BTRox

Reputation: 13

Azure AD B2C with External Identity Provider and Roles

I am looking into leveraging B2C for the following scenario:

  1. Allow my partner organizations who currently have Azure AD accounts to sign in to my application.
  2. I do not want to force the user to sign up for a new account in my system. I want them to be able to use their own account without the need for me to manage their accounts (such as resetting passwords).
  3. I need to be able to identify some users from my partner organizations as "Admins" within my application. If the user is not an Admin, they are automatically a "User". I want my partner organizations to be able to configure what employees from their organization are admins.
  4. I also need the ability to have local accounts that I can create for users who are in organizations who do not have the option to provide an external identity provider.

My understanding is that I can do this with Azure AD B2C, but I would have to build the functionality to manage which users are the Admins myself. It is my understanding that I would have to maintain a list of admin users in a local database and then, during the sign-in flow, have a Journey/Orchestration step that calls an API to determine whether the user is an Admin and, if so, adds a claim to the JWT token.

Is my understanding correct?

Upvotes: 0

Views: 503
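The approach the question sketches, a REST endpoint that a B2C custom-policy orchestration step calls to decide the user's role, as an added example that is not part of the original post and not Microsoft's code. It assumes (assumption, not confirmed by the post) the usual B2C RestfulProvider contract: the policy POSTs its InputClaims as a flat JSON object, reads the top-level properties of a 200 response back as OutputClaims, and treats a 409 response carrying `version`/`status`/`userMessage` as a user-facing error. The claim names `identityProvider` (the external issuer URL), `issuerUserId` (the user's `oid` in the partner tenant) and `objectId` (a local B2C account) are the ones the policy is assumed to forward; the tenant ids, object ids and credentials are constructed sample data.

```python
"""Claims-enrichment API for a B2C custom policy (hypothetical example).

Federated users are identified by (partner tenant id, oid in that tenant);
local B2C accounts by their B2C objectId.  The endpoint returns a `role`
output claim of "Admin" or "User" and rejects sign-ins from tenants that
are not registered partners.
"""
import base64
import hmac
import json
import os
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Optional, Tuple

# Constructed sample data.  Each partner tenant is keyed by its Azure AD tenant
# id; the value is the set of oids that partner has designated as admins.  In a
# real system each partner would maintain its own entry (e.g. via a self-service
# page backed by a database).
PARTNER_ADMINS: Dict[str, set] = {
    "1f3c0d8e-0000-4000-8000-000000000001": {"8b2f1c44-0000-4000-8000-0000000000aa"},
    "2a7e9b11-0000-4000-8000-000000000002": set(),
}
LOCAL_ADMINS = {"c9d4e6f0-0000-4000-8000-0000000000ff"}  # local B2C account objectIds

# Assumed issuer format of the Azure AD v2.0 endpoint: the tenant id is the path segment.
_ISSUER_RE = re.compile(r"^https://login\.microsoftonline\.com/([0-9a-fA-F-]{36})/v2\.0/?$")

# Basic-auth credentials the policy's REST technical profile is configured with (assumed names).
API_USER = os.environ.get("B2C_API_USER", "b2c")
API_PASSWORD = os.environ.get("B2C_API_PASSWORD", "change-me")


def _error(message: str) -> Tuple[int, dict]:
    """Shape B2C surfaces to the user as a validation failure (assumed contract)."""
    return 409, {"version": "1.0.0", "status": 409, "userMessage": message}


def evaluate_claims(body: dict) -> Tuple[int, dict]:
    """Map the input claims of one sign-in to (http_status, output_claims)."""
    issuer = body.get("identityProvider")
    if issuer:  # federated sign-in from an external Azure AD tenant
        match = _ISSUER_RE.match(issuer)
        if not match:
            return _error("Unexpected identity provider.")
        tid = match.group(1).lower()
        if tid not in PARTNER_ADMINS:  # not a registered partner: reject, do not default to "User"
            return _error("Your organization is not a registered partner.")
        ext_id = body.get("issuerUserId")
        if not ext_id:
            return _error("Missing external user id.")
        role = "Admin" if ext_id in PARTNER_ADMINS[tid] else "User"
        return 200, {"role": role, "partnerTenantId": tid}
    oid = body.get("objectId")  # local account path
    if not oid:
        return _error("Missing account identifier.")
    return 200, {"role": "Admin" if oid in LOCAL_ADMINS else "User"}


def _authorized(auth_header: Optional[str]) -> bool:
    """Constant-time check of the Basic credentials so only the B2C policy can call us."""
    if not auth_header or not auth_header.startswith("Basic "):
        return False
    expected = base64.b64encode(f"{API_USER}:{API_PASSWORD}".encode()).decode()
    return hmac.compare_digest(auth_header[len("Basic "):], expected)


class ClaimsHandler(BaseHTTPRequestHandler):
    def do_POST(self) -> None:
        if not _authorized(self.headers.get("Authorization")):
            self._reply(401, {"error": "unauthorized"})
            return
        length = int(self.headers.get("Content-Length", 0))
        try:
            body = json.loads(self.rfile.read(length) or b"{}")
        except json.JSONDecodeError:
            status, payload = _error("Malformed request body.")
        else:
            status, payload = evaluate_claims(body)
        self._reply(status, payload)

    def _reply(self, status: int, payload: dict) -> None:
        data = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), ClaimsHandler).serve_forever()  # B2C needs HTTPS in front of this
```

Two points a practitioner would check: the tenant allow-list here is a second line of defence, not a substitute for restricting issuers in the policy itself (the multi-tenant Azure AD technical profile accepts any tenant unless `ValidTokenIssuerPrefixes` or an equivalent check is configured), and the endpoint must be reachable only over HTTPS with the credentials the REST technical profile presents, since whatever it returns ends up as a claim in the issued token.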

Answers (1)

rbrayb

Reputation: 46753

You can federate B2C and Azure AD.

This will allow points 1 through 4.

See the section in the link "Configuring optional claims". This will allow you to pass Azure AD claims (e.g. Admin) to B2C.

Upvotes: 0
