Azure AD B2C integrating with corporate (Azure?) AD accounts
We would like to use Azure AD B2C for our web applications to allow users to sign in either with a 'local' account/password or use their social accounts (Facebook, etc). https://docs.microsoft.com/azure/active-directory-b2c/active-directory-b2c-overview
However, in this application, we are likely to be targeting organisations, so we would also like to integrate with a company's existing Azure AD corporate accounts. That way the user doesn't have to create a new account and can use their existing corporate account.
It turns out that there is a (new) feature within Azure AD B2C which allows you to explicitly link to an external Azure AD account by using a custom policy as described here: https://docs.microsoft.com/azure/active-directory-b2c/active-directory-b2c-setup-aad-custom
Unfortunately, this only works if we know in advance which external companies we need to link with and add in specific configuration. It also leaks information about who is using the app, because the company names become listed as options on the sign-in page.
I've also looked at the Azure AD B2B features, but I don't think that this fits properly either.
What we'd really like is for Azure AD B2C to offer a generic 'sign in to a (corporate) Microsoft account', which detects whether that email address is already handled within any Azure AD systems; if it is, it then delegates authentication to that system, but if not, it will fall back to an Azure AD B2C local account.
This generic login already works for access to standard Microsoft apps, such as their portals. Does anyone know if this is possible within Azure AD B2C, or have any potential timescale for when it may become possible? Are there any alternate systems which may be able to offer similar functionality?
What you are referring to is having Azure AD in multi-tenant mode, added as an identity provider to Azure AD B2C.
From: Multi-Tenant Azure AD Auth in Azure AD B2C with Custom Policies
In order to support multi-tenant Azure AD, you'll need to configure your ClaimsProvider in the custom policy with different values.
Use the values below, making sure you replace the client_id and IdTokenAudience values with your own.
<Item Key="DiscoverMetadataByTokenIssuer">true</Item>
<Item Key="ValidTokenIssuerPrefixes">https://sts.windows.net/</Item>
<Item Key="authorization_endpoint">https://login.microsoftonline.com/common/oauth2/authorize</Item>
<Item Key="client_id">df5b2515-a8d2-4d91-ab4f-eac6e1e416c2</Item>
<Item Key="BearerTokenTransmissionMethod">AuthorizationHeader</Item>
<Item Key="scope">openid</Item>
<Item Key="UsePolicyInRedirectUri">false</Item>
<Item Key="HttpBinding">POST</Item>
<Item Key="response_types">id_token</Item>
<Item Key="IdTokenAudience">df5b2515-a8d2-4d91-ab4f-eac6e1e416c2</Item>
CAUTION: This functionality isn't officially even in preview yet, so use with caution. Keep monitoring the official "Sign in by using Azure AD accounts" documentation to see when this is fully documented and supported.
EDIT: Make sure you flip the Multi-tenanted switch in the App's settings, otherwise you'll get the following error:
AADSTS70001: Application with identifier '(guid)' was not found in the directory (our company's primary domain)
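The ValidTokenIssuerPrefixes and DiscoverMetadataByTokenIssuer items above tell Azure AD B2C to accept an id_token from any tenant whose issuer starts with https://sts.windows.net/ and to fetch that tenant's metadata (signing keys) from the issuer it finds in the token. The following Python is an added example that is not Azure AD B2C's own code: it shows the equivalent issuer check in plain code, so you can see what the prefix actually constrains and what it does not. The sample token is constructed and unsigned (signature verification would happen against the keys from the discovered metadata URL); the tenant GUID and audience are constructed values, and the metadata URL format is the one the example assumes for Azure AD v1 tenants.

```python
"""Emulate the issuer check requested by ValidTokenIssuerPrefixes /
DiscoverMetadataByTokenIssuer for a multi-tenant Azure AD identity provider.
Added example for illustration only; not Azure AD B2C's implementation."""
import base64
import json
import uuid

# Mirrors <Item Key="ValidTokenIssuerPrefixes">https://sts.windows.net/</Item>
VALID_ISSUER_PREFIXES = ("https://sts.windows.net/",)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_test_token(iss: str, aud: str) -> str:
    """Build a constructed, unsigned JWT ("alg": "none") purely as sample input."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"iss": iss, "aud": aud}).encode())
    return f"{header}.{payload}."


def decode_jwt_payload(token: str) -> dict:
    """Read the payload without verifying it; the issuer must be known before
    the right tenant's signing keys can even be fetched."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def tenant_from_issuer(issuer: str, prefixes=VALID_ISSUER_PREFIXES) -> str:
    """Return the tenant id when issuer is exactly <prefix><tenant-guid>/.

    The prefix includes the trailing slash, so a look-alike host such as
    https://sts.windows.net.example/ does not match. The remaining path must be
    a single GUID segment, so a path like .../<guid>/extra is also rejected."""
    for prefix in prefixes:
        if issuer.startswith(prefix):
            rest = issuer[len(prefix):].rstrip("/")
            if not rest or "/" in rest:
                raise ValueError("issuer path is not a single tenant segment")
            try:
                return str(uuid.UUID(rest))
            except ValueError:
                raise ValueError("issuer tenant segment is not a GUID") from None
    raise ValueError("issuer is not under a valid prefix")


def metadata_url_for_tenant(tenant_id: str) -> str:
    """Metadata document to fetch signing keys from (assumed v1 tenant format)."""
    return f"https://login.microsoftonline.com/{tenant_id}/.well-known/openid-configuration"


def check_id_token(token: str, expected_audience: str) -> str:
    """Validate issuer prefix and audience; return the metadata URL that the
    signature check would use next. Raises ValueError on any mismatch."""
    claims = decode_jwt_payload(token)
    if claims.get("aud") != expected_audience:  # IdTokenAudience check
        raise ValueError("audience mismatch")
    tenant_id = tenant_from_issuer(claims.get("iss", ""))
    return metadata_url_for_tenant(tenant_id)


# Constructed sample values (not real identifiers)
SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_AUDIENCE = "00000000-aaaa-bbbb-cccc-dddddddddddd"

if __name__ == "__main__":
    good = make_unsigned_test_token(f"https://sts.windows.net/{SAMPLE_TENANT}/", SAMPLE_AUDIENCE)
    print(check_id_token(good, SAMPLE_AUDIENCE))
```

The prefix alone is what makes the provider "multi-tenant": any tenant under sts.windows.net is accepted, so the application still has to decide, from the tid or issuer in the token, which organisations it actually trusts.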
Azure AD B2C does not officially support a multi-tenant Azure AD identity provider. You should vote for the feature here so it can help prioritize it and so that you can be contacted when the feature is in preview.
There is a potential workaround if you have a limited set of Azure AD tenants that you work with. You could build a page in your app where the user types in the email address. Based on the email address, you can use the domain_hint parameter when calling Azure AD B2C to redirect them directly to the right sign-in page.
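The domain_hint workaround above, as an added Python example that is not part of the original answer: the user types an email address, the app looks the domain up in a fixed allow-list of tenants it has agreed to work with, and only then adds domain_hint to the Azure AD B2C authorize request. Unknown domains get no hint, so those users land on the normal B2C sign-in page with local and social options. The tenant names, policy name, client_id and redirect URI are constructed placeholders; the authorize endpoint shape (b2clogin.com with the policy passed as p) is assumed for the example.

```python
"""Route a user to the right Azure AD tenant via domain_hint, based on the
e-mail domain they typed. Added example; not code from the original post."""
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed allow-list: e-mail domain -> value sent as domain_hint.
# Only tenants the app has explicitly onboarded appear here.
KNOWN_TENANTS = {
    "contoso.example": "contoso.example",
    "fabrikam.example": "fabrikam.example",
}


def email_domain(email: str) -> str:
    """Extract and normalise the domain part; reject malformed input early."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain or "/" in domain or "?" in domain:
        raise ValueError("not a usable e-mail address")
    return domain.lower()


def domain_hint_for(email: str, tenants=KNOWN_TENANTS):
    """Return the domain_hint for a known tenant, or None to fall back to the
    default B2C sign-in page (local account / social providers)."""
    return tenants.get(email_domain(email))


def build_authorize_url(b2c_tenant: str, policy: str, client_id: str,
                        redirect_uri: str, nonce: str, state: str,
                        email: str, tenants=KNOWN_TENANTS) -> str:
    """Build the B2C authorize URL, adding domain_hint only for known domains.

    domain_hint is a routing hint only: which organisation the user really
    belongs to is established by the claims in the returned id_token, never by
    the address they typed on this page."""
    params = {
        "p": policy,
        "client_id": client_id,
        "response_type": "id_token",
        "response_mode": "form_post",
        "scope": "openid",
        "redirect_uri": redirect_uri,
        "nonce": nonce,
        "state": state,
        "login_hint": email.strip(),
    }
    hint = domain_hint_for(email, tenants)
    if hint is not None:
        params["domain_hint"] = hint
    base = f"https://{b2c_tenant}.b2clogin.com/{b2c_tenant}.onmicrosoft.com/oauth2/v2.0/authorize"
    return f"{base}?{urlencode(params)}"


def query_params(url: str) -> dict:
    """Helper for inspecting the generated URL (single-valued params)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


if __name__ == "__main__":
    # Placeholder values for the B2C tenant and app registration
    url = build_authorize_url("yourtenant", "B2C_1A_signup_signin",
                              "00000000-0000-0000-0000-000000000000",
                              "https://app.example/auth/callback",
                              "nonce-123", "state-456", "alice@Contoso.example")
    print(url)
```

Keeping the lookup in an allow-list rather than forwarding whatever domain was typed means the page only ever reveals tenants the app has already agreed to work with.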