EmpowerID offers a connector specifically designed for Azure AD B2C integration. Administrators can utilize this connector to establish a seamless connection between EmpowerID and their Azure AD B2C system. This connection creates an account store within the EmpowerID Identity Warehouse, serving as a central hub for configuring how EmpowerID manages identity information within the Azure AD B2C system.
Step 1 – Create an account store for Azure AD B2C
Once you have set up Azure and published the EmpowerID Azure AD B2C SCIM microservice to your Azure tenant, you will need to connect EmpowerID to the tenant. This connection will allow that tenant's user and group information to be brought into EmpowerID, where it can be easily managed and synchronized with data in any connected back-end user directories. Please follow the instructions below to create an account store for your organization’s Azure AD B2C instance,
Log in to the EmpowerID portal.
On the navbar, expand Admin → Applications and Directories and click Account Stores and Systems.
Select the Account Stores tab and click on the Create Account Store link.
To continue, please search and choose the Azure AD B2C SCIM account store from the System Types menu. Once selected, click on the submit button.
Please provide the following information related to the account store and click on submit to create the account store.
Account Store Name: Provide a unique and descriptive name for the account store.
Azure App Service URL: URL for the Microservice EndPoint of EID.( do not prefix v1.0)
Application ID: The client application configured in the microservice tenant to access the microservice.
Azure App Certificate Thumbprint: Upload the certificate to the EID portal and provide its thumbprint.
B2C App Service Tenant ID: The ID of the tenant where the microservice is deployed.
Azure AD B2C Tenant FQDN: The fully qualified domain name (FQDN) of the B2C tenant.
EmpowerID creates the Azure AD B2C account store and the associated resource system. The next step is to verify the resource system parameters match your tenant information.
Step 2 – Verify Resource System Parameters
Please note that the values for ApplicationID, AuthCertificateThumbprint, and TenantID are encrypted and that you will not see the values in the user interface.
Navigate to the Account Stores and Systems, and Select the Account Stores tab, as mentioned in the previous step.
Kindly search for and select your previously created account store.
This directs you to the Account Store and Resource System page for the Azure AD account store EmpowerID created for the tenant. This page contains several tabs related to the account store that you can access to view and manage the account store and resource system.
Select the Resource System tab, find and expand the Configuration Parameters accordion at the bottom of the page.
Verify the following parameters are correct for your account store.
Configuration Item
Description
AccessTokenUrl
The URL endpoint for obtaining an access token from Azure AD tenant where the microservice is deployed.
https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token
AuthorizationProviderFullAssemblyName
The fully qualified assembly name of the authentication provider for the microservice.
SCIMAzureB2cConnector, Version=4.0.180.1, Culture=neutral, PublicKeyToken=2d2253f74d4496ef
AuthorizationProviderType
The type of the authorization provider for the microservice.
TheDotNetFactory.Framework.ClassLibrary.AzureB2CSCIMAuthenticationProvider
AuthorizationUrl
The URL for token authorization.
https://login.microsoftonline.com/<tenant>/oauth/v2/authorize
AzureAppID
The client application's App ID in azure that is configured to access the microservice.
AzureTenantID
The ID of the tenant where the microservice is deployed.
certificateThumbPrint
The thumbprint of the certificate configured for accessing the microservice.
CreateGroupUrl
The URL for creating a new group in the microservice.
<MicroService EndPoint>/v1.0/groups
CreateOrUpdateGroupJsonTemplate
The JSON template for creating or updating a group.
{ "urn:ietf:params:scim:schemas:extension:azureAdGroup:2.0:Group": { "securityEnabled": "" }, "type": "", "description": "", "displayName": "", "externalId": "" }
CreateOrUpdateUserJsonTemplate
The JSON template for creating or updating a user.
{ "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:User" ], "name": { "familyName": "", "givenName": "" }, "displayName": "", "emails": [ { "type":"work", "value":"" }, { "type":"other", "value":"" } ], "phoneNumbers": [ { "type":"mobile", "value":"" }, { "type":"work", "value":"" }, { "type":"fax", "value":"" }, { "type":"other", "value":"" } ], "password":"", "externalId":"", "userName":"", "addresses": [ { "type": "work", "streetAddress": "", "locality":"", "region":"", "country":"", "postalCode":"" } ,{"formatted": "","type": "other"} ], "city":"", "state":"", "country":"" }
CreateUserUrl
The URL for creating a new user in the microservice.
<Microservice Endpoint>/v1.0/users
ExternalSysSupportGetDeleted
Indicates whether the microservice supports querying deleted items.Should be set to true if Microservice supports Deleted query. The default value is set to True.
ExternalSystemSupportIncrementalMember
Indicates whether the microservice supports incremental membership inventory. The default value is set to True.
GetAllDeletedGroupsUrl
The URL for retrieving all deleted groups from the microservice.
<MicroService EndPoint>/v1.0/groups/EIDExtension/Deleted?Filter=AuditLogStartTime eq {0} and AuditLogEndTime eq {1}
GetAllDeletedUsersUrl
The URL for retrieving all deleted users from the microservice.
<MicroService EndPoint>/v1.0/Users/EIDExtension/Deleted?Filter=AuditLogStartTime eq {0} and AuditLogEndTime eq {1}
GetDeleteorUpdateGroupByIdUrl
The URL for retrieving, deleting, or updating a group by its ID.
