B2C Tenant Registry¶
!!! note "PRO Feature"
    B2C Tenant Registry requires a PRO tier license.
Monitor credential expiry in your Azure AD B2C tenants to prevent authentication failures in customer-facing applications.
Overview¶
The B2C Tenant Registry allows CertifyClouds to scan your Azure AD B2C tenants and discover:
- All App Registrations in the B2C tenant
- Secrets and certificates with expiry dates
- Credentials that are expired or expiring soon
!!! note "B2C vs SSO"
    This feature is separate from SSO Setup. SSO is for authenticating users to CertifyClouds. B2C Registry is for scanning your B2C tenants.
Understanding B2C vs Regular Azure AD¶
| Aspect | Azure AD (Entra ID) | Azure AD B2C |
|---|---|---|
| Purpose | Employee/internal identity | Customer/consumer identity |
| Users | Your organization's employees | External customers |
| Common Use | Microsoft 365, internal apps | Consumer-facing apps, e-commerce |
| Key Vaults | Yes | No - B2C tenants are identity-only |
| App Registrations | Yes | Yes - for customer-facing apps |
CertifyClouds B2C Tenant Registry scans the App Registrations in your B2C tenant to monitor credential expiry for your customer-facing applications.
Prerequisites¶
Before configuring B2C Tenant Registry:
- PRO tier license
- Azure AD B2C tenant to monitor
- Admin access to create service principal
- Microsoft Graph permissions - Ability to grant admin consent
Required Information¶
| Item | Description | Example |
|---|---|---|
| B2C Tenant ID | GUID of your B2C tenant | 12345678-abcd-1234-... |
| B2C Tenant Domain | Primary domain | yourcompany.onmicrosoft.com |
| Service Principal Client ID | App registration for scanning | abcd1234-... |
| Service Principal Secret | Client secret | secret_... |
Setup Steps¶
Step 1: Access Your B2C Tenant¶
- Go to Azure Portal (portal.azure.com)
- Click your profile icon → Switch directory
- Select your Azure AD B2C tenant
- Verify you see "Azure AD B2C" in the top-left
Step 2: Create Service Principal¶
- Navigate to Azure AD B2C → App registrations
- Click + New registration
- Configure:
| Field | Value |
|---|---|
| Name | CertifyClouds-B2C-Scanner |
| Supported account types | Accounts in this organizational directory only |
| Redirect URI | Leave blank |
- Click Register
- Copy the Application (client) ID
Step 3: Create Client Secret¶
- Go to Certificates & secrets
- Click + New client secret
- Configure:
| Field | Value |
|---|---|
| Description | CertifyClouds B2C Access |
| Expires | 24 months |
- Click Add
- Copy the secret Value immediately
Step 4: Grant API Permissions¶
- Go to API permissions
- Click + Add a permission
- Select Microsoft Graph → Application permissions
- Add permissions:
| Permission | Purpose |
|---|---|
| Application.Read.All | Read app registrations (discovery only) |
| Organization.Read.All | Read tenant info |
| Application.ReadWrite.All | Modify registrations (for rotation) |
!!! tip "Least Privilege"
    For discovery-only, Application.Read.All is sufficient. Add Application.ReadWrite.All only if you want CertifyClouds to rotate B2C credentials.
- Click Grant admin consent for [Your B2C Tenant]
- Verify green checkmarks appear
CertifyClouds Configuration¶
Step 1: Add B2C Tenant¶
- Go to Settings → B2C Tenant Registry
- Click Add B2C Tenant
Step 2: Enter Details¶
| Field | Description |
|---|---|
| Tenant ID | Your B2C tenant's GUID |
| Tenant Domain | e.g., yourcompany.onmicrosoft.com |
| Display Name | Friendly name (e.g., "Production B2C") |
| Environment | Development, Staging, or Production |
| Client ID | Service principal application ID |
| Client Secret | Service principal secret |
Step 3: Configure Discovery¶
| Option | Description | Recommended |
|---|---|---|
| Auto-discover | Scan automatically | Enabled |
| Discovery interval | Scan frequency | 24 hours |
Step 4: Test and Register¶
- Click Test Connection
- Expected: "Connection successful - Found organization: [Tenant Name]"
- Click Register Tenant
Step 5: Run Discovery¶
- Click Discover on your tenant
- View discovered credentials in the expanded view
What Gets Discovered¶
For each App Registration in your B2C tenant:
| Item | Details |
|---|---|
| App Name | Display name |
| Client ID | Application ID |
| Secrets | Password credentials with expiry |
| Certificates | Key credentials with expiry |
| Expiry Status | Expired, Expiring Soon (≤30 days), Valid |
Configuring Alerts¶
Set up notifications for B2C credential expiry:
- Go to Settings → Alerts
- Create rule for "B2C Credential Expiry"
- Configure thresholds:
| Severity | Threshold |
|---|---|
| Critical | ≤7 days |
| Warning | ≤30 days |
| Expired | Already expired |
- Configure notification channels
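The "What Gets Discovered" table and the alert thresholds above describe how each secret and certificate is classified. The following is an added example (not CertifyClouds code) that applies those thresholds to a constructed sample shaped like a Microsoft Graph `GET /applications` response; `NOW` is pinned to a fixed date so the results are reproducible.

```python
# Classify B2C app-registration credentials with the thresholds from this page.
from collections import Counter
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 2, 1, tzinfo=timezone.utc)  # fixed clock; use datetime.now(timezone.utc) live

# Constructed sample of Graph /applications output; not data from any real tenant.
SAMPLE_APPS = [
    {"displayName": "Customer Portal", "appId": "00000000-0000-0000-0000-000000000001",
     "passwordCredentials": [{"displayName": "portal-secret", "endDateTime": "2024-01-10T00:00:00Z"}],
     "keyCredentials": [{"displayName": "portal-cert", "endDateTime": "2024-03-01T00:00:00.1234567Z"}]},
    {"displayName": "Mobile API", "appId": "00000000-0000-0000-0000-000000000002",
     "passwordCredentials": [{"displayName": "api-secret", "endDateTime": "2024-02-06T00:00:00Z"},
                             {"displayName": "api-secret-next", "endDateTime": "2025-01-01T00:00:00Z"}],
     "keyCredentials": []},
    {"displayName": "Legacy App", "appId": "00000000-0000-0000-0000-000000000003"},  # no credentials
]

def parse_graph_time(value):
    """Graph emits ISO-8601 UTC, sometimes with 7 fractional digits ('.1234567Z')."""
    base, _, frac = value.rstrip("Z").partition(".")
    stamp = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    if frac:
        stamp += timedelta(microseconds=int(frac[:6].ljust(6, "0")))
    return stamp.replace(tzinfo=timezone.utc)

def classify(days_left):
    """Map days until expiry onto the alert thresholds used on this page."""
    if days_left < 0:
        return "Expired"
    return "Critical" if days_left <= 7 else "Warning" if days_left <= 30 else "Valid"

def discover(apps, now=NOW):
    """Flatten every secret and certificate into one finding with its status."""
    findings = []
    for app in apps:
        for kind, field in (("secret", "passwordCredentials"), ("certificate", "keyCredentials")):
            for cred in app.get(field, []):  # apps with no credentials omit the key entirely
                end = parse_graph_time(cred["endDateTime"])
                days = (end - now).days
                findings.append({"app": app["displayName"], "appId": app["appId"], "kind": kind,
                                 "name": cred.get("displayName") or "(unnamed)", "days_left": days,
                                 "expires": end.date().isoformat(), "status": classify(days)})
    return findings

def summarize(findings):
    """Count findings per status, e.g. to decide whether Critical alerts should fire."""
    return dict(Counter(f["status"] for f in findings))

if __name__ == "__main__":
    print(*sorted(discover(SAMPLE_APPS), key=lambda f: f["days_left"]), sep="\n")
```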
Troubleshooting¶
Common Issues¶
| Issue | Cause | Solution |
|---|---|---|
| "Connection failed" | Invalid credentials | Verify Client ID and Secret |
| "Access denied" | Missing permissions | Ensure permissions are granted |
| "Admin consent required" | Consent not granted | Grant admin consent in Azure |
| "Tenant not found" | Wrong tenant ID | Use B2C tenant ID (not regular AD) |
| "No apps discovered" | Empty tenant | Verify B2C has app registrations |
Verify Permissions¶
```bash
# Test Graph API access
az login --tenant YOUR_B2C_TENANT_ID
az ad app list --query "[].{name:displayName, appId:appId}" -o table
```
Security Best Practices¶
- Least privilege - Use Application.Read.All for discovery-only
- Rotate secrets - Renew scanner service principal secret before expiry
- Monitor access - Review Azure AD sign-in logs
- Separate environments - Use different scanner apps per environment