How to authorize developer accounts by using Azure Active Directory B2C in Azure API Management

Azure Active Directory B2C is a cloud identity management solution for consumer-facing web and mobile applications. You can use it to manage access to your API Management developer portal.

In this tutorial, you'll learn the configuration required in your API Management service to integrate with Azure Active Directory B2C.

For an overview of options to secure the developer portal, see Secure access to the API Management developer portal.

Important

  • This article has been updated with steps to configure an Azure AD B2C app using the Microsoft Authentication Library (MSAL).
  • If you previously configured an Azure AD B2C app for user sign-in using the Azure AD Authentication Library (ADAL), we recommend that you migrate to MSAL.

Prerequisites

Configure sign up and sign in user flow

In this section, you'll create a user flow in your Azure Active Directory B2C tenant containing both sign up and sign in policies. For detailed steps, see Create user flows and custom policies in Azure Active Directory B2C.

  1. In the Azure portal, access your Azure Active Directory B2C tenant.
  2. Under Policies, select User flows > + New user flow.
  3. On the Create a user flow page, select the Sign up and sign in user flow. Select the Recommended version and then select Create.
  4. On the Create page, provide the following information:
    1. Enter a unique name for the user flow.
    2. In Identity providers, select Email signup.
    3. In User attributes and token claims, select the following attributes and claims that are needed for the API Management developer portal.
      • Collect attributes: Given Name, Surname

      • Return claims: Given Name, Surname, Email Addresses, User’s ObjectID

        Screenshot of attributes and claims in the portal

  5. Select Create.

Configure identity provider for developer portal

  1. In a separate Azure portal tab, navigate to your API Management instance.

  2. Under Developer portal, select Identities > + Add.

  3. In the Add identity provider page, select Azure Active Directory B2C. Once selected, you'll be able to enter other necessary information.

    • In the Client library dropdown, select MSAL.
    • To add other settings, see steps later in the article.
  4. In the Add identity provider window, copy the Redirect URL.

    Screenshot of the redirect URL in the portal.

  5. Return to the browser tab for your Azure Active Directory B2C tenant in the Azure portal. Select App registrations > + New registration.

  6. In the Register an application page, enter your application's registration information.

    • In the Name section, enter an application name of your choosing.
    • In the Supported account types section, select Accounts in any organizational directory (for authenticating users with user flows). For more information, see Register an application.
    • In Redirect URI, select Single-page application (SPA) and paste the redirect URL you saved from a previous step.
    • In Permissions, select Grant admin consent to openid and offline_access permissions.
    • Select Register to create the application.

    Screenshot of registering a new application in the portal.

  7. On the app Overview page, find the Application (client) ID and copy the value to the clipboard.

    Screenshot of the Overview page in the portal.

  8. Switch back to the API Management Add identity provider page and paste the ID into the Client Id text box.

  9. Switch back to the B2C app registration. Select Certificates & secrets > + New client secret. Screenshot of creating a client secret in the portal.

    • In the Add a client secret page, enter a Description and select Add.
    • Record the Value in a safe location. This secret value is never displayed again after you leave this page.
  10. Switch back to the API Management Add identity provider page, and paste the key into the Client secret text box.

  11. Continuing on the Add identity provider page:

    • In Signin tenant, specify the domain name of the Azure Active Directory B2C tenant.

    • The Authority field lets you control the Azure Active Directory B2C login URL to use. Set the value to <your_b2c_tenant_name>.b2clogin.cn.

    • Specify the Sign-up Policy and Sign-in Policy using the name of the user flow you created in a previous step.

    • Optionally provide the Profile Editing Policy and Password Reset Policy.

      Screenshot of the Active Directory B2C identity provider configuration in the portal.

  12. After you've specified the desired configuration, select Add.

  13. Republish the developer portal for the Azure AD B2C configuration to take effect. In the left menu, under Developer portal, select Portal overview > Publish.

After the changes are saved, developers will be able to create new accounts and sign in to the developer portal by using Azure Active Directory B2C.

Migrate to MSAL

If you previously configured an Azure AD B2C app for user sign-in using the ADAL, you can use the portal to migrate the app to MSAL and update the identity provider in API Management.

Update Azure AD B2C app for MSAL compatibility

For steps to update the Azure AD B2C app, see Switch redirect URIs to the single-page application type.

Update identity provider configuration

  1. In the left menu of your API Management instance, under Developer portal, select Identities.
  2. Select Azure Active Directory B2C from the list.
  3. In the Client library dropdown, select MSAL.
  4. Select Update.
  5. Republish your developer portal.

Developer portal - add Azure Active Directory B2C account authentication

Important

You need to republish the developer portal when you create or update Azure Active Directory B2C configuration settings for the changes to take effect.

In the developer portal, sign-in with Azure Active Directory B2C is possible with the Sign-in button: OAuth widget. The widget is already included on the sign-in page of the default developer portal content.

  1. To sign in by using Azure Active Directory B2C, open a new browser window and go to the developer portal. Select Sign in.

  2. On the Sign in page, select Azure Active Directory B2C.

    Screenshot of signing in to developer portal.

  3. You're redirected to the signup policy that you configured in the previous section. Choose to sign up by using your email address in the Active Directory B2C tenant.

When the signup is complete, you're redirected back to the developer portal. You're now signed in to the developer portal for your API Management service instance.

Sign in to developer portal complete

Although a new account is automatically created whenever a new user signs in with Azure Active Directory B2C, you may consider adding the same widget to the signup page.

The Sign-up form: OAuth widget represents a form used for signing up with OAuth.

Next steps