
I am trying to establish a Service Connection from Azure DevOps to my Azure B2C tenant and am running into issues. I'm starting to think it's not even possible.

I have multiple Service Connections to the primary Azure Subscription/Tenant, but specifically wanted a connection to my B2C Tenant, so that I can manage B2C resources using Terraform and the Pipeline Agent within Azure DevOps.

Does anyone know if this is even possible? Or a method of getting this setup? No documentation online has been helpful

aseb
  • Have you tried creating an Azure Resource Manager service connection that specifies the B2C tenant ID? The service connection configuration wizard in the UI has a "Tenant ID" field. In the Azure Portal, the Overview blade for the B2C Tenant resource shows the tenant ID. – cdub Mar 22 '22 at 18:18
  • I sure did :), you get an error as the Azure Resource Manager SC is tied to the subscription and the B2C tenant doesn't have a subscription. It's associated with a subscription, but it doesn't have its own sub. Failed to query service connection API: '/000-000-000-00-000? Status Code: 'Unauthorized', Response from server: '{"error":{"code":"InvalidAuthenticationTokenTenant","message": "The access token is from the wrong issuer 'https://sts.windows.net/aaaa-aaaaa-aaaa-aaaa-aaa/'. It must match the tenant t/bbbbb-bbbbb-bbbb-bbb-bbbbb/' associated w/subscription. (scrubbed to shorten) – aseb Mar 22 '22 at 18:28
  • @aseb did you have any luck meanwhile? Exact same issue here: I can not see a way to define a proper DevOps service connection to a B2C tenant that has no subscription. – spikey Jun 23 '22 at 10:00
  • @spikey, I ended up thinking it's not possible. Sorry for the delayed response. I gave up on the effort. – aseb Jul 20 '22 at 20:25
  • definitely not the answer I was hoping to find, lol – Jake Boomgaarden Nov 03 '22 at 08:11

1 Answer

Let me explain.

  1. If you want to create Azure AD B2C tenants from Azure DevOps and Terraform (or any other tool), you will not be able to do it with a Service Connection. The reason is that to create an AAD B2C tenant you must use the Azure ARM API, not the Graph API, and that API endpoint only supports user authentication (the user_impersonation permission). You can read more here. The only thing you can do is to create a user in your existing Azure AD (not the AD B2C one) connected with the Azure subscription to which Azure AD B2C will be connected. Then you can use this user's credentials in Azure DevOps and Terraform to authenticate to Azure and create the Azure AD B2C tenant. Please remember that this user account cannot have MFA enabled, as it will fail in the Azure DevOps pipeline.

  2. If you want to manage resources in the newly created Azure AD B2C tenant with Terraform, please note that not all resources are supported. You will not be able to create user flows or custom user attributes. You also cannot delete the tenant, as some manual steps are required (like removing existing users or deleting the existing applications). In this scenario you have to register a Service Principal (SP) in the Azure AD B2C tenant with all the required permissions, and then you can authenticate with this SP's credentials in the Azure DevOps pipeline.

Daniel Krzyczkowski
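The following azure-pipelines.yml is an added illustration of the answer's second option and is not code from the question or the answer: it runs Terraform against the B2C tenant using a service principal registered in that tenant, with no Azure Resource Manager service connection at all. The variable group name `b2c-terraform`, the variable names `B2C_TENANT_ID`, `B2C_CLIENT_ID` and `B2C_CLIENT_SECRET`, and the `terraform` directory are assumptions for the example.

```yaml
# azure-pipelines.yml (added example, not from the question or the answer above)
trigger:
  - main

pool:
  vmImage: ubuntu-latest   # Microsoft-hosted Ubuntu images include the terraform CLI

variables:
  # Assumed variable group "b2c-terraform" holding three secret variables:
  # B2C_TENANT_ID, B2C_CLIENT_ID and B2C_CLIENT_SECRET. Secret variables are
  # masked in the log and are NOT exported to the environment automatically;
  # every step that needs them must map them explicitly with env:, as below.
  - group: b2c-terraform
  - name: tfDir
    value: $(Build.SourcesDirectory)/terraform   # assumed location of the .tf files

steps:
  # init assumes a backend that does not itself need the B2C credentials
  # (local state in this illustration); a remote backend would need its own
  # credentials, typically for the subscription that hosts the state.
  - script: terraform init -input=false
    displayName: terraform init
    workingDirectory: $(tfDir)

  - script: terraform plan -input=false -out=tfplan
    displayName: terraform plan (B2C tenant)
    workingDirectory: $(tfDir)
    env:
      # The azuread provider authenticates from these three variables. No
      # subscription is involved, which is why an ARM service connection
      # (which insists on one) is not needed here.
      ARM_TENANT_ID: $(B2C_TENANT_ID)
      ARM_CLIENT_ID: $(B2C_CLIENT_ID)
      ARM_CLIENT_SECRET: $(B2C_CLIENT_SECRET)

  - script: terraform apply -input=false -auto-approve tfplan
    displayName: terraform apply (B2C tenant)
    workingDirectory: $(tfDir)
    env:
      ARM_TENANT_ID: $(B2C_TENANT_ID)
      ARM_CLIENT_ID: $(B2C_CLIENT_ID)
      ARM_CLIENT_SECRET: $(B2C_CLIENT_SECRET)
```

In the .tf files the provider block can stay bare (`provider "azuread" {}`), since the azuread provider reads ARM_TENANT_ID, ARM_CLIENT_ID and ARM_CLIENT_SECRET from the environment; the tenant ID is the one shown on the B2C tenant's Overview blade in the portal. Grant the service principal only the Microsoft Graph application permissions the managed resources need (for example Application.ReadWrite.All, with admin consent, for azuread_application resources) rather than a broad directory role, and keep the secret in the variable group or a linked Key Vault rather than in the repository.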