Azure active directory B2C

Iheb Jandoubi 5 Reputation points
2023-10-25T21:32:19.4833333+00:00

I am using Azure Active Directory to handle authentication in my application! I have registered my app-spa in Azure Active Directory B2C and my-api, and exposed the different APIs! Now there are some APIs accessed only by User and others only by Admin! How can I achieve this using Azure B2C?

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

1 answer

  1. Shweta Mathur 28,771 Reputation points Microsoft Employee
    2023-10-30T07:58:54.33+00:00

    Hi @Iheb Jandoubi ,

    Thanks for reaching out.

    There is no out-of-the-box support for RBAC / roles in Azure AD B2C. However, there are a few ways to implement RBAC using Azure AD B2C.

    Approach 1:

    Any roles that you specify using the App Registration blade are applicable and returned in the token only when the authentication is done against standard Azure AD and not Azure AD B2C.

    You should consider using specific attributes that are collected from the user(s) during sign-up, inserted by a RESTful API connector, or set by using Graph API PATCH calls. Then use the attribute value to distinguish between the users who should get access to the API and those who should not. Once done, you can use claims-based authorization.

    Approach 2:

    You can add users to security groups and check whether the users are members of those groups, as documented here.

    Approach 3:

    • The API connectors / custom policy can be used to call a RESTful service, such as the MS Graph API.
    • The example linked in the post gets the "Groups" that the user is assigned to and calls the REST function from the sign-in user journey, in a step prior to sending claims, so that the JWT token contains the group claim.
    • From there, the validation technical profile can be conditionally executed based on preconditions defined in the ValidationTechnicalProfile element. For example, you can check whether a specific claim exists, or whether a claim is equal or not equal to the specified value.

    Hope this will help.

    Thanks,

    Shweta


    Please remember to "Accept Answer" if answer helped you.

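The API side of Approach 1 (claims-based authorization on a custom attribute), as an added example that is not part of the original answer or of any Microsoft sample. Everything in it is an assumption for illustration: the custom attribute is assumed to surface in the token as a claim named `extension_Role` with the values `User` or `Admin`, the endpoint paths and issuer/audience strings are constructed, and HS256 with a shared secret stands in for the RS256/JWKS verification a real B2C-protected API must do, purely so the code runs offline with the standard library. The checks that matter carry over unchanged: pin the `alg`, verify `iss`, `aud`, `exp` and `nbf` before looking at any role claim, and deny when the role claim is absent rather than defaulting to `User`.

```python
"""Authenticate a B2C-style JWT, then authorize on a custom role claim.

Added example (not from the original Q&A). Assumptions: the claim name
'extension_Role', the endpoint policy table, the issuer/audience strings and
the HS256 shared-secret signature are all constructed for this demo. A real
API must verify the RS256 signature against the tenant's JWKS with a JWT
library; the remaining checks are identical.
"""
import base64
import hashlib
import hmac
import json
import time


class AuthError(Exception):
    """Token failed authentication (the API should answer 401)."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def verify_token(token, secret, issuer, audience, now=None, alg="HS256"):
    """Return the claims of a valid token or raise AuthError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise AuthError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:
        raise AuthError("undecodable token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise AuthError("malformed token")
    # Pin the algorithm server-side: the token never gets to choose it
    # (blocks alg=none and HS256/RS256 key-confusion tricks).
    if header.get("alg") != alg:
        raise AuthError("unexpected alg %r" % header.get("alg"))
    signing_input = ("%s.%s" % (header_b64, payload_b64)).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise AuthError("bad signature")
    if claims.get("iss") != issuer:
        raise AuthError("wrong issuer")
    # B2C access tokens carry the API app registration's client ID in 'aud'.
    if claims.get("aud") != audience:
        raise AuthError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise AuthError("token expired")
    if claims.get("nbf", 0) > now:
        raise AuthError("token not yet valid")
    return claims


ROLE_CLAIM = "extension_Role"  # assumed name of the B2C custom attribute claim

# Endpoint -> roles allowed to call it. Unlisted paths are denied (deny by default).
ENDPOINT_POLICY = {
    "/api/orders": {"User"},
    "/api/admin/users": {"Admin"},
}


def check_access(claims, path):
    """Authorize an already-authenticated caller; never raises, just True/False."""
    allowed = ENDPOINT_POLICY.get(path)
    if not allowed:
        return False
    role = claims.get(ROLE_CLAIM)
    # No role claim (e.g. an account created before the attribute existed):
    # deny rather than silently treating the user as 'User'.
    if not isinstance(role, str):
        return False
    return role in allowed


# Constructed demo values; a real API shares no secret with B2C.
SECRET = b"demo-shared-secret"
ISSUER = "https://contoso.b2clogin.com/11111111-2222-3333-4444-555555555555/v2.0/"
AUDIENCE = "my-api-client-id"
NOW = 1_700_000_000


def mint_token(claims, secret, alg="HS256"):
    """Build a signed sample token for the demo (constructed, not a B2C token)."""
    h = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    p = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, ("%s.%s" % (h, p)).encode(), hashlib.sha256).digest()
    return "%s.%s.%s" % (h, p, b64url_encode(sig))


def sample_claims(role=None, **overrides):
    """Claims for a constructed token; role=None omits the role claim."""
    c = {"iss": ISSUER, "aud": AUDIENCE, "sub": "user-object-id",
         "exp": NOW + 3600, "nbf": NOW - 60}
    if role is not None:
        c[ROLE_CLAIM] = role
    c.update(overrides)
    return c


def handle_request(token, path):
    """Minimal pipeline: 401 for a bad token, 403 for wrong role, 200 otherwise."""
    try:
        claims = verify_token(token, SECRET, ISSUER, AUDIENCE, now=NOW)
    except AuthError:
        return "401"
    return "200" if check_access(claims, path) else "403"


if __name__ == "__main__":
    for role, path in [("Admin", "/api/admin/users"), ("User", "/api/admin/users"),
                       (None, "/api/orders")]:
        print(role, path, handle_request(mint_token(sample_claims(role), SECRET), path))
```

The split into `verify_token` (authentication, 401) and `check_access` (authorization, 403) matters for B2C specifically: the role lives in a custom attribute that can be edited through Graph, so the API must trust the value only after the token's signature, issuer and audience prove it came from the tenant's own policy, and a token from a different app registration (wrong `aud`) must fail before its claims are ever consulted.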