Azure Active Directory Allowing access from another tenant

Question

My organization is currently using Azure AD for all our employees and internal applications. I am building a web service which needs to use Azure AD for authentication but they want me to use a separate tenant so that customer users aren't all mixed in with all of our employees. They want me to make it so a few handpicked employee users can sign into the web app, but using their account from our main tenant. The customer users should be able to use their emails as their usernames, regardless of which email system they use. The customer users should also be able to reset their own passwords.

I thought that Azure B2C was the answer because when I created a B2C tenant, I was able to login using my user from the employee tenant as well as send email invites to external users at any email address. Unfortunately, I can't find a way to add another user from an External Azure Active Directory.

It would also be nice if I could setup some external providers, such as google, facebook, etc, which seems to be right up B2C's alley, but I can't seem to add users from another Azure AD

Is there a better solution to what I am doing here that meets my requirements?

Answer 1

Score: 1


> It would also be nice if I could setup some external providers, such as google, facebook, etc, which seems to be right up B2C's alley, but I can't seem to add users from another Azure AD

To allow sign-in for the specific Azure AD organization, check the below:

Create an Azure AD Application in the AAD Tenant and add the redirect URI as https://your-B2C-tenant-name.b2clogin.com/your-B2C-tenant-name.onmicrosoft.com/oauth2/authresp

[screenshot]

Now, go to the Azure AD B2C tenant to add Azure AD as the identity provider:

Select Azure AD B2C -> Identity Providers -> New OpenID Connect provider

In the Metadata URL, add https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration

Enter the Client ID and Client Secret of the Azure AD application. For the identity provider claims mapping, check the below and save:

  • User ID: oid
  • Display name: name
  • Given name: given_name
  • Surname: family_name
  • Email: email

[screenshot]

Create an Azure AD B2C user flow, select the identity provider, and save like below:

[screenshot]

I created an Azure AD user in the AAD tenant like below:

[screenshot]

Run the user flow:

[screenshot]

Select Azure AD to sign in with the AAD user account:

[screenshot]

Sign in with the Azure AD user:

[screenshot]

The user gets signed in successfully like below:

[screenshot]

When I go to Azure AD B2C -> Users, the above user has been added as a Member like below:

[screenshot]

Otherwise, you can make use of Azure AD B2B collaboration, which allows external identity providers such as Facebook and Google and lets users sign in with their existing accounts. You can also invite users from other organizations to access the applications.

[screenshot]

Reference:

Azure AD B2B collaboration overview - Microsoft Entra
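A small model of the configuration in this answer, added here as an example that is not part of the original post: it builds the redirect URI and metadata URL from the values above and applies the claims mapping to a constructed ID-token payload, rejecting a token whose issuer is not the configured tenant. The v2.0 issuer format and the `tid` check are assumptions, not something the answer states.

```python
# Claims mapping from the answer: B2C user attribute -> Azure AD token claim
CLAIMS_MAPPING = {
    "User ID": "oid",
    "Display name": "name",
    "Given name": "given_name",
    "Surname": "family_name",
    "Email": "email",
}

def b2c_redirect_uri(b2c_tenant_name: str) -> str:
    """Redirect URI to register on the Azure AD app, in the format the answer gives."""
    return (f"https://{b2c_tenant_name}.b2clogin.com/"
            f"{b2c_tenant_name}.onmicrosoft.com/oauth2/authresp")

def aad_metadata_url(tenant: str) -> str:
    """Discovery URL with {tenant} filled in. Using one tenant ID or domain (not the
    multi-tenant endpoints) is what restricts sign-in to that one Azure AD organization."""
    if tenant in ("common", "organizations", "consumers"):
        raise ValueError("use a specific tenant ID or domain, not a multi-tenant endpoint")
    return f"https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration"

def map_claims(payload: dict, tenant_id: str) -> dict:
    """Apply the claims mapping to a decoded ID-token payload after confirming the token
    was issued by the configured tenant (v2.0 issuer format and tid claim assumed)."""
    expected_iss = f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    if payload.get("iss") != expected_iss or payload.get("tid") != tenant_id:
        raise ValueError("token was not issued by the configured Azure AD tenant")
    missing = [c for c in CLAIMS_MAPPING.values() if c not in payload]
    if missing:
        raise ValueError(f"token lacks mapped claims: {missing}")
    return {attr: payload[claim] for attr, claim in CLAIMS_MAPPING.items()}

# Constructed sample: the decoded payload of an Azure AD ID token (not a real token).
SAMPLE_TENANT_ID = "00000000-0000-0000-0000-000000000001"
SAMPLE_PAYLOAD = {
    "iss": f"https://login.microsoftonline.com/{SAMPLE_TENANT_ID}/v2.0",
    "tid": SAMPLE_TENANT_ID,
    "oid": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "name": "Example Employee",
    "given_name": "Example",
    "family_name": "Employee",
    "email": "employee@example.com",
}

if __name__ == "__main__":
    print(b2c_redirect_uri("your-B2C-tenant-name"))
    print(aad_metadata_url(SAMPLE_TENANT_ID))
    print(map_claims(SAMPLE_PAYLOAD, SAMPLE_TENANT_ID))
```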

Posted by huangapple on 2023-06-16 06:43:56. Source: https://go.coder-hub.com/76485935.html