<MicroService Endpoint>/v1.0/Groups/{0}
GetDeleteorUpdateUserByIdUrl
The URL for retrieving, deleting, or updating a user by its ID.
<MicroService Endpoint>/v1.0/Users/{0}
GetGroupMemberUrl
The URL for querying members of a group in the microservice.
<MicroService EndPoint>/v1.0/groups/EIDExtension/MemberQuery/{0}?Count=999
GetGroupOwnerUrl
The URL for querying owners of a group in the microservice.
<MicroService EndPoint>/v1.0/groups/EIDExtension/OwnerQuery/{0}?Count=999
GetNewOrUpdatedGroupsUrl
The URL for retrieving newly created or updated groups from the microservice within a specific time range.
<MicroService EndPoint>/ v1.0/groups/EIDExtension/NewOrUpdated?Filter=AuditLogStartTime eq {0} and AuditLogEndTime eq {1} and AuditLogPageSize eq 300
GetNewOrUpdatedUsersUrl
The URL for retrieving newly created or updated users from the microservice within a specific time range.
<MicroService EndPoint>/v1.0/users/EIDExtension/NewOrUpdated?Filter=AuditLogStartTime eq {0} and AuditLogEndTime eq {1} and AuditLogPageSize eq 300
GroupTypeMapping
JSON that defines the mapping between source group types and the EID’s group types.
{"Unified": "Office 365 Group","Security": "SecurityGlobal"}
IdentiityIssuer
The issuer that assigns identities for users created from the EID Portal.
IsIncrementalInventory
Indicates whether the microservice supports incremental inventory. Default is set to True (Should be set to false when running full inventory).
IsPagedUsingToken
True if paging supports skipToken
MembershipInboxGroupPageSize
Group page size for Membership inventory during initial load
MembershipInboxMemberPageSize
The page size for group inventory during the initial load.
MembershipInboxParallelProcessingThreshold
The threshold for parallel processing of group membership during the initial load.
PageSize
The page size used when running a full inventory.
QueryGroupsUrl
The URL for querying groups in the microservice with pagination support.
<MicroService EndPoint>/v1.0/groups/EIDExtension/Paged{0}
QueryUsersUrl
The URL for querying users in the microservice with pagination support.
<MicroService EndPoint>/v1.0/users/EIDExtension/Paged{0}
resetUserPasswordUrl
The URL for requesting a password reset for a user in the microservice.
/v1.0/users/EIDExtension/PasswordResetRequest
Scope
The scope specified when retrieving a token using OAuth authentication.
ServiceUrl
The endpoint URL of the microservice.
Microservice Endpoint
To edit the value of a parameter, click the Edit button for the parameter you want to edit.
Enter the new value in the Value field and click Save.
After updating the Configuration Parameters, the next step is configuring the Attribute Flow.
Step 3 – Configure Attribute Flow
EmpowerID supports the configuration of attribute synchronization rules for flowing attribute changes between directories and the EmpowerID Identity Warehouse. Attribute Flow rules are visually configured and are always relative to the relationship between an attribute in a directory and the corresponding attribute in the EmpowerID Identity Warehouse. Attribute Flow rules define the specific fields and attributes that are synchronized between the EmpowerID Identity Warehouse person objects and the external user accounts to which they are linked. Additionally, Attribute Flow rules can be weighted by account store. For example, if you have connected EmpowerID to an HR system as well as Active Directory, and you want any changes made to an attribute in the HR system to take priority over changes made in Active Directory or EmpowerID (while allowing changes to be made in any system), you would give a higher score for each CRUD operation originating from the HR account store and correspondingly lower scores for the Active Directory account store. The following flow rules are available: No Sync 🔴 – When this option is selected, no information flows between EmpowerID and the native system. Bidirectional Flow Account Store Changes Only EmpowerID Changes Only The following CRUD operations are available: Create – This operation is used to create an attribute value for an existing attribute when the value of that attribute is null. Update – This operation is used to update the value of an attribute. Delete – This operation is used to delete the value of an attribute. From the Account Stores tab of the Account Stores and Systems page, search for the account store you just created and click the Account Store link for it. Click the Attribute Flow Rules tab to view the current rules for the account store. Please note that the attributes available depend on the account store. To change the flow for an attribute, click the Attribute Flow drop-down located between the Person Attribute column and the External Directory Attribute column, and select the desired flow direction from the context menu. To change the score for any of the available CRUD operations (Create, Update and Delete), enter the new score in the appropriate field. By default, scores are weighted evenly, which means that a change to an attribute originating in one connected external directory has the same authority as a change to an attribute occurring in another connected external directory. EmpowerID only considers scores for attribute CRUD operations when multiple account stores with the same user records are connected to EmpowerID, such as would be the case if an HR System and this account store were being inventoried by EmpowerID.
– When this option is selected, changes made within EmpowerID update the native system and vice-versa. For most attributes, this is the default setting. – When this option is selected, changes can only be made in the native system and are then passed to EmpowerID. – When this option is selected, changes can only be made in EmpowerID and are then passed to the native system.
Now that you have set up the attribute flow in EmpowerID, the next steps involve configuring the account store and enabling EmpowerID to inventory it.