I made an App in Azure to get access to storage blob and key vault. I used Azure AD tenant(with AD users).
All I need from that App is:
- Upload file to Blob
- Download file from Blob
- Delete file from Blob
- Generate SAS
- Get value of secret from Key Vault.
In Azure AD tenant it works fine. I can request to login.microsoftonline.com with user_impersonation scopes like https://storage.azure.com/user_impersonation and https://vault.azure.net/user_impersonation to get access token enter credentials and get token to my back-end to do all this things listed above.But later customer desided to use custom UX(to hide Microsoft login page) and only one way to get this is to use B2C and local accounts. Afer weeks of exploration I was ready to give up.
Moreover, if you look at these azure-b2c-users-with-dedicated-azure-cloud-resources questions and answers, you can decide that it is impossible to get access to Storage Accounts and Key Vaults from Azure AD B2C for local users.
BUT
I created Subscription, created and link to this Subscription B2C tenant. Moved that subscription into the B2C tenant and able to create Key Vault and Storage accounts. I created them. And after that in App registrations in Api Permissions I've got this
![9141-for-msdn-1.png][2]
It looks very similar to what I saw in Azure AD and I had got hopefulness. I've created a user_flow and got token from link:
https:/<domain_name>.b2clogin.com/<domain_name>.onmicrosoft.com/oauth2/v2.0/authorize?
p=B2C_1_signin&
client_id=<App_ID>&
nonce=defaultNonce&
redirect_uri=https%3A%2F%2Fjwt.ms%2F& // https://jwt.ms/
scope=https%3A%2F%2Fstorage.azure.com%2Fuser_impersonation& // https://storage.azure.com/user_impersonation
response_type=token&
prompt=login
In decoded token claim "aud" has id the same as Azure Storage API from APIs my organization uses tab when I register App, "scp" is "user_impersonation". But using this token i can't get access to storage using Postman (I use it as Bearer token) For example GET request to https://storageName.blob.core.windows.net/?comp=list must return json with list of containers(and in Azure AD it's work) but with this token got an error
<Error>
<Code>AuthenticationFailed</Code>
<Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
RequestId:49873755-401e-0065-0dd0-386211000000
Time:2020-06-02T11:24:57.3079213Z</Message>
<AuthenticationErrorDetail>Signature validation failed. Signature key not found.</AuthenticationErrorDetail>
</Error>
1: https://social.msdn.microsoft.com/Forums/azure/en-US/06a8f3cd-7dac-4414-ad45-78693da6ddaa/azure-b2c-users-with-dedicated-azure-cloud-resources?>forum=WindowsAzureAD
[2]: /api/attachments/9141-for-msdn-1.png?platform=QnA
To get token with right permissions I tryed scopes like https://*.dfs.core.windows.net/user_impersonation and https://storageName.dfs.core.windows.net/user_impersonation.
First returned error like
provided in the request is not supported.
second:
AADB2C90205: This application does not have sufficient permissions against this web resource to perform the operation.
At that stage I had got hopefulness again. But I have no idea how to set additioal permissins for this App. Using portal its impossible
So, is it possible to get access to Storage and Key Vault for local users in B2C?
May be I need investigate another ways like custom policies?
Thank you in advanced
Ran into the same. Dead link.
Tried to search for the title in the link on the feedback site and found an item with same title. Maybe this is the same. Although it is already 3 years old!!
Azure Key Vault compatibility with Azure AD B2C:
https://feedback.azure.com/d365community/idea/c6da0877-b625-ec11-b6e6-000d3a4f0789