AADB2C PowerShell Module
The PowerShell Gallery

Azure AD Business to Consumer (B2C) is a very flexible and powerful identity platform. It allows you to completely control the user experience for your customer- and partner-facing applications. See About Azure AD B2C for more info.

Over the last year and a half or so we have implemented Azure AD B2C for a number of customers. Over the next couple of days / weeks I will be posting a number of blogs with some of the tips and tricks we learned along the way. I will also be sharing some example scripts, policies and PowerShell modules we have developed.

This blog is part of a series on setting up Azure AD B2C automated deployments. Also see: Creating a new Azure AD B2C tenant and Setup Identity Experience Framework.

Did you know of the existence of the PowerShell Gallery? I find it really handy. After you create a PowerShell module you can upload it there, and then when you get to a new computer all you need to do is run "Install-Module <your module name>" and it will automatically find and download it. This is what we have done with our AADB2C PowerShell module. You can install it by just running: Install-Module AADB2C.

We also published the source code with some documentation on GitHub, so if you have any comments, update requests or anything else please let us know there. The source code for the Azure AD B2C PowerShell module can be found here. This module works in both PowerShell 5.0 and PowerShell 6.0 and will therefore run on Windows, Mac and Linux. No additional modules are required. This module uses the Azure AD B2C REST API to manage B2C policies from the PowerShell command line or from Azure DevOps. See here for the API specification.

This module requires you to authenticate using a service principal (its application ID), a secret and the tenant ID. To create a service principal using the Az module, run the following commands:

# Az.Resources provides the New-AzAdServicePrincipal cmdlet
Import-Module Az.Resources

# Sign in to the B2C tenant (not your regular Azure AD tenant)
Connect-AzAccount -TenantId '<Your B2C tenantId>'

# Use a long, randomly generated secret; it is the service principal's password
$Secret = '<Secret>'
$ServicePrincipalName = '<ServicePrincipal>'

# Password credential valid from now until the same day/month in 2024
$credentials = New-Object Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential -Property @{ StartDate = Get-Date; EndDate = Get-Date -Year 2024; Password = $Secret }

# Creates the app registration and the service principal; note the ApplicationId in the output
New-AzAdServicePrincipal -DisplayName $ServicePrincipalName -PasswordCredential $credentials

After this you will need to authorize your service principal for the Microsoft Graph application permission "Read and write your organization's trust framework policies".

To do that, open the regular Azure AD portal:

  1. Open App registrations (Legacy).
  2. Select "All apps" and find the app (or service principal) that you just created.
  3. Go to Settings, click Required permissions and click Add.
  4. Click Select an API and choose Microsoft Graph.
  5. Click Select permissions and select "Read and write your organization's trust framework policies".
  6. Click Add and then click Grant permissions.

You can then write an upload script along these lines:

[Screenshot of the upload script; image not available in this copy]

The ClientID is the application ID of the service principal that you just created. The script reads your XML-based IEF policies and then uploads them one by one.

Finally, before we move on to the next blog post, add the application ID of the service principal to the JSON file that we have been using in the other blog posts:

{
    "DEV": {
        "B2C_TENANT": "FortigiB2CDemo.onmicrosoft.com",
        "B2C_TENANTID": "9eee23e3-5c63-4777-8b56-c91cbf665cae",
        "B2C_IEF_APPLICATIONID": "232f8e66-38d9-418c-a6e0-f676d23582a5",
        "B2C_IEF_PROXY_APPLICATIONID": "24109baf-ab87-493e-9a7c-fffe87d77014",
        "B2C_TOKEN_SIGNINGKEYCONTAINER": "TokenSigningKeyContainer",
        "B2C_TOKEN_ENCRYPTIONKEYCONTAINER": "TokenEncryptionKeyContainer",
        "B2C_SERVICEPRINCIPALID": "9c2b3cda-acae-47ef-8975-d03bf6f686e6"
    },
    "TST": {....}
}
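As an added example (this is not the script from the screenshot above nor the AADB2C module's own code), the following script does what the post describes for the "something like this" step: it reads the environment block from the JSON file above, obtains a client-credentials token for the service principal created earlier, and uploads each XML IEF policy one by one. It calls the Microsoft Graph trustFramework REST endpoint directly rather than the module's cmdlets. Assumed, and not from the post: the file names config.json and the .\policies folder, the B2C_SP_SECRET environment variable holding the secret, the {{KEY}} placeholder convention inside the policy XML, and the base-before-extensions upload order.

```powershell
# Added example: upload IEF policies with the service principal from this post.
# Assumptions (not from the post): config.json in the shape shown above, the
# secret in $env:B2C_SP_SECRET, policies under .\policies, and {{KEY}}
# placeholders in the XML that map to keys of the environment block.
param(
    [string]$Environment = 'DEV',
    [string]$ConfigPath  = '.\config.json',
    [string]$PolicyPath  = '.\policies'
)

$config = (Get-Content $ConfigPath -Raw | ConvertFrom-Json).$Environment
if (-not $config) { throw "Environment '$Environment' not found in $ConfigPath" }

# Keep the secret out of the script and out of the JSON file; pipelines can
# inject it as a secret variable.
$secret = $env:B2C_SP_SECRET
if (-not $secret) { throw 'Set B2C_SP_SECRET to the service principal secret.' }

# Client-credentials token for Microsoft Graph. The application permission
# granted in the portal ("Read and write your organization's trust framework
# policies", Policy.ReadWrite.TrustFramework) is what authorises the PUT below.
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$($config.B2C_TENANTID)/oauth2/v2.0/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{
        client_id     = $config.B2C_SERVICEPRINCIPALID
        client_secret = $secret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }

# IEF policies inherit from each other, so the base policy must exist before the
# extensions, and both before any relying-party policy. File names are assumed.
$order = @('TrustFrameworkBase.xml', 'TrustFrameworkExtensions.xml')
$files = Get-ChildItem -Path $PolicyPath -Filter '*.xml' |
    Sort-Object -Property @{ Expression = {
        $i = [array]::IndexOf($order, $_.Name)
        if ($i -lt 0) { 99 } else { $i }
    } }, 'Name'

foreach ($file in $files) {
    $xml = Get-Content -Path $file.FullName -Raw

    # Replace {{KEY}} placeholders (assumed convention) with values from the
    # environment block, e.g. {{B2C_IEF_APPLICATIONID}}.
    foreach ($prop in $config.PSObject.Properties) {
        $xml = $xml.Replace("{{$($prop.Name)}}", [string]$prop.Value)
    }

    # The PolicyId attribute of the root element names the policy in the tenant.
    $policyId = ([xml]$xml).TrustFrameworkPolicy.PolicyId
    if (-not $policyId) { throw "No PolicyId found in $($file.Name)" }

    Write-Host "Uploading $policyId from $($file.Name)"
    Invoke-RestMethod -Method Put -Headers $headers `
        -Uri "https://graph.microsoft.com/beta/trustFramework/policies/$policyId/`$value" `
        -ContentType 'application/xml' -Body $xml | Out-Null
}
```

Run it as `.\Upload-B2CPolicies.ps1 -Environment DEV` after setting B2C_SP_SECRET; a 401 or 403 from the PUT usually means the trust framework permission was granted but admin consent was not, or the token was requested against the wrong tenant ID.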
