azure ad b2c
Azure AD B2C authorization code and refresh token size increase update
Update September 11, 2023: This post is no longer relevant.

As part of ongoing security improvement efforts in Azure Active Directory (AAD), part of Microsoft Entra, Azure AD B2C will be rolling out a format change that increases the size of the OAuth 2.0 (and OpenID Connect) authorization codes and refresh tokens returned to your application. If your application is configured to accept the OAuth2 authorization code as a query string parameter or URL fragment, this change might impact users in the following scenarios:

- Users with old web browsers, such as Internet Explorer, may exceed the URL length limit.
- Your application runs on web servers, or behind firewalls or reverse proxies, with low URL length limits or configured limits.

The OAuth2 (and OpenID Connect) protocol specifies three response modes, which specify how the authorization code is returned to your application. With the query and fragment modes, the authorization code is returned as a query parameter or fragment of the URL. In the form_post mode, response parameters are encoded as HTML form values that are transmitted via the HTTP POST method and encoded in the body. For more information, see the OAuth 2.0 authorization code flow in Azure Active Directory B2C article.

To mitigate URL length issues:

- For web applications, we recommend setting the OAuth2 response_mode to form_post, to ensure the most secure transfer of tokens to your application.
- For single-page applications with the authorization code flow and PKCE, reduce the number of claims emitted to your application. In your user flows and custom policies, remove claims that are unnecessary for your app. You can use the UserInfo endpoint to return claims about the authenticated user. This will minimize the size of the authorization code and the refresh token.

This change should not affect device-installed apps, such as mobile and desktop apps.

The change also impacts the size of the refresh token. The MSAL library caches a token after it has been acquired.
For web applications with an in-memory cache or a distributed token cache, make sure your cache system can handle the size of the refresh token, or reduce the size of the refresh token as described in the previous section.

Yoel

Azure AD B2C with Dynamics 365 (CRM) Contacts
Hello, I am trying to find a solution for the following scenario: We want to build an application where our customers can log on against Azure B2C. However, the field validation (claims) has to be against Dynamics 365 (CRM) contacts. I managed to set up a .NET application and authenticate with Azure AD B2C, but without any validation/claims. For example, I want the following fields to be validated:

- Firstname
- Lastname
- Relationnumber (CRM)

Those values have to come from the CRM contact fields and need to match the user's input when signing up/in. I am lost here and unable to find a solution for this. I already tried to export/import CRM contacts into Azure B2C and created custom attributes (relationnumber) and filled them, but that doesn't seem to be the solution. I also tried to create a Flow in PowerApps, but that didn't help either. Also, if I am trying to set this up the wrong way, please let me know. Thank you!

Azure AD B2C Custom Policies Password Protection Smart Lockout feature is not working as intended
My team is trying to implement an account lockout based on the number of login attempts. In Azure AD B2C > Authentication Methods > Password Protection we changed the lockout threshold to 3 and the lockout duration in seconds to 180 (3 mins). Then we tried it using our custom policy for sign-in, running the policy directly from the portal with https://jwt.ms as the reply URL. Here are some of the issues we came across while testing. One is that the account is never locked out, even after 10 tries. Yes, we are fully aware of the smart lockout feature, so we used a strong password generator for testing. But still, the account is never locked out. Then we found a quick fix/workaround in https://stackoverflow.com/questions/65802966/azure-ad-b2c-custom-policy-not-returning-account-lockout-error-50053#comment116482527_65802966. After implementing the quick fix, the user's account is getting locked out after 3 tries. But this is not consistent: sometimes the account is locked out after 3 tries, sometimes after 4 or 5. And also, after the account has been locked out, there are occurrences where we can still successfully log in right after the error message shows up saying that the account is locked out.

Our questions are: Is there an existing issue on Azure's side that prevents the use of the account lockout feature in Azure AD B2C custom policies? If not, are we missing something when we're setting up / configuring account lockout in Azure AD B2C > Authentication Methods > Password Protection in the portal? Do we need to add / remove something in our custom policies? Or are there other solutions for implementing account lockout based on the number of login attempts?

If there are no fixes / workarounds based on the previously mentioned questions, can we instead implement the account lockout feature using https://docs.microsoft.com/en-us/azure/active-directory-b2c/javascript-and-page-layout?pivots=b2c-custom-policy?

