Connect to EntraID B2C
EmpowerID offers a connector specifically designed for EntraID B2C integration. Administrators can utilize this connector to establish a seamless connection between EmpowerID and their EntraID B2C system. This connection creates an account store within the EmpowerID Identity Warehouse, serving as a central hub for configuring how EmpowerID manages identity information within the EntraID B2C system.
Prerequisites
- Administrative access to the EntraID B2C.
- Administrative access to EmpowerID.
Step 1 - Gathering Necessary Information & Configuring the B2C Tenant
Configure the B2C Tenant
Before you begin creating an Account Store and connecting to a B2C tenant, the following steps must be completed in the client environment. Read the overview document to understand the components and how they work, which will give you more insight into the relevance of the steps.
tip
Necessary permissions are automatically configured during the microservice deployment from EmpowerID. The information below is for administrative and troubleshooting purposes only. Please skip if you only want to create an account store.
-
Register an App in B2C Tenant:
- An application should be registered with the client Azure as a B2C tenant.
-
Create a Certificate:
- Generate a certificate from the Azure application that you created. This certificate needs to be uploaded to EmpowerID for configuration purposes. It will be used to authenticate requests from EmpowerID to the application. The certificate will be stored in a key vault located in the B2c tenant where the SCIM Microservice is deployed in Azure.
-
Assign Application Roles and Permissions:
- Roles: The Help Desk Administrator role should be enabled. This role, which involves managing and supporting user-related issues within the EntraID B2C environment, should be configured in the EntraID B2C tenant.
- Graph API Permissions: Please also provide the permissions that should be enabled for the Graph API in the app created for the EntraID B2C Tenant. The list of permissions is provided below.
Details
- AuditLog.Read.All
- Directory.Read.All
- Group.Create
- Group.Read.All
- Group.ReadWrite.All
- offline_access
- openid
- User.EnableDisableAccount.All
- User.Export.All
- User.Invite.All
- User.ManageIdentities.All
- User.Read.All
- User.ReadWrite.All
- UserAuthenticationMethod.Read.All
- UserAuthenticationMethod.ReadWrite.All
Gather Necessary Information
To configure EntraID B2C in EmpowerID, you'll need the following information ready for configuration.
| Attribute | Component | Description |
|---|---|---|
| Azure App Service URL | SCIM Microservice Deployed in Azure | This attribute refers to the URL of the SCIM (System for Cross-domain Identity Management) microservice endpoint hosted on Azure App Service. The URL is provided by the EmpowerID DevOps teams and points to where the microservice is deployed. This URL does not include the prefix v1.0 as part of the path. |
| Application ID | The client application configured in the microservice tenant to access the microservice. | This attribute refers to the Application ID of the client application that is configured in the microservice's tenant. This Application ID is used to grant the client application access to the SCIM microservice. The Application ID is provided by the DevOps teams, and it is essential for authentication and authorization purposes. |
| Azure App Certificate Thumbprint | SCIM Microservice Deployed in Azure | This attribute refers to the thumbprint of the certificate used by the SCIM microservice deployed in Azure. The thumbprint is a unique identifier of the certificate that is required to establish secure communication between the client application and the microservice. The client application, which is configured in the microservice tenant, uses this thumbprint to access the microservice securely. The DevOps teams provide this thumbprint. |
| B2C App Service Tenant ID | B2C App Service Tenant ID | The B2C App Service Tenant ID is the unique identifier for a specific Azure B2C instance. It can be retrieved by accessing the Azure B2C instance associated with the client's tenant. |
| EntraID B2C Tenant FQDN | B2C tenant FQDN. | EntraID B2C Tenant FQDN typically refers to the tenant name or the UPN suffix of the client's B2C tenant in Azure. This Fully Qualified Domain Name (FQDN) uniquely identifies the B2C tenant within the Azure environment. |
Step 2 – Create an account store for EntraID B2C
Once you have set up Azure and published the EmpowerID EntraID B2C SCIM microservice to your Azure tenant, you need to connect EmpowerID to the tenant. This connection allows the tenant's user and group information to be managed and synchronized within EmpowerID.
