Azure B2C SSO - Single Tenant, Multiple Applications, Restrict Some Users from Accessing Some Applications

David 26 Reputation points
2022-03-17T18:44:09.443+00:00

Hello,

I'm seeking some feedback and advice on whether B2C can be used to satisfy my SSO requirements.

Let's keep the scenario simple and consider the following:

  • There is a single B2C Tenant - B2C_Tenant_1
  • There is Web App 1 (Web_App_1) registered in B2C_Tenant_1
  • There is Web App 2 (Web_App_2) registered in B2C_Tenant_1

Now, some -- but not all -- users in B2C_Tenant_1 will have access to Web_App_1 and Web_App_2, and there should be an SSO experience for them.

Other users will only have access to either Web_App_1 or Web_App_2.

Will I be able to accomplish this using Azure B2C?

This feels like it is within the realm of authorization, and I recall from an earlier implementation of B2C that I did for a web application that B2C does not support authorization out of the box; I had to set up API connectors to enrich the user access token with application-specific authorization data (e.g. the user's role within the application). So, something I'm wondering is whether I'll need another custom solution to support my SSO requirements.

Any thoughts or advice or direction to documentation would be greatly appreciated. :)

Thank you.

Microsoft Security | Microsoft Entra | Microsoft Entra External ID
Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
  AmanpreetSingh-MSFT (Moderator)
    2022-03-22T07:48:02.103+00:00

    Hi @David, thank you for reaching out.

    You can control SSO behavior by using the below settings in Azure AD B2C:

    1. If you are using a user flow, go to the properties of the user flow and set the single sign-on configuration setting to either Tenant or Policy. If you set it to Policy, the SSO experience between Web_App_1 and Web_App_2 will be provided when both applications are authenticated via the same user flow.
    2. If you are using a custom policy, you can set the above setting by configuring the SingleSignOn Scope to either Tenant or Policy in the RP file (sign-up/sign-in file).

    With the above configuration, users with access to both Web_App_1 and Web_App_2 will get the SSO experience. Whereas, for the other set of users who have access to Web_App_1 but not to Web_App_2 or vice versa, you will have to configure the applications to perform the authorization. As you already know, you can use API connectors to enrich the user access token with application-specific authorization data. You can also use this approach without using the API connector if the application can distinguish between the allowed and restricted users by looking at a claim populated from a built-in or a custom attribute, e.g., allow users with country x and deny if the value of the country claim is y.

    In short, regardless of what approach you choose or your application supports, it is a piece of authorization and has to be done from the application side. You cannot configure it from the B2C side.



1 additional answer

  mouadh fares
    2024-03-14T10:27:59.67+00:00

    Hi,
    I have two React apps, one for the doctor and the other for the patient, and I'm using the same AD B2C tenant, but the problem is that the doctor can sign in through the patient app and the patient can sign in through the doctor app, and that is not correct. I have used the suggestion above but it's not working for me. Any other suggestion please? Thanks
