5
votes

Problem

I'm in the process of building out an API using Azure API Management Service. I've created an Azure AD B2C tenant by which I'd wish to authorize calls to said API.

I was able to set up the tenant successfully; however, I'm running into an issue when attempting to add an Identity Provider of type Azure Active Directory B2C.

I'm following this walkthrough from 2017: https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-aad-b2c

The problem is that something has changed in the actual creation wizard that is not covered in the Azure documentation. There is an additional field that is required: Authority; what goes there?

What I've Tried

So far, I've searched the web and the only thing that I could find were ASP.NET applications referencing the following schema for an Authority:

https://login.microsoftonline.com/tfp/{tenant}/B2C_1_{signup_policy}

I attempted this (filling in the missing values unique to my tenant and sign-up policy) and I get the error: "One or more fields contain incorrect values: Azure Active Directory B2C authority is not valid."

Can someone tell me what should go there or at least point me in the direction of the updated Azure documentation that does? Again, the linked documentation above is from 2017 and doesn't mention an Authorize field.

1
Authority should look like this: https://{tenantName}.b2clogin.com/tfp/{tenantName}.onmicrosoft.com/B2C_1_{signup_policy}/v2.0/ or https://login.microsoftonline.com/tfp/{tenantName}.onmicrosoft.com/B2C_1_{signup_policy}/v2.0/ – Thomas

{tenantName}.onmicrosoft.com can also be replaced by the tenant id – Thomas

Have you for sure tried this format specifically on the Add Identity Provider portion of the API Management Service for a B2C Type? I tried both of the formats that you suggested (of course plugging in the tenant name) and I still get the error. Let's say for example my B2C tenant is contosob2c.onmicrosoft.com, I tried plugging contosob2c into the placeholders that you have above for the {tenantName}. No joy; still get the error saying the Authority is invalid. – Brandon Avant

No, sorry, I haven't tried – Thomas

No worries. Yeah, it seems like I'm supposed to use some variation of what you shared with me, but the things that I tried are failing. I wish Microsoft would update their documentation. – Brandon Avant

1 Answer

4
votes

The Authority field is there to control the authority of your login URL. For Azure B2C, the login URL used to start with https://.onmicrosoft.com; recently they've introduced a new primary authority: https://docs.microsoft.com/en-us/azure/active-directory-b2c/b2clogin.

This field lets you customize which one you want to use. It should prefill to {tenant}.b2clogin.com, but that seems to be broken. Will be fixed shortly.

Update: I updated your example above; the < > characters weren't rendering, so I switched to { }.
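
An added example, not part of the original answer or of Microsoft's documentation: a Python check that reduces a pasted authority to the bare-hostname form the answer describes ({tenant}.b2clogin.com) and rejects any host outside the two login authorities named on this page. That the field expects a bare hostname, the function names, and the discovery-URL layout (the tfp path from the comments plus the standard `.well-known/openid-configuration` suffix) are assumptions.

```python
from urllib.parse import urlsplit

# The two login authorities named on this page.
ALLOWED_SUFFIXES = ("b2clogin.com", "login.microsoftonline.com")


def authority_host(value: str) -> str:
    """Reduce a pasted authority (bare host or full URL) to a lowercase hostname."""
    value = value.strip()
    if "{" in value or "}" in value:
        raise ValueError("unfilled placeholder in authority")
    parts = urlsplit(value if "://" in value else "//" + value)
    if parts.scheme not in ("", "https"):
        raise ValueError("authority must use https")
    if parts.username or parts.password or parts.port is not None:
        raise ValueError("authority must not carry credentials or a port")
    host = (parts.hostname or "").rstrip(".")
    if not host:
        raise ValueError("no hostname found")
    return host


def is_expected_authority(host: str) -> bool:
    """True only for an allowed host itself or a true subdomain of it."""
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)


def discovery_url(host: str, tenant: str, policy: str) -> str:
    """OpenID Connect metadata URL for a B2C policy (assumed tfp/v2.0 layout)."""
    if not is_expected_authority(host):
        raise ValueError(f"unexpected authority host: {host}")
    return f"https://{host}/tfp/{tenant}/{policy}/v2.0/.well-known/openid-configuration"


if __name__ == "__main__":
    # Constructed sample: tenant name from the comments, policy name made up.
    pasted = "https://contosob2c.b2clogin.com/tfp/contosob2c.onmicrosoft.com/B2C_1_signup/v2.0/"
    host = authority_host(pasted)
    print("Authority field value:", host)
    print("Metadata to verify:", discovery_url(host, "contosob2c.onmicrosoft.com", "B2C_1_signup"))
```

Fetching the printed metadata URL and confirming it returns the policy's issuer is a quick way to tell a wrong tenant or policy name apart from a portal validation problem.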