- Log in to the EmpowerID portal.
- On the navbar, expand Admin → Applications and Directories and click Account Stores and Systems.
- Select the Account Stores tab and click on the Create Account Store link.
- Search for and select the EntraID B2C SCIM account store from the System Types menu, then click Submit.
- Provide the following information for the account store and click Submit:
- Account Store Name: Provide a unique and descriptive name for the account store.
- Azure App Service URL: URL for the Microservice EndPoint of EID.( do not prefix v1.0)
- Application ID: The client application configured in the microservice tenant to access the microservice.
- Azure App Certificate Thumbprint: Upload the certificate to the EID portal and provide its thumbprint.
- B2C App Service Tenant ID: The ID of the tenant where the microservice is deployed.
- EntraID B2C Tenant FQDN: The fully qualified domain name (FQDN) of the B2C tenant.
EmpowerID creates the EntraID B2C account store and the associated resource system. The next step is to verify the resource system parameters match your tenant information.
Step 3 – Verify Resource System Parameters
tip
Please note that the values for ApplicationID, AuthCertificateThumbprint, and TenantID are encrypted and that you will not see the values in the user interface.
-
Navigate to Admin > Applications and Directories > Account Stores and Systems and select the Account Stores tab.
-
Search for the EntraID B2C SCIM account store you created and click the Account Store link for it.
-
On the Account Store and Resource System page that appears, select the Resource System tab and expand the Configuration Parameters accordion.
-
Verify the following parameters are correct:
| Configuration Item | Description |
|---|---|
| AccessTokenUrl | URL endpoint for obtaining an access token from the EntraID tenant where the microservice is deployed. |
| AuthorizationProviderFullAssemblyName | Fully qualified assembly name of the authentication provider for the microservice. |
| AuthorizationProviderType | Type of the authorization provider for the microservice. |
| AuthorizationUrl | URL for token authorization. |
| AzureAppID | Application ID in Azure configured to access the microservice. |
| AzureTenantID | Tenant ID where the microservice is deployed. |
| certificateThumbPrint | Thumbprint of the certificate configured for accessing the microservice. |
| CreateGroupUrl | URL for creating a new group in the microservice. |
| CreateOrUpdateGroupJsonTemplate | JSON template for creating or updating a group. |
| CreateOrUpdateUserJsonTemplate | JSON template for creating or updating a user. |
| CreateUserUrl | URL for creating a new user in the microservice. |
| ExternalSysSupportGetDeleted | Indicates whether the microservice supports querying deleted items. |
| ExternalSystemSupportIncrementalMember | Indicates whether the microservice supports incremental membership inventory. |
| GetAllDeletedGroupsUrl | URL for retrieving all deleted groups from the microservice. |
| GetAllDeletedUsersUrl | URL for retrieving all deleted users from the microservice. |
| GetDeleteorUpdateGroupByIdUrl | URL for retrieving, deleting, or updating a group by its ID. |
| GetDeleteorUpdateUserByIdUrl | URL for retrieving, deleting, or updating a user by its ID. |
| GetGroupMemberUrl | URL for querying members of a group in the microservice. |
| GetGroupOwnerUrl | URL for querying owners of a group in the microservice. |
| GetNewOrUpdatedGroupsUrl | URL for retrieving newly created or updated groups from the microservice within a specific time range. |
| GetNewOrUpdatedUsersUrl | URL for retrieving newly created or updated users from the microservice within a specific time range. |
| GroupTypeMapping | JSON defining the mapping between source group types and EID’s group types. |
| IdentiityIssuer | Issuer that assigns identities for users created from the EID Portal. |
| IsIncrementalInventory | Indicates whether the microservice supports incremental inventory. |
| IsPagedUsingToken | Indicates if paging supports skipToken. |
| MembershipInboxGroupPageSize | Group page size for membership inventory during initial load. |
| MembershipInboxMemberPageSize | Page size for group inventory during initial load. |
| MembershipInboxParallelProcessingThreshold | Threshold for parallel processing of group membership during initial load. |
| PageSize | Page size used when running a full inventory. |
| QueryGroupsUrl | URL for querying groups in the microservice with pagination support. |
| QueryUsersUrl | URL for querying users in the microservice with pagination support. |
| resetUserPasswordUrl | URL for requesting a password reset for a user in the microservice. |
| Scope | Scope specified when retrieving a token using OAuth authentication. |
| ServiceUrl | Endpoint URL of the microservice. |
- To edit the value of a parameter, click the Edit button for the parameter you want to edit.
