---
title: Set up sign-in for a Microsoft Entra organization
titleSuffix: Azure AD B2C
description: Set up sign-in for a specific Microsoft Entra organization in Azure Active Directory B2C.
author: garrodonnell
manager: CelesteDG
ms.service: azure-active-directory
ms.topic: how-to
ms.date: 01/27/2025
ms.author: godonnell
ms.subservice: b2c
ms.custom: fasttrack-edit,
zone_pivot_groups: b2c-policy-type
---
This article shows you how to enable sign-in for users from a specific Microsoft Entra organization using a user flow in Azure AD B2C.
[!INCLUDE active-directory-b2c-choose-user-flow-or-custom-policy]
::: zone pivot="b2c-custom-policy"
[!INCLUDE active-directory-b2c-advanced-audience-warning]
::: zone-end
[!INCLUDE active-directory-b2c-customization-prerequisites]
As of November 2020, new application registrations show up as unverified in the user consent prompt unless the application's publisher domain is verified and the company’s identity has been verified with the Microsoft Partner Network and associated with the application. (Learn more about this change.) Note that for Azure AD B2C user flows, the publisher’s domain appears only when using a Microsoft account or other Microsoft Entra tenant as the identity provider. To meet these new requirements, do the following:
- Verify your company identity using your Microsoft Partner Network (MPN) account. This process verifies information about your company and your company's primary contact.
- Complete the publisher verification process to associate your MPN account with your app registration using one of the following options:
  - If the app registration for the Microsoft account identity provider is in a Microsoft Entra tenant, verify your app in the App Registration portal.
  - If your app registration for the Microsoft account identity provider is in an Azure AD B2C tenant, mark your app as publisher verified using Microsoft Graph APIs (for example, using Graph Explorer). The UI for setting an app's verified publisher is currently disabled for Azure AD B2C tenants.
To enable sign-in for users with a Microsoft Entra account from a specific Microsoft Entra organization, in Azure Active Directory B2C (Azure AD B2C), you need to create an application in the Azure portal. For more information, see Register an application with the Microsoft identity platform.
1. Sign in to the Azure portal.
2. If you have access to multiple tenants, select the Settings icon in the top menu to switch to your Microsoft Entra ID tenant from the Directories + subscriptions menu.
3. In the Azure portal, search for and select Microsoft Entra ID.
4. In the left menu, under Manage, select App registrations.
5. Select + New registration.
6. Enter a Name for your application. For example, `Azure AD B2C App`.
7. Accept the default selection of Accounts in this organizational directory only (Default Directory only - Single tenant) for this application.
8. For the Redirect URI, accept the value of Web, and enter the following URL in all lowercase letters, where `your-B2C-tenant-name` is replaced with the name of your Azure AD B2C tenant.

   ```
   https://your-B2C-tenant-name.b2clogin.com/your-B2C-tenant-name.onmicrosoft.com/oauth2/authresp
   ```

   For example, `https://fabrikam.b2clogin.com/fabrikam.onmicrosoft.com/oauth2/authresp`.

   If you use a custom domain, enter `https://your-domain-name/your-tenant-name.onmicrosoft.com/oauth2/authresp`. Replace `your-domain-name` with your custom domain, and `your-tenant-name` with the name of your tenant.

9. Select Register. Record the Application (client) ID for use in a later step.
10. Select Certificates & secrets, and then select New client secret.
11. Enter a Description for the secret, select an expiration, and then select Add. Record the Value of the secret for use in a later step.
::: zone pivot="b2c-user-flow"
1. If you have access to multiple tenants, select the Settings icon in the top menu to switch to your Azure AD B2C tenant from the Directories + subscriptions menu.
2. Choose All services in the top-left corner of the Azure portal, and then search for and select Azure AD B2C.
3. Select Identity providers, and then select New OpenID Connect provider.
4. Enter a Name. For example, enter Contoso Microsoft Entra ID.
5. For Metadata url, enter the following URL, replacing `{tenant}` with the domain name of your Microsoft Entra tenant:

   ```
   https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration
   ```

   For example, `https://login.microsoftonline.com/contoso.onmicrosoft.com/v2.0/.well-known/openid-configuration`. If you use a custom domain, replace `contoso.com` with your custom domain in `https://login.microsoftonline.com/contoso.com/v2.0/.well-known/openid-configuration`.

6. For Client ID, enter the application ID that you previously recorded.
7. For Client secret, enter the client secret value that you previously recorded.
8. For Scope, enter `openid profile`.
9. Leave the default values for Response type and Response mode.
10. (Optional) For the Domain hint, enter `contoso.com`. For more information, see Set up direct sign-in using Azure Active Directory B2C.
11. Under Identity provider claims mapping, select the following claims:
    - User ID: `oid`
    - Display name: `name`
    - Given name: `given_name`
    - Surname: `family_name`
    - Email: `email`
12. Select Save.
At this point, the Microsoft Entra identity provider has been set up, but it's not yet available in any of the sign-in pages. To add the Microsoft Entra identity provider to a user flow:
1. In your Azure AD B2C tenant, select User flows.
2. Select the user flow to which you want to add the Microsoft Entra identity provider.
3. Under Settings, select Identity providers.
4. Under Custom identity providers, select Contoso Microsoft Entra ID.
5. Select Save.
6. To test your policy, select Run user flow.
7. For Application, select a web application that you previously registered. The Reply URL should show `https://jwt.ms`.
8. Select the Run user flow button.
9. From the sign-up or sign-in page, select Contoso Microsoft Entra ID to sign in with a Microsoft Entra Contoso account.

If the sign-in process is successful, your browser is redirected to `https://jwt.ms`, which displays the contents of the token returned by Azure AD B2C.
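What the tenant-specific metadata URL and the claims mapping above achieve, as an added Python example that is not part of this article or of Azure AD B2C itself: it reads the tenant out of a discovery document, rejects the multi-tenant endpoints, checks that the `iss` and `tid` claims of a returned token belong to that tenant, and then applies the User ID/Display name/Given name/Surname/Email mapping. The discovery documents, tenant GUID and token claims are constructed placeholders, and `issuer_and_tenant` and `map_claims` are names chosen for this example.

```python
"""Added example (not part of the Azure AD B2C article): apply the claims
mapping selected in the user-flow steps above to the claims that Microsoft
Entra ID returns, and confirm the signed-in account belongs to the single
organization the provider was configured for.

Everything below is constructed for illustration: the discovery documents,
the ID-token claims and the tenant GUID are placeholders, not real values.
"""
import json

# The mapping chosen under "Identity provider claims mapping" (B2C claim -> Entra claim).
CLAIMS_MAPPING = {
    "User ID": "oid",
    "Display name": "name",
    "Given name": "given_name",
    "Surname": "family_name",
    "Email": "email",
}

# Issuer tenant segments that would accept accounts from any Entra tenant.
MULTI_TENANT_MARKERS = {"common", "organizations", "consumers", "{tenantid}"}

# Constructed sample of the document served from
# https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration
# for one specific tenant (only the fields used here are included).
SAMPLE_TENANT_ID = "00000000-0000-0000-0000-000000000001"  # placeholder GUID
SAMPLE_METADATA = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{SAMPLE_TENANT_ID}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{SAMPLE_TENANT_ID}/oauth2/v2.0/authorize",
})

# Constructed sample of the 'common' endpoint's document: its issuer is a
# template, which is why the steps above use a tenant-specific metadata URL.
COMMON_METADATA = json.dumps({"issuer": "https://login.microsoftonline.com/{tenantid}/v2.0"})

# Constructed sample ID-token claims from Entra ID for a user in that tenant.
SAMPLE_ID_TOKEN_CLAIMS = {
    "iss": f"https://login.microsoftonline.com/{SAMPLE_TENANT_ID}/v2.0",
    "tid": SAMPLE_TENANT_ID,
    "oid": "11111111-1111-1111-1111-111111111111",
    "name": "Alex Wilber",
    "given_name": "Alex",
    "family_name": "Wilber",
    "email": "alex@contoso.example",
}


def issuer_and_tenant(metadata_json):
    """Return (issuer, tenant_id) from a v2.0 discovery document.

    Rejects documents whose issuer is not of the form
    https://login.microsoftonline.com/<tenant>/v2.0 or whose tenant segment is
    a multi-tenant marker, since those would accept accounts from any tenant.
    """
    issuer = json.loads(metadata_json)["issuer"]
    parts = issuer.rstrip("/").split("/")
    if len(parts) != 5 or parts[:3] != ["https:", "", "login.microsoftonline.com"] or parts[4] != "v2.0":
        raise ValueError(f"unexpected issuer format: {issuer}")
    tenant = parts[3]
    if tenant.lower() in MULTI_TENANT_MARKERS:
        raise ValueError(f"issuer {issuer} is not tenant-specific")
    return issuer, tenant


def map_claims(idp_claims, metadata_json):
    """Check iss/tid against the configured tenant, then apply CLAIMS_MAPPING.

    oid is required: it is the stable identifier for the account, whereas
    email is mutable and optional, which is why User ID maps to oid.
    """
    issuer, tenant_id = issuer_and_tenant(metadata_json)
    if idp_claims.get("iss") != issuer:
        raise PermissionError(f"token issuer {idp_claims.get('iss')!r} does not match {issuer!r}")
    if idp_claims.get("tid") != tenant_id:
        raise PermissionError(f"token is for tenant {idp_claims.get('tid')!r}, expected {tenant_id!r}")
    if not idp_claims.get("oid"):
        raise ValueError("oid claim missing")
    return {b2c: idp_claims[entra] for b2c, entra in CLAIMS_MAPPING.items() if entra in idp_claims}


if __name__ == "__main__":
    print(json.dumps(map_claims(SAMPLE_ID_TOKEN_CLAIMS, SAMPLE_METADATA), indent=2))
```

Azure AD B2C performs the issuer binding itself once the metadata URL names a single tenant; the point of the example is that `given_name` and `family_name` only appear in the mapped output when Entra ID actually emits them, which is what the optional-claims section later in this article configures.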
::: zone-end
::: zone pivot="b2c-custom-policy"
You need to store the application key that you created in your Azure AD B2C tenant.

1. If you have access to multiple tenants, select the Settings icon in the top menu to switch to your Azure AD B2C tenant from the Directories + subscriptions menu.
2. Choose All services in the top-left corner of the Azure portal, and then search for and select Azure AD B2C.
3. Under Policies, select Identity Experience Framework.
4. Select Policy keys and then select Add.
5. For Options, choose `Manual`.
6. Enter a Name for the policy key. For example, `ContosoAppSecret`. The prefix `B2C_1A_` is added automatically to the name of your key when it's created, so the XML in the following section refers to it as `B2C_1A_ContosoAppSecret`.
7. In Secret, enter the client secret value that you recorded earlier.
8. For Key usage, select `Signature`.
9. Select Create.
To enable users to sign in using a Microsoft Entra account, you need to define Microsoft Entra ID as a claims provider that Azure AD B2C can communicate with through an endpoint. The endpoint provides a set of claims that are used by Azure AD B2C to verify that a specific user has authenticated.
You can define Microsoft Entra ID as a claims provider by adding Microsoft Entra ID to the ClaimsProvider element in the extension file of your policy.
1. Open the TrustFrameworkExtensions.xml file.
2. Find the ClaimsProviders element. If it does not exist, add it under the root element.
3. Add a new ClaimsProvider as follows:

   ```xml
   <ClaimsProvider>
     <Domain>Contoso</Domain>
     <DisplayName>Login using Contoso</DisplayName>
     <TechnicalProfiles>
       <TechnicalProfile Id="AADContoso-OpenIdConnect">
         <DisplayName>Contoso Employee</DisplayName>
         <Description>Login with your Contoso account</Description>
         <Protocol Name="OpenIdConnect"/>
         <Metadata>
           <Item Key="METADATA">https://login.microsoftonline.com/tenant-name.onmicrosoft.com/v2.0/.well-known/openid-configuration</Item>
           <Item Key="client_id">00001111-aaaa-2222-bbbb-3333cccc4444</Item>
           <Item Key="response_types">code</Item>
           <Item Key="scope">openid profile</Item>
           <Item Key="response_mode">form_post</Item>
           <Item Key="HttpBinding">POST</Item>
           <Item Key="UsePolicyInRedirectUri">false</Item>
         </Metadata>
         <CryptographicKeys>
           <Key Id="client_secret" StorageReferenceId="B2C_1A_ContosoAppSecret"/>
         </CryptographicKeys>
         <OutputClaims>
           <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid"/>
           <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid"/>
           <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
           <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" />
           <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
           <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
           <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" />
         </OutputClaims>
         <OutputClaimsTransformations>
           <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
           <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
           <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
           <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId"/>
         </OutputClaimsTransformations>
         <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin"/>
       </TechnicalProfile>
     </TechnicalProfiles>
   </ClaimsProvider>
   ```

4. Under the ClaimsProvider element, update the value for Domain to a unique value that can be used to distinguish it from other identity providers. For example, `Contoso`. Don't put `.com` at the end of this domain setting.
5. Under the ClaimsProvider element, update the value for DisplayName to a friendly name for the claims provider. This value is not currently used.
To get a token from the Microsoft Entra endpoint, you need to define the protocols that Azure AD B2C should use to communicate with Microsoft Entra ID. This is done inside the TechnicalProfile element of ClaimsProvider.
1. Update the ID of the TechnicalProfile element. This ID is used to refer to this technical profile from other parts of the policy, for example `AADContoso-OpenIdConnect`.
2. Update the value for DisplayName. This value will be displayed on the sign-in button on your sign-in screen.
3. Update the value for Description.
4. Microsoft Entra ID uses the OpenID Connect protocol, so make sure that the value for Protocol is `OpenIdConnect`.
5. Set the value of METADATA to `https://login.microsoftonline.com/tenant-name.onmicrosoft.com/v2.0/.well-known/openid-configuration`, where `tenant-name` is your Microsoft Entra tenant name. For example, `https://login.microsoftonline.com/contoso.onmicrosoft.com/v2.0/.well-known/openid-configuration`.
6. Set client_id to the application ID from the application registration.
7. Under CryptographicKeys, update the value of StorageReferenceId to the name of the policy key that you created earlier. For example, `B2C_1A_ContosoAppSecret`.
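A check over the technical profile settings just described, as an added Python example that is not part of this article or of the Identity Experience Framework: it parses a ClaimsProvider fragment (with or without the policy namespace of a full TrustFrameworkPolicy file) and reports when the protocol, the METADATA URL, the client secret reference or the oid/tid output claims deviate from the steps above. `SAMPLE_PROFILE` is a constructed, trimmed copy of the fragment shown earlier; `lint_oidc_profile` and the helper names are this example's own.

```python
"""Added example (not from the Azure AD B2C article): lint an OpenIdConnect
technical profile in TrustFrameworkExtensions.xml against the settings the
steps above describe. Function and constant names are this example's own.
"""
import re
import xml.etree.ElementTree as ET

# Constructed, trimmed copy of the ClaimsProvider fragment shown above.
SAMPLE_PROFILE = """<ClaimsProvider>
  <Domain>Contoso</Domain>
  <DisplayName>Login using Contoso</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="AADContoso-OpenIdConnect">
      <DisplayName>Contoso Employee</DisplayName>
      <Protocol Name="OpenIdConnect"/>
      <Metadata>
        <Item Key="METADATA">https://login.microsoftonline.com/contoso.onmicrosoft.com/v2.0/.well-known/openid-configuration</Item>
        <Item Key="client_id">00001111-aaaa-2222-bbbb-3333cccc4444</Item>
        <Item Key="response_types">code</Item>
        <Item Key="scope">openid profile</Item>
        <Item Key="response_mode">form_post</Item>
        <Item Key="HttpBinding">POST</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="B2C_1A_ContosoAppSecret"/>
      </CryptographicKeys>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid"/>
        <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid"/>
      </OutputClaims>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>"""

# Default namespace of a complete TrustFrameworkPolicy file; fragments may omit it.
POLICY_NS = "http://schemas.microsoft.com/online/cpim/schemas/2013/06"
METADATA_RE = re.compile(
    r"^https://login\.microsoftonline\.com/([^/]+)/v2\.0/\.well-known/openid-configuration$"
)
# Tenant segments that would let users from any Entra tenant sign in.
MULTI_TENANT = {"common", "organizations", "consumers"}


def _local(tag):
    """Strip a namespace prefix such as '{http://...}Item' down to 'Item'."""
    return tag.rsplit("}", 1)[-1]


def _descendants(elem, name):
    """All descendants of elem whose local tag name is `name`."""
    return [e for e in elem.iter() if _local(e.tag) == name]


def lint_oidc_profile(xml_text):
    """Return a list of findings; an empty list means the profile matches the steps above."""
    findings = []
    root = ET.fromstring(xml_text)
    for tp in _descendants(root, "TechnicalProfile"):
        tp_id = tp.get("Id", "<no Id>")
        protocols = [p.get("Name") for p in _descendants(tp, "Protocol")]
        if protocols != ["OpenIdConnect"]:
            findings.append(f"{tp_id}: Protocol must be OpenIdConnect, found {protocols}")
        items = {i.get("Key"): (i.text or "").strip() for i in _descendants(tp, "Item")}
        match = METADATA_RE.match(items.get("METADATA", ""))
        if not match:
            findings.append(f"{tp_id}: METADATA is not a v2.0 openid-configuration URL")
        elif match.group(1).lower() in MULTI_TENANT:
            findings.append(f"{tp_id}: METADATA uses the '{match.group(1)}' endpoint, so any tenant could sign in")
        if items.get("response_types") != "code":
            findings.append(f"{tp_id}: response_types should be 'code'")
        if "client_secret" in items:
            findings.append(f"{tp_id}: client secret must be a policy key, not a Metadata item")
        keys = {k.get("Id"): k.get("StorageReferenceId", "") for k in _descendants(tp, "Key")}
        if not keys.get("client_secret", "").startswith("B2C_1A_"):
            findings.append(f"{tp_id}: client_secret must reference a B2C_1A_ policy key")
        claims = {c.get("ClaimTypeReferenceId"): c.get("PartnerClaimType") for c in _descendants(tp, "OutputClaim")}
        if claims.get("issuerUserId") != "oid":
            findings.append(f"{tp_id}: issuerUserId should come from oid")
        if claims.get("tenantId") != "tid":
            findings.append(f"{tp_id}: tenantId should come from tid")
    return findings


if __name__ == "__main__":
    for finding in lint_oidc_profile(SAMPLE_PROFILE) or ["no findings"]:
        print(finding)
```

Run it against your own TrustFrameworkExtensions.xml before uploading the policy: the check that matters most for "a specific organization" is the METADATA one, since pointing it at `common` or `organizations` silently widens sign-in to every Entra tenant.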
[!INCLUDE active-directory-b2c-add-identity-provider-to-user-journey]
```xml
<OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
  <ClaimsProviderSelections>
    ...
    <ClaimsProviderSelection TargetClaimsExchangeId="AzureADContosoExchange" />
  </ClaimsProviderSelections>
  ...
</OrchestrationStep>

<OrchestrationStep Order="2" Type="ClaimsExchange">
  ...
  <ClaimsExchanges>
    <ClaimsExchange Id="AzureADContosoExchange" TechnicalProfileReferenceId="AADContoso-OpenIdConnect" />
  </ClaimsExchanges>
</OrchestrationStep>
```
[!INCLUDE active-directory-b2c-configure-relying-party-policy]
1. Select your relying party policy, for example `B2C_1A_signup_signin`.
2. For Application, select a web application that you previously registered. The Reply URL should show `https://jwt.ms`.
3. Select the Run now button.
4. From the sign-up or sign-in page, select Contoso Employee to sign in with a Microsoft Entra Contoso account.

If the sign-in process is successful, your browser is redirected to `https://jwt.ms`, which displays the contents of the token returned by Azure AD B2C.
::: zone-end
If you want to get the `family_name` and `given_name` claims from Microsoft Entra ID, you can configure optional claims for your application in the Azure portal UI or application manifest. For more information, see How to provide optional claims to your Microsoft Entra app.

1. Sign in to the Azure portal using your organizational Microsoft Entra tenant. Or if you're already signed in, make sure you're using the directory that contains your organizational Microsoft Entra tenant (for example, Contoso):
   1. Select the Directories + subscriptions icon in the portal toolbar.
   2. On the Portal settings | Directories + subscriptions page, find your Microsoft Entra directory in the Directory name list, and then select Switch.
2. In the Azure portal, search for and select Microsoft Entra ID.
3. In the left menu, under Manage, select App registrations.
4. Select the application you want to configure optional claims for in the list, such as `Azure AD B2C App`.
5. From the Manage section, select Token configuration.
6. Select Add optional claim.
7. For the Token type, select ID.
8. Select the optional claims to add, `family_name` and `given_name`.
9. Select Add. If Turn on the Microsoft Graph profile permission (required for claims to appear in token) appears, enable it, and then select Add again.
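The same change made through the application manifest rather than the portal, as an added Python example that is not part of this article: it adds `family_name` and `given_name` to the manifest's `optionalClaims.idToken` list, handling the `null` default and leaving claims that are already present alone. The sample manifest is constructed; the `optionalClaims`/`idToken` entry shape is the manifest's real structure for optional claims, and the function names are this example's own.

```python
"""Added example (not from the Azure AD B2C article): add family_name and
given_name as optional ID-token claims in an app registration manifest, the
same change the portal steps above make. The sample manifest is constructed.
"""
import json

# Constructed, minimal manifest as exported by the portal: optionalClaims is
# null until the first optional claim is configured.
SAMPLE_MANIFEST = {
    "appId": "00001111-aaaa-2222-bbbb-3333cccc4444",
    "displayName": "Azure AD B2C App",
    "optionalClaims": None,
}


def add_id_token_optional_claims(manifest, claim_names):
    """Return a copy of manifest with claim_names in optionalClaims.idToken.

    Handles the null optionalClaims default and does not duplicate claims that
    are already present, so the function can be applied repeatedly.
    """
    updated = json.loads(json.dumps(manifest))  # deep copy, keeps the input untouched
    if updated.get("optionalClaims") is None:
        updated["optionalClaims"] = {}
    optional = updated["optionalClaims"]
    if optional.get("idToken") is None:
        optional["idToken"] = []
    id_token = optional["idToken"]
    present = {entry["name"] for entry in id_token}
    for name in claim_names:
        if name not in present:
            # Entry shape used by the manifest for an optional claim.
            id_token.append({"name": name, "source": None, "essential": False, "additionalProperties": []})
            present.add(name)
    return updated


def id_token_claim_names(manifest):
    """Names of the optional claims configured for the ID token, in order."""
    optional = manifest.get("optionalClaims") or {}
    return [entry["name"] for entry in optional.get("idToken") or []]


if __name__ == "__main__":
    result = add_id_token_optional_claims(SAMPLE_MANIFEST, ["family_name", "given_name"])
    print(json.dumps(result["optionalClaims"], indent=2))
```

Editing the manifest only declares the claims; the Microsoft Graph profile permission that the portal offers to turn on in the last step is a separate change to the app's required permissions and is not made by this function.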
Publisher verification helps your users understand the authenticity of the app you registered. A verified app means that the publisher of the app has verified their identity using their Microsoft Partner Network (MPN). Learn how to mark your app as publisher verified.
Learn how to pass the Microsoft Entra token to your application.