
We are using Azure AD B2C to authenticate users for a web/mobile application, we use a user flow to sign up users:

https://learn.microsoft.com/en-us/azure/active-directory-b2c/user-flow-overview

(or we create users programmatically with MS Graph)

What is the best way to give users permissions to different web apps? And then also for a user to see a list of the apps s/he has access to?

Primarily they will be web applications (app service) registered in Azure, so we could possibly add users to the enterprise application (from the app registration, click on: [screenshot]

thanks

dan

1 Answer

Unfortunately, the "User assignment required?" feature is only available in normal AAD. It doesn't apply to Azure B2C.

Since you are using a user flow, it's recommended to use a custom attribute to control the access of the user for different applications. For example, create a custom attribute named AADRole. Assign a value (which means its role access to certain apps) to different users and then get the claim from the id token after B2C users sign in. If the claim is

Refer to this answer for more details.

Allen Wu
  • @dan App role should also apply to the current situation based on your description. I'm sorry I missed it. I didn't try app role in B2C before. You should look into service principal to return enterprise application: https://learn.microsoft.com/en-us/graph/api/resources/serviceprincipal?view=graph-rest-1.0 – Allen Wu Mar 24 '21 at 02:00
  • comment I deleted before Allen's reply: Hi Allen, thank you for the answer, but I am able to use appRoleAssignments (https://learn.microsoft.com/en-us/graph/api/resources/serviceprincipal?view=graph-rest-1.0 – see also https://learn.microsoft.com/en-us/graph/api/user-list-approleassignments?view=graph-rest-1.0&tabs=csharp) to see the enterprise application / service principal associated with the app registration the user is added to. How are custom attributes different/better? Where can enterprise applications be found in Graph? – dan Mar 24 '21 at 02:08
  • OK thanks. So you think that users in enterprise applications via service principals is a better way than custom attributes? Each application would have to check w/ MS Graph to make sure the user has an appRoleAssignment for that application? – dan Mar 24 '21 at 02:12
  • @dan OK I got it. I think both app role and custom attribute are OK. But your method needs to call Microsoft Graph. Custom attribute can be returned from the token claims. It depends on your choice. From a logical point of view, it seems safer to get the token for verification than to call Microsoft Graph to verify. Because we will not allow users to do more than login verification (such as calling Microsoft API). – Allen Wu Mar 24 '21 at 02:15
  • OK thanks. Actually, I think we will be creating users ourselves w/ ms graph and not let users sign up themselves with a user flow, do you think this would make it ok/better to use app role assignment w/ service principal? thank you for your replies and help. – dan Mar 24 '21 at 02:23
  • If we wanted to manage which roles/groups a user had in each app from B2C and not within each individual application, if we wanted to use the enterprise application I think it is only possible with Active Directory Premium P2. So if we wanted to manage roles for each user's apps, probably better with custom attributes. How would you suggest we do this? Make a custom attribute for each app (AppRole1) and set the specific role in that attr for each user? – dan Mar 24 '21 at 02:28
  • @dan If so, I think it's safer. You can call Microsoft Graph before the user signs in to determine the enterprise app to which the user belongs; only the authorized apps are displayed to the user for them to log in. – Allen Wu Mar 24 '21 at 02:29
  • @dan Yes. You just need to create a custom attr (for example, named `apps`). Set the value for each user. Get the `custom_apps` claim from the token after the user signs in to see which apps the user has access to. – Allen Wu Mar 24 '21 at 02:35
  • Hi @Allen, OK thank you we will investigate. – dan Mar 24 '21 at 15:27
  • @dan My pleasure:) If my answer is helpful for you, you can accept it as answer. Thank you. – Allen Wu Mar 25 '21 at 02:38
  • I am using the newer AddMicrosoftIdentityWebAppAuthentication to use AD B2C - do you know what is the event that comes back that I can check their custom attribute and/or make an MS Graph query to check their enterprise applications registration? thank you – dan Apr 10 '21 at 05:39
  • @dan Not sure about the event. For ms graph query to check their enterprise applications registration, can you provide more details? Checking whose enterprise applications registration? – Allen Wu Apr 12 '21 at 01:57
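As an added illustration of the claim-based approach Allen describes (example code, not from the post or from Microsoft): a relying-party check that reads the custom attribute from the ID token the auth middleware has already verified, denies by default when the claim is missing or the token came from the wrong user flow, and produces the per-user app list dan asked about. The claim name `extension_apps` (how B2C user flows surface a custom attribute named `apps`), the `appId:role` value format, and the issuer/audience/policy placeholders are assumptions; the sample claims are constructed.

```python
"""Deny-by-default app authorization from an Azure AD B2C custom attribute claim."""
import time

# Assumed: a custom attribute named "apps" in B2C, emitted by user flows as the
# ID-token claim "extension_apps". Assumed value format (ours, not Microsoft's):
# comma-separated "appId:role" entries, e.g. "crm:admin,billing:reader".
APPS_CLAIM = "extension_apps"

# Expected issuer / audience / user flow for this relying party (placeholders).
EXPECTED_ISSUER = "https://contoso.b2clogin.com/<tenant-id>/v2.0/"
EXPECTED_AUDIENCE = "<client-id-of-this-app>"
EXPECTED_USER_FLOW = "B2C_1_signupsignin"

def parse_apps(value):
    """Turn 'crm:admin,billing:reader' into {'crm': 'admin', 'billing': 'reader'}.
    Malformed entries are dropped rather than granting anything."""
    apps = {}
    for entry in (value or "").split(","):
        app, sep, role = entry.strip().partition(":")
        app, role = app.strip().lower(), role.strip().lower()
        if app and sep and role:
            apps[app] = role
    return apps

def check_token_basics(claims, now=None):
    """Checks the auth middleware must already have done (signature verification
    included, which is outside this snippet). Repeated here so a token for the
    wrong policy or audience never reaches the authorization decision."""
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("aud") != EXPECTED_AUDIENCE:
        return False
    if claims.get("tfp") != EXPECTED_USER_FLOW:  # B2C names the user flow in "tfp"
        return False
    return claims.get("exp", 0) > now

def apps_for_user(claims, now=None):
    """Sorted (app, role) pairs the signed-in user may open; empty if no claim."""
    if not check_token_basics(claims, now):
        return []
    return sorted(parse_apps(claims.get(APPS_CLAIM)).items())

def authorize(claims, app_id, required_role=None, now=None):
    """True only if the token is acceptable, names app_id, and the role matches."""
    role = dict(apps_for_user(claims, now)).get(app_id.lower())
    if role is None:
        return False
    return required_role is None or role == required_role.lower()
```

The Graph-based alternative from the comments (listing the user's appRoleAssignments) would replace `parse_apps` with a server-side lookup, but the same deny-by-default decision applies.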