- Enter the new value in the Value field and click Save.
After updating the Configuration Parameters, the next step is configuring the Attribute Flow.
Step 4 – Configure Attribute Flow
EmpowerID allows configuring attribute synchronization rules between EntraID B2C and the EmpowerID Identity Warehouse. Attribute flow rules define how attributes are synchronized and can be weighted for prioritization across multiple sources.
Attribute Flow Options
- No Sync: No synchronization occurs between EmpowerID and EntraID B2C.
- Bidirectional Flow: Changes in either system are reflected in the other.
- Account Store Changes Only: Changes made in EntraID sync to EmpowerID but not vice versa.
- EmpowerID Changes Only: Changes made in EmpowerID sync to EntraID but not vice versa.
CRUD Operations
- Create: Creates an attribute if it does not exist.
- Update: Updates an existing attribute.
- Delete: Removes an attribute value.
Configuring Attribute Flow
- Navigate to Account Stores and Systems and locate the newly created EntraID account store.
- Click on the Account Store link.
- Select the Attribute Flow Rules tab.
- Adjust the synchronization direction using the Attribute Flow dropdown.
- Modify CRUD operation scores as needed to prioritize attribute sources. By default, scores are weighted evenly, which means that a change to an attribute originating in one connected external directory has the same authority as a change to an attribute occurring in another connected external directory.
- Save your changes.
info
EmpowerID only considers scores for attribute CRUD operations when multiple account stores with the same user records are connected to EmpowerID, such as would be the case if an HR System and this account store were being inventoried by EmpowerID.
Now that the attribute flow has been set, the next steps include configuring the account store and enabling EmpowerID to inventory it.
Step 5 – Configure Account Store Settings
- Navigate to Admin > Applications and Directories > Account Stores and Systems and select the Account Stores tab.
- Search for the EntraID B2C account store you created and click the Account Store link to navigate to the details page for it.
- Click the Edit (pencil icon) link to put the account store into edit mode.
- Review the account store settings and adjust them as necessary, then click "Save" upon completion.
