Using Azure B2C for multiple Domain based users

[LukeDuffy98]

Hi

I am having issues trying to progress learner into the lti assignment. I have set up the course and added modules from MS learn without issue.

As a learner when i go to complete the work by clicking in the link

I then receive the following error

The user is signed in via Azure AD B2C Connect. The user is in a different tenant than our moodle.

If I use oidc OpenID Connect I receive an error
AADSTS50020

Sorry, but we’re having trouble signing you in.

AADSTS50020: User account 'bree@XXXonmicrosoft.com' from identity provider 'https://sts.windows.net/00000-8edb-4464-8adc-4611b76ffab1/' does not exist in tenant 'xxx' and cannot access the application 'xxxx-4ed0-4534-b51d-8850917a2dc2'(AAD Moodle) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

The App registration is set up as multitenant

Short of adding every user as a guest account I dont know how to get past this issue.

Thanks

[leestott]

@LukeDuffy98 So the issue is the Learn LTI application is using the AAD to validate the user.

From what I understand the students are in a different AAD?

If this is the case you will need to assign all the users permissions to the app https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/assign-user-or-group-access-portal

[LukeDuffy98]

Thanks Lee

I think the issue here is also connected to this one:
microsoft/o365-moodle#1738

It appears that all users must exist as a regular or guest in my AAD to use the tool.
Is that correct ?

[leestott]

@LukeDuffy98 what extension are you using for moodle? I would recommend the OpenID Connect extension to allow AAD user to auth to Moodle

see https://moodle.org/plugins/auth_oidc#:~:text=The%20OpenID%20Connect%20plugin%20provides%20single-sign-on%20functionality%20using,Moodle%20and%20other%20OpenID%20Connect%20providers%20as%20well.

[LukeDuffy98]

Hi Lee

That's the plugin I am using. For good measure I just reinstalled it.

For my own sanity s it true that all users must exist as a regular or guest in my AAD to use the tool ??

I'm not sure if I am trying to make something happen that just wont work.

Thanks again

[leestott]

@LukeDuffy98 so typically if you have two AAD which aren't related but want to auth users on a single app you would use Azure B2C on the App https://azure.microsoft.com/services/active-directory/external-identities/b2c/#overview you would then simply point your App Auth to use the B2C connector.. Is this what your doing?

A Diag would help explain what your trying to do.

[leestott]

@LukeDuffy98 see https://moodle.org/mod/forum/discuss.php?d=388317 you will need to install the Learn LTI Application into the Azure B2C so that the app can give access to the users of each AAD.. At present it looks like you have the app installed within only one tenant so users in the other tenant do not have access to the app.

[LukeDuffy98]

Thanks Lee

I am having a look now, but it seems I am back to the same issue when I try to access the LTI tool. Logging in is ok

[LukeDuffy98]

Hi Lee

I don't know what I am missing to make B2C work with LTI.
Does it work with B2C and LTI ? If so do you have any step by steps I can follow ?

Thanks

[leestott]

@LukeDuffy98 So which Dir is the App and App Service principal installed in?

You need to register the Learn LTI in your B2C see https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications?tabs=app-reg-ga

[LukeDuffy98]

Hi Lee

I have tried for a few days now to see if I can make it work, but still no joy.

The app and the app service principals are in the same directory.

At a high level the steps are :

1. Create a new Azure B2C tenant
2. Create and assign subscription to new tenant
3. create new global admin user
4. register web app for auth and add client secret etc
5. run the run,bat file to deploy the LTI tool, signing in to the new B2C tenant
6. configure LTI tool as per instructions

At this point any users in the B2C tenant can use the LTI tool no problem. Anyone outside still gets the error "Selected user account does not exist in tenant"

I would really love some help to solve this.

Thanks again

[leestott]

@LukeDuffy98
Have you followed the guidance at https://docs.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-single-tenant?pivots=b2c-user-flow#create-an-azure-ad-app to setup the app?
See Azure-Samples/active-directory-b2c-advanced-policies#19 for more details

the Stackoverflow explains the issues with app registrations and domains https://stackoverflow.com/questions/64365648/aadsts50020-user-account-does-not-exist-in-tenant

[leestott]

@LukeDuffy98
The issue is the Learn LTI Application is registered within the AAD Tenant so only users within that Tenant have access to those resources https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals and you need to setup Application multitenant identity https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/

In this guidance, we'll look specifically at using Azure AD for identity management.

If you have on-premises Active Directory you can use Azure AD Connect to sync your on-premises Active Directory with Azure AD. If your on-premises Active Directory cannot use Azure AD Connect (due to corporate IT policy or other reasons), the SaaS provider can federate with the customer's directory through Active Directory Federation Services (AD FS). see https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant

[leestott]

@LukeDuffy98
There are two main options here.

1. Add the user to the tenant:

In this case you have to add the user to the tenant that the application is hosted in. You can follow this document https://docs.microsoft.com/en-us/azure/active-directory/b2b/b2b-quickstart-add-guest-users-portal#add-a-new-guest-user-in-azure-ad to add the user abc@outlook.com as a Guest User to the tenant. And then you have to grant access to the application https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/methods-for-assigning-users-and-groups#assign-users for the said user.

2. Make the application as a Multi-Tenant Application:

You can convert the application to accept users from multiple tenants. see https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant
In this way you can give access to users who are not in your tenant without having to add them to the tenant where the application is in. This document describes the between Single and Multi-Tenant Applications. Another good read http://www.andrewconnell.com/blog/azure-ad-what%E2%80%99s-the-difference-between-single-vs-multi-tenant on the same.

[leestott]

@LukeDuffy98

OK so you simply need to edit this file
https://github.com/microsoft/Learn-LTI/blob/main/client/src/Core/Auth/AppAuthConfig.ts

Line 11 authority: https://login.microsoftonline.com/${process.env.REACT_APP_EDNA_TENANT_ID},

to authority: https://login.microsoftonline.com/common/${process.env.REACT_APP_EDNA_TENANT_ID},

see https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant for other details