Menu

This blog post shows how to configure an environment where users can login to Azure Web application using B2B (business) accounts or B2C (consumer) accounts. Azure B2C is a separate product from Azure AD which enables to federate authentication to the social platforms (ext. Facebook, LinkedIn, Twitter, Google) using the Open ID Connection protocol. It's also important to know that O365 services are only available for B2B users.

If you're more interested about the differences between Azure AD B2B and B2C the I suggest that you read Microsoft document about it.

Big picture about the environment

ad1.png

Enviroment has a one Web application which is using Azure AD B2C as a IDP. This configuration makes possible to login that web application by using B2C or B2B account. Web application is not directly aware of Azure AD B2B because it's hidden behind the B2C.

Create Azure AD B2B Directory

First create a normal Azure Active Directory which is the main directory for the B2B users. You can find Azure Active Directory from the Azure Portal marketplace.

ad2.png

After clicking create you can determine the name for the directory.

ad3.png

In this environment all external B2B users are invited to this directory. Before that let's create also a Azure AD B2C service.

Create Azure AD B2C directory

After clicking create select "Create a new Azure AD B2C Tenant"

ad5.png

Next determine the name for the directory.

ad6.png

After creation go to the frontpage of the Azure AD B2C. First you have to linked B2C tenant to the active Azure subscription.

ad7.png

Link Azure AD B2C to active Azure subscription

Open Directory switcher and select directory which has Azure subscription and go to marketplace and search "Azure Active Directory B2C".

ad9.png

ad10.png

Click create and select "Link an existing Azure AD B2C Tenant to my Azure subscription"

ad11.png

Select just created Azure AD B2C tenant.

ad12.png

Now you can find the Azure B2C tenant from the Resource Group.

ad13.png

Next configure B2C identity providers and applications.

Configure identity providers for Azure AD B2C

Select B2C directory and go back to B2C frontpage

ad14.png

Select Identity Providers

ad15.png

Select Google

ad16.png

Follow this guide to configure Client in the Google Console portal.

Configure connection between Azure AD B2C and Azure AD B2B

This Azure AD B2B application is configured later as a Open Id Connection provider to the Azure AD B2C.

ad17.png

Select B2B Azure AD directory (cloudcompanyb2b)

ad18.png

Open App registrations

ad19.png

Select a new registration. Give the name for application and select account type.

ad20.png

Next copy the ApplicationId (=ClientId) to the notepad because we need it later.

ad21.png

Select authentication. Next we should configure the redirect URI where Azure B2B is redirect user back. This address should be point to the B2C authresp endpoint. The URI should be https://login.microsoftonline.com/te/[B2CTENANT].onmicrosoft.com/oauth2/authresp. Select also Access and ID tokens and then click Save.

ad22.png

Select certificates & secrets

ad23.png

Select new client secret

ad24.png

After creation client secret is revealed. Copy it to ex. Notepad.

Configure Azure AD B2B OIDC connection in Azure AD B2C

Go back to B2C directory (cloudcompanyb2c) and open identity providers. 

ad25.png

Click new OpenId Connect provider.

ad26.png

Metadata url = B2B OIDC metadata endpoint url https://login.microsoftonline.com/[B2BTENANT].onmicrosoft.com/.well-known/openid-configuration

After configuration the Identity Provider listing should look like this.

ad27.png

Configure Sample Web application

Next we configure the Sample Web application which is using a Azure AD B2C as a IDP. Go to Azure AD B2C configuration view and select Applications.

ad28.png

Click Add and give the name of the application. Reply URL should point to the OIDC endpoint of the application. First I'm testing a app in the localhost.

ad29.png

Click Keys section and then click generate key. After creation client secret is revealed. Copy it to ex. Notepad.

ad30.png

Configure Azure AD B2C user flows (policies)

Next user flows should be configured that Identity Provider selections will be visible in the login screen. Click user flows (policies).

ad31.png

New user flow

ad32.png

Select "Sign up and sign in". Give the name and select Google and Cloud Company B2B Identity Providers. Select also all user attributes and claims.

ad33.png

Invite Azure B2B user

Go to B2B AAD (cloudcompanyb2b)

ad34.png

Click New guest user and input email address. This is my MS Account address.

ad35.png

After invitation user is listed as a Guest user (Invited User).

ad36.png

Next email invitation arrives. Click the link in the email.

ad37.png

After invitation process user is listed a Guest (External Azure Active Directory)

ad38.png

Test authentication with Sample Web application

My sample web application code based on WebApp-OpenIdConnect-Dotnet example project. Example project can be find from here.

Sample application shows the following Identity Providers in the login screen. I want to test B2B login so I click "Cloud Company B2B".

ad39.png

Consent view appears.

ad40.png

After consent the following information is asked.

ad41.png

After clicking continue I'm redirected to the application. Example project shows all the claims from the About view.

undefined

Summary

Configuration requires a quite a many steps but it's pretty straightforward to do. This was my first test with Azure B2C and I'm very interested about it. Later I want to get more information about claims transformation. My next post will show how to configure Azure AD B2B and B2C as a external provider in the Identity Server.