Azure Active Directory 允许来自另一个租户的访问

huangapple go评论64阅读模式
英文:

Azure Active Directory Allowing access from another tenant

问题

我的组织目前正在使用Azure AD来管理所有员工和内部应用程序。我正在构建一个需要使用Azure AD进行身份验证的Web服务,但他们希望我使用一个单独的租户,以便客户用户不会与我们所有员工混在一起。他们希望我能够让一些精选的员工用户可以登录Web应用程序,但要使用他们在我们主要租户中的帐户。客户用户应该能够使用他们的电子邮件作为用户名,无论他们使用哪个电子邮件系统。客户用户还应该能够重置自己的密码。

我认为Azure B2C是答案,因为当我创建了一个B2C租户时,我能够使用来自员工租户的用户登录,还能够向任何电子邮件地址的外部用户发送电子邮件邀请。不幸的是,我无法找到一种方法来添加来自“外部Azure Active Directory”的其他用户。

如果我能设置一些外部提供者,比如Google、Facebook等,那将非常好,这似乎正是B2C所擅长的,但我似乎无法添加来自另一个Azure AD的用户。

是否有更好的解决方案来满足我的要求?

英文:

My organization is currently using Azure AD for all our employees and internal applications. I am building a web service which needs to use Azure AD for authentication but they want me to use a separate tenant so that customer users aren't all mixed in with all of our employees. They want me to make it so a few handpicked employee users can sign into the web app, but using their account from our main tenant. The customer users should be able to use their emails as their usernames, regardless of which email system they use. The customer users should also be able to reset their own passwords.

I thought that Azure B2C was the answer because when I created a B2C tenant, I was able to login using my user from the employee tenant as well as send email invites to external users at any email address. Unfortunately, I can't find a way to add another user from an External Azure Active Directory.

It would also be nice if I could setup some external providers, such as google, facebook, etc, which seems to be right up B2C's alley, but I can't seem to add users from another Azure AD

Is there a better solution to what I am doing here that meets my requirements?

答案1

得分: 1

以下是翻译好的内容:

> 也希望我可以设置一些外部提供商,比如Google、Facebook等,这似乎正是B2C的领域,但我似乎无法添加来自另一个Azure AD 的用户。

要允许特定的Azure AD组织进行登录,请查看以下步骤:

在AAD租户中创建一个Azure AD应用程序,并将重定向URI添加为 https://your-B2C-tenant-name.b2clogin.com/your-B2C-tenant-name.onmicrosoft.com/oauth2/authresp

Azure Active Directory 允许来自另一个租户的访问

现在,转到Azure AD B2C租户以将Azure AD设置为身份提供商

选择Azure AD B2C -> 身份提供商 -> 新的OpenID Connect提供商

在元数据URL中添加 https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration

输入Azure AD应用程序的ClientID、Client Secret。对于身份提供商声明映射,请查看以下内容并保存:

  • 用户ID: oid
  • 显示名称: name
  • 名字: given_name
  • 姓氏: family_name
  • 电子邮件: email

Azure Active Directory 允许来自另一个租户的访问

创建了一个Azure AD B2C用户流程,并选择身份提供商,然后保存如下:

Azure Active Directory 允许来自另一个租户的访问

我在AAD租户中创建了一个Azure AD用户,如下所示:

Azure Active Directory 允许来自另一个租户的访问

运行用户流程:

Azure Active Directory 允许来自另一个租户的访问

选择Azure AD以使用AAD用户帐户登录

Azure Active Directory 允许来自另一个租户的访问

使用Azure AD用户进行登录:

Azure Active Directory 允许来自另一个租户的访问

用户已成功登录,如下所示

Azure Active Directory 允许来自另一个租户的访问

当我前往Azure AD B2C -> 用户 -> 上述用户已添加为成员时,如下所示:

Azure Active Directory 允许来自另一个租户的访问

否则,您可以使用Azure AD B2B协作,允许外部身份提供商(如Facebook、Google)并允许用户使用其现有帐户进行登录。您还可以邀请用户(来自其他组织)来访问应用程序。

Azure Active Directory 允许来自另一个租户的访问

参考资料:

Azure AD B2B协作概述 - Microsoft入门

英文:

> It would also be nice if I could setup some external providers, such as google, facebook, etc, which seems to be right up B2C's alley, but I can't seem to add users from another Azure AD

To allow sign-in for the specific Azure AD organization, check the below:

Create an Azure AD Application in the AAD Tenant and add the redirect URI as https://your-B2C-tenant-name.b2clogin.com/your-B2C-tenant-name.onmicrosoft.com/oauth2/authresp

Azure Active Directory 允许来自另一个租户的访问

Now, Go to Azure AD B2C Tenant to add Azure AD as the Identity Provider:

Select Azure AD B2C -> Identity Providers -> New OpenID Connect provider

In the Metadata URL, add https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration

Enter the ClientID, Client Secret of the Azure AD Application. And for Identity provider claims mapping, check the below and Save:

  • User ID: oid
  • Display name: name
  • Given name: given_name
  • Surname: family_name
  • Email: email

Azure Active Directory 允许来自另一个租户的访问

Created an Azure AD B2C user flow, and select the Identity Provider and save like below:

Azure Active Directory 允许来自另一个租户的访问

I created an Azure AD User in AAD Tenant like below:

Azure Active Directory 允许来自另一个租户的访问

Run the user flow:

Azure Active Directory 允许来自另一个租户的访问

Select Azure AD to sign in with AAD user account:

Azure Active Directory 允许来自另一个租户的访问

Sign-in with the Azure AD User:

Azure Active Directory 允许来自另一个租户的访问

The user gets signed in successfully like below:

Azure Active Directory 允许来自另一个租户的访问

When I go to Azure AD B2C -> Users -> The above user is added as the Member like below:

Azure Active Directory 允许来自另一个租户的访问

Otherwise, you can make use of Azure AD B2B collaboration which allows external identity providers such as Facebook, Google and will allow users to sign-in with their existing accounts. And you can also invite users (from other organization) to access the applications.

Azure Active Directory 允许来自另一个租户的访问

Reference:

Azure AD B2B collaboration overview - Microsoft Entra

huangapple
  • 本文由 发表于 2023年6月16日 06:43:56
  • 转载请务必保留本文链接:https://go.coder-hub.com/76485935.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定