A Complete Integration – Azure AD B2C & Azure AD (Graph API, Logic Apps)

Login with Facebook, Twitter, LinkedIn or Azure AD? ” A guide outlining how to integrate Azure AD with B2C, using Logic Apps REST API & the Microsoft Graph API to retrieve user attributes. 

Disclaimer: Azure Logic Applications do not do well under heavy load. See the limits here from Microsoft before you implement this in a production environment. Generally speaking, the activity of the Logic App will be better performing on an App Service Plan or Azure Function. 

Azure AD B2C is an amazing offering from Microsoft that allows SaaS providers to offload their identity service to the cloud. Traditionally used for scenarios where integration with a social identity provider is desired, B2C whilst using the Identity Experience Framework (“custom policies / advanced policies”) can support the integration of any OAuth/OpenID Connect or SAML 2.0 Identity Provider, including Azure AD.

Why Azure AD B2C?

The business use cases for this are solid. With more than 8 million tenants in Azure AD, a company could enable “Sign in with Azure AD” and support SSO with arguably most enterprise organizations.

Integrating Azure AD & B2C has been documented by Microsoft, but there are some important gaps.

  1. B2C will only retrieve the ‘id_token’ from Azure AD, no ‘access_token’
  2. The ‘id_token’  will only contain the standard set of claim types listed here. This means our application will not be aware of claims such as title, mobilePhone, email address, or any custom attribute that we wish to deliver to the relying party (application).

Microsoft Graph & Azure Logic Apps

The solution to these gaps is proving a REST API that B2C will interact with to retrieve the user attributes.

General summary –

  1. User clicks “Login” to application
  2. B2C sends user to Azure AD Sign in page
  3. User Signs in
  4. Azure AD sends id_token to B2C (with objectid of user)
  5. B2C sends the ObjectID to the Logic App
  6. Logic app looks up user via the Graph API, sends rest of attributes to B2C
  7. B2C sends entire claim to relying party, either via SAML or JWT (OpenIDConnect)

Getting Started

Before getting started, you should have a complete B2C tenant, a POC application, and sign in with Azure AD already configured. A guide to this is provided by Microsoft here.

Microsoft Graph Application Registration & Authorization

In order to query the Graph API, we need to register a Microsoft Graph application. This is done via https://apps.dev.microsoft.com.

  1. Create an app
  2. Record your client_secret (application id)
  3. Generate and record your application secret
  4. Add Platforms > Web > Configure “http://localhost” as the redirect URL.
  5. Add Application Permission “User.Read.All”
  6. Save

Now that the app is registered, you must authorize it to query against your directory. B2C will only be sending the Object ID and tenant to the application, no access_token, so the application needs to have pre-authorization.

  1. Construct a request URL

https://login.microsoftonline.com/<tenant name>/adminconsent?client_id=<application_id>&redirect_uri=http://localhost/#

Tenant name = The FQDN of your Azur AD tenant (contoso.onmicrosoft.com)

Application_id = The complete Application ID from the apps.dev.microsoft.com site

  1. Browser to this URL in your browser
  2. Sign in with an adminstrative account of the Azure AD tenant. 
  3. Approve the application
  4. Acknowledge – You’ll be redirected to http://localhost. If the request was successful, you should see a URL  like http://localhost/?admin_consent=True&tenant=6660b467-add3-4d9e-8ada-48b1721959f3

Once you have the app authorized, the application ID and application secret, click the “Deploy to Azure” button below which will configure the Logic App immediately ready for use in your tenant.


Once the app has deployed, get the request URL for the application from within the Azure Portal. This will later be used in your B2C policy.

Integrate Logic App with B2C

Now that the Logic App is deployed, we need to add the Claim Provider and add register the Claim Provider as part of the User Journey. Also, The logic app is developed with multi-tenancy in mind, meaning we can accept requests that come in from any Azure AD tenant. However, the Logic App must know the tenant that is being used so we configure a DefaultValue claim for the Azure AD technical profile to be sent in the claim to the Logic App.

