Azure-Samples / active-directory-b2c-advanced-policies

Sample for use with Azure AD B2C with Custom Policies.
http://aka.ms/aadb2ccustom
MIT License

Multi-Tenant Azure AD auth in b2c with custom policies. #8

Closed monty-dev closed 7 years ago

monty-dev commented 7 years ago

I am trying to use Azure AD auth in b2c using the /common Azure AD endpoint. According to https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-devhowto-multi-tenant-overview#update-your-code-to-handle-multiple-issuer-values, there needs to be a mechanism to either 1.) allow multiple issuers, or 2.) specify a list of issuers b2c can validate against. I do not see any possible setting in the custom policies XML that would allow this. I was able to get Azure AD auth created successfully, just not multi-tenant now.

parakhj commented 7 years ago

@rojasja for awareness

We do not support multi-tenant apps or the /common endpoint. I would recommend requesting the feature here to help us prioritize it.

dominicusmento commented 7 years ago

According to this: active-directory-b2c-advanced-policies/Walkthroughs/IdP-AzureAD.md it is supported. However, when I set it up, I get an error: AADSTS50011: Reply address '' specified by the request is not a valid URL. Allowed schemes: '*' although the reply URLs have been configured and set to: https://login.microsoftonline.com/(B2Ctenant).onmicrosoft.com and https://login.microsoftonline.com/te/(B2Ctenant).onmicrosoft.com/oauth2/authresp I also want to emphasize that this was working last Friday (15th of September 2017). I didn't change the custom policy configuration at all and it didn't work anymore on Monday. May I have an official confirmation that a MultiTenant B2C custom policy still can't be configured, or any hint about this error?

monty-dev commented 7 years ago

@tomidix we have been using multi-tenant auth for a while now and it does work. Perhaps share the configuration of your technical profile.

dominicusmento commented 7 years ago

@monteledwards here is the whole ClaimsProvider. The app that the TechnicalProfile references is created on portal.azure.com -> AD B2C -> Applications (not on identity.microsoft.com nor apps.dev.microsoft.com; I tried applications from there too but they didn't work either). The login process starts normally, the user logs in OK, on the first run the user consent is invoked, and after that there is the error which I mentioned in my previous post.

<ClaimsProvider>
  <Domain>MultiTenant</Domain>
  <DisplayName>Login using Azure AD</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="MultiTenantProfile">
      <DisplayName>AzureADAccount</DisplayName>
      <Description>Organizational or Microsoft Account</Description>
      <Protocol Name="OpenIdConnect"/>
      <OutputTokenFormat>JWT</OutputTokenFormat>
      <Metadata>
        <Item Key="DiscoverMetadataByTokenIssuer">true</Item>
        <Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/</Item>
        <Item Key="authorization_endpoint">https://login.windows.net/common/oauth2/v2.0/authorize</Item>
        <Item Key="client_id">{AppID}</Item>
        <!-- AppID from B2C tenant's WebApp Application -->
        <Item Key="IdTokenAudience">{AppID}</Item>
        <Item Key="BearerTokenTransmissionMethod">AuthorizationHeader</Item>
        <Item Key="scope">openid profile</Item>
        <Item Key="HttpBinding">POST</Item>
        <Item Key="response_types">id_token</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="B2C_1A_MultiTenantSignInKey"/>
        <!-- AppSecret from B2C tenant's WebApp Application, saved to policy keys in Azure -->
      </CryptographicKeys>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="oid"/>
        <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid"/>
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
        <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" />
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="contosoAuthentication" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="AzureADContoso" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId"/>
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop"/>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
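
The issuer handling behind DiscoverMetadataByTokenIssuer and ValidTokenIssuerPrefixes, and the "allow multiple issuers or a list of issuers" requirement from the opening post, modelled as an added example (not code from this repository or any commenter): with /common the id_token issuer varies per home tenant, so a token is accepted only when its issuer starts with an allowed prefix, names a specific tenant, and that tenant agrees with the tid claim. The v2.0 issuer form https://login.microsoftonline.com/{tid}/v2.0 and all function names are assumptions.

```python
# Added example: issuer / tenant checks for a multi-tenant Azure AD sign-in.
# Assumes the v2.0 issuer form https://login.microsoftonline.com/{tid}/v2.0;
# signature verification against the discovered metadata is out of scope here.
import base64
import json

VALID_TOKEN_ISSUER_PREFIXES = ("https://login.microsoftonline.com/",)
NON_TENANT_SEGMENTS = {"common", "organizations", "consumers"}


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(id_token: str) -> dict:
    # Payload segment only; the caller is assumed to have verified the signature
    # against the metadata discovered for the (validated) issuer.
    return json.loads(b64url_decode(id_token.split(".")[1]))


def validate_issuer(claims: dict, allowed_tenants=None) -> str:
    """Return the home tenant id (lower-case) or raise ValueError."""
    iss = claims.get("iss", "")
    prefix = next((p for p in VALID_TOKEN_ISSUER_PREFIXES if iss.startswith(p)), None)
    if prefix is None:
        raise ValueError(f"issuer {iss!r} is not under an allowed prefix")
    # The tenant segment follows the prefix; /common itself is never a valid issuer.
    tenant = iss[len(prefix):].split("/", 1)[0].lower()
    if not tenant or tenant in NON_TENANT_SEGMENTS:
        raise ValueError(f"issuer {iss!r} is not tenant-specific")
    tid = (claims.get("tid") or "").lower()
    if tid != tenant:
        raise ValueError("tid claim does not match the issuer's tenant")
    if allowed_tenants is not None and tenant not in {t.lower() for t in allowed_tenants}:
        raise ValueError(f"tenant {tenant} is not permitted to sign in")
    return tenant


def accept_token(id_token: str, allowed_tenants=None) -> tuple:
    """(True, tenant) when the issuer/tid checks pass, otherwise (False, reason)."""
    try:
        return True, validate_issuer(decode_claims(id_token), allowed_tenants)
    except ValueError as exc:
        return False, str(exc)


def make_unsigned_token(claims: dict) -> str:
    # Constructed, unsigned demo token used only to exercise the claim checks.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```

Passing allowed_tenants restricts sign-in to an explicit list of tenants; leaving it as None accepts any tenant whose issuer is under an allowed prefix, which is what the /common configuration in the thread implies.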

monty-dev commented 7 years ago

The application that is to be configured in your technical profile needs to be registered as a regular AAD application. I recommend you start over using the guide here https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-aad-custom

Verify that you can sign in to your own tenant, and then switch the configuration over to multi-tenant by enabling the app to be multi-tenant, and then update your TP configuration.

dominicusmento commented 7 years ago

I did that before and got an error: AADSTS70001: Application 'AppId' is not supported for this API version. I didn't try at all to use MultiTenant v1 for the TP config because we have to use MSAL, so only v2 plays a role for us. Do you use MultiTenant v1 or v2? Now I tried to create a new, converged (v2) app in the regular Azure AD of my regular tenant (not the b2c tenant), but it finished with the same error as before: AADSTS50011: Reply address '' specified by the request is not a valid URL. Allowed schemes: '*'

Verify that you can sign in to your own tenant...

I can do that, this works and I have no problem with this step. Only the multi-tenant doesn't work.

Thanks for your help!

gsacavdm commented 7 years ago

This error:

AADSTS50011: Reply address '' specified by the request is not a valid URL. Allowed schemes: '*'

is a bug on the AAD side that hides the real error, which is that your reply URLs don't match. I would double-check the reply URL on the AAD side (the v1 multi-tenant app, not the B2C app).

Also, double check that you are setting:

<Item Key="UsePolicyInRedirectUri">false</Item>

dominicusmento commented 7 years ago

Thanks for the answer. I've managed to make it work. Yes, you are right. It needs to have UsePolicyInRedirectUri set to false. I didn't change my reply URLs, so I think that the mentioned error is shown where the reply URL has nothing in common with the error and does not cause it.

nileshanchan commented 6 years ago

I am using custom policy which is integrated with B2B and B2C as per link https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-aad-custom. I am able to get the username and email from B2B users after adding

in the relying party, but not able to get all the user details for B2C users.

monty-dev commented 6 years ago

Azure AD id_tokens will not return the email address. To do so, you need to query the graph API. I wrote a guide to this here. http://email.monteledwards.com/c/eJxFUE1vgzAM_TVwS-UESMiBQ4fWw7qpUvcl7eYkDkSiwFK6qv31S7vDLOtZfs96lu0aQqyUykPTrp-_w_vntWvjuR1Hha_ALqWVL-x4br92H3572r_vFlZd3kR8fPrZ7tdZCQcMw6q7o50Oed8Yh-B0CZI7U0gBmspa8kIIqwpjsMqHpl-W-ZgV60xsUh6mcaGB3BmjO95MEieAq1Q43KBOgCwJ80ALsZDGu4hLmEaG11Mkho4ZYf-bpM49wzmwYepCEua0Tmzy2ESah0smHoCjpKquQdRUWdKKsPTGcWUseqmxrpSAQgv0wnLnSy2sh7_gXIIh7xKHXGpLQIDeGUjPuNuvurD0J3O75BemTW2U


TiagoBrenck commented 5 years ago

@parakhj is the multi-tenant scenario still not available in B2C?