Power Apps Portal - Configure Azure AD Provider in Azure B2C

It is recommended that you no longer use Local Login authentication for Power Apps Portal but instead use Azure Active Directory B2C to provide this type of authentication. See Migrate identity providers to Azure AD B2C.

Configuring the B2C providers is fairly straightforward using the new preview interface (see Configure the Azure Active Directory B2C provider). For now, make sure you navigate to the preview version of the Maker portal to access this: https://make.preview.powerapps.com/.

For this article my goals were the following:

  • Set the existing Azure AD and Local Login configuration as deprecated authentication mechanisms within the portal to migrate the users to B2C.
  • Allow users to authenticate to B2C using Azure AD or Google, or to create a local B2C account.

Original log in screen

Deprecate Old Providers

Once I had run through the instructions for configuring the Azure B2C authentication I then had to mark the Local Login and Azure AD authentication methods as deprecated. This ensures that when existing users log into the Portal using those methods, they will then be asked to migrate their account to B2C.

Account Migration

Deprecation of the old providers can be done through the Portal Management model app within the Site Settings.

Set Local Login Authentication as Deprecated

The site setting for deprecating local authentication was already in my site settings, so I set the value to true.
Deprecate Local Login

Name Value
Authentication/Registration/LocalLoginDeprecated true

Set Azure AD Authentication as Deprecated

In order to deprecate other providers you need to create the site settings for them and set the value to true. The format for these setting names is:
Authentication/[protocol]/[provider]/Deprecated

Deprecate Azure AD Authentication

Name Value
Authentication/OpenIdConnect/AzureAD/Deprecated true

Google Identity Provider

Setting up the Google identity provider was easy and the instructions provided worked without any issues. See Set up sign-up and sign-in with a Google account using Azure Active Directory B2C.

Azure AD Provider

The instructions for Adding an Azure Active Directory provider to Azure Active Directory B2C work, but there were a few items missing to get it working correctly with Power Apps Portal.

If you don't complete the additional steps you will end up with users in your B2C who do not have an email address assigned to them. Additionally, the person's email, first name and last name will not be passed to the portal, which will result in the following error screen when new users attempt to register.
Email field is required

The first thing we need to do after creating the Azure AD provider app registration is to update the token configuration. This will ensure that email, first name, and last name are included correctly in the token.

  • Navigate to the directory in the Azure Portal where your Azure AD lives.
  • Create the app registration for the Azure AD Identity provider using the instructions found [here](https://docs.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-single-tenant?pivots=b2c-user-flow)
  • Under Manage click Token configuration
  • Click Add optional claim button
  • Select the Token type of ID
  • Click the check boxes next to email, family_name, given_name
  • Click the Add button
  • You will receive a message that the optional claims will require additional API permissions. Click the Turn on the Microsoft Graph email permission (required for claims to appear in token) checkbox and click the Add button.
    Token configuration

Next we must ensure that the API permissions that were added have admin consent.

  • Under Manage click the API permissions
  • Click Grant admin consent for button
  • Click Yes when asked to grant admin consent
    Grant Admin Consent

I also found issues where the B2C configuration redirect URI used the tenant id instead of the domain name, so I also added an extra URI for that address.

Finally we need to update the Sign In/Sign Up user flow created during the B2C Portal setup.

  • Navigate to the directory in the Azure Portal where your Azure B2C lives.
  • Within Azure services click on Azure AD B2C
  • Under the policies area click User flows
  • You should see 2 user flows. Select the one containing the text signupsignin
    Select User Flow
  • Click on Identity providers and ensure that you have selected the new Identity providers you have created. After selecting them click the Save button.
    Choose Identity providers
  • Click on Application claims and select the Display Name, Email Addresses, Given Name, and Surname attributes then click the Save button.
    Select Application claims

Now when a user attempts to register using your AD provider the email, first name and last name will all be passed to the Portal and show up on the profile page after the user has logged in.
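To confirm that the Azure AD provider's ID token actually carries the claims the portal needs (the cause of the "Email field is required" screen above), here is an added Python check, not part of the original post, that decodes a token payload and reports which of email, given_name and family_name are missing. The tokens are constructed, unsigned samples and the code deliberately does not verify signatures; it is an inspection aid, not an authentication step.

```python
import base64
import json

# Claims the Power Apps Portal needs from the Azure AD identity provider token
# (added via Token configuration in the app registration and Application
# claims in the B2C user flow).
REQUIRED_CLAIMS = ("email", "given_name", "family_name")


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_payload(token: str) -> dict:
    """Return the payload of a compact JWT. The signature is NOT verified:
    this only inspects which claims the token carries."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def missing_portal_claims(token: str) -> list:
    """List the required portal claims that are absent or empty in the token."""
    payload = decode_jwt_payload(token)
    return [claim for claim in REQUIRED_CLAIMS if not payload.get(claim)]


def make_unsigned_token(payload: dict) -> str:
    """Build a constructed, unsigned JWT (alg=none) for offline demonstration only."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed sample: the ID token before the optional claims are configured
TOKEN_BEFORE = make_unsigned_token({"sub": "example-user", "name": "Jane Example"})
# Constructed sample: the ID token after email, given_name and family_name are added
TOKEN_AFTER = make_unsigned_token({"sub": "example-user", "name": "Jane Example",
                                   "email": "jane@example.com",
                                   "given_name": "Jane", "family_name": "Example"})

if __name__ == "__main__":
    for label, tok in (("before", TOKEN_BEFORE), ("after", TOKEN_AFTER)):
        missing = missing_portal_claims(tok)
        print(f"{label}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```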

B2C Login Page
Profile Page After Login

Invitation Info

One thing I discovered through all this was that the Invitation system still works correctly after moving to B2C. I was able to create Invitations for contacts and redeem those invitations with the B2C provider in the exact same manner I did with the other providers.
