azure ad b2c

Cross-tenant synchronization (Private mode)
Cross-tenant synchronization lets you automate provisioning of identities across the tenants in your organization and simplify collaboration between them. It also automates removing accounts when users no longer need access and keeps accounts synchronized across tenants. This feature will not appear on all tenants until Microsoft releases it as a preview.

Unable to update tenant properties
Hello! Is it possible to change the tenant name (not the domain name) in an Azure AD B2C tenant? I have attempted the following steps: https://learn.microsoft.com/en-us/answers/questions/649444/azure-ad-b2c-change-organization-name Besides the aforementioned procedures, I have established a local administrator account (with global administrative privileges); nonetheless, I have encountered an identical outcome. Thank you for your time and assistance. Have a great day! 🙂

Azure AD B2C authorization code and refresh token size increase update
Update September 11, 2023: This post is no longer relevant.

As part of ongoing security improvement efforts in Azure Active Directory (AAD), part of Microsoft Entra, Azure AD B2C will be rolling out a format change that increases the size of the OAuth 2.0 (and OpenID Connect) authorization code and refresh tokens returned to your application. If your application is configured to accept the OAuth2 authorization code as a query string parameter or URL fragment, this change might impact users in the following scenarios:

- Users with old web browsers such as Internet Explorer may exceed the URL length limit.
- Your application runs on web servers, or behind firewalls or reverse proxies, with low URL length limits or configuration.

The OAuth2 (and OpenID Connect) protocol specifies three response modes, which specify how the authorization code is returned to your application. With the query and fragment modes, the authorization code is returned as a query parameter or fragment of the URL. In the form_post mode, response parameters are encoded as HTML form values that are transmitted via the HTTP POST method and encoded in the body. For more information, check out the OAuth 2.0 authorization code flow in Azure Active Directory B2C article.

To mitigate URL length issues:

- For web applications, we recommend using OAuth2 response_mode set to form_post, to ensure the most secure transfer of tokens to your application.
- For single-page applications with the authorization code flow and PKCE, reduce the number of claims emitted to your application. In the user flows and custom policies, remove claims that are unnecessary for your app. You can use the user info endpoint to return claims about the authenticated user. This will minimize the size of the authorization code and the refresh token.

This change should not affect device-installed apps, such as mobile and desktop apps.

The change also impacts the size of the refresh token. The MSAL library caches a token after it has been acquired. For web applications with an in-memory cache or a distributed token cache, make sure your cache system can handle the size of the refresh token, or reduce the size of the refresh token as described in the previous section.

Yoel

Group Based Assignment in Azure AD B2C
Hi, according to this comparison you can't use the groups from the underlying Azure AD tenant to manage access of customers to applications. Apparently you can't define app roles and then assign groups to applications and put customers into groups. https://learn.microsoft.com/en-us/azure/active-directory-b2c/supported-azure-ad-features

However, I was able to do this. While the familiar "Application Roles" menu isn't available, I can just define a role directly in the manifest. I was able to assign a group to an application with the role I defined in the manifest:

POST https://graph.microsoft.com/v1.0/servicePrincipals(appId='/:client_id/')/appRoleAssignedTo

I was able to take an account that was created via a custom policy execution and put it into that group. While you can't easily configure the token as you would with regular Azure AD P2 and include the groups and roles, it was trivial to write an Azure Function that, using the user object ID and client_ID, derives the assigned roles and groups by overlapping the /memberOf groups of the user and the /appRoleAssignments of the servicePrincipal. It simply gets called in the custom policy, and in case the customer is not assigned I send a custom OAuth 2.0 error (access_denied) instead of the claims with the groups and roles included.

While it is obviously a workaround and I need to consider rate limits when my policy makes Graph API calls via an Azure Function on sign-in, I think it should work out just fine for our scenario. Does anything speak against doing this, or am I risking that this functionality gets removed as it's not intended to be possible? Role-based access via groups is the best thing about Azure AD, and it should be a feature in Azure AD B2C anyway if you ask me. Otherwise you're not able to handle lots of customer-facing applications with different customer segments by different business units.

