We have an existing Azure subscription where we run our processing infrastructure. We are setting up a new app to run in the same space, but with a Azure Active Directory B2C. We have the setup working and can create new customer users that can sign in.
We have been unable to determine how to have our own users in the existing company subscription sign in to the new app (powered by the AD B2C) with the same user/email/password.
We think the answer lies somewhere between single sign on and proxy user principal names?
We should also point out that when setting up the AD B2C, an administrator user was set up for the person that set it up. Their account has an issuer of ExternalAzureAD and their user principal name is pretty much their email as a suffix on the active directory domain. Although this user is "linked" (?) to the original user in our original AD, it has a different password, etc. So also not quite what we are looking for. Ideally this user would sign into the B2C with their actual email and password (the same one used in the non B2C original AD).
I tried to reproduce the same in my environment like below:
To allow the users to login with Azure AD credentials, make sure to register the Azure AD B2C application by selecting Accounts in any organizational directory (Any Azure AD directory - Multitenant)
To sign-in to the Azure AD B2C application, try using below authorize and token endpoints accordingly:
Note that, organizations endpoint will allow tenant-level login.
I created an Azure AD user like below:
When I tried to login to the Azure AD B2C Application through Azure AD user credentials, I am able to login successfully.
And the decoded access token contains Azure AD user information like below:
Related
I'm writing an app that authenticates with Azure B2C.
For each user that I want to authenticate, do I need to add them as a guest user in my B2C portal?
Or is there a setting that will allow my app to authenticate anyone, without having to add them as a guest user in the portal?
Adding them as guests won't allow them to authenticate.
Please see the Overview of user accounts in Azure Active Directory B2C.
Consumer account can be used for B2C authentication. But Guest account is different from Consumer account.
You can sign up external users to B2C to enable them to log in. This is exactly what B2C should do.
If you don't want to sign them up to B2C as the local account, you can Add an identity provider to your Azure Active Directory B2C tenant.
Select the corresponding idp, for example, if your external user is AAD user, you need to Set up sign-in for a specific Azure Active Directory organization; if your external user is Google account, you should Set up sign-up and sign-in with a Google account.
After you configure this, there will be additional sign-in button for those idps. You can sign in your external user directly without sign-up.
Just to amplify #AllenWu:
If you create a guest user on B2C, you are creating an admin. user of that portal.
You are not creating a user.
B2C can handle millions of customers so you don't want any help desk involvement.
So B2C has user self-service registration, self-service password reset etc.
Once they have done that, the user can sign in.
I'm trying to use Azure B2C to authenticate my web app.
I've set it up as multi-tenant - but when someone tries to log in from their work account (johnsmith#anothercompany.com) then the login shows this error:
AADSTS50020: User account 'johnsmith#anothercompany.com' from identity provider 'https://sts.windows.net/xxxx/' does not exist in tenant 'MyTenant' and cannot access the application 'yyy'(My Tool) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
... if I add johnsmith#anothercompany.com as a guest user in my B2C Tenant, then this works - John can log in.
Is there a way to enable my application to not require me to add "guest accounts", and just authenticate against any AAD tenant? (leaving authorization up to my app)
You should configure multi-tenant based on this document: Set up sign-in for multi-tenant Azure Active Directory using custom policies in Azure Active Directory B2C
You can set multiple AAD as identity providers by following this part.
<Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000,https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111</Item>
This allows you directly to sign in with the account of tenant 00000000-0000-0000-0000-000000000000 and 11111111-1111-1111-1111-111111111111.
I have followed this tutorial I want to use this in my signup user flow.
I created OpenID Connect Identity Provider pointing to the app created in the Azure B2C, and I also created another one pointing to the app created in my normal Azure tenant, and in both cases, when I log in I get the error:
AADSTS50020: User account '{<!-- -->{ACCOUNT}}' from identity provider 'https://sts.windows.net/{<;!-- -->{TENANT_ID}}/' does not exist in tenant 'ADefWebserver' and cannot access the application '{<!-- -->{my Azure B2C Tenant id}}'(Blazor Simple Survey AAD) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
Is there documentation that tells what you are supposed to do to fully make this work?
Azure Active Directory (Azure AD) business-to-business (B2B) collaboration is a feature within External Identities that lets you invite guest users to collaborate with your organization.
You can add your user account to your tenant 'ADefWebserver' based on the following document.Please follow this document.
Based on this question, I need to implement a user flow that enables users to sign up to my Azure AD and then sign in to the Azure Portal to manage everything.
So far I added a user flow with which one can create an account with email, user name and other attributes. While they can use the credential to login to my web app, I'm not sure how do they login to the portal.
It looks like:
Azure AD tenant domain: foo.net
Email of the user: brah#hoge.com
User name: brah
Display name: fuga
Password: piyo
When going to https://portal.azure.com/ and input brah#foo.net in "email", the dialog prompts to input the password. However piyo is declined and he cannot login to the portal.
Also, even he signs in to the portal by using brah#hoge.com (his own azure account), he cannot switch the directory to foo.net.
Besides manually creating a user in Azure AD Blade in the portal, how do I let them to create their account to login to the directory?
To access the Azure portal for managing subscriptions and resources that are linked to an Azure AD tenant, then users must be added as members or guests to this Azure AD tenant.
Users can't be added as consumers to the Azure AD tenant.
You might want to consider either inviting the external users as guests to your Azure AD tenant or providing an online service for the external users to be added as guests to your Azure AD tenant.
I created an Azure AD B2C tenant, added applications to it and configured Postman according to this article:
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/azure-ad-b2c-webapi?view=aspnetcore-2.2
My problem is I can't log in with user accounts which I added to my tenant.
I created two users the user type of them is member ansd source is Azure Active Directory.
But when I try to log in I get back the following error message:
"Invalid username or password."
What should I set up yet?
The users created through the portal cannot be used by Azure AD B2C. Azure AD B2C uses the 'signin names' property of the user to sign in. The users created through the portal can be used for sign in using AAD (enterprise scenario).
As Chris mentioned, one needs to use a Signup policy or Azure AD Graph flow to create a user for b2c to be able to sign in.
Please see this answer
Adding users to Azure B2C without using a sign-up policy