  1. Open your TrustFrameworkBase.xml

Find the tag  <ClaimsSchema>

2. Add the following code snip

3. Open your TrustFrameworkExtensions.xml file

Locate the TechnicalProfile for your Azure AD configuration. Add the following to your list of  <OutputClaims>

Replace tenant-name  with the FQDN of your tenant.

4. Register the technical profile of the Logic App

Immediately after the ending <\TechnicalProfile> of the Azure AD configuration, add the following snipit.

note: You must format your URL to be XML compliant. After each ‘&’ symbol you must add ‘amp;’

Example –

 

5. Add the Logic App to the User Journey

Locate your default UserJourney. This may be in your TrustFrameworkExtensions or Base file. Locate where your orchestration step is being executed to call against Azure AD. Immediately after, add the following code. 

Be certain to change the OrchestrationStep Order number.

 

6. Save & Upload your policies. Viola! 

 

Concluding notes

  1. Security – Integrating the Logic App, we rely on the SAS (Shared Access Signature) of the Logic App in the URL as a method of authentication. This is not the most secure approach, as anyone with the URL could query our Graph API. It is recommended if this is implemented in production, that you use Azure API Management as a wrapper around the Logic App to provide authentication and optionally caching.
  2. This example only outlines retrieving the email of the user from the Graph API. The complete list of attributes are located here. https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_get. Make certain to add the claim to your schema before configuring an output claim of the Logic App.

2 thoughts on “A Complete Integration – Azure AD B2C & Azure AD (Graph API, Logic Apps)

  1. Howdy monteledwards.com

    You want quality traffic that Buys From You or Converts into Highly Responsive Subscribers ?
    Then Buy High Quality Solo Ad

    I’ve been in the traffic space for over 5 years and my traffic is:
    * Scalable – I can send anywhere from 100 – 5,000 clicks to your offers.
    * Pre-Qualified – Only the best of the best leads see your offer.
    * Responsive – We regularly get CRAZY results for our vendors (read our reviews).
    * Unsaturated – We use a unique marketing mix to get our leads !!
    * I have a unique system that sorts and optimizes the traffic that is delivered to you.
    * My system delivered unique and highly qualified traffic to your offers ANYTIME YOU WANT!
    * And it’s always going to be fresh, I wouldn’t let you buy from me if it is not.
    * The traffic that you get with my solos is not shared with thousands of other marketers.

    We help you grow your business because we understand that our business growth directly depends on our ability to GROW YOUR BUSINESS.
    That is the only reason we have flourished for over 5 years whereas other solo ad vendors struggle to get sales.
    We maintain quality over quantity.

    IF YOU’RE INTERESTED, CONTACT ME ==> [email protected]

    Regards,
    Axyy

  2. Hello there monteledwards.com

    You want quality traffic that Buys From You or Converts into Highly Responsive Subscribers ?

    I Will Promote Your Business In Worldwide To Any Niche …
    – I search in google after the keyward offered by you in order to find sites;
    – I will ask the site administrator if he is interested in your offer;
    – The process continues on many sites until you get all the vizits promises.

    So you can contact the right audience with offers, driving traffic to your website:
    – Show your business/services/video’s to a targeted audience;
    – Requesting link exchanges from other sites in a similar niche;
    – Contacting webmasters about potentially advertising on their sites;
    – Sending out guest posting and submission requests;
    – Getting in contact with potential affiliates to show your services or products;
    – Contacting a targeted audience to submit press releases;
    – Locating the right people to review your product and services.

    I can send your offer on:
    – Country Desired (only the country you specify)
    – 80% TIER 1 Countries Guaranteed (USA, CA, GB, AU, NZ, IE)
    – Niche Desired(only the keywords you specify)

    We help you grow your business because we understand that our business growth directly depends on our ability to GROW YOUR BUSINESS.

    IF YOU’RE INTERESTED, CONTACT ME ==> [email protected]

    Regards

Leave a Reply

Your email address will not be published. Required fields are marked *