Azure AD B2C Support

[markti]

Does this provider support Azure AD B2C? If not, what provider can I use to support Azure AD B2C?

[mikebollandajw]

i am also interested in this

[jackbatzner]

I'd love this as well!

[hhao01-becls]

For application, we can use this provider to create an application in the B2C directory.

The key point it that you must manually create a service principle and use this service principle to create an application the B2C directory by Terraform.

The example is below.

provider "azuread" {
  version = "=0.3.0"
  subscription_id = "There is no subscription in the B2C directory, so you can use the tenant id as subscription id."
  client_id = "The id of service principle"
  client_secret = "The secrect created in the service principle"
  tenant_id = "tenant id"
}

resource "azuread_application" "example" {
  name                       = "example"
  homepage                   = "https://example"
  reply_urls                 = ["https://example"]
  available_to_other_tenants = false
  oauth2_allow_implicit_flow = true
}

[hhao01-becls]

Do we have any plan to support Azure Active Directory B2C? We can use azuread provider to create an application in the B2C directory. We also need the following supports:

• Trust Framework policy (custom policy)
• User Flow

For now, the beta version in Microsoft Graph is in preview, which supports managing the Trust Framework policy and user flow. The details refer to trustFrameworkPolicy resource type and UserFlow resource type

[AshleyPoole]

Would love this too!

[manicminer]

Unfortunately at the moment the Azure SDK for Go doesn't support MS Graph, so we can't yet manage B2C policies or user flows.

You should however, as mentioned by @hhao01-becls, now be able to manage B2C Applications using the azuread_application resource since these were recently made cross-compatible with regular app registrations.

[erikanderson]

When creating a new application in B2C there is the option under Supported Account Types for "Accounts in any organizational directory or any identity provider. For authenticating users with Azure AD B2C."

I know that azuread_application has the param available_to_other_tenants https://www.terraform.io/docs/providers/azuread/r/application.html#available_to_other_tenants however I don't think there is a param that can configure an application with that Supported Account Type.

I am playing around with this and will update here if I find anything further.

Edit: It appears this is a limitation of the current Go SDK which is not using the Microsoft Graph API. With Graph you can configure an application like:

"signInAudience": "AzureADandPersonalMicrosoftAccount",

https://docs.microsoft.com/en-us/graph/api/resources/application?view=graph-rest-beta

[bytemech]

This would be great!

[kenorb]

Btw. azurerm provider supports some B2C resources, e.g. api_management_identity_provider_aadb2c.

[dvdvorle]

Would this scenario be enabled by the 2.0 milestone? Currently I get

│ Error: expected sign_in_audience to be one of [AzureADMyOrg AzureADMultipleOrgs], got AzureADandPersonalMicrosoftAccount
│
│   with [...],
│   on [..] line 9, in resource "azuread_application" "web":
│    9:   sign_in_audience = "AzureADandPersonalMicrosoftAccount"
│

[manicminer]

Support for all values for sign_in_audience was already merged in preparation for 2.0, see #461. Thanks!

[jashby44]

@manicminer I know 2.0 isn't released yet, but can I use a dev version now with a different source in required_providers? Happy to test and leave feedback.

[manicminer]

Hi @jashby44, we don't have a pre-release build, however you should be able to build it locally from main, although I wouldn't recommend running in production as there are still some known bugs.

[jrasanen]

There are now APIs for creating AD B2C tenants programmatically, so is the "upstream" issue tag fixed, or is it still pending the Azure SDK for Go?

[manicminer]

@jrasanen Thanks for pointing this out! As this is a Resource Manager API, the corresponding resource to create/manage a B2C tenant and it's subscription association will be implemented in the AzureRM provider. The AzureAD provider will implement any resources which can be managed via Microsoft Graph (or potentially any future B2C-specific APIs), to manage the constructs within a B2C tenant.

I have opened an issue to track this: https://github.com/hashicorp/terraform-provider-azurerm/issues/13396

[helvetia-regel]

Linked or not: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_policy

Does the above allow for the definition of custom policies via their own XML files?

@hhao01-becls the microsoft graph client has apparently been upgraded to support the upload of policies. It is used in Github action workflows, which sound like an acceptable alternative if terraform cannot write these custom policies.

[jarifibrahim]

Hi @manicminer! Would you be open to accept a PR for adding support for B2C Userflow resource to this provider https://learn.microsoft.com/en-us/graph/api/resources/b2cidentityuserflow?view=graph-rest-beta ?

I see that azuread uses https://github.com/manicminer/hamilton/tree/main/msgraph as the Microsoft Graph API client but the client doesn't support B2C UserFlow related graph APIs. Would it be okay to integrate microsoftgraph/msgraph-beta-sdk-go https://github.com/microsoftgraph/msgraph-beta-sdk-go/tree/main/identity/b2cuserflows which has the required API support?

[manicminer]

@jarifibrahim We would definitely like to support this, however we are first looking to implement support in the provider for pinning, or otherwise asserting, the API version - due to this resource only being available in the beta API at this time.

We are not currently looking to use the official SDK(s).

[jarifibrahim]

@manicminer is there an ETA on how long would it take to add support for pinning a version?

We are not currently looking to use the official SDK(s).

May I ask why? I am happy to add support for user flows to https://github.com/manicminer/hamilton/tree/main/msgraph as well.

Edit: Created https://github.com/manicminer/hamilton/pull/179 for adding B2C User Flow API support.

[ghost]

Is there any possibility to create User Flows and generic OIDC Identity Providers in a B2C tenant at this time?

[ilmax]

@manicminer I saw a PR for user flow that got incorrectly marked as being released in version 2.35 but it was apparently never merged, any reason why that one was closed? I was looking forward to it. Can you shed some light on the status, please? AFAIC support is there in the hamilton library

[manicminer]

@ilmax Great question! Apologies, I closed that PR but forgot to update the milestone or post an explanatory comment. I've added that now, please see https://github.com/hashicorp/terraform-provider-azuread/pull/1009#issuecomment-1513891386

[itpropro]

Azure AD B2C will probably be superseded by Entra External ID for customers in the future and it looks like most of the effort goes into that instead of AD B2C. Also, Entra ID for customers seems to have proper APIs for configuration and fortunately dropped the whole Identity Experience Framework in favour of a more modern hook system called authentication extensions. Therefor I think this issue can be closed and a new one for "Entra External ID for customers support" could be created.

[rmihael]

Entra External ID looks nice, but AD B2C will be supported by MS until at least May 2030 (https://learn.microsoft.com/en-us/entra/external-id/customers/faq-customers#whats-happening-to-azure-ad-b2c-and-azure-ad-external-identities). Migrating from AD B2C is far from trivial, at least for now. Also External ID still lacks many features and will require time to catch up with AD B2C. Until then both existing and new deployments will benefit from support in Terraform. In particular, https://github.com/hashicorp/terraform-provider-azuread/issues/715 feels like the most obviously missing.