|[Force password reset](force-password-reset.md)| Preview | NA ||
37
-
|[phone sign-up and sign-in](phone-authentication-user-flows.md)| GA | GA ||
37
+
|[Phone sign-up and sign-in](phone-authentication-user-flows.md)| GA | GA ||
38
+
39
+
## OAuth 2.0 application authorization flows
40
+
41
+
The following table summarizes the OAuth 2.0 and OpenId Connect application authentication flows that can be integrated with Azure AD B2C.
42
+
43
+
|Feature |User flow |Custom policy |Notes |
44
+
|---------|:---------:|:---------:|---------|
45
+
[Authorization code](authorization-code-flow.md) | GA | GA | Allows users to sign in to web applications. The web application receives an authorization code. The authorization code is redeemed to acquire a token to call web APIs.|
46
+
[Authorization code with PKCE](authorization-code-flow.md)| GA | GA | Allows users to sign in to mobile and single-page applications. The application receives an authorization code using proof key for code exchange (PKCE). The authorization code is redeemed to acquire a token to call web APIs. |
47
+
[Client credentials grant](https://tools.ietf.org/html/rfc6749#section-4.4)| GA | GA | Allows access web-hosted resources by using the identity of an application. Commonly used for server-to-server interactions that must run in the background, without immediate interaction with a user. <br /> <br /> To use this feature in an Azure AD B2C tenant, use the Azure AD endpoint of your Azure AD B2C tenant. For more information, see [OAuth 2.0 client credentials flow](../active-directory/develop/v2-oauth2-client-creds-grant-flow.md). This flow doesn't use your Azure AD B2C [user flow or custom policy](user-flow-overview.md) settings. |
48
+
[Device authorization grant](https://tools.ietf.org/html/rfc8628)| NA | NA | Allows users to sign in to input-constrained devices such as a smart TV, IoT device, or printer. |
49
+
[Implicit flow](implicit-flow-single-page-application.md) | GA | GA | Allows users to sign in to single-page applications. The app gets tokens directly without performing a back-end server credential exchange.|
50
+
[On-behalf-of](../active-directory/develop/v2-oauth2-on-behalf-of-flow.md)| NA | NA | An application invokes a service or web API, which in turn needs to call another service or web API. <br /> <br /> For the middle-tier service to make authenticated requests to the downstream service, pass a *client credential* token in the authorization header. Optionally, you can include a custom header with the Azure AD B2C user's token. |
51
+
[OpenId Connect](openid-connect.md) | GA | GA | OpenID Connect introduces the concept of an ID token, which is a security token that allows the client to verify the identity of the user. |
52
+
[OpenId Connect hybrid flow](openid-connect.md) | GA | GA | Allows a web application retrieve the ID token on the authorize request along with an authorization code. |
53
+
[Resource owner password credentials (ROPC)](add-ropc-policy.md) | Preview | Preview | Allows a mobile application to sign in the user by directly handling their password. |
54
+
55
+
### OAuth 2.0 options
56
+
57
+
|Feature |User flow |Custom policy |Notes |
58
+
|---------|:---------:|:---------:|---------|
59
+
|[Redirect sign-in to a social provider](direct-signin.md#redirect-sign-in-to-a-social-provider)| GA | GA | Query string parameter `domain_hint`. |
60
+
|[Prepopulate the sign-in name](direct-signin.md#prepopulate-the-sign-in-name)| GA | GA | Query string parameter `login_hint`. |
61
+
| Insert JSON into user journey via `client_assertion`| NA| Deprecated ||
62
+
| Insert JSON into user journey as [id_token_hint](id-token-hint.md)| NA | GA ||
63
+
|[Pass identity provider token to the application](idp-pass-through-user-flow.md)| Preview| Preview| For example, from Facebook to app. |
64
+
65
+
## SAML2 application authentication flows
66
+
67
+
The following table summarizes the Security Assertion Markup Language (SAML) application authentication flows that can be integrated with Azure AD B2C.
68
+
69
+
|Feature |User flow |Custom policy |Notes |
70
+
|---------|:---------:|:---------:|---------|
71
+
[SP initiated](saml-service-provider.md) | NA | GA | POST and Redirect bindings. |
72
+
[IDP initiated](saml-service-provider-options.md#identity-provider-initiated-flow) | NA | GA | Where the initiating identity provider is Azure AD B2C. |
38
73
39
74
## User experience customization
40
75
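Review bot: two of the new Notes cells drop a "to": the Client credentials grant row reads "Allows access web-hosted resources" (should be "Allows access to web-hosted resources") and the OpenId Connect hybrid flow row reads "Allows a web application retrieve the ID token" (should be "Allows a web application to retrieve"). Two style points in the same tables: the new rows from Authorization code through IDP initiated omit the leading `|` that every other row in the file uses (compare the OAuth 2.0 options rows), and "OpenId Connect" is spelled with a lowercase d in the intro sentence and link text while the note in that row says "OpenID Connect". Lastly, the Implicit flow row and the Authorization code with PKCE row both describe sign-in for single-page applications with no indication of which one a reader should choose; the Notes column already carries guidance of that kind elsewhere in this file ("Not recommended for production environments"), so a similar pointer here would help readers pick the right flow.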
@@ -50,18 +85,6 @@ Azure Active Directory B2C [user flows and custom policies](user-flow-overview.m
50
85
|[Disable email verification](disable-email-verification.md)| GA| GA| Not recommended for production environments. Disabling email verification in the sign-up process may lead to spam. |
51
86
52
87
53
-
## Protocols and authorization flows
54
-
55
-
|Feature |User flow |Custom policy |Notes |
56
-
|---------|:---------:|:---------:|---------|
57
-
|[OAuth2 authorization code](authorization-code-flow.md)| GA | GA |
58
-
|[OAuth2 authorization code with PKCE](authorization-code-flow.md)| GA | GA | Public clients and single-page applications. |
59
-
|[OAuth2 implicit flow](implicit-flow-single-page-application.md)| GA | GA ||
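Review bot: removing the old Protocols and authorization flows table drops the wording "Public clients and single-page applications" from the OAuth2 authorization code with PKCE row, whereas the replacement row in the new OAuth 2.0 application authorization flows table says only "mobile and single-page applications"; "public clients" is the more precise characterization (any client that cannot keep a secret), so consider carrying it over into the new row. Also check that no other page or in-page anchor still links to the removed "Protocols and authorization flows" heading, since the content now lives under a different heading.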
articles/active-directory/enterprise-users/users-restrict-guest-permissions.md: 1 addition & 1 deletion
@@ -29,7 +29,7 @@ When guest access is restricted, guests can view only their own user profile. Pe
29
29
30
30
## Permissions and licenses
31
31
32
-
You must be in the Global Administrator role to configure the external collaboration settings. There are no additional licensing requirements to restrict guest access.
32
+
You must be in the Global Administrator or Privileged Role Administrator role to configure guest user access. There are no additional licensing requirements to restrict guest access.
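Review bot: the changed sentence now names two roles, Global Administrator or Privileged Role Administrator, without saying which to prefer; since this article is about restricting guest access, it would be consistent to state that Privileged Role Administrator is the lesser-privileged choice and that Global Administrator is not required. The sentence also switches from "external collaboration settings" to "guest user access"; if the setting is still configured under External collaboration settings in the portal, keeping that name helps readers find it.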
articles/active-directory/external-identities/b2b-fundamentals.md: 1 addition & 1 deletion
@@ -26,7 +26,7 @@ This article contains recommendations and best practices for business-to-busines
26
26
## B2B recommendations
27
27
| Recommendation | Comments |
28
28
| --- | --- |
29
-
| For an optimal sign-in experience, federate with identity providers | Whenever possible, federate directly with identity providers to allow invited users to sign in to your shared apps and resources without having to create Microsoft Accounts (MSAs) or Azure AD accounts. You can use the [Google federation feature](google-federation.md) to allow B2B guest users to sign in with their Google accounts. Or, you can use the [Direct federation (preview) feature](direct-federation.md) to set up direct federation with any organization whose identity provider (IdP) supports the SAML 2.0 or WS-Fed protocol. |
29
+
| For an optimal sign-in experience, federate with identity providers | Whenever possible, federate directly with identity providers to allow invited users to sign in to your shared apps and resources without having to create Microsoft Accounts (MSAs) or Azure AD accounts. You can use the [Google federation feature](google-federation.md) to allow B2B guest users to sign in with their Google accounts. Or, you can use the [SAML/WS-Fed federation (preview) feature](direct-federation.md) to set up federation with any organization whose identity provider (IdP) supports the SAML 2.0 or WS-Fed protocol. |
30
30
| Use the Email one-time passcode feature for B2B guests who can’t authenticate by other means | The [Email one-time passcode](one-time-passcode.md) feature authenticates B2B guest users when they can't be authenticated through other means like Azure AD, a Microsoft account (MSA), or Google federation. When the guest user redeems an invitation or accesses a shared resource, they can request a temporary code, which is sent to their email address. Then they enter this code to continue signing in. |
31
31
| Add company branding to your sign-in page | You can customize your sign-in page so it's more intuitive for your B2B guest users. See how to [add company branding to sign in and Access Panel pages](../fundamentals/customize-branding.md). |
32
32
| Add your privacy statement to the B2B guest user redemption experience | You can add the URL of your organization's privacy statement to the first time invitation redemption process so that an invited user must consent to your privacy terms to continue. See [How-to: Add your organization's privacy info in Azure Active Directory](../fundamentals/active-directory-properties-area.md). |
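Review bot: the feature name changes from "Direct federation (preview)" to "SAML/WS-Fed federation (preview)" but the link target stays `direct-federation.md`; confirm the target file was renamed or has a redirect, and that the rest of this article no longer says "direct federation" elsewhere. The unchanged Email one-time passcode row lists "other means like Azure AD, a Microsoft account (MSA), or Google federation"; with the renamed feature it may be worth adding SAML/WS-Fed federation to that list so the two rows agree.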
articles/active-directory/external-identities/compare-with-b2c.md: 1 addition & 1 deletion
@@ -37,7 +37,7 @@ The following table gives a detailed comparison of the scenarios you can enable
37
37
| ---- | --- | --- |
38
38
|**Primary scenario**| Collaboration using Microsoft applications (Microsoft 365, Teams, etc.) or your own applications (SaaS apps, custom-developed apps, etc.). | Identity and access management for modern SaaS or custom-developed applications (not first-party Microsoft apps). |
39
39
|**Intended for**| Collaborating with business partners from external organizations like suppliers, partners, vendors. Users appear as guest users in your directory. These users may or may not have managed IT. | Customers of your product. These users are managed in a separate Azure AD directory. |
40
-
|**Identity providers supported**| External users can collaborate using work accounts, school accounts, any email address, SAML and WS-Fed based identity providers, Gmail, and Facebook. | Consumer users with local application accounts (any email address or user name), various supported social identities, and users with corporate and government-issued identities via direct federation. |
40
+
|**Identity providers supported**| External users can collaborate using work accounts, school accounts, any email address, SAML and WS-Fed based identity providers, Gmail, and Facebook. | Consumer users with local application accounts (any email address or user name), various supported social identities, and users with corporate and government-issued identities via SAML/WS-Fed identity provider federation. |
41
41
|**External user management**| External users are managed in the same directory as employees, but are typically annotated as guest users. Guest users can be managed the same way as employees, added to the same groups, and so on. | External users are managed in the Azure AD B2C directory. They're managed separately from the organization's employee and partner directory (if any). |
42
42
|**Single sign-on (SSO)**| SSO to all Azure AD-connected apps is supported. For example, you can provide access to Microsoft 365 or on-premises apps, and to other SaaS apps such as Salesforce or Workday. | SSO to customer owned apps within the Azure AD B2C tenants is supported. SSO to Microsoft 365 or to other Microsoft SaaS apps isn't supported. |
43
43
|**Security policy and compliance**| Managed by the host/inviting organization (for example, with [Conditional Access policies](conditional-access.md)). | Managed by the organization via Conditional Access and Identity Protection. |
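Review bot: within the changed Identity providers supported row, the B2B column says "SAML and WS-Fed based identity providers" while the updated B2C column says "SAML/WS-Fed identity provider federation"; use one spelling of the term across the row. As with the other files in this commit, grep the article for remaining occurrences of "direct federation" outside this hunk.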