Role based access for webAPI in azure B2C

Question

Role based access for webAPI in azure B2C

dwang 11

I need to limit web api access to some users, not all users, and have different users have access to different API.
how to do it in azure AD B2C?
I know solution for Azure AD, but I need a solution for azure AD B2C.
Please share code and tutorial.
Thanks.

dwang 11 Reputation points

2022-04-20T17:55:08.437+00:00

please help, it is not for conditional login, it is for role or user group based API access/usage.

1 answer

Your answer

dwang 11 Reputation points

2022-04-20T17:55:08.437+00:00

please help, it is not for conditional login, it is for role or user group based API access/usage.

Answer 1

Sreeju Nair 12,666

Azure Active Directory B2C, supports fully configurable custom policies. Custom policies are configuration files that define the behavior of your Azure Active Directory B2C (Azure AD B2C) tenant.
Azure AD B2C uses Azure AD conditional access. You can create a policy that is based on application or user-based / group-based policies.

https://learn.microsoft.com/en-us/azure/active-directory-b2c/conditional-access-user-flow?pivots=b2c-custom-policy
https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-overview

Hope this helps

dwang 11 Reputation points

2022-04-20T17:53:36.143+00:00

hi, you answer it wrong.
I am not asking about conditional login,
I need to know for a regular user who has logged in, how to make him access only web api for users, but not allow him to use web api for administrators.

it is role based access control, not login, may you locate a related expert to answer this? and please provide sample code.
Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator

2022-04-20T22:58:10.343+00:00

Hi @ dwang-4068,

I have reached out to the product team to ask if there is a recommended code sample for this scenario.

We don't have out-of-the-box support for RBAC in Azure AD B2C. Since users are using social identities where they sign up and create the accounts, it would be difficult for the admin to add their accounts to the app assigning the roles to their identities.

However, we do have examples for how to achieve something similar to RBAC using validation technical profiles. You can conditionally execute these technical profiles based on the userType (for example, Partner or Customer).

There are some samples in this repository that may also be helpful for your scenario. For instance, you can add users to Security Groups and check if the users are members of those groups, as documented here. (Example: Authorize by Group)

This will require a custom solution so I have reached out to the B2C team to see if they have a recommended guide for this. In the meantime, I recommend reviewing the examples in the official repository.
JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator

2022-04-20T23:09:03.593+00:00
Adding onto what @Marilee Turscak-MSFT mentioned about Security Groups, I found a Stack Overflow post that leverages the API connectors Custom Policy (during sign-in), which might give you another perspective on how to resolve your issue.

The API connectors Custom Policy can be used to call a RESTful service, such as the MS Graph API.

The example linked in the post gets the "Groups" that the user is assigned to, calls the REST function from the sign-in user journey - in a step prior to sending claims so that the JWT Token contains the Group Claim.

From there, the validation technical profile can be conditionally executed based on preconditions defined in the ValidationTechnicalProfile element. For example, you can check whether a specific claim exists, or if a claim is equal or not to the specified value, so you can block user access.

I hope this helps!
Thank you for your time and patience throughout this issue.
AmanpreetSingh-MSFT 56,866 Reputation points Moderator

2022-05-16T14:53:08.283+00:00

Hi @dwang • You cannot use Role-based Authorization with Azure AD B2C as it utilizes IEF (Identity Experience Framework) to specify which attributes should be collected from the user(s) during sign-up and which application claims should be returned in the token after successful authentication.

Any roles that you specify using the App Registration blade are applicable and returned in token only when the authentication is done against standard Azure AD and not Azure AD B2C.

You should consider using specific attributes that are collected from the user(s) during Sign-up or inserted by RESTful API Connector or set by using Graph API patch calls. Then use the Attribute value to distinguish between the users who should get access to the API and who should not. Once done, you can use Claims-based Authorization.

Here is the only sample available that closely matches your requirement: How to secure a Web API built with ASP.NET Core using the Azure AD B2C. Rather than using scope-based authorization, you need to configure it for Claims-based Authorization as mentioned Here.

Share via

Role based access for webAPI in azure B2C

1 answer

Your answer