Sergio Solorzano

Reputation: 667

Can a tenant resource be shared with a different (B2C) tenant user after authenticating?

I would like to give a B2C tenant (b2ctenant.onmicrosoft.com) access to a function app that sits in my main subscription tenant (e.g. company.com).

So if a user is authenticated with a B2C tenant (b2ctenant.onmicrosoft.com) how can I give him authorization to use a resource at a different tenant (company.com)?

I tried giving an App in the B2C tenant (b2ctenant.onmicrosoft.com) permissions to resources of the company.com tenant but the APIs or resources of company.com don't show as available to add permissions for the B2C app.

EDIT: Edited with the settings and error results from trying @Jas Suri - MSFT's guidance:

I get the Issuer URL from B2C user flow -> Run User Flow, which opens a page that shows a link at the top; following that link shows the Issuer URL https://XXX.b2clogin.com/XXX.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_XXX_userflow

But I also tried the Issuer URL as you said, using the URL at the top of B2C user flow -> Run User Flow, and got the same error: https://XXX.b2clogin.com/XXX.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_xxx_userflow

The error message at Identity Provider is "Application with ID [webapi in B2C tenant] not found in the current tenant. Tenant ID: [ID of Contoso tenant]", which makes sense because the web API is in the B2C tenant, not in Contoso.

I can't use Authentication (Classic); it's stuck and won't let me use it, I can only go back to Authentication:

There is no "Disable" option in the Authentication blade, only the option to allow unauthenticated access. I do this, but I still can't use Authentication (Classic), and it shows the same message as before: "This app is configured using the new authentication experience. Click here to access Authentication (preview)."

Upvotes: 0

Views: 262

Answers (1)

Jas Suri - MSFT

Reputation: 11315

B2C tenant:
1.1. Create Application Registration for your Web App
1.2. Create Application Registration for your Web API (Function App)
1.3. Expose a scope on the Web API App reg
1.4. Add a permission to the Web App App reg for the scope in (3). Grant Admin Consent.
1.5. Open the "Run Now" link of your AAD B2C User Flow/Custom Policy and note the /.well-known/openid-config URL at the top of the blade

Contoso tenant:
2.1. Create your Function App
2.2. Configure it with AAD Authentication
2.3. Use Advanced authentication option
2.4. Enter the clientId from [1.1]
2.5. Enter the Issuer URL as the value from [1.5]

The Azure Function will only accept tokens from one single AAD B2C User Flow [1.5] authenticated through the Web App from [1.1].

Upvotes: 0
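As an added illustration (not code from the question or the answer), the following reproduces offline the claim checks that the Function App's authentication layer applies once it is configured with the clientId from [1.1] and the issuer from [1.5]: signature, lifetime, one issuer (the B2C tenant), one policy (the `tfp` user-flow claim) and one audience. The client id, issuer, user-flow name and signing key are constructed placeholders, and the signature is HMAC instead of the RS256 key a real deployment fetches from the issuer's `jwks_uri`, so the script runs without network access.

```python
import base64, hashlib, hmac, json

# Constructed placeholders standing in for the real [1.1] and [1.5] values.
WEB_APP_CLIENT_ID = "11111111-2222-3333-4444-555555555555"   # clientId from [1.1]
B2C_ISSUER = "https://contosob2c.b2clogin.com/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/v2.0/"
USER_FLOW = "B2C_1_signupsignin"                              # policy name from [1.5]
SECRET = b"constructed-hmac-key"   # stands in for the B2C signing key (RS256 in reality)

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(claims: dict, key: bytes = SECRET) -> str:
    """Mint a constructed test token (HS256 here purely so the example is offline)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def validate_token(token: str, now: int, key: bytes = SECRET) -> tuple:
    """Accept only tokens from the single B2C user flow, minted for the single Web App."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(body))
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        return False, "token outside its nbf/exp window"
    if claims.get("iss") != B2C_ISSUER:          # token from another tenant or endpoint
        return False, f"issuer {claims.get('iss')!r} is not the configured B2C issuer"
    if claims.get("tfp") != USER_FLOW:           # token from a different user flow
        return False, f"policy {claims.get('tfp')!r} is not the configured user flow"
    if claims.get("aud") != WEB_APP_CLIENT_ID:   # token minted for some other app
        return False, "audience is not the Web App client id from [1.1]"
    return True, "accepted"

def good_claims(now: int) -> dict:
    """Constructed claim set shaped like a B2C user-flow token for the Web App."""
    return {"iss": B2C_ISSUER, "aud": WEB_APP_CLIENT_ID, "tfp": USER_FLOW,
            "nbf": now - 60, "exp": now + 3600, "sub": "constructed-user-object-id"}

if __name__ == "__main__":
    now = 1_700_000_000
    print(validate_token(make_token(good_claims(now)), now))
    print(validate_token(make_token({**good_claims(now), "tfp": "B2C_1_other"}), now))
```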
