Create AAD B2C Instance

PreviousResource Group NextIdentity Experience Framework

Last updated 11 months ago

Was this helpful?

Create AAD B2C Instance

Create a Tenant

IMPORTANT: Before starting - Add the Microsoft.AzureActiveDirectory resource provider to your subscription by following from Microsoft.

Navigate to your and click Create a tenant at the top of the screen.

The Create a tenant screen will be shown.

Select the Azure Active Directory (B2C) as your choice. - Click Next

In the Configuration Section choose:

Directory Details
- Organization name * : Sharethrift B2C
- Initial domain name * : sharethriftb2c<<some random number>>
- Country/Region: United States
Subscription
- Subscription: <<your subscription>>
- Resource Group: rg-sharethrift

Click Review + Create --> Create

Switch to the new Directory by clicking your name in the upper right corner of the screen and select Sharethift B2C - if you don't see it, reload the webpage.

App Registration for Partner Portal

From the home page, search for and click on "Azure AD B2C"

Choose App registrations in the menu on the left pane under Manage.

Click New registration at the top

Name: <<app-name>>
Supported account types: Accounts in any identity provider or organizational directory (for authenticating users with user flows)
Redirect URI:
- Type Dropdown: Single-page application (SPA)
- URL: http://localhost:<<port-number>>
  <<port-number>> corresponds to the port that the app will run on locally
Permissions: (leave default values set as-is)
Click Register

App Registration for Programmatic Account Management

Choose App Registrations in the menu on the left.

Choose New registration

Name: Sharethrift Account Management
Supported account types: Accounts in this organizational directory only (Sharethrift B2C only - Single Tenant)
Redirect URI:
- Type Dropdown: Public client/native (mobile & desktop)
- URL: http://localhost:4000
Permissions: (leave default values set as-is)
Click Register (navigate to new app)

Add Key to App Registration

Select Certificates & secrets in menu to left under the Manage category

Under Client secrets choose New client secret (a dialog will appear):

Description: programmatic-account-management
Expires: Custom
Start: <today>
End: <max expiration date shown>

Once created you will see "Value" copy this someplace safe, you will not be able to reference this value after seeing it at this time.

Add API Permission

Select API permissions under manage on menu on left under Manage

Click + Add a permission (the Request API permissions blade shows)

Select Microsoft APIs > Microsoft Graph

Choose Application Permissions

Type User.ReadWrite.All. Check User.ReadWrite.All from the User dropdown

Click Add Permissions at bottom of screen.

Click Grant Admin consent for Sharethrift B2C

Grant Application Ability to manage accounts

The Assignments for User administrator is displayed.

Click Add assignments (the add assignments blade will show)

Search for Sharethrift Account Management, select it and click Add

App Registration for IdentityExperienceFramework

In menu on left under Manage choose App registrations

Click New registration at the top of the screen

Name: IdentityExperienceFramework
Supported account types: Accounts in this organizational directory only (Sharethrift B2C only - Single Tenant)
Redirect URI:
- Type Dropdown: Web
- URL: https://<<your-tenant-name>>.b2clogin.com/<<your-tenant-name>>.onmicrosoft.com (e.g.
  - https://sharethriftb2c.b2clogin.com/sharthriftb2c.onmicrosoft.com
Click Register (you'll automatically navigate to new app)

In menu on left under Manage, select Expose an API

Add a scope (accept the default random name), Save and continue

Click Add a scope
Scope name: user_impersonation
Admin consent display name: Access IdentityExperienceFramework
Admin consent description: Allow the application to access IdentityExperienceFramework on behalf of the signed-in user.
State: Enabled
Click Add Scope:

Navigate back to the App Registrations under the Experience Framework by clicking on "identity experience framework" at the top of the screen

App Registration for ProxyIdentityExperienceFramework

In menu on left under Manage choose App registrations

Click New registration at the top of the screen

Name: ProxyIdentityExperienceFramework
Supported account types: Accounts in this organizational directory only (Sharethrift B2C only - Single Tenant)
Redirect URI:
- Type Dropdown: Public client/native (mobile & desktop)
- URL: myapp://auth
Permissions: (leave values as their defaults)
Click Register (you'll automatically navigate to new app)

