is restricted and for the most part this works well. However, the multi-booking event is open to all my customers, and given that the event has a restricted number of places, I would like my oldest customers, who have been with me from the beginning, to have priority or the opportunity to book before all the rest. How can I achieve this? How do I give them (original customers) the opportunity to book before everyone else? Would welcome any help or suggestions with this issue please! Thank you in advance.
1.1K views, 0 likes, 1 comment

Azure AD B2C Custom Policy REST Integration Error
Hello All, I am new to Azure and B2C. I was trying the REST API integration as explained at https://docs.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-rest-api-claims-validation. I have followed the same steps, but I am getting an error when I try to upload the "SignUpOrSignin" policy file:

  Validation failed: 1 validation error(s) found in policy "B2C_1A_SIGNUP_SIGNIN" of tenant "****.onmicrosoft.com".
  Claim type "identityProvider" is the output claim of the relying party's technical profile, but it is not an output claim in any of the steps of user journey "SignUpOrSignIn".

Please advise; I have tried all the options to fix this issue at rookie level. Following is the SignUpOrSignin policy:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                      xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                      xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
                      PolicySchemaVersion="0.3.0.0"
                      TenantId="****.onmicrosoft.com"
                      PolicyId="B2C_1A_signup_signin"
                      PublicPolicyUri="http://***.onmicrosoft.com/B2C_1A_signup_signin">
  <BasePolicy>
    <TenantId>****.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>
  </BasePolicy>
  <RelyingParty>
    <!-- The journey itself is not defined in this file or in the extensions below;
         it is inherited from TrustFrameworkBase through the BasePolicy chain. -->
    <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
    <TechnicalProfile Id="PolicyProfile">
      <DisplayName>PolicyProfile</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <OutputClaims>
        <!-- Every claim listed here without a DefaultValue must be emitted as an OutputClaim by a
             technical profile that some orchestration step of the "SignUpOrSignIn" journey runs;
             that is the rule the upload error above is reporting for identityProvider. -->
        <OutputClaim ClaimTypeReferenceId="displayName" />
        <OutputClaim ClaimTypeReferenceId="givenName" />
        <OutputClaim ClaimTypeReferenceId="surname" />
        <OutputClaim ClaimTypeReferenceId="email" />
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" />
        <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" />
        <OutputClaim ClaimTypeReferenceId="promoCode" DefaultValue="" />
      </OutputClaims>
      <SubjectNamingInfo ClaimType="sub" />
    </TechnicalProfile>
  </RelyingParty>
</TrustFrameworkPolicy>

Following is my TrustFrameworkExtensions:

<?xml version="1.0" encoding="utf-8" ?>
<TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                      xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                      xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
                      PolicySchemaVersion="0.3.0.0"
                      TenantId="***.onmicrosoft.com"
                      PolicyId="B2C_1A_TrustFrameworkExtensions"
                      PublicPolicyUri="http://***.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions">
  <BasePolicy>
    <TenantId>****.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkBase</PolicyId>
  </BasePolicy>
  <BuildingBlocks>
    <ClaimsSchema>
      <ClaimType Id="loyaltyId">
        <DisplayName>Your_loyalty_ID</DisplayName>
        <DataType>string</DataType>
        <UserInputType>TextBox</UserInputType>
      </ClaimType>
      <ClaimType Id="promoCode">
        <DisplayName>Your_promo_code</DisplayName>
        <DataType>string</DataType>
        <UserInputType>TextBox</UserInputType>
      </ClaimType>
      <ClaimType Id="userLanguage">
        <DisplayName>User_UI_language</DisplayName>
        <DataType>string</DataType>
        <UserInputType>TextBox</UserInputType>
      </ClaimType>
    </ClaimsSchema>
  </BuildingBlocks>
  <ClaimsProviders>
    <ClaimsProvider>
      <DisplayName>Local Account</DisplayName>
      <TechnicalProfiles>
        <!-- Overrides the profile of the same Id in the base policy; the elements below are merged into it. -->
        <TechnicalProfile Id="LocalAccountSignUpWithLogonEmail">
          <DisplayName>Local Account SignIn </DisplayName>
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="Verified.Email" Required="true" />
            <OutputClaim ClaimTypeReferenceId="newPassword" Required="true" />
            <OutputClaim ClaimTypeReferenceId="reenterPassword" Required="true" />
            <OutputClaim ClaimTypeReferenceId="displayName" />
            <OutputClaim ClaimTypeReferenceId="givenName" />
            <OutputClaim ClaimTypeReferenceId="surName" />
            <!-- Required to present the text box to collect the data from the user -->
            <OutputClaim ClaimTypeReferenceId="loyaltyId" />
            <!-- Required to pass the promoCode returned from "REST-ValidateProfile" to subsequent orchestration steps and token issuance -->
            <OutputClaim ClaimTypeReferenceId="promoCode" />
          </OutputClaims>
          <ValidationTechnicalProfiles>
            <ValidationTechnicalProfile ReferenceId="REST-ValidateProfile" />
          </ValidationTechnicalProfiles>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
    <ClaimsProvider>
      <DisplayName>Self Asserted</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="SelfAsserted-Social">
          <DisplayName>Self Asserted Account SignIn </DisplayName>
          <!-- A self-asserted page is driven by SelfAssertedAttributeProvider (the handler the base policy
               already uses for this profile); RestfulProvider belongs only to REST API technical profiles. -->
          <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
          <InputClaims>
            <InputClaim ClaimTypeReferenceId="email" />
          </InputClaims>
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="email" />
            <OutputClaim ClaimTypeReferenceId="displayName" />
            <OutputClaim ClaimTypeReferenceId="givenName" />
            <OutputClaim ClaimTypeReferenceId="surname" />
            <!-- Required to present the text box to collect the data from the user -->
            <OutputClaim ClaimTypeReferenceId="loyaltyId" />
            <!-- Required to pass the promoCode returned from "REST-ValidateProfile" to subsequent orchestration steps and token issuance -->
            <OutputClaim ClaimTypeReferenceId="promoCode" />
          </OutputClaims>
          <ValidationTechnicalProfiles>
            <ValidationTechnicalProfile ReferenceId="REST-ValidateProfile" />
          </ValidationTechnicalProfiles>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
    <ClaimsProvider>
      <DisplayName>Facebook</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="Facebook-OAUTH">
          <DisplayName>FaceBook Account SignIn </DisplayName>
          <!-- Facebook is an OAuth2 identity provider: the protocol is OAuth2, as in the base policy's
               Facebook-OAUTH profile, not the proprietary RestfulProvider handler. -->
          <Protocol Name="OAuth2" />
          <Metadata>
            <Item Key="client_id">facebook_clientid</Item>
            <Item Key="scope">email public_profile</Item>
            <Item Key="ClaimsEndpoint">https://graph.facebook.com/me?fields=id,first_name,last_name,name,email</Item>
          </Metadata>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
    <ClaimsProvider>
      <DisplayName>Local Account SignIn</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="login-NonInteractive">
          <DisplayName>Local AD Account SignIn </DisplayName>
          <Metadata>
            <Item Key="client_id">e82ac191-cb22-4b40-a72b-c1cf5a461980</Item>
            <Item Key="IdTokenAudience">feb75f6c-4a7b-44a3-8dbb-1cc8c70727f5</Item>
          </Metadata>
          <InputClaims>
            <InputClaim ClaimTypeReferenceId="client_id" DefaultValue="e82ac191-cb22-4b40-a72b-c1cf5a461980" />
            <InputClaim ClaimTypeReferenceId="resource_id" PartnerClaimType="resource" DefaultValue="feb75f6c-4a7b-44a3-8dbb-1cc8c70727f5" />
          </InputClaims>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
    <ClaimsProvider>
      <DisplayName>REST APIs</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="REST-ValidateProfile">
          <DisplayName>Check loyaltyId Azure Function web hook</DisplayName>
          <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
          <Metadata>
            <Item Key="ServiceUrl">https://****.azurewebsites.net/api/Validate**?code=*******</Item>
            <Item Key="SendClaimsIn">Body</Item>
            <!-- Set AuthenticationType to Basic or ClientCertificate in production environments;
                 with "None", anyone who learns the ServiceUrl (the function key is part of it) can call the API. -->
            <Item Key="AuthenticationType">None</Item>
            <!-- REMOVE the following line in production environments -->
            <Item Key="AllowInsecureAuthInProduction">true</Item>
          </Metadata>
          <InputClaims>
            <!-- Claims sent to your REST API -->
            <InputClaim ClaimTypeReferenceId="loyaltyId" />
            <InputClaim ClaimTypeReferenceId="email" />
            <InputClaim ClaimTypeReferenceId="userLanguage" PartnerClaimType="lang" DefaultValue="{Culture:LCID}" />
          </InputClaims>
          <OutputClaims>
            <!-- Claims parsed from your REST API -->
            <OutputClaim ClaimTypeReferenceId="promoCode" />
          </OutputClaims>
          <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>
  <!--UserJourneys> </UserJourneys-->
</TrustFrameworkPolicy>

Nijo
1.5K views, 0 likes, 0 comments
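Added example (not code from the post, from Microsoft's starter pack, or from the linked article): an offline pre-check that reproduces the rule behind the validation error quoted in the post. It follows the BasePolicy chain, merges each technical profile's OutputClaims across layers, collects the technical profiles that the DefaultUserJourney's ClaimsExchange steps run (plus their validation profiles), and lists the relying-party output claims that nothing in the journey supplies. The base policy used here is a constructed stand-in containing only the elements the check reads, not the poster's TrustFrameworkBase, which the post does not show; the extensions are a cut-down copy of the poster's, and the sample relying party is the poster's with promoCode's DefaultValue removed so the validation-profile path is exercised. The merge semantics in the docstring are assumptions about the engine's behaviour, and the function names (parse_policies, unproduced_rp_claims, check) are the example's own. Running it with the social step removed from the journey yields exactly the identityProvider claim from the error, which is what a base whose SignUpOrSignIn journey has no social-provider step produces; whether that is the poster's situation cannot be told from the post.

```python
"""Offline pre-check for one Azure AD B2C custom-policy upload error (constructed example).
Assumed, not verified against the service: an RP OutputClaim carrying a DefaultValue needs no
producer; OutputClaims of same-Id TechnicalProfiles accumulate along the BasePolicy chain; a
UserJourney redefined in a later layer replaces the earlier one; claims emitted by a step's
ValidationTechnicalProfiles count as produced by that step."""
import xml.etree.ElementTree as ET

NS = {"p": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}
_NSDECL = 'xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"'

def parse_policies(xml_texts):
    """Lower-cased PolicyId -> root element, so the BasePolicy chain can be followed."""
    return {r.get("PolicyId").lower(): r for r in map(ET.fromstring, xml_texts)}

def policy_chain(policies, policy_id):
    """[base, ..., leaf]: follow BasePolicy/PolicyId until a policy has no base."""
    chain, cur = [], policies[policy_id.lower()]
    while cur is not None:
        chain.insert(0, cur)
        base = cur.find("p:BasePolicy/p:PolicyId", NS)
        cur = policies.get(base.text.strip().lower()) if base is not None else None
    return chain

def technical_profiles(chain):
    """Id -> {"out": claim ids, "val": validation profile ids}, merged over all layers."""
    tps = {}
    for root in chain:
        for tp in root.findall("p:ClaimsProviders/p:ClaimsProvider/p:TechnicalProfiles/p:TechnicalProfile", NS):
            entry = tps.setdefault(tp.get("Id").lower(), {"out": set(), "val": set()})
            entry["out"] |= {c.get("ClaimTypeReferenceId").lower() for c in tp.findall("p:OutputClaims/p:OutputClaim", NS)}
            entry["val"] |= {v.get("ReferenceId").lower() for v in tp.findall("p:ValidationTechnicalProfiles/p:ValidationTechnicalProfile", NS)}
    return tps

def journey_profiles(chain, journey_id):
    """Profiles referenced by the journey's ClaimsExchange steps (last layer defining it wins)."""
    refs = set()
    for root in chain:
        for uj in root.findall("p:UserJourneys/p:UserJourney", NS):
            if uj.get("Id").lower() == journey_id.lower():
                refs = {ce.get("TechnicalProfileReferenceId").lower() for ce in uj.findall(".//p:ClaimsExchange", NS)}
    return refs

def claims_produced(tps, start_ids):
    """Output claims of the given profiles plus, transitively, of their validation profiles."""
    seen, todo, claims = set(), list(start_ids), set()
    while todo:
        tp_id = todo.pop()
        if tp_id in seen or tp_id not in tps:
            continue
        seen.add(tp_id)
        claims |= tps[tp_id]["out"]
        todo.extend(tps[tp_id]["val"])
    return claims

def unproduced_rp_claims(xml_texts, rp_policy_id):
    """RP output claims (original spelling, sorted) that no step of its DefaultUserJourney supplies."""
    chain = policy_chain(parse_policies(xml_texts), rp_policy_id)
    rp = chain[-1].find("p:RelyingParty", NS)
    journey = rp.find("p:DefaultUserJourney", NS).get("ReferenceId")
    produced = claims_produced(technical_profiles(chain), journey_profiles(chain, journey))
    return sorted(c.get("ClaimTypeReferenceId") for c in rp.findall("p:TechnicalProfile/p:OutputClaims/p:OutputClaim", NS)
                  if c.get("DefaultValue") is None and c.get("ClaimTypeReferenceId").lower() not in produced)

def sample_base(with_social_step):
    """Constructed stand-in for TrustFrameworkBase (not the starter pack): only what the check reads."""
    fb = '<ClaimsExchange Id="FacebookExchange" TechnicalProfileReferenceId="Facebook-OAUTH"/>' if with_social_step else ""
    return f'''<TrustFrameworkPolicy {_NSDECL} PolicyId="B2C_1A_TrustFrameworkBase"><ClaimsProviders><ClaimsProvider><TechnicalProfiles>
<TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email"><OutputClaims><OutputClaim ClaimTypeReferenceId="objectId"/>
<OutputClaim ClaimTypeReferenceId="email"/><OutputClaim ClaimTypeReferenceId="displayName"/></OutputClaims></TechnicalProfile>
<TechnicalProfile Id="Facebook-OAUTH"><OutputClaims><OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="facebook.com"/>
<OutputClaim ClaimTypeReferenceId="email"/></OutputClaims></TechnicalProfile></TechnicalProfiles></ClaimsProvider></ClaimsProviders>
<UserJourneys><UserJourney Id="SignUpOrSignIn"><OrchestrationSteps><OrchestrationStep Order="1" Type="CombinedSignInAndSignUp">
<ClaimsExchanges><ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email"/>
</ClaimsExchanges></OrchestrationStep><OrchestrationStep Order="2" Type="ClaimsExchange"><ClaimsExchanges>
<ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail"/>{fb}
</ClaimsExchanges></OrchestrationStep></OrchestrationSteps></UserJourney></UserJourneys></TrustFrameworkPolicy>'''

# Cut-down version of the poster's extensions: the sign-up profile and its REST validation profile.
SAMPLE_EXTENSIONS = f'''<TrustFrameworkPolicy {_NSDECL} PolicyId="B2C_1A_TrustFrameworkExtensions">
<BasePolicy><PolicyId>B2C_1A_TrustFrameworkBase</PolicyId></BasePolicy><ClaimsProviders><ClaimsProvider><TechnicalProfiles>
<TechnicalProfile Id="LocalAccountSignUpWithLogonEmail"><OutputClaims><OutputClaim ClaimTypeReferenceId="email"/>
<OutputClaim ClaimTypeReferenceId="displayName"/><OutputClaim ClaimTypeReferenceId="givenName"/><OutputClaim ClaimTypeReferenceId="surName"/>
<OutputClaim ClaimTypeReferenceId="loyaltyId"/></OutputClaims><ValidationTechnicalProfiles>
<ValidationTechnicalProfile ReferenceId="REST-ValidateProfile"/></ValidationTechnicalProfiles></TechnicalProfile>
<TechnicalProfile Id="REST-ValidateProfile"><OutputClaims><OutputClaim ClaimTypeReferenceId="promoCode"/></OutputClaims></TechnicalProfile>
</TechnicalProfiles></ClaimsProvider></ClaimsProviders></TrustFrameworkPolicy>'''
# The poster's relying party with promoCode's DefaultValue removed, so the validation-profile path is exercised.
SAMPLE_RP = f'''<TrustFrameworkPolicy {_NSDECL} PolicyId="B2C_1A_signup_signin">
<BasePolicy><PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId></BasePolicy><RelyingParty>
<DefaultUserJourney ReferenceId="SignUpOrSignIn"/><TechnicalProfile Id="PolicyProfile"><OutputClaims>
<OutputClaim ClaimTypeReferenceId="displayName"/><OutputClaim ClaimTypeReferenceId="givenName"/><OutputClaim ClaimTypeReferenceId="surname"/>
<OutputClaim ClaimTypeReferenceId="email"/><OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
<OutputClaim ClaimTypeReferenceId="identityProvider"/><OutputClaim ClaimTypeReferenceId="promoCode"/>
<OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{{Policy:TenantObjectId}}"/>
</OutputClaims></TechnicalProfile></RelyingParty></TrustFrameworkPolicy>'''

def check(with_social_step):
    """[] means the RP passes this rule; otherwise the claims the service would name in its error."""
    return unproduced_rp_claims([sample_base(with_social_step), SAMPLE_EXTENSIONS, SAMPLE_RP], "B2C_1A_signup_signin")
```

check(True) returns [] and check(False) returns ['identityProvider']. To run it against real files, pass their contents in any order: unproduced_rp_claims([open(p).read() for p in (base, extensions, rp)], "B2C_1A_signup_signin"). It is a pre-check for this one rule only; the service's validator enforces others the script does not model, and claims that a step supplies only through a claims transformation are not tracked.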