3 votes

We have the following scenario:

  • an Angular app accessing a Web Api backend
  • our own user database

We are planning to use a third-party identity solution such as Azure AD B2C, AWS IAM or Auth0. To my surprise, I found that Auth0 has an integration with on-premise Active Directory, but Azure AD B2C seems not to support this (at least not that I could find out).

We want to get to the following scenario:

  • an Angular app accessing a Web Api backend
  • third-party identity solution that manages the users of the angular app (preferably Azure AD B2C)
  • users need to authenticate via the identity solution (e.g. using a social account)
  • some users are in an existing on-premise AD and also need to be able to access the angular app

So my problem basically is: if we were to use Azure AD B2C, how can we let users that are defined in an on-premise AD authenticate in our Angular app? Or, in other words: can an on-premise AD be an identity provider for Azure B2C?


1 Answer

2 votes

This scenario can be solved with AD B2C custom policies.

> I found that Auth0 has an integration with on-premise Active Directory, but Azure AD B2C seems not to support this (at least not that I could find out)

One way I know to make this work is through ADFS, where you can integrate ADFS in B2C. I will update this answer if I know any other way of doing this.

Update Start

You can use Shibboleth and Okta servers apart from an ADFS server.

Update End

> users need to authenticate via the identity solution (e.g. using a social account)
>
> some users are in an existing on-premise AD and also need to be able to access the angular app

If you use custom policies, you can achieve all of these scenarios. You can integrate both social accounts and AD via ADFS (an on-premise ADFS server which gives access to on-premise AD users).

> if we would use Azure AD B2C, how can we let users that are defined in an on-premise AD, authenticate in our Angular app? Or with other words: can an on-premise AD be an identity provider for Azure B2C?

As I said, this is possible through an ADFS server. All you need to do is enable the ADFS service on your server, add Relying Parties, make B2C consume it, and allow your AD users to log in with B2C.

Warning: If your server does not have ADFS enabled, first try it on another test server.

ADFS in custom policies can be found at: https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-custom-setup-adfs2016-idp
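To make the answer's "make B2C consume it" step concrete, here is an added example (not part of the answer above, and not taken from the linked Microsoft article) of the ClaimsProvider element you would add to the TrustFrameworkExtensions file of an Azure AD B2C custom policy so that an on-premise AD FS server acts as a SAML 2.0 identity provider. The domain `contoso.com`, the AD FS hostname `adfs.contoso.com` and the policy key name `B2C_1A_ADFSSamlCert` are placeholders; the policy key must hold the AD FS token-signing certificate, which is what lets B2C verify the signature on every SAML response before trusting the claims in it.

```xml
<!-- Added example: ClaimsProvider for an on-premise AD FS server (placeholders: contoso.com,
     adfs.contoso.com, B2C_1A_ADFSSamlCert). Goes inside <ClaimsProviders> in TrustFrameworkExtensions.xml. -->
<ClaimsProvider>
  <Domain>contoso.com</Domain>
  <DisplayName>Contoso AD FS</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="Contoso-SAML2">
      <DisplayName>Contoso employee sign-in</DisplayName>
      <Description>Sign in with your on-premise AD account via AD FS</Description>
      <Protocol Name="SAML2" />
      <Metadata>
        <!-- B2C reads the AD FS entity ID, endpoints and signing cert from this metadata document.
             Keep it on HTTPS: the metadata is the trust anchor for the federation. -->
        <Item Key="PartnerEntity">https://adfs.contoso.com/federationmetadata/2007-06/federationmetadata.xml</Item>
        <!-- Set to true and configure an encryption key if AD FS is set to encrypt assertions. -->
        <Item Key="WantsEncryptedAssertions">false</Item>
      </Metadata>
      <CryptographicKeys>
        <!-- Policy key containing the AD FS token-signing certificate (uploaded under Identity Experience Framework > Policy keys). -->
        <Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_ADFSSamlCert" />
      </CryptographicKeys>
      <OutputClaims>
        <!-- Map the claims AD FS issues in the assertion onto B2C claim types. The PartnerClaimType
             values must match the claim names configured in the AD FS relying party trust for B2C. -->
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="userPrincipalName" />
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
        <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="family_name" />
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
        <!-- Tag the account with its source so the app can tell AD users from social-account users. -->
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="contoso.com" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-idp" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
```

The technical profile then has to be referenced from a ClaimsProviderSelection and a ClaimsExchange step in the user journey, alongside the social providers, so both sign-in options appear on the same B2C page. On the AD FS side, the relying party trust for B2C needs the B2C tenant's SAML metadata as its identifier and a claim rule that emits the five claims mapped above; the `identityProvider` value is what the Angular app's backend can check if it needs to restrict some API operations to on-premise AD users only.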