Get access to Azure Blob storage and Key Vault from Azure ad B2C account

Question

I made an App in Azure to get access to storage blob and key vault. I used Azure AD tenant(with AD users).

All I need from that App is:

• Upload file to Blob
• Download file from Blob
• Delete file from Blob
• Generate SAS
• Get value of secret from Key Vault.

In Azure AD tenant it works fine. I can request to login.microsoftonline.com with user_impersonation scopes like https://storage.azure.com/user_impersonation and https://vault.azure.net/user_impersonation to get access token enter credentials and get token to my back-end to do all this things listed above.But later customer desided to use custom UX(to hide Microsoft login page) and only one way to get this is to use B2C and local accounts. Afer weeks of exploration I was ready to give up.
Moreover, if you look at these azure-b2c-users-with-dedicated-azure-cloud-resources questions and answers, you can decide that it is impossible to get access to Storage Accounts and Key Vaults from Azure AD B2C for local users.

BUT

I created Subscription, created and link to this Subscription B2C tenant. Moved that subscription into the B2C tenant and able to create Key Vault and Storage accounts. I created them. And after that in App registrations in Api Permissions I've got this
![9141-for-msdn-1.png][2]

It looks very similar to what I saw in Azure AD and I had got hopefulness. I've created a user_flow and got token from link:

https:/<domain_name>.b2clogin.com/<domain_name>.onmicrosoft.com/oauth2/v2.0/authorize?
p=B2C_1_signin&
client_id=<App_ID>&
nonce=defaultNonce&
redirect_uri=https%3A%2F%2Fjwt.ms%2F& // https://jwt.ms/
scope=https%3A%2F%2Fstorage.azure.com%2Fuser_impersonation& // https://storage.azure.com/user_impersonation
response_type=token&
prompt=login

In decoded token claim "aud" has id the same as Azure Storage API from APIs my organization uses tab when I register App, "scp" is "user_impersonation". But using this token i can't get access to storage using Postman (I use it as Bearer token) For example GET request to https://storageName.blob.core.windows.net/?comp=list must return json with list of containers(and in Azure AD it's work) but with this token got an error

<Error>
<Code>AuthenticationFailed</Code>
<Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
RequestId:49873755-401e-0065-0dd0-386211000000
Time:2020-06-02T11:24:57.3079213Z</Message>
<AuthenticationErrorDetail>Signature validation failed. Signature key not found.</AuthenticationErrorDetail>
</Error>
1: https://social.msdn.microsoft.com/Forums/azure/en-US/06a8f3cd-7dac-4414-ad45-78693da6ddaa/azure-b2c-users-with-dedicated-azure-cloud-resources?>forum=WindowsAzureAD
[2]: /api/attachments/9141-for-msdn-1.png?platform=QnA

To get token with right permissions I tryed scopes like https://*.dfs.core.windows.net/user_impersonation and https://storageName.dfs.core.windows.net/user_impersonation.

First returned error like

provided in the request is not supported.

second:

AADB2C90205: This application does not have sufficient permissions against this web resource to perform the operation.

At that stage I had got hopefulness again. But I have no idea how to set additioal permissins for this App. Using portal its impossible

So, is it possible to get access to Storage and Key Vault for local users in B2C?

May be I need investigate another ways like custom policies?

Thank you in advanced

Answer 1

Hi @Dim

Accessing Key Vault & Storage is not supported with token obtained using B2C user flow or custom policy. You can request a token using same way that you used with standard Azure AD i.e. using login.microsoftonline.com for B2C tenant as well and access KV or Storage using that token.

There is an active feedback regarding this feature here:
https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/35664649-azure-key-vault-compatibility-with-azure-ad-b2c. Please vote for it so that our product team can prioritize this.

-----------------------------------------------------------------------------------------------------------

Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.

Answer 2

Thanks for your fast answer, @AmanpreetSingh-MSFT

I'm noobe in Azure and may be in logic.
I need to clarify your answer.

Accessing Key Vault & Storage is not supported with token obtained using B2C user flow or custom policy.

I can't

You can request a token using same way that you used with standard Azure AD i.e. using login.microsoftonline.com for B2C tenant as well and access KV or Storage using that token.

I can?

There is an active feedback regarding this feature here...

I can't, but i can vote for this so you could ever do it.

The most interesting part of your answer for me is were "I can request a token using same way that you used with standard Azure AD i.e. using login.microsoftonline.com for B2C tenant as well and access KV or Storage using that token."

May be you have clear example or tutorial.
Please, gave me the link

Thank you.