
I have two directories in Azure. The first one contains all the customers of our company, who are registered in Azure Ad B2C. These users must be separated from the other directory, which contains employees in our company. This second directory which I mentioned, also contains resources such as Key Vaults. These key vaults should be accessible for both employees (Directory 2) and for customers (Directory 1).

The idea was to add the users object_id into the access policy of the Key Vault, so that he could only access that specific Key Vault, and not modify any others. But since some of the users (The ones from Directory 1) are located somewhere else, this is not possible.

Does anyone have a beautiful solution for this problem?

1 Answer


Customers who need direct access to your key vault will need to be added as Guest users in your primary tenant (the one with key vault). B2C users cannot be granted access to resources in another tenant. Adding them as Guest users technically makes them "B2B" users. https://docs.microsoft.com/en-us/azure/active-directory/external-identities/b2b-quickstart-add-guest-users-portal

Your other option, depending on your architecture, is to have them access key vault through a lightweight proxy API and use the Graph API to access Key Vault SDK or Graph API to access key vault. This won't allow you to manage access directly in key vault though.

API Options

Authorize B2C users in Web API: https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-web-api-dotnet?tabs=app-reg-ga

Authorize B2C users in Functions App: https://codemilltech.com/adding-azure-ad-b2c-authentication-to-azure-functions/

Key Vault Access Options

C# Azure Key Vault SDK: https://docs.microsoft.com/en-us/azure/key-vault/secrets/quick-create-net

Graph API for Key Vault: https://docs.microsoft.com/en-us/rest/api/keyvault/

The last option of using Graph API also requires an app registration with key vault access in the primary tenant, and you can get a token using the client credentials grant with Microsoft Graph as the scope as described in https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow
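The proxy-API option above hinges on one thing the answer only implies: because Key Vault cannot hold an access policy for a user who lives in the B2C directory, the proxy itself must decide which customer may read which secret, and must never hand the customer a Key Vault token. The following is an added example (not code from the answer or from Microsoft) of that authorization layer in Python. It assumes the API's authentication middleware has already verified the B2C token signature and passes in the decoded claims; the issuer, audience, object ids and secret names are constructed placeholders, and `fetch_secret` stands in for the app registration's own Key Vault read (for example `SecretClient(...).get_secret(name).value` from the azure-keyvault-secrets SDK).

```python
import time
from typing import Callable, Mapping, Optional

# Constructed placeholders: the B2C tenant that issues customer tokens and
# the client id of this proxy API (the token's expected audience).
B2C_ISSUER = "https://contosob2c.b2clogin.com/11111111-1111-1111-1111-111111111111/v2.0/"
API_AUDIENCE = "22222222-2222-2222-2222-222222222222"

# Constructed policy: B2C object id -> secret names that customer may read.
# This is the per-user rule that Key Vault's own access policy cannot express
# for users that live in the separate B2C directory.
CUSTOMER_SECRET_POLICY: Mapping[str, frozenset] = {
    "33333333-3333-3333-3333-333333333333": frozenset({"customer-33-api-key"}),
}


class AuthorizationError(Exception):
    """Raised when a B2C caller is not allowed to read the requested secret."""


def authorize_secret_read(claims: Mapping[str, object], secret_name: str,
                          now: Optional[float] = None) -> str:
    """Check already-signature-verified B2C claims and return the caller's
    object id if it may read `secret_name`. Everything else is denied."""
    now = time.time() if now is None else now
    if claims.get("iss") != B2C_ISSUER:
        raise AuthorizationError("token not issued by the customer B2C tenant")
    if claims.get("aud") != API_AUDIENCE:
        raise AuthorizationError("token not issued for this proxy API")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise AuthorizationError("token expired")
    oid = claims.get("oid") or claims.get("sub")
    allowed = CUSTOMER_SECRET_POLICY.get(oid, frozenset()) if isinstance(oid, str) else frozenset()
    if secret_name not in allowed:
        raise AuthorizationError("caller may not read this secret")
    return oid


def read_secret_for_customer(claims: Mapping[str, object], secret_name: str,
                             fetch_secret: Callable[[str], str]) -> str:
    """Proxy handler body. The customer never receives a Key Vault token: the
    API reads the secret with its own app registration's credential (injected
    as `fetch_secret`) and returns only the value. No write or delete path is
    exposed, so a customer cannot modify this vault or any other."""
    authorize_secret_read(claims, secret_name)
    return fetch_secret(secret_name)
```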