0
votes

I'm building a SPA web app and API on MS Azure. The application needs to authenticate users that aren't part of the organization's Azure AD Directory (and shouldn't be). We are using a B2C directory (tied to the same subscription) for this with local users.

We need to store a file in Azure Blob Storage. We set up the container in the organization's AD Tenant. I want the SPA application to retrieve the file directly from Blob Storage. I tried exposing the Blob Storage permissions in the app registrations which are in the B2C Directory, but it won't allow exposing the permission because the Directory doesn't have a subscription (I did register the B2C Tenant with the organization's subscription).

So my question is - do I need to set this up as a multi-tenant situation between the organization's Directory and the B2C Directory? So setup an app registration in the organization's directory, make it multi-tenant, and expose the needed Blob Storage permissions? Or is there a better way to do this?

1

Do you have any other concerns? - Jim Xu

1 Answer

0
votes

As far as I know, an Azure AD B2C local user account cannot be used to do Azure AD authentication and then access Azure Blob Storage. The email address that you use to create the account with your 'Sign in / Sign up' user policy is just stored as the “SignInName”. We can only use it to complete Azure AD B2C authentication. To complete Azure AD authentication, we need to use the "userPrincipalName", but your users cannot get it by themselves. Meanwhile, for security reasons, Microsoft does not recommend that customers provide the “userPrincipalName” to their users.


So if you want to access Azure Blob Storage in your application, I suggest you create a SAS token for the blob or the container which you want to access. For more details, please refer to the document.
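The SAS approach the answer suggests, as an added example that is not part of the original answer: the API (never the SPA) holds the storage account key and mints a short-lived, read-only, single-blob SAS for a caller the API has already authenticated against B2C, then hands the SPA only the resulting URL. The signing is hand-rolled here against the documented service SAS string-to-sign layout for version 2018-11-09 so it runs offline; in a real API you would call the Azure SDK's `generate_blob_sas` instead. The account name, key and blob names are constructed.

```python
import base64, hashlib, hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

SAS_VERSION = "2018-11-09"  # the string-to-sign layout below is the one documented for this version
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

def _string_to_sign(account, container, blob, se, permissions):
    # Field order is fixed by the protocol; unused fields (start time, stored access policy,
    # IP range, snapshot, response-header overrides) still contribute their '\n' separator.
    return "\n".join([permissions, "", se, f"/blob/{account}/{container}/{blob}", "", "",
                      "https", SAS_VERSION, "b", "", "", "", "", "", ""])

def _sign(key_b64, string_to_sign):
    key = base64.b64decode(key_b64)  # the account key is base64 in the portal
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()

def build_blob_sas(account, key_b64, container, blob, expiry, permissions="r"):
    """Mint a service SAS for ONE blob. Runs in the API, the only holder of the account key."""
    if set(permissions) - {"r"}:  # end-user tokens stay read-only: no write, delete or list
        raise ValueError("end-user SAS tokens are read-only in this service")
    se = expiry.strftime(TIME_FMT)
    sig = _sign(key_b64, _string_to_sign(account, container, blob, se, permissions))
    return {"sv": SAS_VERSION, "sr": "b", "sp": permissions, "se": se, "spr": "https", "sig": sig}

def blob_url(account, container, blob, sas):
    """What the SPA receives: the blob URL plus the SAS query string, never the account key."""
    return f"https://{account}.blob.core.windows.net/{container}/{blob}?{urlencode(sas)}"

def sas_is_valid(account, key_b64, container, blob, sas, now):
    """Mirror of the storage service's checks: token not expired, signature matches the request."""
    if now >= datetime.strptime(sas["se"], TIME_FMT).replace(tzinfo=timezone.utc):
        return False
    expected = _sign(key_b64, _string_to_sign(account, container, blob, sas["se"], sas["sp"]))
    return hmac.compare_digest(expected, sas["sig"])

def demo():
    """Constructed walk-through with a fake account and key; returns each check's outcome."""
    acct, key = "examplestorage", base64.b64encode(b"constructed demo key, not a real one").decode()
    expiry = datetime(2030, 1, 1, 12, 0, tzinfo=timezone.utc)  # short lifetime: minutes, not days
    sas = build_blob_sas(acct, key, "userfiles", "report.pdf", expiry)
    tampered = dict(sas, sp="rw")  # a client editing its own token to add write access
    check = lambda blob, tok, now: sas_is_valid(acct, key, "userfiles", blob, tok, now)
    return {"url": blob_url(acct, "userfiles", "report.pdf", sas),
            "valid": check("report.pdf", sas, expiry - timedelta(minutes=5)),
            "expired": check("report.pdf", sas, expiry + timedelta(seconds=1)),
            "tampered": check("report.pdf", tampered, expiry - timedelta(minutes=5)),
            "other_blob": check("other.pdf", sas, expiry - timedelta(minutes=5))}
```

Because the signature covers the permissions, expiry and the exact blob path, a token cannot be upgraded, extended or reused for another blob without the account key.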