| Account Store Settings | |
|---|---|
| Setting | Description |
| General Settings | |
| IT Environment Type | Allows you to specify the type of environment in which you are creating the account store. |
| Account Store Type | Allows you to specify the type of account store you are creating. |
| Option 1 Specify an Account Proxy | Allows you to change the credentials for the account that EmpowerID uses to connect to and manage the account store. |
| Option 2 Select a Vaulted Credential as Account Proxy | Allows you to use a credential that you have vaulted in EmpowerID as the account that EmpowerID uses to connect to and manage the account store. |
| Inventoried Directory Server | Allows you to select a connected server as the directory server for the account store. |
| Is Remote (Cloud Gateway Connection Required) | This setting appears for account stores with local directories, such as Active Directory, LDAP, SAP, etc. When enabled, this tells EmpowerID to use the Cloud Gateway Connection for that account store. The Cloud Gateway Connection must be installed on an on-premise machine. For installation information, please see Installing the EmpowerID Cloud Gateway Client. |
| Is Visible in IAM Shop | Specifies whether the account store can be used to filter objects relative to the account store, such as groups, to users searching for resources in the IAM Shop. |
| Authentication and Password Settings | |
| Use for Authentication | Specifies whether user credentials in the external system can be used to authenticate to EmpowerID. |
| Allow Search for User Name in Authentication | This setting works in conjunction with pass-through authentication to allow users to log in without specifying a domain name. When this is enabled, EmpowerID first checks to see if the username entered exists within its Identity Warehouse and if so attempts to authenticate as that user. If a matching logon name exists but the login fails, EmpowerID then searches through all Accounts Stores where simple username search is enabled to find the correct username and password combination. |
| Allow Password Sync | Enables or disables the synchronization of password changes to user accounts in the domain based on password changes for the owning person object or another account owned by the person. This setting does not prevent password changes by users running the reset user account password workflows. |
| Queue Password Changes | Specifies whether EmpowerID sends password changes to the Account Password Reset Inbox for batch processing. |
| Password Manager Policy for Accounts without Person | Specifies the Password Manager Policy to be used for user accounts not joined to an EmpowerID Person. |
| Provisioning Settings | |
| Allow Person Provisioning (Joiner Source) | Specifies whether EmpowerID Persons can be provisioned from user accounts in the account store. |
| Allow Attribute Flow | Specifies whether attribute changes should flow between EmpowerID and the account store. |
| Allow Provisioning (By RET) | Allows or disallows the Resource Entitlement (RET) Inbox process to auto-provision accounts for this domain for users who receive RET policy-assigned user accounts but have not yet had them provisioned. |
| Allow Deprovisioning (By RET) | Allows or disallows the Resource Entitlement Inbox process to auto de-provision accounts for this domain for users who still have RET policy-assigned user accounts, but no longer receive a policy that grants them a user account in the domain. De-provisioning only occurs if the de-provision action on the Resource Entitlement policy is set to De-Provision. |
| Max Accounts per Person | This specifies the maximum number of user accounts from this domain that an EmpowerID Person can have linked to them. This prevents the possibility of a runaway error caused by a wrongly configured Join rule. It is recommended that this value be set to 1 unless users will have more than 1 account and you wish them to be joined to the same person. |
| Business Role Settings | |
| Allow Business Role and Location Re-Evaluation | Specifies whether Business Role and Location re-evaluation should occur for the account store |
| Business Role and Location Re-Evaluation Order | Specifies the order of the account store for re-evaluating Business Roles and locations |
| Inventory Auto Provision OUs as IT System Locations | Specifies whether EmpowerID should automatically provision external OUs as IT System locations |
| Inventory Auto Provision External Roles as Business Roles | Specifies whether EmpowerID should provision Business roles for external account store roles |
| Default Person Business Role | Specifies the default EmpowerID Business Role to be assigned to each EmpowerID Person provisioned from the user accounts in the account store. |
| Default Person Location (leave blank to use account container) | Specifies the default EmpowerID Location to be assigned to each EmpowerID Person provisioned from the user accounts in the account store. |
| Group Settings | |
| Allow Account Creation on Membership Request | Specifies whether EmpowerID creates user accounts in the account store when an EmpowerID Person without one requests membership within a group belonging to the account store. |
