AAD B2C


Last updated 1 year ago


Azure B2C Support For HYBR

Create an Azure AD B2C directory from All resources in the Azure portal and register the HYBR app in it the same way as for Microsoft Entra ID.

HYBR Application registration:

Steps to add a custom policy to support UPN:

To use custom policies instead of the standard user flows, complete the following steps before creating the custom policy.

Add signing and encryption keys

  1. Sign in to the Azure portal.

  2. Select the Directory + Subscription icon in the portal toolbar, and then select the directory that contains your Azure AD B2C tenant.

  3. In the Azure portal, search for and select Azure AD B2C.

  4. On the overview page, under Policies, select Identity Experience Framework.

Create the signing key

  1. Select Policy Keys and then select Add.

  2. For Options, choose Generate.

  3. In Name, enter TokenSigningKeyContainer. The prefix B2C_1A_ might be added automatically.

  4. For Key type, select RSA.

  5. For Key usage, select Signature.

  6. Select Create.

Create the encryption key

  1. Select Policy Keys and then select Add.

  2. For Options, choose Generate.

  3. In Name, enter TokenEncryptionKeyContainer. The prefix B2C_1A_ might be added automatically.

  4. For Key type, select RSA.

  5. For Key usage, select Encryption.

  6. Select Create.

Register Identity Experience Framework applications

Azure AD B2C requires you to register two applications that it uses to sign up and sign in users with local accounts: IdentityExperienceFramework, a web API, and ProxyIdentityExperienceFramework, a native app with delegated permission to the IdentityExperienceFramework app. Your users can sign up with an email address or username and a password to access your tenant-registered applications, which creates a "local account." Local accounts exist only in your Azure AD B2C tenant.

You need to register these two applications in your Azure AD B2C tenant only once.

Register the IdentityExperienceFramework application

To register an application in your Azure AD B2C tenant, you can use the App registrations experience.

  1. Select App registrations, and then select New registration.

  2. For Name, enter IdentityExperienceFramework.

  3. Under Supported account types, select Accounts in this organizational directory only.

  4. Under Redirect URI, select Web, and then enter https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com, where your-tenant-name is your Azure AD B2C tenant domain name.

  5. Under Permissions, select the Grant Admin consent to openid and offline_access permissions check box.

  6. Select Register.

  7. Record the Application (client) ID for use in a later step.

Next, expose the API by adding a scope:

  1. In the left menu, under Manage, select Expose an API.

  2. Select Add a scope, then select Save and continue to accept the default application ID URI.

  3. Enter the following values to create a scope that allows custom policy execution in your Azure AD B2C tenant:

    • Scope name: user_impersonation

    • Admin consent display name: Access IdentityExperienceFramework

    • Admin consent description: Allow the application to access IdentityExperienceFramework on behalf of the signed-in user.

  4. Select Add scope.

Register the ProxyIdentityExperienceFramework application

  1. Select App registrations, and then select New registration.

  2. For Name, enter ProxyIdentityExperienceFramework.

  3. Under Supported account types, select Accounts in this organizational directory only.

  4. Under Redirect URI, use the drop-down to select Public client/native (mobile & desktop).

  5. For Redirect URI, enter myapp://auth.

  6. Under Permissions, select the Grant Admin consent to openid and offline_access permissions check box.

  7. Select Register.

  8. Record the Application (client) ID for use in a later step.

Next, specify that the application should be treated as a public client:

  1. In the left menu, under Manage, select Authentication.

  2. Under Advanced settings, enable Treat application as a public client (select Yes). Ensure that "allowPublicClient": true is set in the application manifest.

  3. Select Save.

Now, grant permissions to the API scope you exposed earlier in the IdentityExperienceFramework registration:

  1. In the left menu, under Manage, select API permissions.

  2. Under Configured permissions, select Add a permission.

  3. Select the My APIs tab, then select the IdentityExperienceFramework application.

  4. Under Permission, select the user_impersonation scope that you defined earlier.

  5. Select Add permissions. As directed, wait a few minutes before proceeding to the next step.

  6. Select Grant Admin consent for (your tenant name).

  7. Select your currently signed-in administrator account, or sign in with an account in your Azure AD B2C tenant that's been assigned at least the Cloud application administrator role.

  8. Select Accept.

  9. Select Refresh, and then verify that "Granted for ..." appears under Status for the scopes - offline_access, openid and user_impersonation. It might take a few minutes for the permissions to propagate.

Creating and Uploading Custom Policy:

Download the Custom Policy Starter Pack and make the following change:

  1. In all the XML files under the LocalAccounts directory, replace the string yourtenant with the name of your Azure AD B2C tenant.

For example, if the name of your B2C tenant is contosotenant, all instances of yourtenant.onmicrosoft.com become contosotenant.onmicrosoft.com.

Add application IDs to the custom policy

Add the application IDs to the extensions file TrustFrameworkExtensions.xml.

  1. Open LocalAccounts/TrustFrameworkExtensions.xml and find the element <TechnicalProfile Id="login-NonInteractive">.

  2. Replace both instances of IdentityExperienceFrameworkAppId with the application ID of the IdentityExperienceFramework application that you created earlier.

  3. Replace both instances of ProxyIdentityExperienceFrameworkAppId with the application ID of the ProxyIdentityExperienceFramework application that you created earlier.

  4. Save the file.

Open SignUpOrSignin.xml and add the line below to the output claims:

<OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="upn" />

Open PasswordReset.xml and add the line below to the output claims:

<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="upn" />

Save the above files and proceed to upload.

Upload the policies

  1. Select the Identity Experience Framework menu item in your B2C tenant in the Azure portal.

  2. Select Upload custom policy.

  3. In this order, upload the policy files:

    1. TrustFrameworkBase.xml

    2. TrustFrameworkExtensions.xml

    3. SignUpOrSignin.xml

    4. ProfileEdit.xml

    5. PasswordReset.xml

As you upload the files, Azure adds the prefix B2C_1A_ to each.

Run the custom policy and check the id_token for available claims.

Enter the B2C_1A_SignUpOrSignin and B2C_1A_PasswordReset policy names in the HYBR web.config under the Azure B2C section.
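Checking the id_token for the claims the policy emits, as the step above asks, can be done before the HYBR web.config is touched. The following is an added example and is not part of the HYBR documentation: it decodes a constructed token shaped like a B2C id_token (the tenant GUID, client id and signature are placeholders), lists any missing claims, and reads the issuing policy name from the tfp claim. It inspects claims only; signature, issuer, audience and expiry validation stays with the relying party's OIDC library.

```python
import base64
import json

# Claims HYBR needs once the custom policy maps the sign-in name to "upn".
# This set is an assumption of the example, not a list taken from HYBR.
REQUIRED_CLAIMS = ("iss", "aud", "sub", "exp", "upn")


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj):
    """Inverse of _b64url_decode; used only to build the constructed sample."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def decode_id_token(token):
    """Split an id_token into (header, payload) dicts.

    Claim inspection only: the signature segment is not checked here.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token must be header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload


def missing_claims(payload, required=REQUIRED_CLAIMS):
    """Return the required claims absent from the payload (empty list = all present)."""
    return [c for c in required if c not in payload]


def policy_name(payload):
    """B2C reports the policy that issued the token in 'tfp' ('acr' on older policies)."""
    return payload.get("tfp") or payload.get("acr")


# Constructed sample: shaped like a B2C id_token after the PartnerClaimType="upn"
# edit. Tenant GUID, client id and signature are placeholders, not real values.
SAMPLE_ID_TOKEN = ".".join([
    _b64url_encode({"alg": "RS256", "typ": "JWT", "kid": "placeholder-kid"}),
    _b64url_encode({
        "iss": "https://contosotenant.b2clogin.com/<tenant-guid>/v2.0/",
        "aud": "<hybr-client-id>",
        "sub": "00000000-0000-0000-0000-000000000000",
        "exp": 1700000000,
        "tfp": "B2C_1A_SignUpOrSignin",
        "upn": "alice@contoso.example",
    }),
    "placeholder-signature",
])

if __name__ == "__main__":
    header, claims = decode_id_token(SAMPLE_ID_TOKEN)
    print("issued by policy:", policy_name(claims))
    print("missing claims:", missing_claims(claims) or "none")
```

If upn is reported missing, the OutputClaim line was not added to the relying party file that was actually uploaded, or the uploaded policy is not the one the tfp claim names.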

Remove Sign-up options (Optional):

To remove sign-up, follow the instructions below:

  1. Open TrustFrameworkBase.xml and find the line below:

<TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">

  2. Remove the line below from its Metadata section; this removes support for sign-up:

<Item Key="SignUpTarget">SignUpWithLogonEmailExchange</Item>

  3. Add the line below to the same Metadata section; this removes the sign-up link:

<Item Key="setting.showSignupLink">false</Item>
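The file edits from the two procedures above (tenant and application-ID substitution plus the UPN output claim, and the optional sign-up removal) as one script. This is an added example, not code from the HYBR documentation or from the starter pack: it runs on constructed, trimmed stand-ins for TrustFrameworkExtensions.xml, SignUpOrSignin.xml and TrustFrameworkBase.xml, assumes the starter pack's default XML namespace and element Ids, and uses placeholder GUIDs. It also enforces a replacement order the procedure does not spell out: ProxyIdentityExperienceFrameworkAppId contains IdentityExperienceFrameworkAppId as a substring, so a global find-and-replace done in the opposite order corrupts the Proxy placeholder.

```python
import xml.etree.ElementTree as ET

# Default namespace of every TrustFrameworkPolicy file in the starter pack.
NS = "http://schemas.microsoft.com/online/cpim/schemas/2013/06"
ET.register_namespace("", NS)  # keep it as the default namespace when serializing

PLACEHOLDERS = ("ProxyIdentityExperienceFrameworkAppId",
                "IdentityExperienceFrameworkAppId", "yourtenant")


def substitute_placeholders(xml_text, tenant, ief_app_id, proxy_ief_app_id):
    """Plain-text replacement of the starter pack placeholders.

    The Proxy placeholder is replaced first: it contains the plain
    IdentityExperienceFrameworkAppId string, so the reverse order would
    leave 'Proxy<ief_app_id>' behind.
    """
    xml_text = xml_text.replace("ProxyIdentityExperienceFrameworkAppId", proxy_ief_app_id)
    xml_text = xml_text.replace("IdentityExperienceFrameworkAppId", ief_app_id)
    return xml_text.replace("yourtenant", tenant)


def leftover_placeholders(xml_text):
    """Pre-upload check: any placeholder still present means an edit was missed."""
    return [p for p in PLACEHOLDERS if p in xml_text]


def add_upn_output_claim(xml_text, claim_type_ref):
    """Append <OutputClaim ... PartnerClaimType="upn"/> to the relying party's
    OutputClaims (SignUpOrSignin.xml / PasswordReset.xml). Idempotent."""
    root = ET.fromstring(xml_text)
    out = root.find(f"./{{{NS}}}RelyingParty/{{{NS}}}TechnicalProfile/{{{NS}}}OutputClaims")
    if out is None:
        raise ValueError("no RelyingParty/TechnicalProfile/OutputClaims element")
    if not any(c.get("PartnerClaimType") == "upn" for c in out):
        ET.SubElement(out, f"{{{NS}}}OutputClaim",
                      ClaimTypeReferenceId=claim_type_ref, PartnerClaimType="upn")
    return ET.tostring(root, encoding="unicode")


def disable_local_signup(xml_text):
    """Optional step: drop SignUpTarget and hide the sign-up link in the
    SelfAsserted-LocalAccountSignin-Email profile of TrustFrameworkBase.xml."""
    root = ET.fromstring(xml_text)
    for tp in root.iter(f"{{{NS}}}TechnicalProfile"):
        if tp.get("Id") != "SelfAsserted-LocalAccountSignin-Email":
            continue
        meta = tp.find(f"{{{NS}}}Metadata")
        if meta is None:
            raise ValueError("profile has no Metadata element")
        for item in list(meta):
            if item.get("Key") == "SignUpTarget":
                meta.remove(item)
        if not any(i.get("Key") == "setting.showSignupLink" for i in meta):
            ET.SubElement(meta, f"{{{NS}}}Item", Key="setting.showSignupLink").text = "false"
        return ET.tostring(root, encoding="unicode")
    raise ValueError("SelfAsserted-LocalAccountSignin-Email profile not found")


# Constructed, trimmed stand-ins for the starter pack files (not the real files).
SAMPLE_EXTENSIONS = f"""<TrustFrameworkPolicy xmlns="{NS}" TenantId="yourtenant.onmicrosoft.com"
    PolicyId="B2C_1A_TrustFrameworkExtensions">
  <ClaimsProviders><ClaimsProvider><TechnicalProfiles>
    <TechnicalProfile Id="login-NonInteractive">
      <Metadata>
        <Item Key="client_id">ProxyIdentityExperienceFrameworkAppId</Item>
        <Item Key="IdTokenAudience">IdentityExperienceFrameworkAppId</Item>
      </Metadata>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="client_id" DefaultValue="ProxyIdentityExperienceFrameworkAppId" />
        <InputClaim ClaimTypeReferenceId="resource_id" PartnerClaimType="resource" DefaultValue="IdentityExperienceFrameworkAppId" />
      </InputClaims>
    </TechnicalProfile>
  </TechnicalProfiles></ClaimsProvider></ClaimsProviders>
</TrustFrameworkPolicy>"""

SAMPLE_RELYING_PARTY = f"""<TrustFrameworkPolicy xmlns="{NS}" PolicyId="B2C_1A_SignUpOrSignin">
  <RelyingParty>
    <TechnicalProfile Id="PolicyProfile">
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="email" />
      </OutputClaims>
    </TechnicalProfile>
  </RelyingParty>
</TrustFrameworkPolicy>"""

SAMPLE_BASE = f"""<TrustFrameworkPolicy xmlns="{NS}" PolicyId="B2C_1A_TrustFrameworkBase">
  <ClaimsProviders><ClaimsProvider><TechnicalProfiles>
    <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
      <Metadata>
        <Item Key="SignUpTarget">SignUpWithLogonEmailExchange</Item>
        <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item>
      </Metadata>
    </TechnicalProfile>
  </TechnicalProfiles></ClaimsProvider></ClaimsProviders>
</TrustFrameworkPolicy>"""

if __name__ == "__main__":
    # Placeholder GUIDs stand in for the two recorded Application (client) IDs.
    ext = substitute_placeholders(SAMPLE_EXTENSIONS, "contosotenant",
                                  "11111111-1111-1111-1111-111111111111",
                                  "22222222-2222-2222-2222-222222222222")
    print("leftover placeholders:", leftover_placeholders(ext) or "none")
    print(add_upn_output_claim(SAMPLE_RELYING_PARTY, "signInNames.emailAddress"))
    print(disable_local_signup(SAMPLE_BASE))
```

Running leftover_placeholders over every file in LocalAccounts before the upload step catches the file that was skipped; the upload itself succeeds with the placeholder still in place, and the failure only appears later when the login-NonInteractive profile calls the wrong client id.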
