---
title: Authorize developer accounts by using Azure Active Directory B2C
titleSuffix: Azure API Management
description: Learn how to authorize users by using Azure Active Directory B2C in API Management.
services: api-management
documentationcenter: API Management
author: miaojiang
manager: cfowler
editor: ''
ms.service: api-management
ms.workload: mobile
ms.tgt_pltfrm: na
ms.topic: article
ms.date: 11/04/2019
ms.author: apimpm
---
Azure Active Directory B2C is a cloud identity management solution for consumer-facing web and mobile applications. You can use it to manage access to your developer portal. This guide shows you the configuration that's required in your API Management service to integrate with Azure Active Directory B2C. For information about enabling access to the developer portal by using classic Azure Active Directory, see How to authorize developer accounts using Azure Active Directory.
> [!NOTE]
> To complete the steps in this guide, you must first have an Azure Active Directory B2C tenant in which to create an application. You also need sign-up and sign-in policies ready. For more information, see Azure Active Directory B2C overview.
[!INCLUDE premium-dev-standard.md]
1. To get started, sign in to the Azure portal and locate your API Management instance.

   > [!NOTE]
   > If you haven't yet created an API Management service instance, see Create an API Management service instance in the Get started with Azure API Management tutorial.

2. Under Identities, click +Add at the top. The Add identity provider pane appears on the right. Choose Azure Active Directory B2C.
3. Copy the Redirect URL.
4. In a new tab, access your Azure Active Directory B2C tenant in the Azure portal and open the Applications blade.
5. Click the Add button to create a new Azure Active Directory B2C application.
6. In the New application blade, enter a name for the application. Choose Yes under Web App/Web API, and choose Yes under Allow implicit flow. Then paste the Redirect URL copied in step 3 into the Reply URL text box.
7. If you're using the new developer portal (not the legacy developer portal), include the Given Name, Surname, and User's Object ID in the application claims.
8. Click the Create button. When the application is created, it appears in the Applications blade. Click the application name to see its details.
9. From the Properties blade, copy the Application ID to the clipboard.
10. Switch back to the API Management Add identity provider pane and paste the ID into the Client Id text box.
11. Switch back to the B2C app registration, click the Keys button, and then click Generate key. Click Save to save the configuration and display the App key. Copy the key to the clipboard.
12. Switch back to the API Management Add identity provider pane and paste the key into the Client Secret text box.
13. Specify the domain name of the Azure Active Directory B2C tenant in Signin tenant.
14. The Authority field lets you control the Azure AD B2C login URL to use. Set the value to <your_b2c_tenant_name>.b2clogin.com.
15. Specify the Signup Policy and Signin Policy from the B2C Tenant policies. Optionally, you can also provide the Profile Editing Policy and Password Reset Policy.
16. After you've specified the desired configuration, click Save.
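The settings entered in the Add identity provider pane (Client Id, Signin tenant, Authority, and the policy names) together with the Reply URL registered on the B2C application determine the OpenID Connect endpoints the developer portal will talk to. The following Python is an added example, not code from this article or from API Management itself; it builds the standard B2C metadata and implicit-flow authorization URLs from those settings and runs a few consistency checks a reviewer would want before clicking Save. The tenant name, client id, policy names, and redirect URL are constructed placeholders, and the exact authorization request API Management sends is an assumption based on the standard B2C implicit flow, not something the article specifies.

```python
from urllib.parse import urlencode, urlparse

# Constructed placeholder values mirroring the Add identity provider fields.
# None of these are real tenant or application identifiers.
CONFIG = {
    "client_id": "00000000-0000-0000-0000-000000000000",   # Application ID copied from B2C
    "signin_tenant": "contosob2c.onmicrosoft.com",         # Signin tenant
    "authority": "contosob2c.b2clogin.com",                # Authority
    "signup_policy": "B2C_1_signup",                       # Signup Policy
    "signin_policy": "B2C_1_signin",                       # Signin Policy
    "redirect_url": "https://contoso-apim.developer.azure-api.net/signin-aad",  # Redirect URL
}


def metadata_url(cfg, policy):
    """OpenID Connect discovery document for one B2C policy (user flow).
    This is the standard B2C metadata URL shape for b2clogin.com authorities."""
    return (f"https://{cfg['authority']}/{cfg['signin_tenant']}/{policy}"
            "/v2.0/.well-known/openid-configuration")


def implicit_authorize_url(cfg, policy, nonce, state):
    """Authorization request for the implicit flow (response_type=id_token),
    which is why 'Allow implicit flow' must be Yes on the B2C app registration.
    nonce and state must be unpredictable, per-request values supplied by the caller:
    nonce binds the returned id_token to this request, state protects the callback
    against cross-site request forgery. The parameter set is an assumption."""
    base = f"https://{cfg['authority']}/{cfg['signin_tenant']}/{policy}/oauth2/v2.0/authorize"
    params = {
        "client_id": cfg["client_id"],
        "response_type": "id_token",
        "redirect_uri": cfg["redirect_url"],
        "response_mode": "form_post",
        "scope": "openid",
        "nonce": nonce,
        "state": state,
    }
    return base + "?" + urlencode(params)


def check_config(cfg, registered_reply_urls):
    """Return a list of problems found; an empty list means the settings are consistent.
    registered_reply_urls is the list of Reply URLs on the B2C application."""
    problems = []
    if not cfg["authority"].endswith(".b2clogin.com"):
        problems.append("authority should be <your_b2c_tenant_name>.b2clogin.com")
    parsed = urlparse(cfg["redirect_url"])
    if parsed.scheme != "https":
        problems.append("redirect URL must use https")
    # B2C matches the redirect_uri against the registered Reply URL exactly,
    # so a trailing slash or different host is a mismatch, not a near miss.
    if cfg["redirect_url"] not in registered_reply_urls:
        problems.append("redirect URL is not registered as a Reply URL (exact match required)")
    for key in ("signup_policy", "signin_policy"):
        # Portal-created user flows are named B2C_1_...; custom policies B2C_1A_...
        if not cfg[key].startswith("B2C_1"):
            problems.append(f"{key} does not look like a B2C policy name")
    return problems


if __name__ == "__main__":
    for p in (CONFIG["signup_policy"], CONFIG["signin_policy"]):
        print(metadata_url(CONFIG, p))
    print(check_config(CONFIG, [CONFIG["redirect_url"]]))
```

Fetching the two metadata URLs from a browser is a quick way to confirm that the Authority, Signin tenant, and policy names agree before saving; a wrong policy name or tenant domain returns an error page rather than a JSON document. The exact-match check on the redirect URL reproduces the comparison B2C performs, so it catches the common mistake of registering the Reply URL with a trailing slash or a different host.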
After the changes are saved, developers will be able to create new accounts and sign in to the developer portal by using Azure Active Directory B2C.
In the developer portal, sign-in with AAD B2C is possible with the Sign-in button: OAuth widget. The widget is already included on the sign-in page of the default developer portal content.
Although a new account will be automatically created whenever a new user signs in with AAD B2C, you may consider adding the same widget to the sign-up page.
The Sign-up form: OAuth widget represents a form used for signing up with OAuth.
> [!IMPORTANT]
> You need to republish the portal for the AAD changes to take effect.
[!INCLUDE api-management-portal-legacy.md]
1. To sign up for a developer account by using Azure Active Directory B2C, open a new browser window and go to the developer portal. Click the Sign up button.
2. Choose to sign up with Azure Active Directory B2C.
3. You're redirected to the signup policy that you configured in the previous section. Choose to sign up by using your email address or one of your existing social accounts.

   > [!NOTE]
   > If Azure Active Directory B2C is the only option that's enabled on the Identities tab in the publisher portal, you'll be redirected to the signup policy directly.
When the signup is complete, you're redirected back to the developer portal. You're now signed in to the developer portal for your API Management service instance.
- Azure Active Directory B2C overview
- Azure Active Directory B2C: Extensible policy framework
- Use a Microsoft account as an identity provider in Azure Active Directory B2C
- Use a Google account as an identity provider in Azure Active Directory B2C
- Use a LinkedIn account as an identity provider in Azure Active Directory B2C
- Use a Facebook account as an identity provider in Azure Active Directory B2C