Blog | G5 Cyber Security

Azure AD B2C Cross-Tenant Access

TL;DR

This guide shows you how to let users created in your Azure Active Directory (AD) B2C tenant access resources in a different Azure AD directory. We’ll use Conditional Access Policies and Guest Invitations.

Prerequisites

Step 1: Register an Application in Your Resource Directory

This application will represent B2C users when accessing resources.

  1. In your resource directory (the tenant *with* the resources), go to Azure Active Directory > App registrations.
  2. Click New registration.
  3. Give it a name (e.g., ‘B2C Access App’).
  4. Under Supported account types, select Accounts in this organizational directory only.
  5. Add a redirect URI. This is important: use a placeholder such as https://localhost for now; you can change it later to the URI your application actually uses.
  6. Click Register.

Step 2: Grant API Permissions to the Application

Give the application permission to access the resources you want to share.

  1. In your resource directory, go to your newly created app registration.
  2. Click API permissions.
  3. Click Add a permission.
  4. Select Microsoft Graph or the specific API representing your resources.
  5. Choose the necessary permissions (e.g., ‘User.Read’, ‘Files.ReadWrite.All’). Select both Delegated and Application permissions as needed.
  6. Click Add permissions.
  7. Click Grant admin consent for [Your Tenant Name]. This is crucial!

Step 3: Create a Guest Invitation in Your Resource Directory

Invite the B2C tenant as a guest to your resource directory.

  1. In your resource directory, go to Azure Active Directory > Guests.
  2. Click New guest invitation.
  3. Enter the email address of your B2C tenant administrator (e.g., admin@yourb2ctenant.onmicrosoft.com).
  4. Add a message if you like.
  5. Click Send.

Step 4: Configure Conditional Access Policy in Your Resource Directory

Control access based on the B2C tenant membership.

  1. In your resource directory, go to Azure Active Directory > Security > Conditional Access.
  2. Click New policy.
  3. Give it a name (e.g., ‘B2C User Access’).
  4. Assignments:
    • Users or workload identities: Select All users, then exclude your regular tenant users (e.g., by group). This ensures the policy only applies to guest users from B2C.
    • Cloud apps or actions: Select the application you registered in Step 1.
  5. Conditions:
    • Configure any other conditions as needed (e.g., location, device platform).
  6. Access controls:
    • Select Grant access and choose the appropriate grant control (e.g., require multi-factor authentication).
  7. Click Create.
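Steps 3 and 4 as one script, again an added example that is not part of the original post, run in the resource tenant with the Microsoft Graph PowerShell SDK. The guest email address is the one the guide uses; the Step 1 client ID, the group holding your regular users, and the emergency-access account are placeholders. The emergency-access exclusion is an assumed best practice the guide does not mention. Note that includeApplications takes the application (client) ID of the Step 1 registration, not its object ID, and that the policy is created in report-only mode so its effect can be checked in the sign-in logs before it is enforced.

```powershell
# Added example (not from the original post): Steps 3 and 4 with the Microsoft Graph
# PowerShell SDK, run in the RESOURCE tenant. Values marked placeholder are assumptions.
$B2CAdminEmail       = "admin@yourb2ctenant.onmicrosoft.com"                        # from Step 3
$B2CAccessAppId      = "<client ID of the Step 1 app registration>"                 # placeholder
$InternalUsersGroup  = "<object ID of the group holding your regular tenant users>" # placeholder
$BreakGlassAccountId = "<object ID of an emergency-access account>"                 # placeholder (assumed best practice)

Connect-MgGraph -Scopes "User.Invite.All", "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Step 3: guest invitation. The redirect URL is where the invitee lands after redeeming.
$invite = New-MgInvitation -InvitedUserEmailAddress $B2CAdminEmail `
    -InviteRedirectUrl "https://myapps.microsoft.com" `
    -SendInvitationMessage `
    -InvitedUserMessageInfo @{ CustomizedMessageBody = "Access to shared resources" }
"Invited guest object ID: $($invite.InvitedUser.Id)"

# Step 4: Conditional Access policy. Start in report-only mode and review the sign-in
# logs before switching State to "enabled", so a mis-scoped policy cannot lock anyone out.
$policy = @{
    DisplayName = "B2C User Access"
    State       = "enabledForReportingButNotEnforced"
    Conditions  = @{
        Users = @{
            IncludeUsers  = @("All")
            ExcludeGroups = @($InternalUsersGroup)      # guide: exclude regular tenant users
            ExcludeUsers  = @($BreakGlassAccountId)     # never lock out emergency access
        }
        Applications = @{
            IncludeApplications = @($B2CAccessAppId)    # the Step 1 app (client ID)
        }
    }
    GrantControls = @{
        Operator        = "OR"
        BuiltInControls = @("mfa")                      # guide: require multi-factor authentication
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Verify the stored scope before enforcing: the wrong app ID or a missing exclusion
# is the usual cause of a policy that hits everyone or no one.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{ n = "Apps";       e = { $_.Conditions.Applications.IncludeApplications -join "," } },
        @{ n = "ExclGroups"; e = { $_.Conditions.Users.ExcludeGroups -join "," } }
```

Once the report-only results look right, switch the policy to enforced with Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State "enabled".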

Step 5: Configure Your B2C Application to Request Access

Modify your B2C application to request access tokens for the resource directory.

  1. In your B2C tenant, go to App registrations.
  2. Select your application.
  3. Click Authentication.
  4. Add a redirect URI if needed (matching Step 1).
  5. Under API permissions, click Add a permission.
  6. Select the API representing your resources in the resource directory.
  7. Choose the necessary permissions.
  8. Click Add permissions.

Step 6: Test Access

Sign in to your B2C application and verify access to the resources.

  1. Sign in with a user from your B2C tenant.
  2. Your application should now be able to request an access token for the resource directory using the client ID and secret of the app registration you created in Step 1.
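The Step 6 check written as a script, an added example that is not part of the original post. It runs from the application side with the client ID and secret from Step 1, requests a token from the resource tenant with the client credentials grant, and inspects the token's claims before the resource is called. The tenant ID and client ID are placeholders; the resource is assumed to be Microsoft Graph, matching the permission examples in Step 2.

```powershell
# Added example (not from the original post): the Step 6 test as a script. Placeholders
# are assumptions; the resource is assumed to be Microsoft Graph.
$ResourceTenantId = "<resource tenant ID>"                              # placeholder
$ClientId         = "<client ID from Step 1>"                           # placeholder
$ClientSecret     = Read-Host -Prompt "Client secret" -AsSecureString   # prompt rather than embed the secret
$Scope            = "https://graph.microsoft.com/.default"              # .default = every permission consented in Step 2

# Client credentials grant against the RESOURCE tenant's v2.0 token endpoint.
$body = @{
    client_id     = $ClientId
    client_secret = [System.Net.NetworkCredential]::new("", $ClientSecret).Password
    scope         = $Scope
    grant_type    = "client_credentials"
}
$response = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$ResourceTenantId/oauth2/v2.0/token" `
    -ContentType "application/x-www-form-urlencoded" -Body $body

# Decode the JWT payload (base64url) to inspect claims. This is inspection only:
# the resource API validates the signature before trusting any of these values.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $segment = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($segment.Length % 4) { 2 { $segment += '==' } 3 { $segment += '=' } }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($segment)) | ConvertFrom-Json
}

$claims = ConvertFrom-JwtPayload -Token $response.access_token

# Checks worth making before calling the resource: the token must come from the
# resource tenant (not the B2C tenant), be addressed to the resource, and still be valid.
$checks = [ordered]@{
    "Issued by resource tenant"   = ($claims.tid -eq $ResourceTenantId)
    "Audience is Microsoft Graph" = ($claims.aud -in @("https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"))
    "Expires in the future"       = ([DateTimeOffset]::FromUnixTimeSeconds($claims.exp) -gt [DateTimeOffset]::UtcNow)
}
$checks.GetEnumerator() | ForEach-Object { "{0,-28} {1}" -f $_.Key, $_.Value }

# The roles claim lists the application permissions consented in Step 2; anything
# unexpected here means the consent step granted more than intended.
"Granted application roles: $($claims.roles -join ', ')"
```

An app-only token carries a roles claim and no scp claim, so the delegated permission from Step 2 (User.Read in the guide's example) will not appear here; delegated permissions only take effect in tokens obtained with a signed-in user. When you call the resource afterwards, pick an endpoint covered by one of the listed roles.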