| Recertify External Group Membership Additions as Detected | Specifies whether detected additions to group memberships should trigger recertification. |
| SetGroup of Groups to Monitor for Real-Time Recertification | Specifies the SetGroup to be used for monitoring group membership changes. |
| Directory Clean Up Enabled | |
| Directory Clean Up Enabled | Specifies whether the SubmitAccountTermination permanent workflow should claim the account store for processing account terminations. When enabled, accounts in the account store that meet the qualifications to be marked for deletion are moved into a special OU within the external directory, disabled and finally deleted after going through an automated approval process. This process involves setting a number of system settings in EmpowerID and requires multiple approvals by designated personnel before an account is finally removed from the account store. |
| Report Only Mode (No Changes) | When enabled, a report of what the Directory Clean Up process would do is written to the log. The process itself is ignored and all accounts are set to Termination Pending. This setting only appears when Directory Clean Up Enabled is selected. |
| Special Use Settings | |
| Automatically Join Account to a Person on Inventory (Skip Account Inbox) | Specifies whether EmpowerID should attempt to join user accounts in the account store to an existing EmpowerID Person during the inventory process. When enabled, the Account Inbox is bypassed. |
| Automatically Create a Person on Inventory (Skip Account Inbox) | Specifies whether EmpowerID should create new EmpowerID Persons from the user accounts discovered in the account store during the inventory process. When enabled, the Account Inbox is bypassed. |
| Queue Password Changes on Failure | Specifies whether EmpowerID should send password changes to the Account Password Reset Inbox only when the change fails. |
| Create RBAC Item Level Fulfillment Approval | |
| Inventory Settings | |
| Inventory Schedule Interval | Specifies the time span that occurs before EmpowerID performs a complete inventory of the account store. The default value is 10 minutes. |
| Inventory Enabled | Allows EmpowerID to inventory the user information in the account store. |
| Inventory Settings | |
| Inbox Inventory Enabled | Allows EmpowerID to inventory the user information in the account store. |
| Inventory Schedule Interval | Specifies the time span that occurs before EmpowerID performs a complete inventory of the account store. The default value is 10 minutes. |
| Membership Settings | |
| Membership Schedule Interval | Specifies the time span in minutes that occurs before EmpowerID runs the Group Membership Reconciliation job. The default value is 10 minutes. |
| Enable Group Membership Reconciliation | Allows EmpowerID to manage the membership of the account store’s groups, adding and removing user to and from groups based on policy-based assignment rules. |
Step 6 – Enable the Account Inbox Permanent Workflow
- On the navbar, expand Infrastructure Admin > EmpowerID Server and Settings and select Permanent Workflows.
- On the Permanent Workflows page, click the Display Name link for Account Inbox.
- On the Permanent Workflow Details page that appears, click the pencil icon to put the workflow in edit mode.
- Check Enabled.
- Click Save to save your changes.
Step 7 – Enable / Disable Inventory & Component Jobs
The connector includes two additional component jobs, namely GroupOwnershipFullInventory and GroupMembershipFullInventory, in addition to the default inventory job. To ensure the inventory runs properly, follow these steps in the correct order:
- Disable Incremental Inventory
- Set
IsIncrementalInventorytoFalse.
- Disable Component Jobs
- Navigate to the Account Store Details page for the account store.
- Scroll to the Additional Jobs Per System section.
- Click the link under the Display Name column for each component job.
- On the inventory details page for each job, uncheck the Is Enabled checkbox to disable the inventory for that component job.
- Click Save.
- Enable and Execute Default Inventory Job
- Return to the Account Store Details page for the account store.
- Click the Edit link to enter edit mode.
- Select the Inventory tab.
- Enter the job's start and end dates in the Start and Stop fields, respectively.
- Select the desired inventory interval (default is every 10 minutes).
- Check Inventory Enabled.
- Click Save.
- Ensure that the job runs successfully.
- Run Additional Component Jobs
- Run the GroupOwnershipFullInventory and GroupMembershipFullInventory jobs.
- Wait until these component jobs have successfully completed.
- Re-enable Incremental Inventory
- Set
IsIncrementalInventorytoTrue.
- Activate Inventory Functionality
- Ensure all inventory functionalities are active.
By following these steps, you will ensure that the inventory process for the EntraID B2C connector runs smoothly and efficiently.
Monitoring Inventory
You can monitor the inventory of users and groups from the Users and Groups tabs of the Account Store Details page. It generally takes three iterations of the inventory job before it is successful.