Allowing an external org to access my application (registered in Azure AD) with their credentials?
Hi all, I have created a single-tenant application that works well for my organisation; however, I need to add another (external) organisation so that it can use my application. The organisation that I want to add has an Azure AD. Hence my goal is to enable people from the second organisation to sign into my app without needing to register. How am I supposed to go about this? I've looked into the "app registrations" page but have not seen such an ability, and I've looked online to find a solution to this problem to no avail. I'm aware I will need to change the application to "multi-tenant" and also change the URLs from tenant-specific to /common. However, I have no idea how to go about enabling a specific organisation to access my application (while not allowing other orgs) and use my app after signing on using their Microsoft org credentials without registration. I'm looking for suggestions on how I should go about this, or a resource I can use to do this, as I'm a bit lost on how to do this; still a bit of a noobie with Azure AD. Appreciate any help! Thanks,

Query on Azure AD B2C licensing and features
Hello, I'm wondering whether I could get some assistance / feedback from the forum on the following queries related to Azure AD B2C licensing and features.

1. B2C linked to P1 subscription level, but the Azure AD blade displays "Azure AD Free"

The Azure AD B2C tenant is linked to a subscription with the P1 pricing tier. However, the Azure AD tenant blade lists the AD tenant license as "Azure AD Free". https://azure.microsoft.com/en-us/support/legal/sla/active-directory/v1_1/ Must we also procure a few Azure AD P1 licenses for the B2C tenant, in addition to the B2C P1 subscription, to ensure the AD tenant SLA and overcome the 50k object limit?

2. License for organization employees accessing B2C apps

https://azure.microsoft.com/en-us/pricing/details/active-directory/external-identities/ - the MAU pricing for the P1 subscription is applicable only for external users. All organization employees need a P1 license. Is this clause also applicable to a B2C tenant, or is it relevant only for a B2B tenant? Suppose that a few organization employees, like technical support admins, also need to access apps in the B2C tenant; this can be facilitated by creating an OIDC identity provider in the B2C tenant to federate to the organization's Azure AD B2B tenant for authentication of employees. Do these organization users need an additional P1 license for the B2C tenant? Are the organization users also counted towards the MAU P1 subscription, just like external users, in the B2C scenario?

3. AD group feature capability for B2C tenant

https://docs.microsoft.com/en-us/azure/active-directory-b2c/tenant-management#supported-azure-ad-features "Consumer accounts can not be member of any group." Currently we are able to add B2C consumer accounts as a member or owner of Azure AD security groups. For instance, one could use group membership with a custom sign-in / sign-up policy: a user shall be added to "App Group" when the user is signed up by the App, and only "App Group" members shall be able to sign in to the App. Is this a case of the documentation not being up to date? Or is the intended group usage one of the unsupported features in a B2C tenant?

Regards, Mehul

Boolean in custom policy gives invalid type error
I've created a custom policy where I defined the following claim:

    <ClaimType Id="extension_eula">
      <DisplayName>Accept Eula</DisplayName>
      <DataType>boolean</DataType>
      <UserHelpText>Accept the EULA to proceed with the setup</UserHelpText>
      <UserInputType>RadioSingleSelect</UserInputType>
      <Restriction>
        <Enumeration Text="Yes" Value="True" SelectByDefault="false" />
      </Restriction>
    </ClaimType>

When I click on the radio button to accept the EULA, it gives me the following error in Application Insights:

    {
      "Key": "Exception",
      "Value": {
        "Kind": "Handled",
        "HResult": "80131500",
        "Message": "An error occurred while writing User claims using identifier claim type \"signInNames.emailAddress\" in tenant \"o365testb2c.onmicrosoft.com\". Error returned was 400/Request_BadRequest: Invalid type for property 'extension_e3eeb4aa7a9f45a69369564e0996ea00_eula' specified. Expected type '[extension_e3eeb4aa7a9f45a69369564e0996ea00_eula, True]'.",
        "Data": {
          "IsPolicySpecificError": false,
          "TenantId": "o365testb2c.onmicrosoft.com",
          "PolicyId": "B2C_1A_SignUpSignInO365TestB2C"
        },
        "Exception": {
          "Kind": "Handled",
          "HResult": "80131509",
          "Message": "The remote server returned an error: (400) Bad Request.",
          "Data": {
            "cpim_webResponse_string": "{\"odata.error\":{\"code\":\"Request_BadRequest\",\"message\":{\"lang\":\"en\",\"value\":\"Invalid type for property 'extension_e3eeb4aa7a9f45a69369564e0996ea00_eula' specified. Expected type '[extension_e3eeb4aa7a9f45a69369564e0996ea00_eula, True]'.\"},\"requestId\":\"6ee502cc-16c7-4c17-8ed1-5159bea5a4a8\",\"date\":\"2020-01-22T07:31:54\"}}"
          }
        }
      }
    }

However, I defined the value as "True". When I change the type to string instead of boolean, the solution works.