We have a front-end web application hosted on Azure which is registered in an Azure AD tenant. We also have back-end web applications whose APIs are exposed through an API gateway to be consumed by the front-end app.

Using the FE application we are calling APIs to add users to the system (the back-end uses Microsoft Graph APIs). That means the user is added to Azure AD and we are storing the oid from AD and other details in a SQL DB for further business use cases. All these users are in Azure AD (no external ones).

Now we have to invite external users with social identities (for example Google, Facebook) to the application; we have to federate and use the Graph API to invite users. We also want to have user self sign-up/sign-in. The decision is to move to Azure AD B2C (the application may or may not stay the same). Initially we thought that all existing subscriptions and services created in Azure AD could be moved to the B2C tenant, but I found that it may not be possible.

Now I am confused:

  • Do we have to use both Azure AD and Azure AD B2C?
  • If we have to maintain both, how do we manage users in both ADs?
  • In which AD should I register the FE app?
  • How does it work?

You may or may not need to use both regular AAD and AAD B2C. What kinds of users do you already have in AAD? Are they employees? Are you now going to invite external users? Are those "B2C" users or just other businesses? The answers to these questions will inform the decision on what tenants to use. – Omer Iqbal

1 Answer

You have 3 major components from your description.

  1. Web API
  2. Web App
  3. Users

If I am not wrong, you are managing these 3 from an Azure AD tenant, and are now planning to move to AD B2C.

do we have to use both Azure AD and Azure AD B2C?

Yes, you need to use both tenants: the AD tenant to host the Web API and Web App, and the AD B2C tenant to manage users.

If we have to maintain both how we have to manage users in both ADs?

It is good if you move all the users to AD B2C; then you can easily manage them, and social users too, through Graph API requests.

If that is not possible, B2C IEF supports custom policies where you can integrate the Azure AD tenant as an IdP in B2C. You can allow existing users to still log in with their AD credentials (or you can migrate those users to B2C, which is also possible) and social users join the B2C tenant directly.

In which AD should i register the FE app?

You should register it in the AD tenant, but inside that FE app you need to use B2C to manage users with the Graph API.

How does it work?

Wherever your Web App & Web API are (either in the Azure AD tenant or in AWS or in Google Cloud or in any private cloud), you need to integrate B2C inside those applications. Once you integrate B2C, they will work against the Azure AD B2C tenant.

Your Next Steps:

  1. Integrating B2C in Web App & Web API
  2. Inviting Users [Inviting Users in B2C]