Allowing an external org to access my application (registered in azure ad) with their credentials?
Hi all, I have created a single-tenant application that works well for my organisation; however, I need to add another (external) organisation so that it can use my application. The organisation that I want to add has an Azure AD. Hence my goal is to enable people from the 2nd organisation to sign in to my app without needing to register. How am I supposed to go about this? I've looked into the "app registrations" page but have not seen such an ability, and I've looked online to find a solution to this problem to no avail. I'm aware I will need to change the application to "multi-tenant" and also change the URLs from tenant-specific to /common. However, I have no idea how to go about enabling a specific organisation to access my application (while not allowing other orgs) and use my app after signing on with their Microsoft org credentials, without registration. I'm looking for suggestions on how I should go about this, or a resource I can use to do this, as I'm a bit lost on how to do this and still a bit of a noobie with Azure AD. Appreciate any help! Thanks,

Group Based Assignment in Azure AD B2C
Hi, according to this comparison you can't use the groups from the underlying Azure AD tenant to manage customers' access to applications. Apparently you can't define app roles, assign groups to applications and put customers into groups. https://learn.microsoft.com/en-us/azure/active-directory-b2c/supported-azure-ad-features

However, I was able to do this. While the familiar "Application Roles" menu isn't available, I can just define a role directly in the manifest. I was able to assign a group to an application with the role I defined in the manifest: POST https://graph.microsoft.com/v1.0/servicePrincipals(appId='/:client_id/')/appRoleAssignedTo

I was able to take an account that was created via a custom policy execution and put it into that group. While you can't easily configure the token as you would with regular Azure AD P2 and include the groups and roles, it was trivial to write an Azure Function that, using the user object ID and client_ID, derived the assigned roles and groups by overlapping the /memberOf groups of the user and the /appRoleAssignments of the servicePrincipal. It simply gets called in the custom policy, and in case the customer is not assigned I send a custom OAuth 2.0 error (access_denied) instead of the claims with the groups and roles included. While it is obviously a workaround and I need to consider rate limits when my policy does Graph API calls via an Azure Function on sign-in, I think it should work out just fine for our scenario.

Does anything speak against doing this, or am I risking that this functionality gets removed as it's not intended to be possible? Role-based access via groups is the best thing about Azure AD, and it should be a feature in Azure AD B2C anyway if you ask me. Otherwise you're not able to handle lots of customer-facing applications with different customer segments by different business units.

Seamless Identity Integration: Azure API Management with Azure AD B2C (AADB2C)
Azure API Management (APIM) is a robust platform for managing and securing your APIs. In this blog post, we will guide you through integrating Azure API Management with Azure Active Directory B2C (AADB2C) for identity management. This integration enhances the security of your APIs by requiring user authentication before access is granted. We will break down the process into three key steps: setting up the Developer Portal to use AADB2C, configuring APIM to use OAuth 2.0 for authorization, and implementing token validation to ensure secure access.

Cross-tenant synchronization (Private mode)
Cross-tenant synchronization enables you to automate provisioning identities across tenants in your organization and simplify collaboration within your organization. In addition, it automates removing accounts when users no longer need access and keeps accounts synchronized across tenants. This feature will not appear on all tenants until Microsoft releases it as a preview.

Azure B2C and being able to use email/emails attribute from the claim
Hi, we're currently working through using Azure B2C as an IdP for Identity Server 4.0 as a federation gateway, and then ADFS to access an internal relying party trust configured for a specific use case. We've got all of the configuration in place, but we're having an issue trying to get the email attribute from the B2C token flowing through as expected. In Azure B2C, this comes through via the claim attribute "emails", as it's a string collection type, and we have spent hours running through various options from online ideas to no avail. Thanks in advance if anyone has any ideas on this issue.

Azure B2C Custom Domain - Woodgrove demo site
Hi Parakh Jain, I was wondering how the https://woodgrovedemo.com/ demo site is using a custom domain for its Azure B2C user flows (login.woodgrovedemo.com). The current FAQ states that this is currently not possible and that b2clogin.com must be used. Would you be able to elaborate on how the demo site is achieving this? Many thanks, Bryan