Enables your organization to automate different B2C deployment tasks.
Content
Tasks
Ensure B2C IEF setup
This task ensures all IEF requirements are in place in order to work with custom policies.
It will execute the following steps as described in the Get started with custom policies in Azure Active Directory B2C article.
- Add signing and encryption keys (it will not create the Facebook key)
- Register Identity Experience Framework applications
Task inputs
Field | Required | Description | Group
--- | --- | --- | ---
Azure AD B2C Connection | Yes | The connection to the target B2C tenant |
IEF app name | Yes | The name of the application interfacing with the directory |
IEF app ID variable name | No | The name of the variable to assign the value of the IEF app ID (client ID) |
Proxy IEF app name | Yes | The name of the application proxying the IEF app as a client |
Proxy IEF app ID variable name | No | The name of the variable to assign the value of the Proxy IEF app ID (client ID) |
Tokens signing key container name | Yes | The name of the container holding the token signing keys |
Tokens encryption key container name | Yes | The name of the container holding the token encryption keys |
Extensions app object ID variable name | No | When specified, the task assigns the value of the extensions app object ID to the specified variable | Extensions
Required permissions
Application | Scope | Minimum
--- | --- | ---
Microsoft Graph | Application.ReadWrite.All | X
Microsoft Graph | Directory.ReadWrite.All |
Manage B2C policy key container
This task allows you to manage policy key containers in the Identity Experience Framework area of your tenant.
Task inputs
Field | Required | Description | On actions
--- | --- | --- | ---
Azure AD B2C Connection | Yes | The connection to the target B2C tenant |
Action | Yes | The type of action to execute for the container. Accepted options: Generate a key, Manually set a key, Install from Key Vault and Delete |
Skip if key is already created | No | Check to indicate the key should not be applied when the container already exists |
Key container name | Yes | The name of the container to target for the action | All
Key type | Yes | The type of key to generate. Options: Secret or RSA | Generate a key
Key value | Yes | The value of the key to be created | Manually set a key
Key usage | Yes | The use for the key. Options: Signature or Encryption | Generate a key, Manually set a key
Azure connection | Yes | The Azure subscription connection for the Key Vault instance | Install from Key Vault
Key Vault name | Yes | The Key Vault name or resource identifier | Install from Key Vault
Certificate name | Yes | The name of the certificate in Key Vault | Install from Key Vault
Required permissions
For the B2C app registration:
Application | Scope | Minimum
--- | --- | ---
Microsoft Graph | TrustFrameworkKeySet.ReadWrite.All | X

IMPORTANT - The Azure connection service principal should have Get access to the secrets on the Key Vault instance.
Manage B2C user attributes
Allows you to manage the extension user attributes for the tenant. The task only creates attributes: existing attributes will not be deleted from the tenant when they are removed from this task.
If an attribute already exists it will not be dropped and recreated.
Changing the type of an attribute after it has been created is not supported. The attribute has to be manually deleted in order to re-create it.
IMPORTANT - The attributes created through this task are only available when using custom policies. They will not be supported or displayed in the User attributes section of the Azure AD B2C management blade in the Azure portal. If your intention is to use an attribute in User flows, do not use this task.
Task inputs
Field | Required | Description
--- | --- | ---
Azure AD B2C Connection | Yes | The connection to the target B2C tenant
User custom attributes | Yes | Line separated user attributes in the format `<attribute-name>\|<attribute-type>`

- attribute-name: only alphanumeric characters.
- attribute-type: valid values are Boolean, DateTime, Integer and String.

The field editor can be used for validation and a better experience entering the values.
Required permissions
Application | Scope | Minimum
--- | --- | ---
Microsoft Graph | Application.ReadWrite.OwnedBy | X
Microsoft Graph | Application.ReadWrite.All |
Manage B2C app registration
This task allows you to create and update an app registration to identify clients for user authentication and authorization flows. It also allows you to manage non Azure AD B2C compatible app registrations used to execute actions against the directory from a management application.
Task inputs
Field | Required | Description | Group
--- | --- | --- | ---
Azure AD B2C Connection | Yes | The connection to the target B2C tenant |
Application Name | Yes | The name of the application |
Create app with compatibility | Yes | Options: Azure AD B2C (creates the application for B2C clients) or Azure AD (creates the application for administration purposes). This value is only used on creation; it does not update an existing registration. |
Application is native client | No | Check if the application is to be used from native clients |
Web Redirect URIs | No | Line separated redirect URIs that can be used for authorize requests | Web Authentication
Logout URI | No | The URI used to log the user out from the client | Web Authentication
Allow implicit grant ID Tokens | No | Enables issuing ID tokens for the implicit grant flow | Web Authentication
Allow implicit grant access tokens | No | Enables issuing access tokens for the implicit grant flow | Web Authentication
SPA Redirect URIs | No | Line separated redirect URIs to be used for SPAs under the Authorization Code Flow with PKCE | SPA Authentication
Bundle IDs | Yes | Line separated list of bundle IDs to serve as redirect URIs for the client application | iOS Authentication
Package name/Signature hash pairs | Yes | Line separated list of package and signature hash in the format `<package-name>:<base64-encoded-signature-hash>`. The editor can be used to validate the entries. | Android Authentication
Permissions | Yes | Line separated list of permissions in the format `<application-api>\|<scope>\|<type>`, e.g. `Microsoft Graph\|openid\|delegated`. Accepted values for type are delegated and application. The editor can be used to enter the values. | API permissions
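As an added example that is not part of the extension, the following Python validator checks the two line-separated inputs described on this page before a pipeline runs them: the User custom attributes format `<attribute-name>|<attribute-type>` of the Manage B2C user attributes task and the Permissions format `<application-api>|<scope>|<type>` of this task. It enforces the rules the page states (alphanumeric names, the four attribute types, delegated or application permission types); rejecting duplicate attribute names is an extra check of my own, and all sample inputs are constructed.

```python
import re
from typing import Dict, List, Tuple

# Rules taken from the task descriptions on this page.
ATTRIBUTE_TYPES = {"Boolean", "DateTime", "Integer", "String"}
PERMISSION_TYPES = {"delegated", "application"}
NAME_RE = re.compile(r"^[A-Za-z0-9]+$")  # "only alphanumeric characters"


def split_rows(raw: str, sep: str, fields: int) -> List[List[str]]:
    """Split a line-separated input into rows. Blank lines are skipped; a row with
    the wrong number of non-empty parts is rejected with its line number."""
    rows: List[List[str]] = []
    for lineno, line in enumerate(raw.splitlines(), start=1):
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split(sep)]
        if len(parts) != fields or any(not p for p in parts):
            raise ValueError(
                f"line {lineno}: expected {fields} fields separated by {sep!r}: {line!r}"
            )
        rows.append(parts)
    return rows


def parse_user_attributes(raw: str) -> Dict[str, str]:
    """Validate '<attribute-name>|<attribute-type>' lines and return name -> type.
    Duplicate names are rejected (an added check; the page does not state it)."""
    attrs: Dict[str, str] = {}
    for name, kind in split_rows(raw, "|", 2):
        if not NAME_RE.match(name):
            raise ValueError(f"attribute name must be alphanumeric: {name!r}")
        if kind not in ATTRIBUTE_TYPES:
            raise ValueError(f"unknown attribute type {kind!r} for {name}")
        if name in attrs:
            raise ValueError(f"duplicate attribute {name}")
        attrs[name] = kind
    return attrs


def parse_permissions(raw: str) -> List[Tuple[str, str, str]]:
    """Validate '<application-api>|<scope>|<type>' lines and return (api, scope, type) tuples."""
    perms: List[Tuple[str, str, str]] = []
    for api, scope, ptype in split_rows(raw, "|", 3):
        if ptype not in PERMISSION_TYPES:
            raise ValueError(f"permission type must be delegated or application: {ptype!r}")
        perms.append((api, scope, ptype))
    return perms
```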
Required permissions
Application | Scope | Minimum
--- | --- | ---
Microsoft Graph | Application.ReadWrite.OwnedBy | X
Microsoft Graph | Application.ReadWrite.All |
Microsoft Graph | Directory.ReadWrite.All |
Manage B2C app secret
This task allows you to create client secrets on an app registration, to be used to authenticate the application or users when using the authorization_code flow. Since a secret is only returned when it is created, the secret has to be persisted as a Key Vault secret to secure it and make it available later to consuming applications.
Task inputs
Field | Required | Description | Group
--- | --- | --- | ---
Azure AD B2C Connection | Yes | The connection to the target B2C tenant |
Application name | Yes | The name of the application where the secret is managed |
Secret name | Yes | The display name of the secret |
Skip when already created | No | When checked, the secret generation will not occur. Default value is true. |
Expires in | No | The validity period length for the secret. Default value is 1 year. |
Azure connection | Yes | The connection to the Azure subscription hosting the Key Vault instance | Secret storage
Key Vault name | Yes | The Key Vault instance name | Secret storage
Vault secret name | Yes | The name of the secret in Key Vault | Secret storage
Enable generating secret before expires | No | When checked and the release executes within the specified range before expiration, a new secret is created | Advanced
Number of days before expiration | No | The number of days before the expiration day within which a new secret is re-generated | Advanced
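To make the interplay of the Skip when already created, Expires in and Advanced inputs concrete, here is an added Python model of that decision (my own illustration, not the extension's code). It assumes a 365-day year for the default Expires in value and reads the inputs literally: with the Advanced rotation window disabled and the skip flag on, an existing secret is left alone even once it has expired, which is the reason to enable the window in a long-lived release pipeline.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

ONE_YEAR = timedelta(days=365)  # assumed length of the page's default "Expires in" of 1 year


def secret_expiry(created: datetime, expires_in: timedelta = ONE_YEAR) -> datetime:
    """Expiry of a secret created at `created` with the given validity period."""
    return created + expires_in


def days_until_expiry(existing_expiry: datetime, now: datetime) -> int:
    """Whole days left on the existing secret; negative once it has expired."""
    return (existing_expiry - now).days


def should_create_secret(
    existing_expiry: Optional[datetime],
    now: datetime,
    skip_when_already_created: bool = True,   # page default: true
    regenerate_before_expiry: bool = False,   # "Enable generating secret before expires"
    days_before_expiration: int = 0,          # "Number of days before expiration"
) -> bool:
    """Decide whether this release run should mint a new client secret.

    Order of evaluation (modelled from the task inputs as this page describes them):
    1. no existing secret -> create;
    2. rotation window enabled and `now` is within `days_before_expiration` of expiry
       (or past it) -> create, regardless of the skip flag;
    3. otherwise the skip flag decides.
    """
    if existing_expiry is None:
        return True
    if regenerate_before_expiry:
        if days_before_expiration < 0:
            raise ValueError("days before expiration must be >= 0")
        window_start = existing_expiry - timedelta(days=days_before_expiration)
        if now >= window_start:
            return True
    return not skip_when_already_created


if __name__ == "__main__":
    # Constructed sample: secret created 2023-09-01, pipeline runs on 2024-06-01.
    expiry = secret_expiry(datetime(2023, 9, 1, tzinfo=timezone.utc))
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    print(days_until_expiry(expiry, now), "days left; rotate now with 120-day window:",
          should_create_secret(expiry, now, regenerate_before_expiry=True, days_before_expiration=120))
```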
Required permissions
Application | Scope | Minimum
--- | --- | ---
Microsoft Graph | Application.ReadWrite.OwnedBy | X
Microsoft Graph | Application.ReadWrite.All |
Deploy B2C policies
This task allows you to upload custom policies to your tenant.
Custom policies to upload can be specified individually or by folder. Any violation will be reported as an error when the policy is uploaded.
Task inputs
Field | Required | Description
--- | --- | ---
Azure AD B2C Connection | Yes | The connection to the target B2C tenant
Root Directory | No | The root folder from which the task starts looking for the policy files. If not specified, the artifacts folder for the release is used.
Policies | Yes | The list of files, or the pattern used to match the files
Required permissions
Application | Scope | Minimum
--- | --- | ---
Microsoft Graph | Policy.ReadWrite.TrustFramework | X
Create a connection to your B2C tenant
Register an application
- Sign in to the Azure portal.
- Switch to the directory containing your Azure AD B2C tenant.
- Access the Azure AD B2C service.
- Select App registrations (Preview) and then select New Registration.
- Enter the name for your registration, e.g. B2C Deployments.
- Under Supported account types select Accounts in this organizational directory only.
- Select Register.
- In the Overview section copy the Application (client) ID. We will need this value later.
- In the Overview section copy the Directory (tenant) ID. We will need this value later.
Add permissions for the application
In order for the extension to execute the provided tasks, permissions need to be granted to the application. Each task may require a different set of permissions.
- In the Azure B2C service blade in Azure portal, within App registrations (Preview) select the application you created to enable deployments.
- Under Manage select API permissions.
- Select Add a permission.
- Under Microsoft APIs, select Microsoft Graph.
- Select Application permissions.
- Refer to the specific permissions required by each task.
Create client secret for the application
Client secret is required for Azure DevOps to communicate with your B2C tenant in a secure way. Follow these steps to create a secret:
- In the Azure B2C service blade in Azure portal, within the App registrations (Preview) select the application you created to enable deployments.
- Under Manage, select Certificates & secrets.
- In the Client secrets section select New client secret.
- Enter the description for the secret, select the appropriate expiration time span according to your organization's policies and then select Add.
- Before leaving this screen copy the secret Value. We will need this value later. If you leave this screen without copying this value you will not be able to retrieve it; in such case you will need to create another secret following these same steps.
Create B2C Connection in Azure DevOps
Once the app registration has been created we can create the service connection in our Azure DevOps team project.
- Go to your Azure DevOps team project (https://dev.azure.com/your-organization/your-team-project).
- Select Project settings, then under Pipelines select Service connections.
- Select New service connection.
- Select the Azure AD B2C Tenant connection type and select Next.
- In the Tenant ID field paste the Directory (tenant) ID value we copied earlier from the Azure portal.
- In the Client ID field paste the Application (client) ID value we copied earlier from the Azure portal.
- In the Client Secret field paste the application secret we copied earlier from the Azure portal.
- Select Save. After this we are ready to start using the tasks contained in this extension!