Add B2B Azure Directory Signup to B2C tenant

We are trying to set up a link between our B2C tenant (which uses app registrations and custom policies, user flows) for registering and authenticating users, with an Azure tenant from a customer.

As far as I've seen, in B2B tenants, there is the option to choose Azure Active Directory signup as an IDP provider. In the B2C tenant, I only see Microsoft Account as an IDP, which is not for business user login.

I couldn't find a way to set up Azure Active Directory Sign Up as an IDP on our B2C tenant. Has someone just added this linkage using OpenID Provider and adding it manually? Or did you encounter a similar situation and work out another solution?

Thanks in advance for any hints! Best Vito



Solution 1:[1]

• Yes, you can add Azure Active Directory as an IDP to your Azure AD B2C tenant by adding Azure AD to the claims provider element in the ‘TrustFrameworkExtensions.xml’ file of your custom policy. To configure the same, kindly refer to the link below, which explains in detail the actual configuration to be done in the above-said file. The 'ClaimsProvider' element should look like the below:

 <ClaimsProvider>
   <Domain>Contoso</Domain>
   <DisplayName>Login using Contoso</DisplayName>
   <TechnicalProfiles>
     <TechnicalProfile Id="AADContoso-OpenIdConnect">
       <DisplayName>Contoso Employee</DisplayName>
       <Description>Login with your Contoso account</Description>
       <Protocol Name="OpenIdConnect"/>
       <Metadata>
         <Item Key="METADATA">https://login.microsoftonline.com/tenant-name.onmicrosoft.com/v2.0/.well-known/openid-configuration</Item>
         <Item Key="client_id">00000000-0000-0000-0000-000000000000</Item>
         <Item Key="response_types">code</Item>
         <Item Key="scope">openid profile</Item>
         <Item Key="response_mode">form_post</Item>
         <Item Key="HttpBinding">POST</Item>
         <Item Key="UsePolicyInRedirectUri">false</Item>
       </Metadata>
       <CryptographicKeys>
         <Key Id="client_secret" StorageReferenceId="B2C_1A_ContosoAppSecret"/>
       </CryptographicKeys>
       <OutputClaims>
         <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid"/>
         <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid"/>
         <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
         <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" />
         <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
         <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
         <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" />
       </OutputClaims>
       <OutputClaimsTransformations>
         <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
         <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
         <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
         <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId"/>
       </OutputClaimsTransformations>
       <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin"/>
     </TechnicalProfile>
   </TechnicalProfiles>
 </ClaimsProvider>

https://docs.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-single-tenant?pivots=b2c-custom-policy#configure-azure-ad-as-an-identity-provider-1

Ensure that, after configuring as described in the link above, Azure AD B2C can successfully communicate with Azure AD. Also, update the domain name of your domain in the ‘ClaimsProvider’ element without the ‘.com’ for proper distinguishment.
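Before uploading a policy like the one above, it is worth checking the settings that decide who can actually sign in through this claims provider. The most consequential one is the METADATA URL: the tenant segment in that URL is what makes B2C validate the token issuer against one specific Azure AD tenant, whereas the multi-tenant endpoints (`common`, `organizations`, `consumers`) would let any Azure AD tenant authenticate unless issuer validation is configured separately. The script below is an added example, not part of the answer or of Microsoft's documentation; it parses the ClaimsProvider fragment from the answer (embedded as a constructed sample, placeholder client_id included) and applies a small set of lint rules that are my own choice: tenant-specific metadata URL matching an expected tenant, a non-placeholder client_id, the documented `form_post` response mode, a client_secret that references a `B2C_1A_` policy key rather than a literal value, and output-claim mappings for `oid`, `tid` and `iss`.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: the ClaimsProvider fragment from the answer above, unchanged
# (the all-zero client_id is the documentation placeholder and is flagged on purpose).
SAMPLE_POLICY = """<ClaimsProvider>
  <Domain>Contoso</Domain>
  <DisplayName>Login using Contoso</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="AADContoso-OpenIdConnect">
      <DisplayName>Contoso Employee</DisplayName>
      <Protocol Name="OpenIdConnect"/>
      <Metadata>
        <Item Key="METADATA">https://login.microsoftonline.com/tenant-name.onmicrosoft.com/v2.0/.well-known/openid-configuration</Item>
        <Item Key="client_id">00000000-0000-0000-0000-000000000000</Item>
        <Item Key="response_types">code</Item>
        <Item Key="scope">openid profile</Item>
        <Item Key="response_mode">form_post</Item>
        <Item Key="HttpBinding">POST</Item>
        <Item Key="UsePolicyInRedirectUri">false</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="B2C_1A_ContosoAppSecret"/>
      </CryptographicKeys>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid"/>
        <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid"/>
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name"/>
        <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name"/>
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name"/>
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true"/>
        <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss"/>
      </OutputClaims>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin"/>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>"""

# Tenant segments that accept sign-in from more than one Azure AD tenant.
MULTI_TENANT_SEGMENTS = {"common", "organizations", "consumers"}
PLACEHOLDER_CLIENT_ID = "00000000-0000-0000-0000-000000000000"


def _iter(elem, name):
    """Yield descendants whose local tag name is `name`, ignoring any XML namespace
    (a full TrustFrameworkExtensions.xml has a default namespace; the fragment above does not)."""
    return (e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name)


def parse_metadata_tenant(url):
    """Return the lower-cased tenant segment of a login.microsoftonline.com
    openid-configuration URL, or None if the URL does not have that shape."""
    u = urlparse(url)
    if u.scheme != "https" or u.netloc.lower() != "login.microsoftonline.com":
        return None
    parts = [p for p in u.path.split("/") if p]
    # Accept /<tenant>/v2.0/.well-known/openid-configuration and the v1 form without "v2.0".
    if len(parts) not in (3, 4) or parts[-2:] != [".well-known", "openid-configuration"]:
        return None
    return parts[0].lower()


def lint_aad_claims_provider(xml_text, expected_tenant):
    """Apply the lint rules (my own, not Microsoft's) to every OpenIdConnect technical
    profile in the fragment and return a list of findings; an empty list means it passed."""
    findings = []
    root = ET.fromstring(xml_text)
    profiles = [tp for tp in _iter(root, "TechnicalProfile")
                if any(p.get("Name") == "OpenIdConnect" for p in _iter(tp, "Protocol"))]
    if not profiles:
        return ["no OpenIdConnect technical profile found"]
    for tp in profiles:
        tp_id = tp.get("Id", "?")
        items = {i.get("Key"): (i.text or "").strip() for i in _iter(tp, "Item")}
        # Rule 1: metadata must pin one specific tenant, and the one we expect.
        tenant = parse_metadata_tenant(items.get("METADATA", ""))
        if tenant is None:
            findings.append(f"{tp_id}: METADATA is not a login.microsoftonline.com openid-configuration URL")
        elif tenant in MULTI_TENANT_SEGMENTS:
            findings.append(f"{tp_id}: METADATA uses multi-tenant endpoint '{tenant}'; any Azure AD tenant could sign in")
        elif tenant != expected_tenant.lower():
            findings.append(f"{tp_id}: METADATA tenant '{tenant}' does not match expected '{expected_tenant}'")
        # Rule 2: the app registration's client_id must actually be filled in.
        if items.get("client_id", "") in ("", PLACEHOLDER_CLIENT_ID):
            findings.append(f"{tp_id}: client_id is missing or still the all-zero placeholder")
        # Rule 3: the documented response mode keeps the code out of query strings and referrers.
        if items.get("response_mode") != "form_post":
            findings.append(f"{tp_id}: response_mode should be form_post")
        # Rule 4: the secret lives in a B2C policy key, never inline in the policy file.
        secret = next((k for k in _iter(tp, "Key") if k.get("Id") == "client_secret"), None)
        ref = (secret.get("StorageReferenceId") or "") if secret is not None else ""
        if secret is None or not ref.startswith("B2C_1A_") or (secret.text or "").strip():
            findings.append(f"{tp_id}: client_secret must reference a B2C_1A_ policy key, not a literal value")
        # Rule 5: keep the issuer, tenant and object id so the account can be tied to its home tenant.
        partner = {oc.get("PartnerClaimType") for oc in _iter(tp, "OutputClaim")}
        for required in ("oid", "tid", "iss"):
            if required not in partner:
                findings.append(f"{tp_id}: output claims do not map '{required}'")
    return findings


if __name__ == "__main__":
    for finding in lint_aad_claims_provider(SAMPLE_POLICY, "tenant-name.onmicrosoft.com"):
        print(finding)
```

Run against the fragment as written, the only finding is the placeholder client_id; swap the tenant segment of the METADATA URL for `common` and the multi-tenant finding appears as well. Because `_iter` compares local tag names, the same function works on a whole TrustFrameworkExtensions.xml, where every element carries the policy namespace.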

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 KartikBhiwapurkar-MT