Hi Daniel, thank you for an excellent project. I have watched the following videos:
Welcome to Cloud Pharmacy: Cloud Pharmacy on the Azure cloud - trailer
Cloud Pharmacy on the Azure cloud - General Architecture: Introduction to concept and solution architecture
Cloud Pharmacy on the Azure cloud - Verifiable Credentials: Patient verification using Azure AD Verifiable Credentials
Are there any other videos or articles that describe how you created this project, how I can develop / run this project on my local machine, and how I can deploy to Azure? Kind regards, Walter
@nuskyfaizal918717 days ago
Could you share the source code please?
@nryttv318 days ago
Great video! How can this be handled in a scenario where the end user doesn't click logout but just closes the browser?
@AshishPatel-dw1bi27 days ago
Hi, I followed your steps but still do not get single sign-out for another application, so can you please share checkpoints to confirm? If needed, will you be available on demand on an hourly basis? Thank you
@niteshsetin 1 month ago
Hi, I am stuck on a problem: if a user opens the Blazor WASM app in multiple tabs and logs out from one of the tabs, then it is still logged in in the other tabs. Please let me know how I can solve this, or any video you can share.
@user-fz2gk9nh8h12 days ago
Have you done this? Please explain, I am getting the same.
@niteshsetin12 days ago
@user-fz2gk9nh8h I have achieved this using Blazor WASM and local storage.
@suleimanobeid9995 1 month ago
The customer tenant is now called External.
@vykintaskelecius4601 1 month ago
How can we see the code?
@Krytiical2 months ago
@TechMindFactory Hi Daniel, can you provide some more explanation for the Postgres setup? I do not have much Azure knowledge. I'm following this video and I created the Azure Postgres server and the OpenFGA container app.
1. Do I need to run the migrate command against the Azure Postgres server? If I do, how do I do this?
2. I am checking the log stream for the Azure container app; it says the OpenFGA playground has started on localhost. Does that mean OpenFGA is set up correctly with Azure Postgres? I didn't run the migrate command or set up any datastore. Do I need to run those commands?
3. How do I access the playground hosted in Azure?
Thanks!
@aysayko2 months ago
How can I create a login for external users with credentials to my applications?
@anilpatelce2 months ago
Same question: can you share the git repo which contains this template and PS script?
@TheCoflo2 months ago
I am currently trying to implement this in a multitenant app. Have you had any experience with this? I have not been able to get it to work for multitenant apps yet.
@subhajitmitra44562 months ago
Is nonce not possible for a man-in-the-middle attack?
@DreamWalker8863 months ago
For the B2B case, how do I enable invitation-only access without allowing self-signup?
@DreamWalker8863 months ago
Also, if we decide to use the multiple tenants scenario, how do we add the second tenant to the identity providers? What if the app accesses an API? How does the app work with the API with several tenants?
@DreamWalker8863 months ago
For the B2B scenario, do you have examples of redirect URLs? We keep getting: "invalid_request: The provided value for the input parameter 'redirect_uri' is not valid. The expected value is a URI which matches a redirect URI registered for this client application."
@mostafaameen89793 months ago
Please, sir, I was shown verification by work email, then I entered my personal email, and the verification email did not appear to me again. How do I get it? And then this message comes to me: "You don't have verifications, such as verified work email, associated with your account yet. Learn more about verifications."
@jorgenamour11843 months ago
Excellent content! Thank you so much! I have a question, is it possible to create an API that, depending on the user profile, returns the directories/files that the user has access to in a datalake?
@olduniverse92703 months ago
I created a multitenant application. Users from other tenants can log in. But I also want to allow users from my tenant to log in. How do I do this? I added a .gmail account as a user to my tenant but it can't log in.
@user-xx9oe5jy4d3 months ago
Hi, in your Blazor WebAssembly app, how do you connect the login button to this Entra External ID? Many thanks for the video, really useful!
@PrivacyTwin3 months ago
Is it possible to build your own remote authenticator app where the key pair is generated in a secure enclave or TPM?
@edemfromeden54324 months ago
Hi, I'm confused about the demo part. You show that you have assigned two delegated permissions to the app registered in Entra, yet the code snippet within the JSON code block shows that you use a secret, I guess one created in the app registration blade for that app. My question is why. I mean, wouldn't the use of the app ID plus secret indicate that I'm going to use the client credentials flow, where the app authenticates with its own creds to Entra? With the delegated app roles set, isn't the app acting on behalf of the user, so wouldn't the token contain claims for the subject, which in this case would be the user? Could you please explain? Thank you
@irvinwaldman42334 months ago
Do you maintain a GitHub repository for the projects mentioned in your videos?
@ArminBoe4 months ago
Absolutely great 👍 thank you
@user-ji7fw4el2z4 months ago
Hi, it was a good video. Can you please share the custom policy which you have used for SSO?
@gowravsingh41354 months ago
Thank you so much for sharing the knowledge in a way that is pretty easy to understand.
@bangjiyun4 months ago
This is SP-initiated SSO. Does AAD B2C support IdP-initiated SSO?
@samjohnson52034 months ago
Decent video, thank you! Would be interesting to see where you set those claims. Seems like I missed that part. An important point for potential viewers (that gets mentioned eventually): this approach allows us to customize both the ID and access tokens. I'm very excited to see Microsoft moving in a better direction with their Identity Platform offerings. Entra ID for External Customers is, so far, a much better implementation than Azure AD B2C.
@turcanuandrei83075 months ago
Hi, this video is great, I learned a lot from this, but I have one question. After registering my application as a multi-tenant one and creating logic around granting consent for tenants, I am facing the issue that users from the Customer tenant can't log in to my application. The error says: "Selected user account does not exist in tenant 'Home Tenant' and cannot access the application '123' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account." Is there a way for users from Customer tenants to log in to my application without being invited as a guest to my tenant? P.S. The service principal (instance) of my application is created in the Customer tenant.
@turcanuandrei83074 months ago
Issue fixed, don't forget to specify "organizations" or "common" instead of the tenantId value in appsettings.json.
@rickfiji44865 months ago
Great video! Would you be able to upload your source code?
@tamiros5 months ago
Hi, great video and amazing explanation. But I don't understand, is it not possible to provide access only to a specific tenant (organization)?
@alvin02_2_5 months ago
Hello, thank you for these well detailed videos. I have a few questions if you do not mind.
1. What features in the creation of a Single-Tenant Application make an application either B2B or B2C?
2. If personal Microsoft accounts, Google and Facebook accounts from external IdPs can be used for a Single Tenant application with B2B features, how is a Single Tenant B2B application different from a Single Tenant B2C application?
3. You said an external user can sign up to a Single Tenant B2B application using a one-time passcode for sign up, and the external user account is then created as a guest account in the home Entra ID tenant for the B2B application. How will this user subsequently sign in to this B2B application, or what is the auth flow for subsequent sign-in, since the user does not require a password?
Thank you and I look forward to your answers.
@TechMindFactory5 months ago
Hi, thank you for watching! Here are the answers - I hope they will be useful.
1. I would say this is more about the approach rather than specific features. Here is the thing. A single tenant application is created in your Microsoft Entra ID corporate tenant. You can invite guest users and grant them access to this application. You can also enable "self-service sign-up" using user flows so users can sign up and then access your application. However, please remember that B2B is more about corporate Microsoft Entra ID tenants, and for B2C scenarios it is recommended to use Azure AD B2C, which is a separate tenant and service. The most important question is this: "Do I want all customer accounts to land in my corporate tenant?". In most cases the answer is no. You want to have this isolation, so your corporate partner accounts land in the Microsoft Entra ID tenant (the corporate one) and for customer solutions you use a separate tenant - Azure AD B2C.
2. Good question. I partially answered this in the first point above. This is not about features specifically, it is more of an architecture decision. Typically you create a separate Azure AD B2C tenant to handle customer (B2C) use cases. You have isolation for accounts, you can customize authentication options (Google, Facebook, others) and you can customize what is included in the tokens issued to applications. You have to differentiate who should be treated as a "partner" of your organization (B2B scenario) and which corporate resources such a person should have access to, and who should be treated as a customer (B2C).
3. For users who registered using a one-time passcode (or one-time password) the flow stays exactly the same. Once you have registered and you want to access the application again, you have to provide your email address and then a new one-time passcode will be sent to your email. It means that if you are authenticated and your session is still active, you can access the B2B application.
If your session has expired, you have to go through the process again (get a new code sent to your email). Small fragment from the docs: "User sessions expire after 24 hours. After that time, the guest user receives a new passcode when they access the resource.". I hope this clarifies a bit!
@davidwithers71815 months ago
Does this mean that if they go from their browser to the 3rd party application, the 3rd party's IdP will require them to authenticate if there is no valid 3rd party cookie?
@TechMindFactory5 months ago
It depends. Here is the thing. If this 3rd party application is secured by an IdP that is federated with Azure AD B2C and the user signed in before using an account registered in this 3rd party IdP, then the user will not have to provide credentials again. However, if the user opens the 3rd party application and it is using a separate IdP (not federated with Azure AD B2C and not used before), then the user is asked for credentials to successfully authenticate. Please let me know if this answers your question.
@user-bo5nr9nw9p5 months ago
Hi Daniel, great session. Do you have the sample application code repository on GitHub?
@amrmekawy68745 months ago
Great content, thanks!
@TechMindFactory5 months ago
Thank you!
@jeevarp55625 months ago
It appears that I am encountering difficulties in granting admin consent for the API permission named "AuditLog.Read.All" (Application type) using both C# code and Postman. Despite attempts, the process seems to be unsuccessful, raising questions about the possibility of granting admin consent without direct user interaction in the UI, or logging in and clicking Accept in the browser. I am seeking clarification on whether it is feasible to provide admin consent for this API permission programmatically, either through C# code or Postman, without the need for manual login with admin credentials. I made sure to use the API as a developer with the tenant ID, client ID and object ID; with this too, I am not able to grant admin consent without logging in, i.e. without the Accept pop-up or login console UI.
@narutorahat47695 months ago
Thanks
@uchennanwafor98105 months ago
This video is very helpful. How can I get the scripts used for this deployment?
@frankguilain26026 months ago
I was viewing this video again and looked at the ID token in the context of my Azure B2C tenant lab. Local users and external AD users have an ID token referencing my B2C tenant in their tid and iss claims. Is this the normal behaviour? I wanted to use this information to know from which of our partners' tenants they were coming and use this information to give some permissions. But I cannot, like this. And I see there is no UPN claim. I'm using custom policies issued from the SocialAndLocalAccounts templates that I customised to add federation with Entra ID. Could that be the reason? Thank you.
@TechMindFactory6 months ago
Yes, with Azure AD B2C the situation is a little bit different. In the custom policies you have the technical profile for your external identity federation. In this technical profile you can map claims from the federated identity provider. Here are examples of how you can get claims from the external IdP:
<OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid" />
<OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid" />
<OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" />
Above you can see that I map the "iss" claim from the external IdP to the "identityProvider" claim that will be returned in the token from Azure AD B2C. I hope this clarifies a bit!
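The reply above shows only the three OutputClaim lines. The following is an added example (not the channel's own policy nor the commenter's lab policy) of where those lines sit in a B2C custom policy: a ClaimType definition for tenantId, an OpenIdConnect technical profile that federates with multi-tenant Microsoft Entra ID and maps oid, tid and iss, and the relying-party OutputClaim that surfaces tenantId in the token B2C issues to the app. The client_id, the B2C_1A_AADAppSecret key container name, the two tenant GUIDs and the policy/claims-provider names are placeholders you would replace with your own. The security-relevant part is ValidTokenIssuerPrefixes: without that allowlist, any Microsoft Entra tenant in the world can authenticate to the policy, and a tid claim you then map to partner permissions is only as trustworthy as that allowlist.

```xml
<!-- Added example for an Azure AD B2C custom policy (TrustFrameworkExtensions.xml). -->
<!-- Placeholder values (client_id, tenant GUIDs, key container) are assumptions, not real identifiers. -->

<!-- 1. BuildingBlocks: the tenantId claim must exist before a technical profile can output it. -->
<BuildingBlocks>
  <ClaimsSchema>
    <ClaimType Id="tenantId">
      <DisplayName>Tenant ID</DisplayName>
      <DataType>string</DataType>
      <UserHelpText>Entra ID tenant the user authenticated from (mapped from the federated token's tid claim)</UserHelpText>
    </ClaimType>
  </ClaimsSchema>
</BuildingBlocks>

<!-- 2. ClaimsProvider: federation with multi-tenant Microsoft Entra ID. -->
<ClaimsProviders>
  <ClaimsProvider>
    <Domain>commonaad</Domain>
    <DisplayName>Partner Entra ID tenants</DisplayName>
    <TechnicalProfiles>
      <TechnicalProfile Id="AADCommon-OpenIdConnect">
        <DisplayName>Sign in with your work account</DisplayName>
        <Protocol Name="OpenIdConnect" />
        <Metadata>
          <!-- "organizations" accepts work accounts from any tenant; the allowlist below narrows that. -->
          <Item Key="METADATA">https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration</Item>
          <Item Key="client_id">00000000-0000-0000-0000-000000000000</Item> <!-- placeholder: your multi-tenant app registration -->
          <Item Key="response_types">code</Item>
          <Item Key="scope">openid profile</Item>
          <Item Key="response_mode">form_post</Item>
          <Item Key="HttpBinding">POST</Item>
          <Item Key="UsePolicyInRedirectUri">false</Item>
          <!-- Each tenant issues tokens under its own issuer URL, so B2C must resolve metadata per issuer... -->
          <Item Key="DiscoverMetadataByTokenIssuer">true</Item>
          <!-- ...and only issuers with these prefixes are accepted. Placeholder GUIDs = your partner tenants.
               Setting this to "https://login.microsoftonline.com/" alone would trust every Entra tenant. -->
          <Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111,https://login.microsoftonline.com/22222222-2222-2222-2222-222222222222</Item>
        </Metadata>
        <CryptographicKeys>
          <!-- Placeholder policy key holding the app registration's client secret. -->
          <Key Id="client_secret" StorageReferenceId="B2C_1A_AADAppSecret" />
        </CryptographicKeys>
        <OutputClaims>
          <!-- The three mappings from the reply above, plus the usual profile claims. -->
          <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid" />
          <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid" />
          <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" />
          <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
          <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" />
          <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
          <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
        </OutputClaims>
        <OutputClaimsTransformations>
          <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
          <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
          <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
          <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
        </OutputClaimsTransformations>
        <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>

<!-- 3. Relying-party policy (e.g. SignUpOrSignin.xml): claims are only emitted if listed here. -->
<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="OpenIdConnect" />
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="displayName" />
      <OutputClaim ClaimTypeReferenceId="identityProvider" />
      <OutputClaim ClaimTypeReferenceId="tenantId" />
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="sub" />
  </TechnicalProfile>
</RelyingParty>
```

After uploading, the tid and iss of the B2C-issued token still name the B2C tenant (B2C is the issuer), which is the behaviour the question describes; the partner tenant is carried in the separate tenantId and identityProvider claims, and it is those your API should read when deciding partner-specific permissions. The remaining orchestration step wiring (ClaimsExchange in the user journey) is unchanged from the starter pack and is not shown here.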
@s.bandera6 months ago
Thanks!
@TechMindFactory6 months ago
Thank you!
@lelandcrincoli17426 months ago
Promo-SM 👍
@mayrinvarkey91346 months ago
If we are using SAML 2 instead of OIDC, how can I redirect to a URL? Do I still rely on post_logout_redirect_uri?
@TechMindFactory6 months ago
For SAML service providers, configure the application with the SingleLogoutService location in its SAML metadata document. You can also configure the app registration logoutUrl. Please read here; there are details for both OIDC and SAML: learn.microsoft.com/en-us/azure/active-directory-b2c/session-behavior?pivots=b2c-custom-policy#configure-your-application
@sushanth5876 months ago
What is _userSessionStateService, where did you reference the variable, and what does UpdateSessionState do? Can you share the code snippet please?
@arqammalik49247 months ago
Hi, can you please guide me on how I can do SignInType as "userPrincipalName"? I have C# code to perform bulk create, but when I try with signInType "userPrincipalName" it throws a null reference error. Please guide.
@TechMindFactory7 months ago
If I understood correctly, you would like to create Azure AD B2C users using the Microsoft Graph API and C#. Please take a look here: learn.microsoft.com/en-us/graph/api/user-post-users?view=graph-rest-1.0&tabs=csharp#example-1-create-a-user
@user-mp4iw5on6g7 months ago
I have a SPA app and am doing the same steps as described. In the front-channel logout URL I am loading msal.js and trying to log out of B2C. However, localStorage or sessionStorage is not shared when loaded via the front-channel logout URL. If I directly launch the front-channel logout URL then the B2C logout happens, but not when loaded in a . Do you know what could be wrong? Is front-channel logout not supported for SPAs?
@TechMindFactory7 months ago
It looks like this is a problem with cookie access. Do you have "SameSite" set to None for your cookie?
@ciro.ibanez_work7 months ago
Great video!
@TechMindFactory7 months ago
Thank you so much!
@shaleen61637 months ago
Hey, is there any issue while verifying with an official email ID? Because I am working in an MNC and there are security policies. Is it safe or not? Please reply. Thank you in advance.
@TechMindFactory7 months ago
I do not see any issue here. Once you do identity verification with the additional steps required by your organization's security policies, you can issue a VC and confirm the workplace.
@larrycovert44187 months ago
Great video series. I'm interested in how you implemented both phone and TOTP MFA for the same application. Multiple places I've read say this isn't possible. Thanks!
@TechMindFactory7 months ago
Thank you for watching and for the kind words! When it comes to two MFA methods for the same application, let me ask to clarify. Do you want to give the user the option to choose between two available MFA options (like SMS and Authenticator), so the next time the user uses one of them during the authentication process? Please provide more details for your scenario. Having multiple MFA options is 100% possible with the custom policies - I can confirm this. :)
@larrycovert44187 months ago
@TechMindFactory Thanks for the quick response. Ideally, at the time of sign-up, the user would be able to choose their preferred MFA method (Email, SMS, or TOTP) and then use that method from that point forward. If I can offer the choice between all three methods, great, but if only two (SMS and TOTP) are possible, that's OK. Thank you!