
I am creating a new Azure AD B2C authenticated site to replace an older Forms Authenticated one. In the new site, I am asking the user to initially enter their email address so I can check if they exist in Azure B2C and, if so, send them to the appropriate sign-in page and, if not, send them to the older Forms Authenticated site.

The issue I have when following Microsoft's tutorials is that they show user management, but they all require you to have logged in with your Azure account first, and obviously this is not possible given the system I am trying to build. Is what I am doing even possible?

Thanks in advance!

MS tutorials: https://azure.microsoft.com/en-gb/documentation/articles/active-directory-code-samples/

Bren Gunning

2 Answers


Sadly, it seems like this is not possible within the Azure B2C Preview.

From the limitations section (https://azure.microsoft.com/en-gb/documentation/articles/active-directory-b2c-limitations/) there is this paragraph which describes what I am trying to do:

Daemons / Server Side Applications

Applications that contain long running processes or that operate without the presence of a user also need a way to access secured resources, such as Web APIs. These applications can authenticate and get tokens using the application's identity (rather than a consumer's delegated identity) using the OAuth 2.0 client credentials flow. This flow is not yet available in Azure AD B2C preview - which is to say that applications can only get tokens after an interactive consumer sign-in flow has occurred.

So it seems like this is currently not possible. Hopefully it'll work once it comes out of preview.

Bren Gunning
  • But you have users signing in to your site, so that's not a daemon application. – Erik Oppedijk Feb 09 '16 at 08:31
  • But I can only access the information about the currently signed in Forms Authenticated user. At this point I need to query the B2C users which this user can't do. – Bren Gunning Mar 22 '16 at 13:45

Be careful with this; check that your site is not vulnerable to username enumeration: http://www.troyhunt.com/2012/05/everything-you-ever-wanted-to-know.html

With the old users going to forms based authentication, you could call the Graph API to create the users in the B2C directory: https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-devquickstarts-graph-dotnet/

Then the next time they can log in through B2C.

Erik Oppedijk
  • Hi, thanks for this. What you have described is what I am trying to do - essentially migrate the users as they are logging in (rather than in bulk). The issue is if I look at https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-devquickstarts-graph-dotnet/#user-crud-with-the-graph-api this doesn't work as it tells me it's using the wrong API. There doesn't seem to be a working example of this in that page. – Bren Gunning Feb 08 '16 at 10:44
  • You need to register your web app as a consumer of the Graph API first – Paul Hatcher Feb 13 '16 at 14:55
  • I did face a problem accessing the Graph API the first time; things got resolved after a few alternate steps. This link may help: http://stackoverflow.com/questions/36151730/error-connect-msolservice-your-credentials-could-not-be-authenticated-try-a – Sivalingaamorthy Mar 29 '16 at 16:29
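The migrate-on-login flow this answer describes, together with its username-enumeration warning, as an added Python example that is not code from the answer, from the question, or from Microsoft's samples. `B2CDirectoryStub` and `LegacyFormsStore` are hypothetical in-memory stand-ins (no Azure call is made); a real site would replace the stub's `user_exists`/`create_user` with Graph API calls made under an app-only token, which is exactly what the preview limitation quoted in the accepted answer prevents. The `SlidingWindowLimiter` is the defender's side of the enumeration point: an email-first page unavoidably tells the caller which realm an address belongs to, so the realistic mitigation is to cap and log lookups per source rather than to pretend the answer is hidden. Sample emails, password and IPs are constructed.

```python
"""Constructed example, not code from the answer or from Microsoft's samples:
email-first sign-in routing with just-in-time migration of legacy Forms
Authentication users into a B2C directory.  B2CDirectoryStub and
LegacyFormsStore are hypothetical in-memory stand-ins; a real site would
replace the stub with Graph API calls made under an app-only token."""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque
from typing import Optional

PBKDF2_ROUNDS = 100_000


class B2CDirectoryStub:
    """Stand-in for the B2C directory: existence check and user creation."""

    def __init__(self):
        self._users = {}  # lower-cased sign-in email -> user record

    def user_exists(self, email: str) -> bool:
        return email.lower() in self._users

    def create_user(self, email: str, display_name: str) -> dict:
        key = email.lower()
        if key in self._users:
            raise ValueError("user already exists in directory")
        self._users[key] = {"signInNames": [{"type": "emailAddress", "value": email}],
                            "displayName": display_name}
        return self._users[key]


class LegacyFormsStore:
    """Stand-in for the old Forms Authentication membership table."""

    def __init__(self):
        self._rows = {}  # lower-cased email -> (salt, digest, display_name)

    def add(self, email: str, password: str, display_name: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._rows[email.lower()] = (salt, digest, display_name)

    def verify(self, email: str, password: str) -> Optional[str]:
        """Display name on success, None on failure; unknown emails still pay
        for one hash so response time does not reveal whether they exist."""
        row = self._rows.get(email.lower())
        if row is None:
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, PBKDF2_ROUNDS)
            return None
        salt, digest, display_name = row
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return display_name if hmac.compare_digest(candidate, digest) else None


class SlidingWindowLimiter:
    """Per-source cap on realm lookups: the email-first page unavoidably says
    which realm an address belongs to, so make bulk probing slow and visible."""

    def __init__(self, max_requests: int, window_seconds: float):
        self.max_requests, self.window = max_requests, window_seconds
        self._hits = defaultdict(deque)  # source key -> timestamps in window

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        hits = self._hits[key]
        while hits and now - hits[0] >= self.window:
            hits.popleft()  # drop timestamps that fell out of the window
        if len(hits) >= self.max_requests:
            return False
        hits.append(now)
        return True


class SignInRouter:
    def __init__(self, directory, legacy, limiter):
        self.directory, self.legacy, self.limiter = directory, legacy, limiter

    def route(self, email: str, client_ip: str, now: Optional[float] = None) -> str:
        """Where the email-entry page sends the user: 'b2c', 'legacy', or
        'throttled' once the source has exceeded its lookup cap."""
        if not self.limiter.allow(client_ip, now):
            return "throttled"
        return "b2c" if self.directory.user_exists(email) else "legacy"

    def legacy_login(self, email: str, password: str) -> bool:
        """Verify against the old store and, on success, create the same user
        in B2C so the next visit is routed to the B2C sign-in page."""
        display_name = self.legacy.verify(email, password)
        if display_name is None:
            return False
        if not self.directory.user_exists(email):
            self.directory.create_user(email, display_name)
        return True
```

Usage: build a `LegacyFormsStore`, add a user, wrap it with a `B2CDirectoryStub` and a `SlidingWindowLimiter(5, 60.0)` in a `SignInRouter`; `route()` returns `"legacy"` for that email until `legacy_login()` succeeds with the right password, after which it returns `"b2c"`. A wrong password leaves the directory untouched, and the sixth lookup from one source inside a minute returns `"throttled"` instead of a realm.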