How to authorize developer accounts by using Azure Active Directory B2C in Azure API Management

Azure Active Directory B2C is a cloud identity management solution for consumer-facing web and mobile applications. You can use it to manage access to your API Management developer portal.

In this tutorial, you'll learn the configuration required in your API Management service to integrate with Azure Active Directory B2C. As noted later in this article, if you are using the deprecated legacy developer portal, some steps will differ.

For an overview of options to secure the developer portal, see Authentication and authorization in API Management.

Important

  • This article has been updated with steps to configure an Azure AD B2C app using the Microsoft Authentication Library (MSAL).
  • If you previously configured an Azure AD B2C app for user sign-in using the Azure AD Authentication Library (ADAL), we recommend that you migrate to MSAL.

Prerequisites

Availability

Important

This feature is available in the Premium, Standard and Developer tiers of API Management.

Configure sign up and sign in user flow

In this section, you'll create a user flow in your Azure Active Directory B2C tenant containing both sign up and sign in policies. For detailed steps, see Create user flows and custom policies in Azure Active Directory B2C.

  1. In the Azure portal, access your Azure Active Directory B2C tenant.
  2. Under Policies, select User flows > + New user flow.
  3. On the Create a user flow page, select the Sign up and sign in user flow.
  4. Provide the following information:
    1. Enter a unique name for the user flow.
    2. In Identity providers, select Email signup.
    3. In User attributes and token claims, select the attributes and claims needed for the API Management developer portal (not needed for the legacy developer portal).
      • Attributes: Given Name, Surname

      • Claims: Given Name, Surname, Email Addresses, User’s ObjectID

        Application claims

  5. Select Create.

Configure identity provider for developer portal

  1. In a separate Azure portal tab, navigate to your API Management instance.

  2. Under Developer portal, select Identities > + Add.

  3. In the Add identity provider page, select Azure Active Directory B2C. Once selected, you'll be able to enter other necessary information.

    • In the Client library dropdown, select MSAL.
    • To add other settings, see steps later in the article.
  4. In the Add identity provider window, copy the Redirect URL.

    Copy redirect URL

  5. Return to the browser tab for your Azure Active Directory B2C tenant in the Azure portal. Select App registrations > + New registration.

  6. In the Register an application page, enter your application's registration information.

    • In the Name section, enter an application name of your choosing.
    • In the Supported account types section, select Accounts in any identity provider or organizational directory (for authenticating users with user flows). For more information, see Register an application.
    • In Redirect URI, select Single-page application (SPA) and paste the redirect URL you saved from a previous step.
    • In Permissions, select Grant admin consent to openid and offline_access permissions.
    • Select Register to create the application.

    Register a new application

  7. On the app Overview page, find the Application (client) ID and copy the value to the clipboard.

    Application ID

  8. Switch back to the API Management Add identity provider page and paste the ID into the Client Id text box.

  9. Switch back to the B2C app registration. Select Certificates & secrets > + New client secret. Create client secret

    • In the Add a client secret page, enter a Description and select Add.
    • Record the key in a safe location. This secret value is never displayed again after you leave this page.
  10. Switch back to the API Management Add identity provider page, and paste the key into the Client secret text box.

  11. Switch back to the B2C app registration. In the left menu, under Manage, select Authentication.

    • Under Implicit grant and hybrid flows, select both the Access tokens and ID tokens check boxes.
    • Select Save.
  12. Switch back in the API Management Add identity provider page.

    • In Signin tenant, specify the domain name of the Azure Active Directory B2C tenant.

    • The Authority field lets you control the Azure Active Directory B2C login URL to use. Set the value to <your_b2c_tenant_name>.b2clogin.com.

    • Specify the Signup Policy and Signin Policy from the B2C tenant policies.

    • Optionally provide the Profile Editing Policy and Password Reset Policy.

      Active Directory B2c identity provider configuration

  13. After you've specified the desired configuration, select Add.

  14. Republish the developer portal for the Azure AD B2C configuration to take effect. In the left menu, under Developer portal, select Portal overview > Publish.

After the changes are saved, developers will be able to create new accounts and sign in to the developer portal by using Azure Active Directory B2C.

Migrate to MSAL

If you previously configured an Azure AD B2C app for user sign-in using the ADAL, you can use the portal to migrate the app to MSAL and update the identity provider in API Management.

Update Azure AD B2C app for MSAL compatibility

For steps, see Switch redirect URIs to the single-page application type.

Update identity provider configuration

  1. In the left menu of your API Management instance, under Developer portal, select Identities.
  2. Select Azure Active Directory B2C from the list.
  3. In the Client library dropdown, select MSAL.
  4. Select Update.
  5. Republish your developer portal.

Developer portal - add Azure Active Directory B2C account authentication

Important

You need to republish the developer portal when you create or update Azure Active Directory B2C configuration settings for the changes to take effect.

In the developer portal, sign-in with Azure Active Directory B2C is possible with the Sign-in button: OAuth widget. The widget is already included on the sign-in page of the default developer portal content.

  1. To sign in by using Azure Active Directory B2C, open a new browser window and go to the developer portal. Select Sign in.

  2. On the Sign in page, select Azure Active Directory B2C.

    Sign in to developer portal

  3. You're redirected to the signup policy that you configured in the previous section. Choose to sign up by using your email address in the Active Directory B2C tenant

When the signup is complete, you're redirected back to the developer portal. You're now signed in to the developer portal for your API Management service instance.

Sign in to developer portal complete

Although a new account is automatically created whenever a new user signs in with Azure Active Directory B2C, you may consider adding the same widget to the signup page.

The Sign-up form: OAuth widget represents a form used for signing up with OAuth.

Legacy developer portal - how to sign up with Azure Active Directory B2C

Note

The following documentation content is about the deprecated developer portal. You can continue to use it, as per usual, until its retirement in October 2023, when it will be removed from all API Management services. The deprecated portal will only receive critical security updates. Refer to the following articles for more details:

Note

To properly integrate B2C with the legacy developer portal, use standard v1 user flows, in combination with enabling password reset before signing up/signing into a developer account using Azure Active Directory B2C.

  1. Open a new browser window and go to the legacy developer portal. Click the Sign up button.

    Sign up in legacy developer portal

  2. Choose to sign up with Azure Active Directory B2C.

    Sign up  with Azure Active Directory B2C

  3. You're redirected to the signup policy you configured in the previous section. Choose to sign up by using your email address or one of your existing social accounts.

    Note

    If Azure Active Directory B2C is the only option enabled on the Identities tab in the Azure portal, you'll be redirected to the signup policy directly.

    Sign up options in legacy developer portal

    When the signup is complete, you're redirected back to the developer portal. You're now signed in to the developer portal for your API Management service instance.

Next steps