Azure B2C for Azure AD Multitenant login (Migration)

Mark Walsh 41 Reputation points
2022-12-13T09:22:11.597+00:00

Hello,

I wish to migrate to Azure B2C so I can support N number of other Identity Providers for our customers who do not use Azure AD.

Currently we've got an Azure AD instance with multitenancy set up (Accounts in any Azure AD directory), but I want to support users authenticating via Google Workspace, Okta, >Insert SAML provider<, etc. I only use Azure AD currently (and will only use Azure B2C) for authentication, not authorization; that's handled internally by my application.

I am just trying to piece through the documentation, but what would the process roughly be for this?

  1. Add Azure AD to Azure B2C as an OpenID Connect provider (pointing to my multitenant Azure AD instance)
  2. Add other IdPs via the same method (hopefully multitenancy Google Workspace via the same method)
  3. Follow one of these processes to perform a JIT user migration - https://learn.microsoft.com/en-us/azure/active-directory-b2c/user-migration so any user can "login"

Thanks in advance


Accepted answer
    Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator
    2022-12-15T10:04:24.507+00:00

    Hi @Mark Walsh ,

    Thanks for reaching out.

    I understand you are trying to migrate to Azure AD B2C to allow users from different identities to access your application.

    You can achieve this easily using Azure AD B2C, which is a different service from Azure AD but built on the same technology. Azure AD B2C supports external identity providers like Facebook, Microsoft account, Google, Twitter, and any identity provider that supports the OAuth 1.0, OAuth 2.0, OpenID Connect, and SAML protocols.

    Add Azure AD to Azure B2C as an OpenID Connect provider (pointing to my multitenant Azure AD instance)

    Azure AD B2C allows you to enable sign-in for users from multiple Azure AD tenants. B2C has predefined built-in user flows for sign-up, sign-in and other user experiences. You can create complex user journeys with custom policies, which are not supported by user flows.

    An Azure AD B2C user flow allows you to sign in users from a specific Azure AD tenant. However, to access the application from multiple Azure AD tenants you can configure a custom policy as mentioned here, where the ValidTokenIssuerPrefixes parameter allows users from multiple Azure AD tenants to sign in to your B2C application.

    Add other IdPs via the same method (hopefully multitenancy Google Workspace via the same method)

    As mentioned above for configuring Azure AD in B2C, you can configure different IdPs using user flows or custom policies in a similar way.

    Hope this will help.

    Thanks,
    Shweta

    -------------------------------------

    Please remember to "Accept Answer" if answer helped you.

