Recommended way to automate deployment of Azure AD B2C instance?

隐身守侯 submitted on 2019-11-27 07:25:48

Question


What is the recommended way of automating the configuration of an Azure AD B2C instance, e.g. configuration of policies, application registrations, maybe even creating initial accounts?

  • Is it possible to use an ARM Template for it? If so, where can I find a quick-start sample?
  • Is it possible to do it programmatically, i.e. using PowerShell? If so, where can I find a sample?

Usage scenario: setting up either an ARM Template or Script to deploy (update) to several environments.

Thanks in advance OliverB


Answer 1:


Is it possible to use an ARM Template? If so, where can I find a quick-start sample? Is it possible to do it programmatically, i.e. using PowerShell? If so, where can I find a sample?

Currently, it is not possible to manage B2C policies programmatically. That feature is currently under development. If this is important to you, you can vote for it in this Feedback Forum so that we can let you know when it is available for preview. The feature request for programmatically registering applications is in this Feedback Forum.

Additionally, if you want some samples for Azure B2C custom policies, you can refer to these samples.

Hope this helps!




Answer 2:


Until the ability to do this is implemented, you just need to document the setup process in detail, with step-by-step instructions, and any scripts you can write (such as PowerShell scripts for registering an application with the Graph API).

Keep all these files in a separate module or folder in your project and under version control.

Once it can be automated (if ever), these files can be used as the foundation for the requirements of your auto-deployment-and-update module.




Answer 3:


It is currently not possible to automate creation of an AAD B2C tenant. You can follow this tutorial to create a B2C tenant:

Tutorial: Create an Azure Active Directory B2C tenant.

Since B2C custom policies went GA, there are some new AAD roles that allow some automation:

If you want to automate the upload of custom policies (IEF policies), you can:

  1. Create a local user in the B2C tenant with the B2C IEF Policy Administrator role.

  2. Create a native app registration.

  3. Add Required Permissions for the previously created application registration: Access directory as the signed in user.

  4. Grant permissions.

The Graph API (beta version) provides an endpoint to manage custom policies:

trustFrameworkPolicy resource type

Here is the script I am using to upload custom policies (Upload-B2C-CustomPolicies.ps1):

Param(
    [string] [Parameter(Mandatory = $true)] $b2cTenantName
    , [string] [Parameter(Mandatory = $true)] $graphAppId
    , [string] [Parameter(Mandatory = $true)] $userName
    , [string] [Parameter(Mandatory = $true)] $userPassword
    , [string[]] [Parameter(Mandatory = $true)] $filePaths
)

# Obtains a Microsoft Graph access token with the resource owner password
# credentials (ROPC) grant, as the local B2C user that holds the IEF Policy
# Administrator role. The password arrives as a plain string on the command
# line, so keep it out of shell history and build logs (e.g. pass it from a
# secret pipeline variable).
function Get-Accesstoken {
    param (
        [string] [Parameter(Mandatory = $true)] $b2cTenantName
        , [string] [Parameter(Mandatory = $true)] $graphAppId
        , [string] [Parameter(Mandatory = $true)] $userName
        , [string] [Parameter(Mandatory = $true)] $userPassword
    )

    # v1 token endpoint of the B2C tenant
    $accessTokenUrl = "https://login.microsoftonline.com/$b2cTenantName.onmicrosoft.com/oauth2/token"

    # Form-encoded body; Invoke-RestMethod serialises the hashtable as key=value pairs.
    $body = @{
        grant_type = "password"
        resource   = "https://graph.microsoft.com"
        username   = "$userName"
        password   = "$userPassword"
        client_id  = "$graphAppId"
    }

    $response = Invoke-RestMethod `
        -Uri $accessTokenUrl `
        -Method Post `
        -ContentType "application/x-www-form-urlencoded" `
        -Body $body

    return $response.access_token
}

# PUTs the raw policy XML to the beta trustFramework endpoint, which creates
# the policy named in the URL or replaces it if it already exists.
function Set-Policy {
    param (
        [string] [Parameter(Mandatory = $true)] $policyUrl
        , [string] [Parameter(Mandatory = $true)] $accessToken
        , [string] [Parameter(Mandatory = $true)] $xml
    )

    $headers = @{
        "Authorization" = "Bearer $accessToken";
    }

    Invoke-RestMethod `
        -Uri $policyUrl `
        -Method Put `
        -Headers $headers `
        -ContentType "application/xml" `
        -Body $xml
}

Write-Host "Getting access token to call the graph api"
$accessToken = Get-Accesstoken -b2cTenantName $b2cTenantName -graphAppId $graphAppId -userName $userName -userPassword $userPassword

# Files are uploaded in the order given on the command line, so list the base
# policy first, then the extensions, then the relying-party policies.
foreach ($filePath in $filePaths) {
    try {
        Write-Host "`nGetting file content from file path: $filePath"
        $xml = Get-Content $filePath | Out-String
        [xml]$xmlDoc = $xml    # throws if the file is not well-formed XML
    }
    catch {
        # ##vso[...] is an Azure Pipelines logging command that marks the task as failed.
        Write-Host "##vso[task.logissue type=error;]$filePath is an invalid xml file."
        return    # stop at the first bad file instead of continuing with the rest
    }

    # The PolicyId attribute on the root element names the policy to create or replace.
    $policyId = $xmlDoc.TrustFrameworkPolicy.PolicyId
    # The backtick keeps "$value" literal: it is the Graph segment that takes the raw XML body.
    $policyUrl = "https://graph.microsoft.com/beta/trustframework/policies/$policyId/`$value"

    Write-Host "Uploading policy with id: $policyId"
    Set-Policy -policyUrl $policyUrl -accessToken $accessToken -xml $xml
}

I execute the script like this:

.\Upload-B2C-CustomPolicies.ps1 `
  -b2cTenantName "my b2c tenant name" `
  -graphAppId "app id of the previously created app registration" `
  -userName "b2c local username with IEF policy admin role" `
  -userPassword "b2c local user password with IEF policy admin role" `
  -filePaths "full path of the TrustFrameworkBase.xml file", "full path of the TrustFrameworkExtension.xml file", "full path of the SignUpSignIn.xml file"
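The script above uploads the files in exactly the order passed to -filePaths, and it uploads whatever TenantId each file carries. Since custom policies inherit from the BasePolicy they name, the base policy has to go up before the extensions and the relying-party policies, and when the same file set is deployed to several environments a stale TenantId from another tenant is an easy mistake to make. The following is an added example, not code from the original answer: a helper that parses the policy XML offline, refuses any policy whose TenantId does not match the target tenant, and returns the policy ids in dependency order so that order can drive the upload loop. The tenant name and the three minimal policy documents are constructed placeholders.

```powershell
# Added example, not part of the original answer. Checks the TenantId of each
# custom policy against the intended tenant and returns the policy ids in
# dependency order (base first). The XML documents below are constructed for
# the demo and the tenant name is a placeholder.

function Get-PolicyUploadOrder {
    param (
        [string]   [Parameter(Mandatory = $true)] $ExpectedTenantId,
        [string[]] [Parameter(Mandatory = $true)] $PolicyXml
    )

    # PolicyId -> PolicyId of its BasePolicy ($null for the root base policy)
    $parents = [ordered]@{}
    foreach ($text in $PolicyXml) {
        [xml]$doc = $text
        $root = $doc.TrustFrameworkPolicy
        if (-not $root) { throw "Document has no TrustFrameworkPolicy root element" }

        # Reject a policy written for another environment before any call is made.
        if ($root.TenantId -ne $ExpectedTenantId) {
            throw "Policy '$($root.PolicyId)' targets tenant '$($root.TenantId)', expected '$ExpectedTenantId'"
        }

        $baseId = $null
        if ($root.BasePolicy) { $baseId = [string]$root.BasePolicy.PolicyId }
        $parents[$root.PolicyId] = $baseId
    }

    $ordered = [System.Collections.Generic.List[string]]::new()
    foreach ($id in @($parents.Keys)) {
        # Walk from this policy up its BasePolicy chain, then emit root-first.
        $chain = [System.Collections.Generic.List[string]]::new()
        $current = $id
        while ($current) {
            if ($chain.Contains($current)) { throw "Cycle in BasePolicy chain at '$current'" }
            $chain.Add($current)
            $parent = $parents[$current]
            if ($parent -and -not $parents.Contains($parent)) {
                throw "Policy '$current' inherits from '$parent', which is not among the files to upload"
            }
            $current = $parent
        }
        $chain.Reverse()
        foreach ($p in $chain) { if (-not $ordered.Contains($p)) { $ordered.Add($p) } }
    }
    return $ordered.ToArray()
}

# --- demo with constructed policies -------------------------------------------
$tenant = "contoso.onmicrosoft.com"   # placeholder tenant name
$ns = "http://schemas.microsoft.com/online/cpim/schemas/2013/06"

$base = @"
<TrustFrameworkPolicy xmlns="$ns" TenantId="$tenant" PolicyId="B2C_1A_TrustFrameworkBase" PolicySchemaVersion="0.3.0.0" />
"@
$extensions = @"
<TrustFrameworkPolicy xmlns="$ns" TenantId="$tenant" PolicyId="B2C_1A_TrustFrameworkExtensions" PolicySchemaVersion="0.3.0.0">
  <BasePolicy><TenantId>$tenant</TenantId><PolicyId>B2C_1A_TrustFrameworkBase</PolicyId></BasePolicy>
</TrustFrameworkPolicy>
"@
$signUpSignIn = @"
<TrustFrameworkPolicy xmlns="$ns" TenantId="$tenant" PolicyId="B2C_1A_signup_signin" PolicySchemaVersion="0.3.0.0">
  <BasePolicy><TenantId>$tenant</TenantId><PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId></BasePolicy>
</TrustFrameworkPolicy>
"@

# Files handed over in the wrong order still come back base-first.
$order = Get-PolicyUploadOrder -ExpectedTenantId $tenant -PolicyXml $signUpSignIn, $extensions, $base
Write-Host "Upload order: $($order -join ' -> ')"

# A policy whose TenantId points at another environment is rejected.
$wrongTenant = $base.Replace($tenant, "other-tenant.onmicrosoft.com")
try {
    Get-PolicyUploadOrder -ExpectedTenantId $tenant -PolicyXml $wrongTenant | Out-Null
}
catch {
    Write-Host "Rejected: $($_.Exception.Message)"
}
```

To combine this with the upload script, read each file's content first, call Get-PolicyUploadOrder on the set, and then upload the files in the returned id order; a policy that inherits from an id not present in the set is reported before anything is sent, which avoids a half-deployed policy chain on the tenant.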



Answer 4:


You can now use Microsoft Graph APIs to manage custom policies and policy keys. Please find the documentation for the custom policies API here and for policy keys here. You can find samples here.

Azure AD B2C supports PowerShell cmdlets for custom policies as of today.

Azure AD Preview module documentation

See the Medium blog post



Source: https://stackoverflow.com/questions/46813332/recommended-way-to-automate-deplyoment-of-azure-ad-b2c-instance
