Automate Setting Up Azure AD B2C Identity Experience Framework with Bash

Huy Dam, Tactable Blog
Jun 28, 2024 · 6 min read

[Figure: Custom Policy Diagram explained by Microsoft]

Introduction

Azure AD B2C is a robust solution for managing identities and access for customer-facing applications. It offers customizable authentication flows through the Identity Experience Framework (IEF), though setting up IEF can be complex and requires expertise.

Azure currently offers two authentication solutions: Microsoft Entra ID and Azure AD B2C. As of now, the Identity Experience Framework is exclusively available with Azure AD B2C, providing comparable customization capabilities for customer-facing applications.

For many, Microsoft's tutorial on setting up IEF can be intimidating. Recognizing this, Microsoft created a website to automate the setup, although it occasionally experiences downtime. Meanwhile, the community has developed a repository that automates the setup using PowerShell, which is helpful if you are proficient in PowerShell scripting. However, our customers primarily operate in a Linux environment using Bash. To address this, I have created a Bash version for seamless integration. Explore it here.

Why Use This Script?

  • Scalability: Manually managing Azure AD B2C is unscalable for multiple instances. Automating the setup reduces effort and errors.
  • Efficiency: Automation saves time and minimizes errors, enhancing workflow efficiency.
  • Bash Alternative: This solution caters to users more comfortable with Bash than PowerShell.
  • Consistent Environment: Using VSCode DevContainer ensures consistent performance across environments.
  • Security: To safeguard against leaking Azure tenant names and secrets, we dynamically replace these elements within the script using xmlstarlet, enhancing security and maintaining confidentiality.
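To show what the "dynamic replacement" in the Security bullet amounts to, here is an added example (not the repository's script, which uses xmlstarlet) that does the same XML-aware substitution with Python's standard library so it runs without xmlstarlet. The template is a constructed, minimal TrustFrameworkExtensions fragment carrying the placeholders Microsoft's tutorial asks you to replace by hand; the tenant name and app IDs passed in are assumptions. It also includes the pre-upload check a practitioner wants: no placeholder may survive in the rendered policy.

```python
import xml.etree.ElementTree as ET

# Azure AD B2C custom-policy namespace used by the starter-pack policies.
NS = "http://schemas.microsoft.com/online/cpim/schemas/2013/06"
ET.register_namespace("", NS)

# Constructed template: the placeholders that must never reach the tenant as-is.
TEMPLATE = f"""<TrustFrameworkPolicy xmlns="{NS}" PolicySchemaVersion="0.3.0.0"
  TenantId="yourtenant.onmicrosoft.com" PolicyId="B2C_1A_TrustFrameworkExtensions"
  PublicPolicyUri="http://yourtenant.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions">
  <BasePolicy>
    <TenantId>yourtenant.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkBase</PolicyId>
  </BasePolicy>
  <ClaimsProviders><ClaimsProvider><TechnicalProfiles>
    <TechnicalProfile Id="login-NonInteractive"><Metadata>
      <Item Key="client_id">ProxyIdentityExperienceFrameworkAppId</Item>
      <Item Key="IdTokenAudience">IdentityExperienceFrameworkAppId</Item>
    </Metadata></TechnicalProfile>
  </TechnicalProfiles></ClaimsProvider></ClaimsProviders>
</TrustFrameworkPolicy>"""

PLACEHOLDERS = ("yourtenant", "ProxyIdentityExperienceFrameworkAppId",
                "IdentityExperienceFrameworkAppId")


def render_policy(xml_text, tenant, ief_app_id, proxy_ief_app_id):
    """Fill in tenant name and IEF app IDs only where the policy carries them,
    walking the XML tree instead of doing a blind text replace."""
    root = ET.fromstring(xml_text)
    domain = f"{tenant}.onmicrosoft.com"          # tenant is the bare name, no suffix
    for attr in ("TenantId", "PublicPolicyUri"):
        root.set(attr, root.get(attr).replace("yourtenant.onmicrosoft.com", domain))
    for el in root.iter(f"{{{NS}}}TenantId"):       # <BasePolicy><TenantId>
        el.text = domain
    app_ids = {"ProxyIdentityExperienceFrameworkAppId": proxy_ief_app_id,
               "IdentityExperienceFrameworkAppId": ief_app_id}
    for item in root.iter(f"{{{NS}}}Item"):         # exact match, so no substring mix-up
        if item.text in app_ids:
            item.text = app_ids[item.text]
    return ET.tostring(root, encoding="unicode")


def remaining_placeholders(xml_text):
    """Pre-upload check: any placeholder left means a broken policy or a
    template that was committed with real values edited in by hand."""
    return [p for p in PLACEHOLDERS if p in xml_text]
```

Run `render_policy(TEMPLATE, "contosoinc", ief_id, proxy_id)` with the app IDs the init script stores, and refuse to upload if `remaining_placeholders()` returns anything.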

Prerequisites

  • Active Azure Subscription: An active Azure subscription is essential. If you don’t have one, sign up for a free account here.
  • Git Installed: Ensure Git is installed and properly configured on your machine.
  • Visual Studio Code: Visual Studio Code should be your primary development environment.
  • Docker: Docker is required for containerization and consistent environment setup.
  • DevContainer Setup: Configure a DevContainer within VSCode for a standardized development process.
  • Basic Azure Knowledge: A fundamental understanding of Azure, including how to structure subscriptions and resource groups, is necessary.
  • Subscription and Resource Group: Ensure you have created a subscription for this guide, and it should have Microsoft.AzureActiveDirectory registered as a resource provider. Additionally, a resource group must be created under this subscription.
  • Global Administrator Role: Verify that you have Global Administrator privileges before executing this script to ensure all operations are permitted.

Step 1: Download the script

  • Clone my repo here
  • Open the repo in Visual Studio Code
  • When prompted, click Reopen in Container

Step 2: Create associated resources

  • Create a Key Vault in the same resource group
  • Make sure to add yourself as Key Vault Administrator on the IAM tab
  • Note down the Key Vault name
  • Note down your Azure account tenant name. You can find it by clicking on the gear icon at the top right

Step 3: Execute init-b2c-instance.sh

Before executing this, ensure you are a Global Administrator for your Azure account and have the Key Vault Administrator role. Otherwise, the script fails with this error:

The subscription is not registered to use namespace 'Microsoft.AzureActiveDirectory'

This script does the following:

  • Creates an Azure App under your Azure account
  • Creates a service principal so that you can perform a headless login. This will come in handy in the upcoming guide on deploying IEF templates with Bicep. The service principal username and password are stored in the Key Vault you created in Step 2.
  • Creates a B2C tenant if it does not exist. Make sure your --tenant-name contains only alphanumeric characters (so instead of contoso-inc, use contosoinc). You can validate your tenant name on the Azure AD B2C creation screen.
  • Associates service principal to the newly created B2C tenant

To run this script, open a VSCode terminal. Make sure to exclude .onmicrosoft.com from --tenant-name:

cd auth
chmod +x ./scripts/init-b2c-instance.sh
./scripts/init-b2c-instance.sh --app-name <your-app-name-here> \
  --subscription <your-azure-subscription-id> \
  --resource-group <your-resource-group-id> \
  --root-tenant-name <your-tenant-name-in-step-2> \
  --vault-name <vault-name-in-step-2> \
  --tenant-name <your-azure-ad-b2c-instance-name>

It will first open a browser prompt for you to log in.

After login, the script keeps running; at the end, you will be prompted to accept permissions. Click Accept.

When the script is done, go into your Key Vault (ensure you have Key Vault Administrator on this resource) and note down ServicePrincipalClientId and ServicePrincipalClientSecret.

Step 4: Execute setup-b2c-instance.sh

This script automates the Microsoft tutorial linked here, with one twist: it uploads the bare minimum base policies (without social sign-ins, which you can add at any time) so that you can start using the Identity Experience Framework right away.

Run this script in the same VSCode terminal. Make sure to exclude .onmicrosoft.com from --tenant-name.

Sometimes Azure AD B2C takes time to propagate App Registrations, so you might see an error like this: "It looks like the application 'f1d37800-7790-4d9d-809d-ed089156284a' you are trying to use has been removed or is configured to use an incorrect application identifier".

Just simply retry the script again and it should work for you.

chmod +x ./scripts/setup-b2c-instance.sh
export SERVICE_PRINCIPAL_CLIENT_ID=<enter-the-ServicePrincipalClientId-from-step-2>
export SERVICE_PRINCIPAL_CLIENT_SECRET=<enter-the-ServicePrincipalClientSecret-from-step-2>
./scripts/setup-b2c-instance.sh --root-tenant-name <your-tenant-name-in-step-2> \
  --root-subscription <your-azure-subscription-id> \
  --tenant-name <your-azure-ad-b2c-instance-name>

Again, you will be prompted to select the Sign In option for Azure. After signing in, it is entirely smooth sailing.

Congratulations, you are ready to develop with Identity Experience Framework 🎉

Step 5 (Optional): Create a SendGrid Verification Flow

Below is an example of how you can use SendGrid to send verification emails with a one-time passcode (OTP).

Before running the deploy-sendgrid-flow.sh script, sign up for and set up SendGrid. Create an email template with the parameter {{ otp }}, similar to this:

Also, create a SendGrid API key and note it down. On the VSCode terminal, make sure you are under auth/

chmod +x ./scripts/deploy-sendgrid-flow.sh
export SERVICE_PRINCIPAL_CLIENT_ID=<enter-the-ServicePrincipalClientId-from-step-2>
export SERVICE_PRINCIPAL_CLIENT_SECRET=<enter-the-ServicePrincipalClientSecret-from-step-2>
export TENANT_NAME=<your-azure-ad-b2c-tenant-name-without-onmicrosoft.com>
export SENDGRID_TEMPLATE_ID=<your-sendgrid-template-id>
export SENDGRID_FROM_EMAIL=<your-sendgrid-from-email>
export SENDGRID_SECRET=<your-sendgrid-secret>
export CALLBACK_URL=<this-is-optional>
./scripts/deploy-sendgrid-flow.sh

This script does the following:

  1. Registers an API client application that can be used for the OIDC flow. You will need to manually create a client ID and secret when integrating with your application (this could be automated with another script).
  2. Uploads the SendGrid API key to Policy Keys.
  3. Uploads all the custom policies.

After it is done, navigate to the Identity Experience Framework tab in Azure AD B2C and click on B2C_1A_DISPLAYCONTROL_SENDGRID_SIGNIN.

Select the reply URL you entered in the step above, or https://jwt.ms by default, and click 'Run now'. Click 'Sign up now' to create an account. When you verify your email, you should receive the new email via SendGrid using the template you just created.

Conclusion

Azure AD B2C is a powerful authentication tool, though it requires some setup effort. This guide aims to simplify the process, helping you avoid common obstacles. Stay tuned for a future guide on automating continuous deployment with Bicep!


Software Engineer at Tactable. We are an Azure + GCP partner and mainly do Cloud Native, Data and AI projects. Check us out: https://www.tactable.io/