Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!


(2019-10-04) Azure AD B2C – Setup The Identity Experience Framework

Posted by Jorge on 2019-10-04


This post is a cross-post of a series of posts about Azure AD B2C. This post has been published here with permission from Wim van den Heijkant, a member of the Fortigi team. All credits, kudos, whatever go to the original writers of this post.

Original location of this post/article: Setup the Identity Experience Framework

Figure 1: JSON Sample With Environment Specific Information

Azure AD Business to Consumer is a very flexible and powerful identity platform. It allows you to completely control the user experience for your customer and partner facing applications. See About Azure AD B2C for more info.

Over the last year and a half or so we have implemented Azure AD B2C for a number of customers. Over the next couple of days / weeks I will be posting a number of blogs with some of the tips and tricks we learned along the way. I will also be sharing some example scripts, policies and PowerShell modules we have developed.

This blog is part of a series on setting up Azure AD B2C automated deployments. It explains how to set up the Identity Experience Framework. Also see: Creating A New Azure AD B2C Tenant.

Azure AD B2C has a component called the "Identity Experience Framework". This is what makes Azure AD B2C such an incredibly powerful platform. It allows you to fully customize the user flows for sign-in, sign-up, etc.

Identity Experience Framework policies are defined in XML format. There are a lot of examples on GitHub. In any serious environment you are going to want to deploy these policies as part of your DevOps process and release the policies using some form of automation. I like Azure DevOps, but you could use Confluence, or any other platform of your choice, or just do the upload from the command line.

Having an automated deployment process for your policies allows you to keep a single version of your policies in a repo (like for example GitHub) and have your environment specific configuration in a separate JSON.

The JSON we use contains the following environment specific variables;

{
  "DEV": {
    "B2C_TENANT": "FortigiB2CDemo.onmicrosoft.com",
    "B2C_TOKEN_SIGNINGKEYCONTAINER": "TokenSigningKeyContainer",
    "B2C_TOKEN_ENCRYPTIONKEYCONTAINER": "TokenEncryptionKeyContainer",
    "B2C_TENANTID": "9eee23e3-5c63-4777-8b56-c91cbf665cae",
    "B2C_IEF_APPLICATIONID": "232f8e66-38d9-418c-a6e0-f676d23582a5",
    "B2C_IEF_PROXY_APPLICATIONID": "24109baf-ab87-493e-9a7c-fffe87d77014"
  },
  "TST": {…..}
}

In this blog post we will explain how to set up the Identity Experience Framework and gather all the required information to fill your JSON with the required environment-specific variables. In the next post I will then explain how you can use this JSON to automatically deploy Azure AD B2C policies.
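As an added example (not part of the original post and not one of the Fortigi scripts), the PowerShell below reads a JSON file shaped like the one above, selects one environment, and validates every value before anything is uploaded: GUIDs must parse, the tenant must be the *.onmicrosoft.com domain, the two key containers must differ, and no placeholder may be left unresolved in the rendered policy. The {{NAME}} placeholder syntax in the policy template, the file names and the function names are assumptions made for this illustration.

```powershell
# Added example: load environment-specific B2C settings from JSON, validate them,
# and render {{NAME}} placeholders in an IEF policy template. Placeholder syntax,
# file names and function names are assumptions made for this illustration.

# Every key the deployment needs; a missing one aborts before any upload happens.
$RequiredKeys = @(
    'B2C_TENANT',
    'B2C_TOKEN_SIGNINGKEYCONTAINER',
    'B2C_TOKEN_ENCRYPTIONKEYCONTAINER',
    'B2C_TENANTID',
    'B2C_IEF_APPLICATIONID',
    'B2C_IEF_PROXY_APPLICATIONID'
)

function Get-B2CEnvironmentConfig {
    param(
        [Parameter(Mandatory)] [string] $Path,         # e.g. .\b2c-environments.json (assumed name)
        [Parameter(Mandatory)] [string] $Environment   # e.g. DEV or TST
    )
    $all = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $cfg = $all.$Environment
    if (-not $cfg) { throw "Environment '$Environment' not found in $Path" }

    $errors = @()
    foreach ($key in $RequiredKeys) {
        $value = $cfg.$key
        if ([string]::IsNullOrWhiteSpace($value)) { $errors += "$key is missing or empty"; continue }
        switch -Regex ($key) {
            'ID$' {
                # Tenant ID and both application IDs must be well-formed GUIDs.
                $parsed = [guid]::Empty
                if (-not [guid]::TryParse($value, [ref]$parsed)) { $errors += "$key is not a GUID: $value" }
            }
            '^B2C_TENANT$' {
                if ($value -notmatch '\.onmicrosoft\.com$') { $errors += "B2C_TENANT should be the *.onmicrosoft.com domain, got $value" }
            }
            'KEYCONTAINER$' {
                # The JSON stores the bare container name (as in the post); the B2C_1A_ prefix
                # the portal adds is applied when rendering, so it must not be stored twice.
                if ($value -like 'B2C_1A_*') { $errors += "$key should not include the B2C_1A_ prefix: $value" }
            }
        }
    }
    if ($cfg.B2C_TOKEN_SIGNINGKEYCONTAINER -eq $cfg.B2C_TOKEN_ENCRYPTIONKEYCONTAINER) {
        $errors += 'Signing and encryption key containers must be different keys'
    }
    if ($errors.Count -gt 0) {
        throw ("Invalid configuration for ${Environment}:`n - " + ($errors -join "`n - "))
    }
    return $cfg
}

function Expand-B2CPolicyTemplate {
    param(
        [Parameter(Mandatory)] [string] $TemplatePath,
        [Parameter(Mandatory)] $Config,
        [Parameter(Mandatory)] [string] $OutputPath
    )
    $xml = Get-Content -Path $TemplatePath -Raw
    foreach ($key in $RequiredKeys) {
        $value = $Config.$key
        if ($key -like '*KEYCONTAINER') { $value = "B2C_1A_$value" }   # full policy key name
        $xml = $xml.Replace("{{$key}}", $value)
    }
    # A leftover placeholder means template and JSON disagree; refuse to write a broken policy.
    if ($xml -match '\{\{[A-Z0-9_]+\}\}') { throw "Unresolved placeholder $($Matches[0]) in $TemplatePath" }
    Set-Content -Path $OutputPath -Value $xml -Encoding UTF8
}

# Usage (file names are assumptions):
$cfg = Get-B2CEnvironmentConfig -Path .\b2c-environments.json -Environment DEV
Expand-B2CPolicyTemplate -TemplatePath .\TrustFrameworkExtensions.template.xml -Config $cfg -OutputPath .\out\TrustFrameworkExtensions.xml
```

Failing fast on the configuration is the point: a policy uploaded with a wrong tenant ID or a swapped application ID silently breaks sign-in for that environment, and a template with an unresolved placeholder is rejected by the service with a much less helpful message than the one produced here.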

Prerequisites

You need to have an Azure AD B2C tenant set up. See my previous post Creating A New Azure AD B2C Tenant on how to do that. If you have an Azure AD B2C tenant you will be able to fill in the first variable of the JSON;

Figure 2: JSON With Environment Specific Information – Retrieving The Domain Name Of The AAD B2C Tenant

"B2C_TENANT": "FortigiB2CDemo.onmicrosoft.com",

Step 1; Setup the Identity Experience Framework (IEF)

Microsoft explains how to set up the IEF here. I have "borrowed" most of my instructions from there; however, I have added a couple of screenshots and remarks where I feel that helps explain things.

Add signing and encryption keys

  1. Sign in to the Azure portal
  2. Use the Directory + subscription filter in the top menu to select the directory that contains your Azure AD B2C tenant.
  3. In the left menu, select Azure AD B2C. Or, select All services and search for and select Azure AD B2C.
  4. On the Overview page, select Identity Experience Framework.

Figure 3: The Identity Experience Framework

Create the signing key

  1. Select Policy Keys and then select Add.
  2. For Options, choose Generate.
  3. In Name, enter TokenSigningKeyContainer. The prefix B2C_1A_ might be added automatically.
  4. For Key type, select RSA.
  5. For Key usage, select Signature.
  6. Select Create.

Figure 4: JSON With Environment Specific Information – Creating The Signing Key (Container) For The AAD B2C Tenant

If you stick with the default name, then you have the value for your second JSON variable;

"B2C_TOKEN_SIGNINGKEYCONTAINER": "TokenSigningKeyContainer",

Create the encryption key

  1. Select Policy Keys and then select Add.
  2. For Options, choose Generate.
  3. In Name, enter TokenEncryptionKeyContainer. The prefix B2C_1A_ might be added automatically.
  4. For Key type, select RSA.
  5. For Key usage, select Encryption.
  6. Select Create.

Figure 5: JSON With Environment Specific Information – Creating The Encryption Key (Container) For The AAD B2C Tenant

If you stick with the default name, then you have the value for your third JSON variable;

"B2C_TOKEN_ENCRYPTIONKEYCONTAINER": "TokenEncryptionKeyContainer",

Switch to the regular Azure AD console

  1. Select All services in the top-left corner of the Azure portal.
  2. In the search box, enter Azure Active Directory.
  3. Select Azure Active Directory in the search results.

Most people I have tried to explain this to find the next part hard to understand. The Azure AD B2C instance that you have created is both an Azure AD B2C tenant and a regular Azure AD tenant; it's sort of backwards compatible. This means you can access your directory through the Azure AD B2C interface, where you configure the B2C-related things, as well as through the regular Azure AD interface. Not all features that are available in Azure AD are exposed in the Azure AD B2C interface, so we need to switch between consoles every now and then.

Now that you are on the regular console, first quickly get the Tenant ID; you need that in the JSON as well. You will find it under Properties;

Figure 6: JSON With Environment Specific Information – Retrieving The Tenant ID Of The AAD B2C Tenant

Add the directory ID to the JSON;

"B2C_TENANTID": "9eee23e3-5c63-4777-8b56-c91cbf665cae",

Register the Identity Experience Framework applications

To create the apps (or actually, I like the term service principal better; that makes way more sense to me) we need to go to the regular Azure AD console.

Azure AD B2C requires you to register two applications that are used to sign up and sign in users: IdentityExperienceFramework (a web app), and ProxyIdentityExperienceFramework (a native app) with delegated permission from the IdentityExperienceFramework app. Local accounts only exist in your tenant. Your users sign up with a unique email address/password combination to access your tenant-registered applications.

Basically, without these two apps you will not be able to use the local account option in the IEF policies. These apps are required to allow the IEF to access the directory: behind the scenes, the IEF is a separate service, which needs permissions. As the Microsoft pages explain;

  1. Select All services in the top-left corner of the Azure portal.
  2. In the search box, enter Azure Active Directory.
  3. Select Azure Active Directory in the search results.
  4. Under Manage in the left-hand menu, select App registrations (Legacy).
  5. Select New application registration.
  6. For Name, enter IdentityExperienceFramework.
  7. For Application type, choose Web app/API.
  8. For Sign-on URL, enter https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com, where your-tenant-name is your Azure AD B2C tenant domain name. All URLs should now be using b2clogin.com.
  9. Select Create. After it’s created, copy the application ID and save it to use later.

Figure 7: JSON With Environment Specific Information – Registering The Identity Experience Framework Application

We used; https://fortigib2cdemo.b2clogin.com/fortigib2cdemo.onmicrosoft.com as the sign-on URL for the tenant we created earlier.

The application ID needs to be added to the JSON;

"B2C_IEF_APPLICATIONID": "56946d8a-8920-462b-91a3-58f715caea58",

Register the ProxyIdentityExperienceFramework application

  1. In App registrations (Legacy), select New application registration.
  2. For Name, enter ProxyIdentityExperienceFramework.
  3. For Application type, choose Native.
  4. For Redirect URI, enter https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com, where your-tenant-name is your Azure AD B2C tenant.
  5. Select Create. After it’s created, copy the application ID and save it to use later.

Figure 8: JSON With Environment Specific Information – Registering The Proxy Identity Experience Framework Application

The application ID needs to be added to the JSON;

"B2C_IEF_PROXY_APPLICATIONID": "b41323fa-da14-430a-bcd5-f6580f81b1b5"

  1. Select Settings, then select Required permissions, and then select Add.
  2. Choose Select an API, search for and select IdentityExperienceFramework, and then click Select.
  3. Select the check box next to Access IdentityExperienceFramework, click Select, and then click Done.
  4. Select Grant permissions, and then confirm by selecting Yes.

Figure 9: Configuring Permissions For The Proxy Identity Experience Framework Application

Thanks to Taeke Kooiker for reviewing this article.

Cheers,

Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
#################### http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-


(2019-10-02) Azure AD B2C – Creating A New Azure AD B2C Tenant

Posted by Jorge on 2019-10-02


This post is a cross-post of a series of posts about Azure AD B2C. This post has been published here with permission from Wim van den Heijkant, a member of the Fortigi team. All credits, kudos, whatever go to the original writers of this post.

Original location of this post/article: Creating a new Azure AD B2C tenant

Figure 1: Azure AD B2C Highlights

Azure AD Business to Consumer is a very flexible and powerful identity platform. It allows you to completely control the user experience for your customer and partner facing applications. See About Azure AD B2C for more info.

Over the last year and a half or so we have implemented Azure AD B2C for a number of customers. Over the next couple of days / weeks I will be posting a number of blogs with some of the tips and tricks we learned along the way. I will also be sharing some example scripts, policies and PowerShell modules we have developed.

In this first post we explain the process of creating a new Azure AD B2C tenant within your existing Azure environment, adding other admins etc.

Start by logging in to your Azure Subscription and create a new Resource Group:

Figure 2: Creating A Resource Group For The AAD B2C Tenant

Add a new Azure AD B2C tenant, by clicking add new resource and searching for B2C;

Figure 3: Looking For The AAD B2C Resource In The Marketplace

After clicking create you will get 2 options;

Figure 4: Choosing Between New Or Linking Existing AAD B2C Tenant

The first step is to create a new Azure AD B2C tenant; after that you can link the tenant to your Azure subscription so it becomes visible in your resource group. So first we create, then we link. Click Create new Azure AD B2C Tenant;

Figure 5: Providing The Basic Details For The AAD B2C

This will take a minute. When it’s done you will get;

Figure 6: Confirmation After The AAD B2C Tenant Has Been Created

You can click the link in the message, but we still need to link the tenant to our subscription, so let’s do that first. Close the Create new tenant screen and go back to the Create or link screen. When we click Link an existing Azure AD B2C Tenant to my Azure subscription, we get;

Figure 7: Linking An Existing AAD B2C Tenant To A Subscription

It now shows up in the drop down list. After clicking create it will show up in your resource group;

Figure 8: The AAD B2C Tenant Listed Within The Assigned Subscription

Open the resource and you will see;

Figure 9: An Overview Of The AAD B2C Tenant

Click Azure AD B2C settings and you will be redirected to the Azure AD B2C setting page;

Figure 10: The AAD B2C Settings Page

Notice that you are actually directed to a completely new Azure tenant. This is because Azure AD B2C is also a directory, which now contains only a single user: the user you used to create the tenant;

Figure 11: The Default AAD B2C Tenant Admin, The Account That Created The AAD B2C Tenant

Also when we look for "our other Azure resources" there is nothing there;

Figure 12: Additional Resources Page For The AAD B2C Tenant

To switch back to your default Azure Tenant, use the directory selector in the top;

Figure 13: Selecting Another Directory

I have access to a rather large number of B2C tenants so I will see a lot of them. But you will most probably only see 2. The new B2C tenant and your original Azure tenant;

Figure 14: The List Of Available AAD Directories The Account Has Access To

You have now created an Azure AD B2C tenant that you can start to use. You can create new Azure AD B2C users or invite your colleagues (who live in the "normal" Azure AD) by going to Users and selecting "New guest user". They will receive an invite link. All this works very similarly to how the normal Azure AD works. Adding at least one other colleague would be my recommendation. This prevents you from losing access to the directory if your credentials are accidentally lost.

Figure 15: Creating A New Account Within The AAD B2C Tenant

Also note that if you are adding a colleague that doesn’t have an e-mail address matching the account name, for example if you are inviting a non-personal or service account, the invitation e-mail will not reach the user. To work around this issue, open the user you just invited and click the Resend invitation button; once you click it, it will allow you to copy the invitation URL. Open this URL while logged in as the account you want to give access, and your invitation will be redeemed. This basically creates a "foreign security principal" in the B2C directory.

Figure 16: The Settings Page Of A User Account Within The AAD B2C Tenant
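The same workaround can be done without the portal. As an added example (not part of the original post), the PowerShell below uses the AzureAD module to create the invitation in the B2C directory with the e-mail suppressed and returns the redeem URL directly, which is what the Resend invitation button exposes. The tenant name, the invited account and the display name are constructed placeholders, and the function name is an assumption.

```powershell
# Added example: invite an account from the "normal" Azure AD into the B2C directory
# without relying on the invitation e-mail, using the AzureAD PowerShell module.
# Tenant name, invited account and display name are constructed placeholders.

# Sign in to the B2C directory itself (not your home Azure AD) as one of its administrators.
Connect-AzureAD -TenantId 'yourtenant.onmicrosoft.com'

function New-B2CGuestInvitation {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,   # account to invite, e.g. a service account
        [Parameter(Mandatory)] [string] $DisplayName,
        [string] $RedirectUrl = 'https://portal.azure.com'    # where the user lands after redeeming
    )
    # SendInvitationMessage $false: no mail is sent, which is exactly the case where no
    # mailbox exists for the invited name. The redeem URL comes back on the invitation object.
    $invitation = New-AzureADMSInvitation `
        -InvitedUserEmailAddress $UserPrincipalName `
        -InvitedUserDisplayName  $DisplayName `
        -InviteRedirectUrl       $RedirectUrl `
        -SendInvitationMessage   $false
    return $invitation.InviteRedeemUrl
}

# Open the returned URL while signed in as the invited account to redeem the invitation
# and create the guest (foreign security principal) in the B2C directory.
$url = New-B2CGuestInvitation -UserPrincipalName 'svc-b2c-deploy@contoso.com' -DisplayName 'B2C deployment account'
Write-Host "Redeem URL (hand this over like a credential): $url"
```

Treat the redeem URL as sensitive: whoever opens it while signed in to a matching account becomes a guest in the directory, so pass it over a channel you would use for a password, not a ticket comment.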

Special thanks to my colleague Taeke Kooiker for his reviews and help with this article.

Cheers,

Jorge



 