In menu on left, under Manage, choose Authentication

In Advanced Settings -> Allow Public Flows - Choose Yes

Click Save at top of screen

In menu on left, under Manage choose API Permissions

Click Add a permission, the Request API permissions blade shows:

Select an API: My APIs

Choose IdentityExperienceFramework

Choose : Delegated permissions

Select Permissions: check user_impersonation

Click Add Permissions

Click Grant admin consent for Sharethrift B2C, a dialog will pop asking you to confirm, click Yes

Identity Experience Framework

The Identity Experience Framework blade will be shown.

Create Policy keys

You'll see B2C_1A_ automatically prefixed to whatever you add, don't freak out, it's all good.

Navigate to the Identity Experience Framework section. In the menu on the left under Manage select Policy keys

Click Add, the popup blade on the right will show:

Options: Generate
Name: TokenSigningKeyContainer
Key type: RSA
Set activation date: <leave unchecked>
Set expiration date: <leave unchecked>
Key usage: Signature
Click Create

Add another key:

Click Add, the popup blade on the right will show:

Options: Generate
Name: TokenEncryptionKeyContainer
Key type: RSA
Set activation date: <leave unchecked>
Set expiration date: <leave unchecked>
Key usage: Signature
Click Create

Add another key:

Click Add, the popup blade on the right will show:

Options: Manual
Name: RestApiUsername
Secret: <<username>> (set to something secret )
Set activation date: <leave unchecked>
Set expiration date: <leave unchecked>
Key usage: Encryption
Click Create

Add another key:

Click Add, the popup blade on the right will show:

Options: Manual
Name: RestApiPassword
Secret: <<password>> (set to something secret and strong)
Set activation date: <leave unchecked>
Set expiration date: <leave unchecked>
Key usage: Encryption
Click Create

PreviousResource Group NextIdentity Experience Framework

Last updated 11 months ago

Was this helpful?

Create a Tenant

IMPORTANT: Before starting - Add the Microsoft.AzureActiveDirectory resource provider to your subscription by following from Microsoft.

Navigate to your and click Create a tenant at the top of the screen.

The Create a tenant screen will be shown.

Select the Azure Active Directory (B2C) as your choice. - Click Next

In the Configuration Section choose:

Directory Details
- Organization name * : Sharethrift B2C
- Initial domain name * : sharethriftb2c<<some random number>>
- Country/Region: United States
Subscription
- Subscription: <<your subscription>>
- Resource Group: rg-sharethrift

Click Review + Create --> Create

Switch to the new Directory by clicking your name in the upper right corner of the screen and select Sharethift B2C - if you don't see it, reload the webpage.

App Registration for Partner Portal

From the home page, search for and click on "Azure AD B2C"

Choose App registrations in the menu on the left pane under Manage.

Click New registration at the top

Name: <<app-name>>
Supported account types: Accounts in any identity provider or organizational directory (for authenticating users with user flows)
Redirect URI:
- Type Dropdown: Single-page application (SPA)
- URL: http://localhost:<<port-number>>
  <<port-number>> corresponds to the port that the app will run on locally
Permissions: (leave default values set as-is)
Click Register

App Registration for Programmatic Account Management

Choose App Registrations in the menu on the left.

Choose New registration

Name: Sharethrift Account Management
Supported account types: Accounts in this organizational directory only (Sharethrift B2C only - Single Tenant)
Redirect URI:
- Type Dropdown: Public client/native (mobile & desktop)
- URL: http://localhost:4000
Permissions: (leave default values set as-is)
Click Register (navigate to new app)

Add Key to App Registration

Select Certificates & secrets in menu to left under the Manage category

Under Client secrets choose New client secret (a dialog will appear):

Description: programmatic-account-management
Expires: Custom
Start: <today>
End: <max expiration date shown>

Once created you will see "Value" copy this someplace safe, you will not be able to reference this value after seeing it at this time.

