I registered a Spring-Boot application on Azure AD B2C and by default, all users under the tenant on Azure AD B2C will have access to this application. How can I limit access for only a few selected users or groups? I want user A to access application A and user B to access application B. I've found how to do this on Azure AD, but not on Azure AD B2C.
2 Answers
You can use Conditional Access both for user flows and custom policies, depending on which you’re using.
Once you’ve enabled it, set up a policy that applies to the appropriate app and excludes specific user(s) or groups and set it to block. That will block all other users or users not in the selected groups from accessing that app.
Note, it can take a while (sometimes an hour or more) for the conditional access policy to kick in when first created.
This is not available out of the box, unlike Microsoft Entra ID (formerly Azure AD); however, there are ways to achieve this with some supporting infrastructure.
These suggestions work both with custom policies, via REST API technical profiles, and with user flows, using the "before sending the token" API connector.
Hold a mapping of client ID, user ID, and role(s) in an external database, e.g., a SQL DB. Upon successful sign-in, get the user's roles and add them to the JWT before sending it to the relying-party application, which should validate the token and the required roles. Note, if you use custom policies you could stop the user and show a block screen in Azure AD B2C.
Although not surfaced in the UI, you can still use Microsoft Graph to add RBAC assignments and read them at sign-in. This is a bit more complex, but you can find samples of this by:
Both of these implementations require an API to read/write roles to persistent storage (i.e., a database or directory).
Your app could also call a data source to get the roles a user has and decide what to do with the user. Usually this sits nicely within the OnTokenValidated Microsoft Identity Web event.
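The mapping-and-lookup approach described in this answer, as an added example that is not from the original post: a Python handler for the "before sending the token" API connector call that checks the connector's Basic credentials, looks up (client_id, objectId) in a constructed role table, and returns either a Continue response carrying the roles as an extension claim or a ShowBlockPage response for users with no assignment. The role table, the credential values and the `extension_Roles` attribute name are assumptions; the custom attribute must exist in the B2C tenant for the claim to land in the token.

```python
import base64
import hmac
from typing import Dict, List, Tuple

# Constructed mapping of (client_id, user objectId) -> roles. In practice this
# lives in the external database the answer describes (assumption).
ROLE_ASSIGNMENTS: Dict[Tuple[str, str], List[str]] = {
    ("app-a-client-id", "11111111-1111-1111-1111-111111111111"): ["reader", "admin"],
    ("app-b-client-id", "22222222-2222-2222-2222-222222222222"): ["reader"],
}

# Basic-auth credentials configured on the API connector (placeholder values).
CONNECTOR_USER = "b2c-connector"
CONNECTOR_PASSWORD = "replace-with-a-secret"


def basic_auth_header(user: str, password: str) -> Dict[str, str]:
    """Build the Authorization header B2C sends when Basic auth is configured."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def authorized(headers: Dict[str, str]) -> bool:
    """Constant-time check of the Basic credentials presented by B2C."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return False
    try:
        presented = base64.b64decode(auth[6:]).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    return hmac.compare_digest(presented, f"{CONNECTOR_USER}:{CONNECTOR_PASSWORD}")


def handle_before_token(headers: Dict[str, str], body: dict) -> Tuple[int, dict]:
    """Return (http_status, response_json) for a 'before sending the token' call."""
    if not authorized(headers):
        return 401, {"error": "unauthorized"}
    client_id = body.get("client_id")
    object_id = body.get("objectId")
    if not client_id or not object_id:
        # A non-200 response makes B2C treat the connector call as failed.
        return 400, {"error": "client_id and objectId are required"}
    roles = ROLE_ASSIGNMENTS.get((client_id, object_id), [])
    if not roles:
        # No assignment for this app: stop sign-in with a block page.
        return 200, {"version": "1.0.0", "action": "ShowBlockPage",
                     "userMessage": "You are not assigned to this application."}
    # Assigned: continue and add the roles as a custom (extension) claim.
    return 200, {"version": "1.0.0", "action": "Continue",
                 "extension_Roles": ",".join(roles)}
```

The relying party must still validate the token signature, audience and the `extension_Roles` claim before authorizing a request.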