Azure functions secured with Azure AD B2C returns unauthorized when using B2C tenant domain

Question

Given an azure function secured via AAD B2C with https://login.microsoftonline.com/tfp/MyTenantName.onmicrosoft.com/signinsingunp as issuer url, I can successfully authenticate a b2c user via msal.js app, where as if I try to update issuer url to my b2ctenant domain login url (because of this advise redirect URLs to b2clogin.com) and update authority in msal.js app to match domain(myapp.b2clogin.com/tfp/MyTenantName.onmicrosoft.com/signinsingunp), I am receiving 401 for same azure function, any advise will be appreciated.

Below are detailed setup details,

Azure AD B2C Tenant
- Domain Name: MyTenantName.onmicrosoft.com
  - Applications:
    - ApplicationA-Api
      - WebApp/API : Yes
      - Allow Implicit Flow : Yes
      - Reply Url : https://myazurefunsapi.azurewebsites.net/.auth/login/aad/callback
      - App ID : https://MyTenantName.onmicrosoft.com/ApplicationA-Api
      - Published Scopes : read, user_impersonation
      - API Access : Access User Profile
    - ApplicationB-Portal
      - WebApp/API : Yes
      - Allow Implicit Flow : Yes
      - Reply Url : https://myportal.domain.com
      - App ID : https://MyTenantName.onmicrosoft.com/ApplicationB-Portal
      - Published Scopes : user_impersonation
      - API Access : ApplicationA-Api (read, access this app on behalf of signed in user), Access User Profile (offline_access, openid)
  - User Flows
    - SignupSignIn
      - Application : ApplicationA-Api
      - Reply Url : https://myazurefunsapi.azurewebsites.net/.auth/login/aad/callback
      - Select Domain :
        MyTenantName.b2clogin.com
        
        login.microsoftonline.com
Azure Functions
- Authentication/Authorization
  - App Service Authentication : On
  - Action to take when not authenticated : Login with Azure AD
  - Authentication providers :
    - Azure AAD :
    - Management Mode : Advanced
    - client id : B2C-ApplicationA-ApplicationID
    - issuer url : login.microsoftonline.com/......./opendid......
Static Website
- b2c integration done by msal.js (v0.2.4)
- clientID : B2C-ApplicationB-ApplicationID
- authority : https://login.microsoftonline.com/tfp/b2ctenantname.onmicrosoft.com/signinsingunp
- b2cscopes : ApplicationA-Api-read

Thanks in advance!

@MdFaridUddinKiron : Sorry, I can't understand your question. Can you pls elaborate. — ManiVI
Sure,I asked you what kind of user email you have used there as there are personal and work email and its mattered in b2c account. — Md Farid Uddin Kiron
as a test user, its an personal gmail account. At the moment in azure b2c tenant user flow policies > mysignupsignin-identity providers > Local Account Email sign up is enabled. — ManiVI
official sample outlines how to setup/consume msal.js For some reason, the changes/updates are not immediate, it took me ~6-8 hours to work correctly ! — ManiVI

Charlie.H Charlie.H · Accepted Answer · 2019-05-21T19:03:57

I've finally found a solution to this...

It took a lot of scouring but it's down to this issue raised on GitHub

Essentially, I changed the authority when setting up my UserAgentApplication to use the new b2clogin.com domain that someone else mentioned. Although this didn't work immediately, I received the same error you mentioned in the comments, so I had to set validateAuthority: false on my config.

I've included an example below on how I've set mine up. My ClientID is the same in Azure as it is in MSAL.js

var msalConfig = {
      auth: {
        clientId: "xxxx",
        authority: "https://xxxx.b2clogin.com/tfp/xxxx.onmicrosoft.com/B2C_xxxx", 
        webApi: 'https://xxxx.azurewebsites.net',
        b2cScopes: this.appConfig.b2cScopes,
        validateAuthority: false
      },
      cache: {
        cacheLocation: "localStorage",
        storeAuthStateInCookie: true
      }
    };
this.clientApplication = new Msal.UserAgentApplication(msalConfig);

Hope this helps!

Azure functions secured with Azure AD B2C returns unauthorized when using B2C tenant domain

2 Answers