Add API Permission

Select API permissions under manage on menu on left under Manage

Click + Add a permission (the Request API permissions blade shows)

Select Microsoft APIs > Microsoft Graph

Choose Application Permissions

Type User.ReadWrite.All. Check User.ReadWrite.All from the User dropdown

Click Add Permissions at bottom of screen.

Click Grant Admin consent for Sharethrift B2C

Grant Application Ability to manage accounts

Navigate to , search for "User administrator" and click on it select it.

The Assignments for User administrator is displayed.

Click Add assignments (the add assignments blade will show)

Search for Sharethrift Account Management, select it and click Add

App Registration for IdentityExperienceFramework

In menu on left under Manage choose App registrations

Click New registration at the top of the screen

Name: IdentityExperienceFramework
Supported account types: Accounts in this organizational directory only (Sharethrift B2C only - Single Tenant)
Redirect URI:
- Type Dropdown: Web
- URL: https://<<your-tenant-name>>.b2clogin.com/<<your-tenant-name>>.onmicrosoft.com (e.g.
  - https://sharethriftb2c.b2clogin.com/sharthriftb2c.onmicrosoft.com
Click Register (you'll automatically navigate to new app)

In menu on left under Manage, select Expose an API

Add a scope (accept the default random name), Save and continue

Click Add a scope
Scope name: user_impersonation
Admin consent display name: Access IdentityExperienceFramework
Admin consent description: Allow the application to access IdentityExperienceFramework on behalf of the signed-in user.
State: Enabled
Click Add Scope:

Navigate back to the App Registrations under the Experience Framework by clicking on "identity experience framework" at the top of the screen

App Registration for ProxyIdentityExperienceFramework

In menu on left under Manage choose App registrations

Click New registration at the top of the screen

Name: ProxyIdentityExperienceFramework
Supported account types: Accounts in this organizational directory only (Sharethrift B2C only - Single Tenant)
Redirect URI:
- Type Dropdown: Public client/native (mobile & desktop)
- URL: myapp://auth
Permissions: (leave values as their defaults)
Click Register (you'll automatically navigate to new app)

In menu on left, under Manage, choose Authentication

In Advanced Settings -> Allow Public Flows - Choose Yes

Click Save at top of screen

In menu on left, under Manage choose API Permissions

Click Add a permission, the Request API permissions blade shows:

Select an API: My APIs

Choose IdentityExperienceFramework

Choose : Delegated permissions

Select Permissions: check user_impersonation

Click Add Permissions

Click Grant admin consent for Sharethrift B2C, a dialog will pop asking you to confirm, click Yes

Identity Experience Framework

Navigate to , in the menu one the left under the Polices section choose Identity Experience Framework.

The Identity Experience Framework blade will be shown.

Create Policy keys

You'll see B2C_1A_ automatically prefixed to whatever you add, don't freak out, it's all good.

Navigate to the Identity Experience Framework section. In the menu on the left under Manage select Policy keys

Click Add, the popup blade on the right will show:

Options: Generate
Name: TokenSigningKeyContainer
Key type: RSA
Set activation date: <leave unchecked>
Set expiration date: <leave unchecked>
Key usage: Signature
Click Create

Add another key:

Click Add, the popup blade on the right will show:

Options: Generate
Name: TokenEncryptionKeyContainer
Key type: RSA
Set activation date: <leave unchecked>
Set expiration date: <leave unchecked>
Key usage: Signature
Click Create

Add another key:

Click Add, the popup blade on the right will show:

Options: Manual
Name: RestApiUsername
Secret: <<username>> (set to something secret )
Set activation date: <leave unchecked>
Set expiration date: <leave unchecked>
Key usage: Encryption
Click Create

Add another key:

Click Add, the popup blade on the right will show:

Options: Manual
Name: RestApiPassword
Secret: <<password>> (set to something secret and strong)
Set activation date: <leave unchecked>
Set expiration date: <leave unchecked>
Key usage: Encryption
Click Create