Azure AD B2C based single sign-on

Use this guide if you want to configure the Azure AD B2C based single sign-on capability of the WordPress + Microsoft Office 365 / Azure AD plugin.

Azure Active Directory B2C provides business-to-customer identity as a service. Your customers use their preferred social, enterprise, or local account identities to get single sign-on access to your applications and APIs. See https://docs.microsoft.com/en-us/azure/active-directory-b2c/overview for details.

If you are in doubt whether you should configure Azure AD B2C based single sign-on or regular single sign-on, please refer to the plugin's default single sign-on configuration guide.

What you can expect

When you configure the WPO365 | LOGIN plugin to use Azure AD B2C support, the plugin redirects users to the Azure AD B2C endpoint for authorization and to obtain an ID token:

https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/<policy-name>/oauth2/v2.0/authorize

Please note that the plugin currently does not support requesting access tokens (this is especially true if you add social identity providers). Integration with Microsoft Graph for the Azure AD B2C tenant, however, is still possible when you register a new App registration and configure it for app-only integration (see https://docs.wpo365.com/article/101-app-only-integration for details and implementation).

Before you start

  • You have reviewed the installation prerequisites and have installed and activated the WPO365 | LOGIN plugin (see Getting started - Installation).
  • In order to support Azure AD B2C you must have purchased at least the WPO365 | LOGIN+ extension or one of the bundles (WPO365 | SYNC or WPO365 | INTRANET).
  • You are a Global Administrator for your company's Office 365 tenant / Azure AD directory (or you have at least obtained approval for your plans from your company's Global Administrator).
  • You are an Administrator for your WordPress website.
  • Your website uses SSL and the internet address starts with https://.

Important information

When you configure Azure AD B2C based single sign-on (as opposed to regular Azure AD based single sign-on), some capabilities may no longer work as expected, e.g. Microsoft 365 Apps, Roles + Access or User sync.

Whether these capabilities can still be used must be established case by case and may depend on your configuration / customization of Azure AD B2C.

Azure AD B2C

The steps to configure Azure AD B2C are beyond the scope of the WPO365 documentation. The following steps, however, are presented as a reference implementation, with remarks that point out the settings you should verify in your own Azure AD B2C configuration.

When you register your WordPress website in Azure AD B2C you must add your website's address under Redirect URI.

Ensure that on the App registration's Authentication page, under Implicit grant, both the Access tokens and ID tokens check boxes are selected (see https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications?tabs=app-reg-ga#enable-id-token-implicit-grant).

Plugin configuration

Once you have created an Azure AD B2C tenant, registered your WordPress website in that tenant and created at least one user flow, configure the WPO365 | LOGIN plugin to allow users to sign in with Azure AD B2C using your (custom) policy and login form.

  • Go to WordPress Admin > WPO365 > Single Sign-on and click to Show advanced configuration options.
  • Also check the option to Use Azure AD B2C.
  • In another browser tab open Azure Portal and select your Azure AD B2C tenant (see https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-tenant#select-your-b2c-tenant-directory for detailed steps), click All services and search for Azure AD B2C.
  • Click App registrations and search for the App registration that you created when you registered your WordPress website with Azure AD B2C.
  • Go to the application registration's Overview page, copy the Directory ID and paste it into the corresponding field on the plugin's wizard Single Sign-on page in the first browser tab.
  • Repeat the previous step and copy the Application ID and paste it into the corresponding field on the plugin’s wizard Single Sign-on page.
  • Switch back to the browser tab with Azure Portal still open and navigate back up to Azure AD B2C and click Authentication.
  • Ensure that the Redirect URI entered here matches exactly the Redirect URI that you entered, or that was automatically proposed, on the plugin's wizard Single Sign-on page.
  • In the browser tab with Azure Portal open, navigate back up to Azure AD B2C and click Overview.
  • Copy the first segment of the Domain name, e.g. wpo365connect when the domain name shown is wpo365connect.onmicrosoft.com, and paste it into the corresponding field on the plugin's wizard Single Sign-on page.
  • Click User flows, copy the name of the user flow (custom) policy, e.g. B2C_1_signup_signin_1, and paste it into the corresponding field on the plugin's wizard Single Sign-on page.

Sample configuration for Azure AD B2C for WordPress

  • To test the configuration go to WordPress Admin > WPO365 > Plugin self-test and click Start test.

Troubleshooting

Missing password reset policy

When you receive an error similar to the following:

[...] Wpo\Services\Router_Service::route_openidconnect_error -> AADB2C90118: The user has forgotten their password. Correlation ID: [...]

Ensure that you have either disabled the password reset option or added a password reset policy (see https://docs.microsoft.com/en-us/azure/active-directory-b2c/add-password-reset-policy?pivots=b2c-user-flow).

Missing implicit grants

When you receive an error similar to the following:

[...] Wpo\Services\Router_Service::route_openidconnect_error -> AADB2C90057: The provided application is not configured to allow the 'OAuth' Implicit flow. Correlation ID: [...]

Ensure that on the App registration's Authentication page, under Implicit grant, both the Access tokens and ID tokens check boxes are checked (see https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications?tabs=app-reg-ga#enable-id-token-implicit-grant).
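The following script is an added example (not part of the WPO365 plugin) that ties the plugin configuration steps above to the troubleshooting entries: it builds the implicit-flow authorize request for the B2C endpoint shown earlier, checks that the redirect URI is https and matches the App registration exactly, and maps the AADB2C error codes from the log lines to their fix. The tenant name, policy name, client ID and redirect URI used are constructed placeholders.

```python
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoint pattern the plugin redirects to (from the guide); tenant and policy are filled in.
AUTHORIZE_TMPL = "https://{t}.b2clogin.com/{t}.onmicrosoft.com/{p}/oauth2/v2.0/authorize"

# Error codes from the troubleshooting section and the fix each one points to.
KNOWN_ERRORS = {
    "AADB2C90118": "user chose 'forgot password': disable password reset or add a password reset policy",
    "AADB2C90057": "App registration lacks the implicit grant: enable Access tokens and ID tokens",
}


def check_redirect_uri(plugin_uri, registered_uri):
    """The URI the plugin sends must use https and match the App registration byte for byte."""
    if urlparse(plugin_uri).scheme != "https":
        return False, "redirect URI must start with https://"
    if plugin_uri != registered_uri:  # trailing slash and letter case both matter
        return False, "redirect URI does not exactly match the registered Redirect URI"
    return True, "ok"


def build_authorize_url(tenant, policy, client_id, redirect_uri, nonce=None, state=None):
    """Build the implicit-flow request that asks Azure AD B2C for an ID token only."""
    if not re.fullmatch(r"[A-Za-z0-9]+", tenant):
        raise ValueError("tenant is the first segment of <tenant>.onmicrosoft.com, e.g. wpo365connect")
    if urlparse(redirect_uri).scheme != "https":
        raise ValueError("redirect URI must use https")
    params = {
        "client_id": client_id,                      # Application ID from the App registration
        "response_type": "id_token",                 # the plugin does not request access tokens
        "redirect_uri": redirect_uri,
        "response_mode": "form_post",
        "scope": "openid",
        "nonce": nonce or secrets.token_urlsafe(16),  # replay protection, echoed inside the ID token
        "state": state or secrets.token_urlsafe(16),  # CSRF protection, compared on the callback
    }
    return AUTHORIZE_TMPL.format(t=tenant, p=policy) + "?" + urlencode(params)


def authorize_params(url):
    """Return the query parameters of an authorize URL as a flat dict (for inspection)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def classify_b2c_error(error_description):
    """Map an error_description returned by B2C to the remedy from the troubleshooting section."""
    m = re.search(r"AADB2C\d{5}", error_description or "")
    if not m:
        return None, "not an AADB2C error"
    return m.group(0), KNOWN_ERRORS.get(m.group(0), "see the Azure AD B2C error code reference")
```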
