How to Set Up Azure AD and B2C Authentication in .NET Websites

Authentication is crucial for modern web applications, ensuring secure user access while keeping the experience smooth. When building a .NET web application for both internal users (like employees) and external users (such as customers or partners), using Azure Active Directory (Azure AD) and Azure AD B2C offers a strong and scalable solution.

Azure AD is made for enterprise authentication, providing features like single sign-on (SSO), multi-factor authentication (MFA), and integration with Microsoft services. It's perfect for managing access for internal users. On the other hand, Azure AD B2C is a customer identity and access management service that lets external users sign up, log in, and manage their profiles using different identity providers like Microsoft, Google, and Facebook.

In this guide, we will go through the steps to configure Azure AD and Azure AD B2C on the Azure portal and integrate them into a .NET web application. The aim is to provide clear, practical steps for setting up authentication for both internal and external users, allowing you to deliver a secure and user-friendly solution without unnecessary complexity.

Whether you're creating a corporate intranet or a customer-facing portal, this guide will help you establish a secure and reliable authentication foundation using Azure AD and Azure AD B2C. Let's dive into the details!

You must have two tenants: one for Azure Active Directory B2C and one for Azure AD. I suggest working on different browser tabs for ease of use and naming the tenants accordingly.

Step 1: Create Azure AD B2C Tenant

  • Access the Azure portal and select "Azure Active Directory B2C" from the Identity category.

  • Click on "Create" and fill in the necessary details, such as organization name, initial domain name, and country/region.

  • Choose your subscription type and select or create a resource group for the tenant.

Step 2: Create Azure AD/Entra ID Tenant for Internal Users

  • Follow similar steps to create a separate Azure AD/Entra ID tenant for internal users, ensuring it is appropriately named for easy identification.

Step 3: Register an Application in Azure AD

  • Access App Registrations: In the Azure portal, search for and select "Microsoft Entra ID." In the left menu under "Manage," select "App registrations."

  • Create New Registration: Click on "+ New registration."

  • Application Details:

  • Register Application: Click "Register" and record the Application (client) ID for use in a later step.

  • Create Client Secret: Navigate to "Certificates & secrets," then select "New client secret."

    • Description and Expiration: Enter a description for the secret, select an expiration period, and click "Add."

    • Record Secret Value: Record the value of the secret for use in a later step.

Tip: Use the gear icon at top-right of the portal to switch to different tenants.

Step 4: Configure Microsoft Entra ID as an Identity Provider

  • Access Azure AD B2C: Choose "All services" in the top-left corner of the Azure portal, then search for and select "Azure AD B2C."

  • Identity Providers: Select "Identity providers," and then click on "New OpenID Connect provider."

  • Provider Details:

  • Response Settings: Leave the default values for "Response type" and "Response mode."

  • Domain Hint: Optional.

  • Claims Mapping: Under "Identity provider claims mapping," select the following claims:

    • User ID: oid

    • Display Name: name

    • Given Name: given_name

    • Surname: family_name

    • Email: email

  • Save Configuration: Click "Save" to apply the settings.

  • Add Microsoft Entra Identity Provider to a User Flow:

    • User Flows: In your Azure AD B2C tenant, select "User flows."

    • Select User Flow: Click the user flow to which you want to add the Microsoft Entra identity provider.

    • Identity Providers: Under "Settings," select "Identity providers."

    • Custom Identity Providers: Under "Custom identity providers," select "Contoso Microsoft Entra ID."

    • Save Configuration: Click "Save" to apply the changes.

Step 5: Create and Configure the .NET Application

  1. Create a .NET MVC app in Visual Studio.

  2. Select Microsoft Identity Platform as the authentication type when setting up the app. This will open a dialog box that allows you to connect to your Microsoft account and displays all existing tenants.

  3. Choose the B2C tenant, create the application, and follow the steps to complete the setup.
    This process automatically updates the Program.cs and appsettings.json files with the details of the user flow and of the client application created in this tenant.

  4. To confirm, go to the Azure portal and check that the app has been created and the redirect URIs have been added. Once confirmed, run the app locally; you should see a login screen with both external and internal login options.
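For reference, here is what the generated Program.cs boils down to for the MVC app in Step 5, written with Microsoft.Identity.Web. This is an added example rather than the article's own code; the "AzureAdB2C" configuration section and every value shown in the leading comment are placeholders you substitute with the IDs and user-flow name recorded in the earlier steps.

```csharp
// Program.cs for the MVC app from Step 5 (added example, not the page's own code).
// It reads an "AzureAdB2C" section from appsettings.json, like the one the Visual
// Studio wizard writes; every value below is a placeholder you replace:
//
// "AzureAdB2C": {
//   "Instance": "https://<your-b2c-tenant>.b2clogin.com",
//   "Domain": "<your-b2c-tenant>.onmicrosoft.com",
//   "ClientId": "<Application (client) ID of the app registered in the B2C tenant>",
//   "SignUpSignInPolicyId": "<your user flow name>",
//   "CallbackPath": "/signin-oidc",
//   "SignedOutCallbackPath": "/signout/<your user flow name>"
// }
//
// The client secret is kept out of appsettings.json on purpose: store it with
// `dotnet user-secrets set "AzureAdB2C:ClientSecret" "<value>"` locally and in
// Key Vault (or an app setting) in production.
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;

var builder = WebApplication.CreateBuilder(args);

// Sign users in through the B2C user flow. The Entra ID provider configured in
// Step 4 shows up as the internal-login button on that flow's sign-in page.
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAdB2C"));

// Require an authenticated user on every controller by default, so an
// anonymous action is an explicit [AllowAnonymous] decision, not an omission.
builder.Services.AddControllersWithViews(options =>
{
    var policy = new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build();
    options.Filters.Add(new AuthorizeFilter(policy));
});
// Provides the /MicrosoftIdentity/Account/SignIn and /SignOut endpoints.
builder.Services.AddRazorPages().AddMicrosoftIdentityUI();

var app = builder.Build();
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();   // must run before UseAuthorization
app.UseAuthorization();
app.MapControllerRoute(name: "default",
    pattern: "{controller=Home}/{action=Index}/{id?}");
app.MapRazorPages();
app.Run();
```

The claims selected in Step 4 (oid, name, given_name, family_name, email) arrive on `User.Claims` after sign-in, so a controller can read them without any extra mapping.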

In conclusion, setting up Azure AD and Azure AD B2C provides a secure and user-friendly authentication solution for both internal and external users. By following these steps, you can ensure a reliable authentication foundation for your .NET web applications.

Resources

https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-single-tenant?pivots=b2c-user-flow