Given that an Azure AD B2C tenant should only be used for configuring Azure AD B2C, would having programmatic APIs to configure all of the Azure AD B2C settings be useful, or is there more that you are looking to achieve using ARM templates?
We definitely recognize the popularity of this feature, and we discuss it constantly during the planning phases. However there are certain technical limitations in the system that add a large amount of development cost. Because of the cost and the fact that there is a workaround available, other features get prioritized over this one.
That being said, please keep voting for it. The popularity of the feature does help bring it up and makes us reconsider every time.
Apologies for the delay.
We’re doing some research both on the specifics of this ask as well as what it would take to support this.
Is the ask here to do the same thing that regular Azure AD does (see: https://blogs.technet.microsoft.com/enterprisemobility/2014/12/18/azure-active-directory-now-with-group-claims-and-application-roles/) or are there different requirements around this for Azure AD B2C?

Kyle Pope commented:
Thanks Lucas Vogel and ricky zou for the example solutions. While I like both solutions, I think the ideal solution is something like ricky's since it returns the groups as part of the token and doesn't put the responsibility to go look them up in each app that uses B2C. That said, it has increased complexity since you'll need to (1) use a custom policy and (2) manage/configure the extra Azure function that must be deployed... I still think it would be a big win if Microsoft would provide an officially documented workaround that does this and makes it easy for people to implement this feature on their own...

Kyle Pope commented:
It really is a shame that this isn't supported.
Since it's unlikely to be implemented, it might be really useful and much less effort to embrace this limitation and provide an official Microsoft solution that is external to changing the B2C product. I'm thinking something similar to the Git repo Marcel Juhnke provided in a previous comment but more refined, including:
* Implementation of user group retrieval as an Azure function with proper error handling and necessary authentication implemented.
* Detailed documentation on the Microsoft B2C documentation portal about how to configure/install and integrate a custom policy with it.
If this solution existed and it was relatively easy to implement it might go a long way to address this issue.
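The comment above asks for an Azure Function that looks up a user's groups, with proper error handling and caller authentication, and hands them back to a B2C custom policy as a claim. The following is an added example of what the core of such a handler can look like; it is not the commenter's code, not Marcel Juhnke's repository, and not Microsoft's. It assumes (hypothetically) that the REST technical profile in the custom policy calls the function with HTTP Basic authentication, posts the user's objectId in the JSON body, and that the real Microsoft Graph lookup is injected as `lookup_groups`; the directory contents and credentials are constructed stand-ins.

```python
"""
Added example (not from the original thread): the request-handling core of a
"group retrieval" REST endpoint for an Azure AD B2C custom policy.

Assumptions (hypothetical):
  * B2C authenticates to the endpoint with HTTP Basic credentials.
  * The request body is JSON carrying the user's "objectId".
  * The Microsoft Graph call is injected as `lookup_groups`; the stand-in
    below is a constructed in-memory directory.
  * The "groups" property in the 200 response is mapped by the policy to
    an output claim that ends up in the token.
"""
import base64
import hmac
import json
from typing import Callable, Dict, List, Optional, Tuple

# Constructed credentials; a real deployment reads these from app settings
# or Key Vault, never from source.
EXPECTED_USERNAME = "b2c-policy"
EXPECTED_PASSWORD = "constructed-shared-secret"

# Constructed stand-in for a Microsoft Graph lookup (objectId -> group ids).
FAKE_DIRECTORY: Dict[str, List[str]] = {
    "11111111-1111-1111-1111-111111111111": ["group-admins", "group-readers"],
    "22222222-2222-2222-2222-222222222222": [],
}


def fake_lookup_groups(object_id: str) -> List[str]:
    """Stand-in for the Graph call: raises KeyError for unknown users."""
    if object_id not in FAKE_DIRECTORY:
        raise KeyError(object_id)
    return FAKE_DIRECTORY[object_id]


def basic_auth_header(user: str, password: str) -> str:
    """Build the Authorization header value B2C would send (used in tests)."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def _basic_auth_ok(auth_header: Optional[str]) -> bool:
    """Verify Basic credentials with constant-time comparison on both parts."""
    if not auth_header or not auth_header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(auth_header[len("Basic "):]).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    user, sep, pwd = decoded.partition(":")
    if not sep:
        return False
    user_ok = hmac.compare_digest(user, EXPECTED_USERNAME)
    pwd_ok = hmac.compare_digest(pwd, EXPECTED_PASSWORD)
    return user_ok and pwd_ok


def _b2c_error(status: int, message: str) -> Tuple[int, dict]:
    """Error body in the shape a B2C REST technical profile understands;
    409 makes B2C show userMessage to the user instead of a generic failure."""
    return status, {"version": "1.0.0", "status": status, "userMessage": message}


def handle_request(
    headers: Dict[str, str],
    body: str,
    lookup_groups: Callable[[str], List[str]] = fake_lookup_groups,
) -> Tuple[int, dict]:
    """Return (http_status, json_body) for one claims-exchange request."""
    # 1. Reject anything that is not the policy itself before touching input.
    if not _basic_auth_ok(headers.get("Authorization")):
        return _b2c_error(401, "Unauthorized caller.")

    # 2. Parse and validate the input claims defensively.
    try:
        payload = json.loads(body) if body else {}
    except json.JSONDecodeError:
        return _b2c_error(409, "Request body is not valid JSON.")
    object_id = payload.get("objectId") if isinstance(payload, dict) else None
    if not isinstance(object_id, str) or not object_id:
        return _b2c_error(409, "objectId claim is missing.")

    # 3. Look up groups; never leak backend details in the user-facing message.
    try:
        groups = lookup_groups(object_id)
    except KeyError:
        return _b2c_error(409, "User not found in directory.")
    except Exception:
        return _b2c_error(409, "Group lookup failed. Please try again.")

    # 4. Output claims are returned as top-level JSON properties.
    return 200, {"groups": groups}


if __name__ == "__main__":
    hdrs = {"Authorization": basic_auth_header(EXPECTED_USERNAME, EXPECTED_PASSWORD)}
    print(handle_request(hdrs, '{"objectId": "11111111-1111-1111-1111-111111111111"}'))
    print(handle_request({}, '{"objectId": "11111111-1111-1111-1111-111111111111"}'))
```

The three checks happen in a fixed order: authenticate the caller, validate the claims B2C sent, then call the directory, so an unauthenticated request never reaches Graph and a backend failure never surfaces as a stack trace in the sign-in page. Whether `groups` is returned as a JSON array or a delimited string depends on how the output claim is declared in the policy; the array here is an assumption.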
This is not planned for the next 6 months, but is on the roadmap.
Currently, you can use the “App Registration” blade in the Azure Portal (outside of the Azure AD B2C blades) to register apps that define application permissions and to register apps that use client credentials to request these. The caveat is that this is done using the same mechanism that you’d use in regular Azure AD.
Ideally we’d have a first class experience for this in the Azure AD B2C blades or at least have an Azure doc that walks you through the experience I just summarized, so I’m leaving this feature ask open.
It would be great if you guys can add comments with your feedback. What scenarios are you trying to achieve? Does the approach above help you achieve what you want to achieve? Does the experience to do so work for you guys and if not, what would you like to see?