Secure API with Azure AD/B2C users

5
votes

My use case is:

  • Create users via API with custom fields, nominated password using any email address
  • Update/disable those users via API
  • 'Sign in' to Azure AD app with user details via rest API to obtain token
  • Make authorised requests to Web API when token passed in Http header

Can all of this be achieved with straight Azure AD/B2C or should I be looking at some other identity provider e.g. IdentityServer/Auth0?

Edit 1

I'm getting very confused between AAD apps/users and B2C apps/users, there is very little guidance on what to use in this case.

Using https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet as a starting point I get the following results when plugging in the client id and secret from:

  • Azure AD - Application Type Web app/ Api - works, can create user
  • Azure AD - Application Type Native - does not work, cannot create user
  • Azure B2C - Application created in Powershell as per link - works, can create user, however I can't see the newly created application in the Azure Portal, and can't make changes.
  • Azure B2C - Application created in B2C UI - does not work, request to Graph Api fails with 'insufficient permissions'. I added the read/write permissions manually in Powershell but this did not work.

At this point I don't know what is the correct approach for my scenario.

1
asp.net-web-apiazure-active-directoryidentityserver3auth0azure-ad-b2c

1 Answers

1
votes

If you want to add local accounts in Azure AD B2C , you could use Azure AD Graph API to achieve that , to add a local account user to an Azure Active Directory B2C tenant, see Create a user (local account) api document .

If you want to add social accounts such as Facebook and Google , you need to check whether these identity provides provide the REST APIs to manage their users.

Edit

For connecting to the Graph API, currently you need to setup another app in Azure AD(not in azure ad b2c blade) :

enter image description here In that app you could set app key and grant permissions to use the Azure AD Graph API .Another way is using powershell service principal and attach the 3 Graph API permissions:

https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-devquickstarts-graph-dotnet/

After user sign in the B2C app , when calling the graph api , you could use ADAL v2 or v3 in order to get access tokens which can be used with the Azure AD Graph API(using client credential flow). Please refer to code sample in above link .

If you want to restrict uses who can create users with Graph api , you could write your own logic in app to control that .

Update :

B2C app(which create in b2c blade) could help you sign-in and sign-up users , but B2C app can't access the APIs currently(in preview , but can't select any api in my portal) , so you need to use a AD app(in azure ad blade) , which could grant permission to access other APIs like Microsoft Graph API. When follow link :https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet ,in article he creates a ServicePrincipal not a app , so you couldn't find the app , Please click here for more details about Application and service principal objects in Azure Active Directory