ADB2C RESTful Technical Profiles blocked by WAF

Anonymous
2022-02-03T00:32:34.503+00:00

Hi there

I am encountering a problem when trying to make a RESTful call from a Technical Profile within an ADB2C custom policy.
The problem is, my requests are being blocked by the WAF which my destination service sits behind.
I can make an exception to the WAF rules of course, however I would like to do this carefully.

I am thinking between one of two options:

Option 1
Add a new exception to the WAF rules which:

  1. Whitelist the ADB2C IP address range
  2. Whitelist requests which contain a specific API Key

Pros:

  1. Is entirely possible on the WAF side.

Cons:

  1. I am not sure how to find the ADB2C IP Range
  2. It is not standard practice to validate an API Key in a WAF rule.

Option 2
Proxy the request first so I can control the User-Agent and other headers (including an API Key).

Pros:

  1. Gives full control over the request, no need to alter WAF rules.

Cons:

  1. I am unsure how to lock down the proxy to only accept requests originating from my ADB2C instance.

Essentially I am unsure about two pieces of information:

  1. Whether the IP Range for ADB2C is well defined, and whether I can actually whitelist these addresses
  2. How to go about setting up an exclusive proxy that cannot be used by others

Can anyone fill in my missing knowledge here?


Accepted answer

AmanpreetSingh-MSFT, 56,311 Reputation points
2022-02-07T14:16:38.317+00:00

    Hi @Anonymous, thank you for reaching out.

    From your question, I understood that you are trying to call a REST API via B2C RESTful Technical Profile but the API is behind a firewall that is blocking the Azure AD B2C requests. You want to know which B2C traffic (IP/URLs) should be allowed through the firewall so that it can successfully call the REST API via RESTful Technical profile.

    I checked internally if there is a defined IP Range/URL List available for Azure AD B2C that can be whitelisted in your firewall but got the confirmation that outbound IPs for REST calls can be any IP Address within the Azure Datacenter range. So the short answer is no, you cannot use whitelisting as a technique for API security.

    As there is no dedicated IP Range/URL List available for Azure AD B2C, you cannot lock down the proxy to only accept requests originating from your ADB2C instance. You will have to accept traffic from the entire Azure Datacenter range.

    Instead, rather than using network security, you should work on protecting the API using authentication schemes described here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/secure-rest-api

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
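The answer's point is that the API must authenticate each call itself rather than trust a source address. The following is an added example (not code from the question author, the answerer, or Microsoft) of what that API-side check can look like for the three schemes the linked article covers: HTTP Basic credentials, a static bearer token, and an API key sent in a custom header. The header name `x-functions-key`, the secret values, and the `authenticate` / `basic_header` function names are assumptions constructed for this example; in a real deployment the secrets come from a secret store and the matching values are uploaded as B2C policy keys.

```python
"""API-side authentication for calls from a B2C RESTful technical profile.

Added example, not the Q&A page's own code. Assumes the API accepts one of:
Basic credentials, a static bearer token, or an API key in a custom header
(header name "x-functions-key" is an assumption). All secrets below are
constructed sample values.
"""
import base64
import hmac
from typing import Mapping, Optional

# Constructed sample secrets (assumption: loaded from a secret store in production).
EXPECTED_BASIC_USER = "b2c-policy"
EXPECTED_BASIC_PASSWORD = "s3cr3t-basic-password"
EXPECTED_BEARER_TOKEN = "constructed-static-bearer-token"
API_KEY_HEADER = "x-functions-key"  # assumed custom header name
EXPECTED_API_KEY = "constructed-api-key-value"


def _equal(a: str, b: str) -> bool:
    """Constant-time comparison so response timing does not leak a matching prefix."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def basic_header(user: str, password: str) -> str:
    """Build the value of an HTTP Basic Authorization header (used by the demo)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def _check_basic(value: str) -> bool:
    """Validate the base64 part of a Basic header against the expected credentials."""
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return False
    user, sep, password = decoded.partition(":")
    if not sep:
        return False
    # Evaluate both comparisons unconditionally, then combine, so a wrong
    # username does not short-circuit the password check.
    ok_user = _equal(user, EXPECTED_BASIC_USER)
    ok_password = _equal(password, EXPECTED_BASIC_PASSWORD)
    return ok_user and ok_password


def authenticate(headers: Mapping[str, str]) -> Optional[str]:
    """Return the scheme that authenticated the request, or None to deny.

    Deny by default. The client IP is deliberately never consulted: as the
    accepted answer states, B2C's outbound calls can come from anywhere in
    the Azure datacenter range, so only a presented secret is trusted.
    """
    # HTTP header names are case-insensitive; normalise once.
    h = {k.lower(): v for k, v in headers.items()}

    api_key = h.get(API_KEY_HEADER)
    if api_key is not None and _equal(api_key, EXPECTED_API_KEY):
        return "api-key"

    scheme, _, value = h.get("authorization", "").partition(" ")
    value = value.strip()
    if scheme.lower() == "basic" and _check_basic(value):
        return "basic"
    if scheme.lower() == "bearer" and _equal(value, EXPECTED_BEARER_TOKEN):
        return "bearer"
    return None


if __name__ == "__main__":
    # Constructed requests: one valid per scheme, one that only "looks" like Azure traffic.
    print(authenticate({"Authorization": basic_header("b2c-policy", "s3cr3t-basic-password")}))
    print(authenticate({"Authorization": "Bearer constructed-static-bearer-token"}))
    print(authenticate({"X-Functions-Key": "constructed-api-key-value"}))
    print(authenticate({"X-Forwarded-For": "20.0.0.1"}))
```

Whichever scheme is chosen, the WAF rule then only needs to let the API's hostname and path through to the application; the application, not the WAF, decides whether the caller holds the shared secret. The same check applies unchanged to the proxy in Option 2, since the proxy faces exactly the same problem of not being able to identify B2C by address.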

