
Impersonation from Azure AD to Azure B2C

We are working on a web application that requires two different types of users:

  • Administrators (mapped to Azure AD, SSO);
  • Customers (mapped to Azure AD B2C);

Customers log into the web application using their Azure AD B2C account. Administrators log into an administration UI area of the website using their Azure AD account. This part is fine.

However, one of the requirements is that the Administrators are able to impersonate the Customer, so that they can carry out certain tasks on behalf of the customer, e.g. place an order.

We'll be using OAuth (.NET package) for the authorisation. My question is twofold really:

1) Does OAuth support impersonation of other accounts?

2) If yes, is it even possible for an account in Azure AD to impersonate a user in Azure AD B2C? Currently they are different directories with no visibility of one another.

Perhaps my questions are a little vague; we're looking for some pointers in the right direction.

Many thanks in advance

dotdev

You can build a flow which authenticates the Admin via the federated IdP (AAD), then presents them a B2C page which allows them to impersonate a B2C user: https://github.com/azure-ad-b2c/samples/tree/master/policies/impersonation. The policy should do some checks to make sure the AAD user is in some group who can impersonate, then present them a screen in B2C to provide the end user's email. B2C will then finish the authentication by minting a token that is in the B2C user's context.

Azure AD (regular/B2C) does not allow you to impersonate other users. You can't really log in as the user.

You will most likely have to build this functionality into your application, where the admin is allowed to choose a customer on whose behalf they are making the order.
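The two answers describe the same shape from different ends: check that the AAD admin is in a permitted group, then produce a session that acts in the customer's context. Below is an added example (not code from the question, either answer, or the linked B2C sample) of the application-side version the second answer suggests, using System.Security.Claims from .NET. The group id, the "AzureAD" and "B2C" scheme names, and the "impersonated" and "act_oid" claim types are hypothetical; the "oid", "groups" and "emails" claim names follow the usual Azure AD / B2C token shapes, and the example assumes the app registration is configured to emit the "groups" claim.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;

// Added example, not code from the question or either answer. It sketches the
// application-side "act on behalf of" approach from the second answer, with the
// admin group check the first answer asks for. Group id, scheme names and the
// "impersonated" / "act_oid" claim types are hypothetical.
public sealed class ImpersonationService
{
    // Hypothetical object id of the AAD group whose members may act on behalf of customers.
    private readonly string _impersonatorGroupId;
    private readonly List<string> _audit = new List<string>();

    public ImpersonationService(string impersonatorGroupId)
    {
        _impersonatorGroupId = impersonatorGroupId;
    }

    // Every impersonation start is recorded; a real app writes this to durable, append-only storage.
    public IReadOnlyList<string> AuditLog => _audit;

    // Returns a principal whose subject is the customer, so existing customer
    // authorization code works unchanged, while the admin stays visible as the actor.
    public ClaimsPrincipal ActOnBehalfOf(ClaimsPrincipal admin, string customerObjectId, string customerEmail)
    {
        var adminIdentity = admin.Identity as ClaimsIdentity;
        if (adminIdentity == null || !adminIdentity.IsAuthenticated)
            throw new UnauthorizedAccessException("Admin is not authenticated.");

        // Only a principal that signed in through the (hypothetical) Azure AD scheme
        // may impersonate; a B2C customer session must never reach this code path.
        if (adminIdentity.AuthenticationType != "AzureAD")
            throw new UnauthorizedAccessException("Only Azure AD identities may impersonate customers.");

        // Group membership check; assumes the admin's token carries the "groups" claim.
        if (!admin.HasClaim(c => c.Type == "groups" && c.Value == _impersonatorGroupId))
            throw new UnauthorizedAccessException("Admin is not in the impersonator group.");

        var adminOid = admin.FindFirst("oid")?.Value
            ?? throw new InvalidOperationException("Admin token carries no oid claim.");

        var claims = new List<Claim>
        {
            new Claim("sub", customerObjectId),  // the customer is the subject
            new Claim("emails", customerEmail),   // B2C-style email claim
            new Claim("impersonated", "true"),    // lets sensitive actions refuse the session
            new Claim("act_oid", adminOid),       // hypothetical actor claim, same idea as RFC 8693 "act"
        };
        var identity = new ClaimsIdentity(claims, authenticationType: "Impersonation",
                                          nameType: "sub", roleType: "roles");

        _audit.Add($"{DateTime.UtcNow:O} actor={adminOid} subject={customerObjectId} email={customerEmail}");
        return new ClaimsPrincipal(identity);
    }

    public static bool IsImpersonated(ClaimsPrincipal principal) =>
        principal.HasClaim("impersonated", "true");

    // The admin's oid for an impersonated session, or null for a genuine customer login.
    public static string ActorObjectId(ClaimsPrincipal principal) =>
        principal.FindFirst("act_oid")?.Value;
}

public static class Demo
{
    public static void Main()
    {
        const string groupId = "00000000-0000-0000-0000-00000000ab12"; // constructed sample value
        var service = new ImpersonationService(groupId);

        // Constructed admin principal as it might arrive from an AAD sign-in.
        var admin = new ClaimsPrincipal(new ClaimsIdentity(new[]
        {
            new Claim("oid", "11111111-2222-3333-4444-555555555555"),
            new Claim("groups", groupId),
        }, "AzureAD"));

        var asCustomer = service.ActOnBehalfOf(admin,
            customerObjectId: "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
            customerEmail: "customer@example.com");

        Console.WriteLine($"subject={asCustomer.FindFirst("sub")?.Value}");
        Console.WriteLine($"impersonated={ImpersonationService.IsImpersonated(asCustomer)}");
        Console.WriteLine($"actor={ImpersonationService.ActorObjectId(asCustomer)}");
        foreach (var line in service.AuditLog) Console.WriteLine(line);

        // A customer's own B2C session must be rejected as an impersonator.
        var customer = new ClaimsPrincipal(new ClaimsIdentity(new[] { new Claim("sub", "x") }, "B2C"));
        try { service.ActOnBehalfOf(customer, "y", "y@example.com"); }
        catch (UnauthorizedAccessException e) { Console.WriteLine($"rejected: {e.Message}"); }
    }
}
```

Two design points matter here: the impersonated principal keeps the admin's identity in a separate claim rather than replacing it, so audit records and authorization policies can tell a genuine customer login from an admin acting on the customer's behalf, and operations such as changing the customer's credentials or payment details can check IsImpersonated and refuse the session even though "sub" is the customer.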
