Azure B2C - Best Way to Manage Access to Application via B2C?

devopsfj 201 Reputation points
2023-07-04T09:58:28.0866667+00:00

Hello,

We are currently implementing Azure B2C with our application.

We need to be able to manage access to our application using Azure B2C... for example, we need some mechanism of our application reading an attribute (or something similar) and then deciding what the user can see in the application.

For example, if a user has an 'admin' attribute, they can view all pages of the application, if a user has a 'user' attribute, they can only view certain screens in the applications..

We also need Admin's to be able to manage users from the application, so adding new users, deciding their roles and permissions etc..

How would be best to implement this?

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
21,702 questions
{count} vote

2 answers

Sort by: Most helpful
  1. Konstantinos Passadis 19,166 Reputation points MVP
    2023-07-04T10:19:31.77+00:00

    Hello @devopsfj !

    I understand you need some guidenace to implement Access Control with Azure B2C for your Application

    Here are some suggestions to start with :

    • You can start by defining custom attributes in your Azure B2C directory that represent the roles or permissions you want to assign to users. For example, you can create attributes like "admin" and "user".

    https://learn.microsoft.com/en-us/azure/active-directory-b2c/user-flow-custom-attributes?pivots=b2c-user-flow

    • Configure your application to use Azure B2C for user registration and sign-in. When users register or sign in, you can collect additional information such as their role or permission level through custom fields. For example you can add a Job Role that will define the permissions of the user

    https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-sign-up-and-sign-in-policy

    • In your application, retrieve the user's role or permission level from the claims provided by Azure B2C during authentication. You can use this information to control what the user can see and access within your application. Implement authorization logic to enforce the appropriate access controls based on the user's role or permission level.

    https://learn.microsoft.com/en-us/azure/active-directory-b2c/idp-pass-through-user-flow?pivots=b2c-user-flow

    • Leverage Azure B2C's built-in user management APIs. These APIs enable you to programmatically create, update, and delete user accounts, as well as manage their attributes and roles. You can provide an admin interface in your application that utilizes these APIs to perform user management operations.

    https://github.com/azure-ad-b2c/api-connector-samples

    • RBAC is another mechanism to control Access and Permissions

    https://learn.microsoft.com/en-us/azure/active-directory-b2c/roles-resource-access-control

    These are standard capabilities and design considerations regarding Azure B2C Integration

    You can expand to the level of your choice and provide a powerfull Registration and Access Control Mechanism with Azure B2C

    More Samples :

    https://learn.microsoft.com/en-us/azure/active-directory-b2c/integrate-with-app-code-samples


    I hope this helps!

    The answer or portions of it may have been assisted by AI Source: ChatGPT Subscription

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards


  2. Konstantinos Passadis 19,166 Reputation points MVP
    2023-07-04T16:46:01.2+00:00

    Hello @devopsfj !

    As we can read

    https://learn.microsoft.com/en-us/azure/active-directory-b2c/faq?tabs=app-reg-ga

    Can I use group-based assignment for Azure AD Enterprise Applications in my Azure AD B2C tenant?

    No, Azure AD B2C tenants don't support group-based assignment to Azure AD Enterprise Applications.

    Azure B2C does not natively support using groups for access management like Azure Active Directory (AAD) does. However, you can achieve a similar result by leveraging custom attributes and roles within Azure B2C.

    I dont have something to show you for this specifically but you can look up the links i provided

    However :

    You may want to rethink your approach

    Azure B2C is primarily designed for customer identity and access management scenarios.

    Maybe Azure AD is closer to what you are trying to achieve

    Have you seen the SCIM approach ?

    https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/sync-scim

    Let me know your thoughts or kindly Accept any answer that may have helped you!


    I hope this helps!

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.