Azure AD B2C Deployment Procedures

Azure AD B2C is used as the identity provider for federated authentication, providing a single sign-on experience in Dynamics 365 Portals and Connect 365. This documentation walks through the administrative steps to provision and configure an Azure AD B2C tenant, and configure Dynamics 365 Portals and Connect 365 to use B2C as their common identity provider.

Azure B2C Tenant Provisioning

This section covers creating a new Azure AD B2C tenant in the Azure Portal.

  1. Log in to https://portal.azure.com with a global administrator account.
  2. Click New.

  3. Type Azure Active Directory B2C and select it from the drop-down list.

  4. Click Create.

  5. Click Create a new Azure AD B2C Tenant.

  6. Enter an organization name, domain name, and region, then click Create.

  7. Record the domain name for future reference.
    B2C tenant domain name e.g. contoso.onmicrosoft.com
  8. Click Link an existing Azure B2C Tenant to my Azure subscription.
  9. Fill out the form with the appropriate values.

  10. Locate and click on the B2C tenant from its associated resource group.

  11. Click on Azure AD B2C Settings to open the B2C tenant.

Azure AD B2C Tenant Configuration

This section covers the creation and configuration of an application registration to enable single sign-on across the Dynamics 365 Portal and the Connect 365 web application.

  1. Click the Add button on the Applications tab.

  2. Enter the following values for the new application, using the assigned microsoftcrmportals.com domain name in the reply URLs, then click Create.
    Name: e.g. Dynamics 365 Portal
    Include web app: Yes
    Allow implicit flow: Yes
    Reply URL - Portal: e.g. https://contoso.microsoftcrmportals.com/signin-b2c
    Reply URL - Connect 365: e.g. https://contoso.microsoftcrmportals.com/b2c-silent-signin/
      When a site has multiple languages, use the URL of the primary language, e.g. https://contoso.microsoftcrmportals.com/en-US/b2c-silent-signin/
    App ID URI: e.g. portal

  3. Record the following B2C Application values for future reference:
    B2C Application Reply URL - Portal: e.g. https://contoso.microsoftcrmportals.com/signin-b2c
    B2C Application Reply URL - Connect 365: e.g. https://contoso.microsoftcrmportals.com/b2c-silent-signin/
      When a site has multiple languages, use the URL of the primary language, e.g. https://contoso.microsoftcrmportals.com/en-US/b2c-silent-signin/
    B2C Application App ID URI: e.g. https://contoso.onmicrosoft.com/portal
  4. Open the newly created application.

  5. Record the Application ID for future reference:

    B2C Application ID e.g. 8075a5ce-2538-4bd4-b61d-1e9349ad923e
  6. Create a new published scope:
    Scope: all
    Description: all items

    Record the scope value for future reference:

    B2C Application Scope e.g. all

    Add a new API access rule:

    API: Dynamics 365 Portal
    Select Scopes: all items (all)

Add identity providers (optional)

Additional social providers aside from local accounts may be added if desired; instructions are available at https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-overview. Not all providers are currently supported; refer to the following categories of support:

Supported providers:

  1. Local Accounts
  2. Facebook
  3. Google
  4. LinkedIn

Unsupported providers (due to technical limitations):

  1. Amazon
  2. Microsoft Account
  3. Twitter

Untested providers:

  1. Weibo
  2. QQ
  3. WeChat

Create sign-up or sign-in policy

  7. Click the Add button on the Sign-up or sign-in policies tab.

  8. Enter a name for the sign-up or sign-in policy, such as Default.

  9. Select the desired identity providers. Instructions for creating additional identity providers besides the built-in Local Account identity provider are available at https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-overview.

  10. Click the Sign-up attributes tab and select the following minimum attributes:
    • Email Address
    • Given Name
    • Surname

  11. Click the Application claims tab and select the following minimum required claims:
    • Email Addresses
    • Given Name
    • Identity Provider
    • Surname
    • User is new
    • User’s Object ID

  12. Click Create to save all values.

  13. Record the generated policy name for future reference. For example, entering a policy name of ‘Default’ becomes the generated name ‘B2C_1_Default’.

    B2C Sign-up or Sign-in Policy Name e.g. B2C_1_Default
  14. Click on the newly created policy, for example B2C_1_Default.

  15. Click Edit.

  16. Open Token, session & SSO config.

  17. Update or validate the following values. The following documentation can be referenced for additional information: https://docs.microsoft.com/en-us/dynamics365/customer-engagement/portals/azure-ad-b2c.
    Access & ID token lifetimes: the duration (minutes) tokens remain valid. Choose a value that is the same as or longer than the portal session duration defined in the site setting Authentication/ApplicationCookie/ExpireTimeSpan, so that users can access Connect 365 functionality for the entire duration of their portal sign-in session. For example, a value of 240 equates to 4 hours.
    Issuer (iss) claim: choose the option that begins with https://login.microsoftonline.com/tfp/
    Claim representing policy ID: tfp
    Single sign-on configuration: Tenant

    Click OK, then save.

  18. Click the policy metadata endpoint hyperlink to obtain the issuer URL.

    Ensure the login.microsoftonline.com option is selected before clicking the hyperlink. Support for the b2clogin.com domain is in the process of being added in v1.4.

    A JSON document will be displayed in the web browser. Copy the issuer value.

  19. Record the policy issuer for future reference.
    B2C Sign-up / Sign-in policy issuer e.g. https://login.microsoftonline.com/tfp/30da4020-68e4-4530-ac7a-a0f8aecb0cc2/b2c_1_default/v2.0/
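The issuer copied in step 18, together with the Application ID (step 5) and policy name (step 13), are the values the portal and Connect 365 compare an incoming ID token against. The following Python snippet is an added example, not code from the original documentation or from Connect 365: it parses a constructed metadata document of the kind step 18 displays, confirms the issuer is the /tfp/ form chosen in step 17, and checks a constructed token payload for the iss, aud, tfp, nbf and exp claims plus the minimum application claims from step 11. The claim names are the standard Azure AD B2C ones; the sample metadata and token payload are constructed here, and signature verification against the metadata's jwks_uri is assumed to have already been performed by the relying party.

```python
"""Claims check for an Azure AD B2C ID token against the recorded settings.

Added example (not from the original documentation or Connect 365). Assumes the
standard B2C claim names and that the token signature was already verified.
"""
import json
import time
from typing import Dict, List, Optional

# Values recorded in steps 5, 13 and 19 (the document's own example values).
RECORDED = {
    "issuer": "https://login.microsoftonline.com/tfp/30da4020-68e4-4530-ac7a-a0f8aecb0cc2/b2c_1_default/v2.0/",
    "client_id": "8075a5ce-2538-4bd4-b61d-1e9349ad923e",
    "policy_name": "B2C_1_Default",
}

# Minimum application claims selected in step 11, by their token claim names.
REQUIRED_CLAIMS = ("emails", "given_name", "family_name", "idp", "newUser", "oid")

# Constructed sample of the JSON shown by the policy metadata endpoint (step 18),
# trimmed to the fields used here; the jwks_uri is a placeholder.
SAMPLE_METADATA = json.dumps({
    "issuer": RECORDED["issuer"],
    "jwks_uri": "https://login.microsoftonline.com/CONSTRUCTED-EXAMPLE/discovery/v2.0/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
})

NOW = 1_600_000_000  # fixed clock so the example is deterministic

# Constructed sample ID token payload issued by the policy above, valid for the
# 240-minute token lifetime used as the example in step 17.
SAMPLE_CLAIMS = {
    "iss": RECORDED["issuer"],
    "aud": RECORDED["client_id"],
    "tfp": "B2C_1_Default",
    "iat": NOW - 60, "nbf": NOW - 60, "exp": NOW - 60 + 240 * 60,
    "emails": ["ada@example.com"],
    "given_name": "Ada", "family_name": "Lovelace",
    "idp": "LocalAccount", "newUser": True,
    "oid": "11111111-2222-3333-4444-555555555555",
}


def check_metadata_issuer(metadata_json: str, recorded_issuer: str) -> str:
    """Parse the policy metadata document and return its issuer, raising
    ValueError if it is not the /tfp/ form or differs from the recorded value."""
    issuer = json.loads(metadata_json)["issuer"]
    if not issuer.startswith("https://login.microsoftonline.com/tfp/"):
        raise ValueError("issuer is not the login.microsoftonline.com/tfp/ form: " + issuer)
    if issuer != recorded_issuer:
        raise ValueError("metadata issuer does not match the recorded policy issuer")
    return issuer


def check_id_token_claims(claims: Dict, recorded: Dict, now: Optional[int] = None) -> List[str]:
    """Return the list of problems found; an empty list means the claims agree
    with the recorded settings and the token is within its validity window."""
    now = int(time.time()) if now is None else now
    problems: List[str] = []
    if claims.get("iss") != recorded["issuer"]:
        problems.append("iss does not match the recorded policy issuer")
    if claims.get("aud") != recorded["client_id"]:
        problems.append("aud does not match the recorded B2C Application ID")
    # The issuer URL carries the policy name in lower case, so compare case-insensitively.
    if str(claims.get("tfp", "")).lower() != recorded["policy_name"].lower():
        problems.append("tfp does not name the expected sign-up or sign-in policy")
    if claims.get("nbf", 0) > now:
        problems.append("token not yet valid (nbf in the future)")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    for name in REQUIRED_CLAIMS:
        if name not in claims:
            problems.append("missing required application claim: " + name)
    return problems


if __name__ == "__main__":
    print("issuer:", check_metadata_issuer(SAMPLE_METADATA, RECORDED["issuer"]))
    print("problems:", check_id_token_claims(SAMPLE_CLAIMS, RECORDED, now=NOW))
```

A token whose aud is a different application, or whose tfp names a policy other than the one recorded, is rejected even when it was issued by the same B2C tenant; this is what prevents a token minted for another application registration from being accepted by the portal.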

Facebook Login App Settings

To set up Facebook as an identity provider, refer to the Microsoft documentation Set up sign-up and sign-in with a Facebook account using Azure Active Directory B2C. Supplementary information to configure the application is as follows:

v1.3+

When using the login.microsoftonline.com domain, use the following Valid OAuth Redirect URIs values when configuring the Facebook app settings:

  1. e.g. https://login.microsoftonline.com/te/30da4020-68e4-4530-ac7a-a0f8aecb0cc2/oauth2/authresp
  2. e.g. https://login.microsoftonline.com/te/contoso.onmicrosoft.com/oauth2/authresp

Substitute the values between /te/ and /oauth2/ with the Tenant ID and domain of the B2C tenant in the respective URIs.

v1.4+

When using the b2clogin.com domain, use the following Valid OAuth Redirect URIs values when configuring the Facebook app settings:

  • INFORMATION TBD

Dynamics 365 Portal Site Settings

Create site settings with the following names and values:

Authentication/OpenIdConnect/B2C/Authority

Enter the previously recorded value B2C Sign-up / Sign-in policy issuer.

e.g. https://login.microsoftonline.com/tfp/30da4020-68e4-4530-ac7a-a0f8aecb0cc2/b2c_1_default/v2.0/

Authentication/OpenIdConnect/B2C/Caption

The login button text in the portal, e.g. Azure AD B2C

Authentication/OpenIdConnect/B2C/ClientId

Enter the previously recorded value B2C Application ID.

e.g. 8075a5ce-2538-4bd4-b61d-1e9349ad923e

Authentication/OpenIdConnect/B2C/ExternalLogoutEnabled

This setting is optional, but setting it to true is highly recommended so that clicking the logout button in the portal logs the user out of Azure AD B2C as well as the portal.

Authentication/OpenIdConnect/B2C/RedirectUri

Enter the previously recorded value B2C Application Reply URL - Portal.

e.g. https://contoso.microsoftcrmportals.com/signin-b2c

Authentication/OpenIdConnect/B2C/RegistrationClaimsMapping

Enter a list of values to map the claims to fields on the contact record. For example, to store the given name and surname claims in the firstname and lastname fields on the contact record:

e.g. firstname=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname,lastname=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

Authentication/ApplicationCookie/ExpireTimeSpan

The duration users remain signed in to the portal after authenticating. Choose a value that is the same as or less than the B2C policy's Access & ID token lifetimes value, so that users can access Connect 365 functionality for the entire duration of their portal sign-in session.

e.g. a value of 04:00:00 equates to 4 hours.

Authentication/ApplicationCookie/SlidingExpiration

Set to false.

Note: the value false is used to prevent a portal sign-in session from extending beyond the duration of the B2C authentication session that is shared with Connect 365.

Authentication/OpenIdConnect/B2C/AllowContactMappingWithEmail

Set to true. This setting is optional. When used, it automatically associates a signed-in user whose email address has already been verified through B2C with an existing contact record that has the same email address.
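The site settings above carry two formats worth checking mechanically before go-live: the RegistrationClaimsMapping list (field=claimUri pairs separated by commas) and the relationship between the cookie ExpireTimeSpan, SlidingExpiration and the B2C token lifetime. The following Python check is an added example, not code from the original documentation or from Connect 365. The setting names and example values are the document's own; the .NET TimeSpan text form (d.hh:mm:ss) assumed for ExpireTimeSpan, the GUID shape assumed for ClientId, and the sample contact claims are assumptions made for this example.

```python
"""Consistency check over the Dynamics 365 Portal site settings for B2C.

Added example (not from the original documentation or Connect 365). Assumes
ExpireTimeSpan uses the .NET TimeSpan text form d.hh:mm:ss and that ClientId
is a GUID.
"""
import re
from typing import Dict, List

# Constructed sample: the site settings as the list above suggests them.
SITE_SETTINGS = {
    "Authentication/OpenIdConnect/B2C/Authority":
        "https://login.microsoftonline.com/tfp/30da4020-68e4-4530-ac7a-a0f8aecb0cc2/b2c_1_default/v2.0/",
    "Authentication/OpenIdConnect/B2C/Caption": "Azure AD B2C",
    "Authentication/OpenIdConnect/B2C/ClientId": "8075a5ce-2538-4bd4-b61d-1e9349ad923e",
    "Authentication/OpenIdConnect/B2C/ExternalLogoutEnabled": "true",
    "Authentication/OpenIdConnect/B2C/RedirectUri": "https://contoso.microsoftcrmportals.com/signin-b2c",
    "Authentication/OpenIdConnect/B2C/RegistrationClaimsMapping":
        "firstname=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname,"
        "lastname=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "Authentication/ApplicationCookie/ExpireTimeSpan": "04:00:00",
    "Authentication/ApplicationCookie/SlidingExpiration": "false",
    "Authentication/OpenIdConnect/B2C/AllowContactMappingWithEmail": "true",
}

# Access & ID token lifetime (minutes) set on the B2C policy in step 17 (document example).
B2C_TOKEN_LIFETIME_MINUTES = 240

GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def timespan_to_minutes(value: str) -> float:
    """Parse a .NET TimeSpan string such as '04:00:00' or '1.12:30:00' into minutes."""
    days = 0
    if "." in value.split(":")[0]:          # optional leading day component
        day_part, value = value.split(".", 1)
        days = int(day_part)
    hours, minutes, seconds = (int(p) for p in value.split(":"))
    return days * 1440 + hours * 60 + minutes + seconds / 60


def parse_claims_mapping(value: str) -> Dict[str, str]:
    """Turn 'field=claimUri,field=claimUri' into {field: claimUri}; raises ValueError on malformed pairs."""
    mapping: Dict[str, str] = {}
    for pair in value.split(","):
        field, claim = pair.split("=", 1)
        mapping[field.strip()] = claim.strip()
    return mapping


def map_claims_to_contact(mapping: Dict[str, str], claims: Dict[str, str]) -> Dict[str, str]:
    """Apply the mapping to claims keyed by full claim URI; fields whose claim is absent are skipped."""
    return {field: claims[uri] for field, uri in mapping.items() if uri in claims}


def validate_site_settings(settings: Dict[str, str], token_lifetime_minutes: int) -> List[str]:
    """Return the list of problems found; an empty list means the settings are consistent."""
    problems: List[str] = []
    p = "Authentication/OpenIdConnect/B2C/"
    authority = settings.get(p + "Authority", "")
    if not authority.startswith("https://login.microsoftonline.com/tfp/") or not authority.endswith("/v2.0/"):
        problems.append("Authority must be the tfp policy issuer ending in /v2.0/")
    if not GUID_RE.match(settings.get(p + "ClientId", "")):
        problems.append("ClientId must be the B2C Application ID (a GUID)")
    if not settings.get(p + "RedirectUri", "").startswith("https://"):
        problems.append("RedirectUri must use https")
    try:
        parse_claims_mapping(settings.get(p + "RegistrationClaimsMapping", ""))
    except ValueError:
        problems.append("RegistrationClaimsMapping must be field=claim pairs separated by commas")
    cookie_minutes = timespan_to_minutes(settings.get("Authentication/ApplicationCookie/ExpireTimeSpan", "0:0:0"))
    if cookie_minutes > token_lifetime_minutes:
        problems.append("ExpireTimeSpan exceeds the B2C token lifetime")
    if settings.get("Authentication/ApplicationCookie/SlidingExpiration", "").lower() != "false":
        problems.append("SlidingExpiration should be false so the portal session cannot outlive the B2C session")
    return problems


if __name__ == "__main__":
    print("problems:", validate_site_settings(SITE_SETTINGS, B2C_TOKEN_LIFETIME_MINUTES))
```

The lifetime comparison is the check most often missed: a cookie that outlives the B2C token leaves a user signed in to the portal while Connect 365 silent sign-in has already stopped working, and a sliding cookie extends that window on every request.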

Connect 365 Portals Web Page

You must create the web page referenced in B2C Application Reply URL - Connect 365 above, with the following values:

Name: B2C Silent Sign-in (this can be any name you prefer)
Parent Page: Home (this can be any value you prefer, but the final URL of the page must match the value of B2C Application Reply URL - Connect 365)
Partial URL: b2c-silent-signin (this can be any value you prefer, but the final URL of the page must match the value of B2C Application Reply URL - Connect 365)
Page Template: Blank Page (you can use any page template you prefer, but it is recommended to use as minimal a page template as possible; users will never visually see this web page)
Copy (HTML): {% include 'Connect 365 - Authentication' %} (this references the Web Template created in the next step)

Dynamics 365 Portals supports multiple languages, and web pages have one or more localized content pages. The Liquid code needs to be entered into one of the localized content records associated with the web page.

Connect 365 Portals Web Template

You must create the web template referenced in your Web Page above, with the following values:

Name: Connect 365 - Authentication
Source: Download as text

Connect 365 Azure AD B2C Settings

This section covers creating settings that Connect 365 will use to reference Azure AD B2C for facilitating federated authentication.

  1. Open the Azure AD B2C Settings menu.

  2. Create setting records with the following values (each of type Single Line of Text):
    Azure AD B2C Tenant Domain

    Enter the previously recorded value B2C tenant domain name.

    e.g. contoso.onmicrosoft.com

    Azure AD B2C Policy Issuer

    Enter the previously recorded value B2C Sign-up / Sign-in policy issuer.

    e.g. https://login.microsoftonline.com/tfp/30da4020-68e4-4530-ac7a-a0f8aecb0cc2/b2c_1_default/v2.0/

    Azure AD B2C Policy Name

    Enter the previously recorded value B2C Sign-up / Sign-in Policy Name.

    e.g. B2C_1_Default

    Azure AD B2C Application ID

    Enter the previously recorded value B2C Application ID.

    e.g. 8075a5ce-2538-4bd4-b61d-1e9349ad923e

    Azure AD B2C Application ID URI

    Enter the previously recorded value B2C Application App ID URI.

    e.g. https://contoso.onmicrosoft.com/portal

    Azure AD B2C Application Scope

    Enter the previously recorded value B2C Application Scope.

    e.g. all

    Azure AD B2C Application Reply URL

    Enter the previously recorded value B2C Application Reply URL - Connect 365.

    e.g. https://contoso.microsoftcrmportals.com/b2c-silent-signin/

    When a site has multiple languages, use the URL of the primary language.

    e.g. https://contoso.microsoftcrmportals.com/en-US/b2c-silent-signin/

    Once entered, the values should appear very similar to the following example. Carefully compare the entered settings to this example: the settings must be entered using the correct format and values for authentication to work.