This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(240, 15%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
I need to limit web api access to some users, not all users, and have different users have access to different API.
how to do it in azure AD B2C?
I know solution for Azure AD, but I need a solution for azure AD B2C.
Please share code and tutorial.
Thanks.
please help, it is not for conditional login, it is for role or user group based API access/usage.
Azure Active Directory B2C, supports fully configurable custom policies. Custom policies are configuration files that define the behavior of your Azure Active Directory B2C (Azure AD B2C) tenant.
Azure AD B2C uses Azure AD conditional access. You can create a policy that is based on application or user-based / group-based policies.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/conditional-access-user-flow?pivots=b2c-custom-policy
https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-overview
Hope this helps
hi, you answer it wrong.
I am not asking about conditional login,
I need to know for a regular user who has logged in, how to make him access only web api for users, but not allow him to use web api for administrators.
it is role based access control, not login, may you locate a related expert to answer this? and please provide sample code.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Hi @ dwang-4068,
I have reached out to the product team to ask if there is a recommended code sample for this scenario.
We don't have out-of-the-box support for RBAC in Azure AD B2C. Since users are using social identities where they sign up and create the accounts, it would be difficult for the admin to add their accounts to the app assigning the roles to their identities.
However, we do have examples for how to achieve something similar to RBAC using validation technical profiles. You can conditionally execute these technical profiles based on the userType (for example, Partner or Customer).
There are some samples in this repository that may also be helpful for your scenario. For instance, you can add users to Security Groups and check if the users are members of those groups, as documented here. (Example: Authorize by Group)
This will require a custom solution so I have reached out to the B2C team to see if they have a recommended guide for this. In the meantime, I recommend reviewing the examples in the official repository.
Adding onto what @Marilee Turscak-MSFT mentioned about Security Groups, I found a Stack Overflow post that leverages the API connectors Custom Policy (during sign-in), which might give you another perspective on how to resolve your issue.
I hope this helps!
Thank you for your time and patience throughout this issue.
Hi @dwang • You cannot use Role-based Authorization with Azure AD B2C as it utilizes IEF (Identity Experience Framework) to specify which attributes should be collected from the user(s) during sign-up and which application claims should be returned in the token after successful authentication.
Any roles that you specify using the App Registration blade are applicable and returned in token only when the authentication is done against standard Azure AD and not Azure AD B2C.
You should consider using specific attributes that are collected from the user(s) during Sign-up or inserted by RESTful API Connector or set by using Graph API patch calls. Then use the Attribute value to distinguish between the users who should get access to the API and who should not. Once done, you can use Claims-based Authorization.
Here is the only sample available that closely matches your requirement: How to secure a Web API built with ASP.NET Core using the Azure AD B2C. Rather than using scope-based authorization, you need to configure it for Claims-based Authorization as mentioned Here.