可以和不能使用 B2C 进行身份验证的已注册应用程序之间的区别是什么？

Question

Some of the applications registered in my Azure AD B2C directory display this message on their overview page:

You can use this application to authenticate against Azure Active Directory, but not Azure AD B2C

Many others do not.

Since my code will rely on B2C authentication using client ID's from these registrations I need to know whether I can "fix" these application registrations or whether I need to create new ones.

What's the difference between these applications? Is it the way in which they were created, or is it setting(s) that can be adjusted to permit B2C authentication?

Clicking on the message itself only links to the Azure B2C overview page , which is not very specific help.

To test the concept, I'm using msal 1.1.3 and a simple client side configuration. But as this message appears on the azure portal dashboard I don't think that's at issue:

const msalConfig = {
    auth: {
      clientId: `${MyClientId}`,
      authority: `${MyAuthorityURL}`,
      redirectURI: `${MyRedirect}`
    },
    cache: {
      cacheLocation: "localStorage",
      storeAuthStateInCookie: true
    }
  };

  const msalApplication = new Msal.UserAgentApplication(msalConfig);

Answer 1

B2C does not support Daemons/server-side applications, Web API chains (on-behalf-of flow), or faulted apps ( ie apps edited on other application portals such as the application registration portal; apps edited via Graph API; or apps edited via Powershell ). Was the app ever edited in one of these places? If that is the case you will need to delete and recreate the application. This document describes the kinds of apps supported and not supported within B2C.

Also, of course make sure that the application is registered in b2c and not just in the regular AAD. https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications?tabs=applications

Since the message in the screenshot does not appear to be documented I have reached out to the product team to ask for a more detailed explanation of that message and its context. I will update this thread as soon as I have that.

Answer 2

Since my code will rely on B2C authentication using client ID's from these registrations I need to know whether I can "fix" these application registrations or whether I need to create new ones.

You need to create new applications under Azure AD B2C.

If you created the application under Azure Active Directory and open it under Azure AD B2C, you will see that warning.

What's the difference between these applications? Is it the way in which they were created, or is it setting(s) that can be adjusted to permit B2C authentication?

One is used for Azure AD, and the other one is used for Azure AD B2C. Yes, it is in the way they were created.

Answer 3

I have answered this question here - microsoft graph rest api beta: application created by api in azure ad b2c is not valid

For an application to successfully work in AAD B2C(get a token), it has following requirements

1. It needs to have a service principal

2. Consent to openid and offline_access scope on Microsoft Graph service principal in the tenant

   Azure Active Directory does not have these requirements but Azure Active Directory B2C does.

The reason is that consent experience cannot be shown to the enduser in Azure Active Directory B2C while in Azure Active Directory, it is shown to the user.