Configure external Azure AD in Azure B2C tenant

0
votes

We have developed a client application which delegates user authentication to Azure AD and authentication happens via Azure AD graph apis with grant type as password. Client application can be accessed by internal users (employees) and external users (brokers). We have provisioned an internal Azure AD to manage internal users (employees) and Azure B2C tenant to manage external users (brokers) to keep user information in separate ADs.

Now, we want to configure the internal Azure AD inside Azure B2C tenant, so that the client application can authenticate both the types of users via Azure graph apis and using Azure B2C tenant id and client id in password grant type. Also perform AD related operations on users.

What is the right way to combine internal auth along with B2C auth for the same Azure web app?

1
azureazure-ad-b2cazure-ad-graph-api

1 Answers

1
votes

Firstly, Azure AD B2C doesn't have any direct support for the Resource Owner Password Credentials flow.

The only option for now is to redirect users from your web app to the Azure AD B2C authorization endpoint for sign-in.

However, work to support for this flow in Azure AD B2C is in-progress.

Secondly, if you configure the Azure AD tenant as an identity provider for the Azure AD B2C tenant, i.e. "configure the internal Azure AD inside Azure B2C tenant", then your web app won't be issued by the Azure AD B2C tenant with any Azure AD tokens that are required to invoke operations on the Azure AD users.

If this is required, then I suggest you federate your web app with both the Azure AD and Azure AD B2C tenants -- rather than with only the Azure AD B2C tenant and, through it, with the Azure AD tenant -- so your web app is issued by the respective tenants with tokens that can be used to invoke operations on either the Azure AD and Azure AD B2C users.