I'm developing system where any user can login through Microsoft Azure SSO.
I have done following
Create B2C tenant (Initially tried B2B)
Create enterprise application
Set "AzureADandPersonalMicrosoftAccount" for "signInAudience"
Setup SSO with SAML using "https://simplesamlphp.org/"
Now everything is working fine for my account. But if I trying with other personal user (which I haven't added as guest user in my tenant), then it returns error
User account 'user#domain.com' from identity provider 'live.com' does not exist in tenant 'xxxx'
and cannot access the application in that tenant.
The account needs to be added as an external user in the tenant first.
Sign out and sign in again with a different Azure Active Directory user account.
I want any personal Microsoft user can login through SSO (without adding it as guest user in tenant).
Thanks in advance!
I tried to reproduce the same in my environment and got the below results:
Please note that, if you are creating Enterprise Application in Azure AD b2c Tenant it will be authenticated via Azure Active Directory only not Azure AD b2c.
When I tried to login through Personal Account, I got the same error as below:
As Enterprise Applications authenticate via Azure AD, it is not
possible to authenticate users with personal Microsoft accounts
without adding them as Guest Users.
The only approach is that you add them as Guest users and login to SAML SSO without invitation.
Go to Azure Portal -> External Identities -> External collaboration settings -> Enable guest self-service sign up via user flows
On the left blade, Click on User flows -> New User Flow,
Once the user flow gets created successfully, click on the user flow, select applications and add your application like below:
And try signing to your application with Microsoft Personal Account.
Related
We have an existing Azure subscription where we run our processing infrastructure. We are setting up a new app to run in the same space, but with a Azure Active Directory B2C. We have the setup working and can create new customer users that can sign in.
We have been unable to determine how to have our own users in the existing company subscription sign in to the new app (powered by the AD B2C) with the same user/email/password.
We think the answer lies somewhere between single sign on and proxy user principal names?
We should also point out that when setting up the AD B2C, an administrator user was set up for the person that set it up. Their account has an issuer of ExternalAzureAD and their user principal name is pretty much their email as a suffix on the active directory domain. Although this user is "linked" (?) to the original user in our original AD, it has a different password, etc. So also not quite what we are looking for. Ideally this user would sign into the B2C with their actual email and password (the same one used in the non B2C original AD).
I tried to reproduce the same in my environment like below:
To allow the users to login with Azure AD credentials, make sure to register the Azure AD B2C application by selecting Accounts in any organizational directory (Any Azure AD directory - Multitenant)
To sign-in to the Azure AD B2C application, try using below authorize and token endpoints accordingly:
Note that, organizations endpoint will allow tenant-level login.
I created an Azure AD user like below:
When I tried to login to the Azure AD B2C Application through Azure AD user credentials, I am able to login successfully.
And the decoded access token contains Azure AD user information like below:
I am trying to setup Azure AD integration with our partner identities. I have few providers that I need to support and they support SAML and WS-Fed. I am trying to use Azure AD External Identities to add these providers to my Azure AD tenant.
However, reading through this article, it seems like SAML integrations are invitation based.
I want users to be able to login without an invitation. How can I do this with Azure AD?
Here are my needs:
After adding the external idp, users should be able to login using their own credentails via their idp. No additional information needed to use an app.
I should be able to grant them access to custom apps (mandatory) and azure resources (optional)
Choose what idp's are allowed per app? (if possible)
Thanks in advance.
Question 1: After adding the external idp, users should be able to login using their own credentials via their idp. No additional information needed to use an app.
Answer:
We can implement Guest users redemption using direct link or a common endpoint instead of email invitation. A guest user clicks the app link, reviews and accepts the privacy terms, and then seamlessly accesses the app.
Using Common endpoint : Guest users can now sign in to your multi-tenant or Microsoft first-party apps through a common endpoint (URL), for example https://myapps.microsoft.com. Previously, a common URL would redirect a guest user to their home tenant instead of your resource tenant for authentication, so a tenant-specific link was required (for example https://myapps.microsoft.com/?tenantid=). Now the guest user can go to the application's common URL, choose Sign-in options, and then select Sign in to an organization. The user then types the name of your organization.
Using Direct Link: As an alternative to the invitation email or an application's common URL, you can give a guest a direct link to your app or portal. You first need to add the guest user to your directory via the Azure Portal or Powershell Then you can use any of the customizable ways to deploy applications to users, including direct sign-on links. When a guest uses a direct link instead of the invitation email, they’ll still be guided through the first-time consent experience.
Reference:
Add B2B guests without an invitation link or email - Azure AD
Invitation redemption in B2B collaboration - Azure AD
Question 2 : I should be able to grant them access to custom apps (mandatory) and azure resources (optional)
Answer: Add the Users as Guest to Azure active Directory but by default they will be sent an invitation even if they don’t open it you can assign an app in your enterprise application for them to use .
Most federated applications that support SAML 2.0, WS-Federation, or OpenID connect also support the ability for users to start at the application, and then get signed in through Azure AD either by automatic redirection or by clicking on a link to sign in. This is known as service provider-initiated sign-on, and most federated applications in the Azure AD application gallery
Reference:
End-user experiences for applications - Azure Active Directory
Quickstart: Add guest users in the Azure portal - Azure AD
To Provide the Guest user access to azure resources you can manually add a role to the users.
Question 3: Choose what idp's are allowed per app?
Answer: Create different user flows and add desired IDPs to the user flows and then assign applications registered in Azure AD to the user flows depending on which IDPs are needed for given application.
Reference:
Add a self-service sign-up user flow - Azure AD
Question 4: I added Okta as an External Identity using SAML in my Azure AD. Created an "App Registration" as multi-tenant. But I am getting this error.
AADSTS50020: User account 'xxx' from identity provider 'http://www.okta.com/xxxxx' does not exist in tenant '' and cannot access the application '0000000c-0000-0000-c000-000000000000'(Microsoft App Access Panel) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
Solution: Please Ensure User is added to one of the Partner Admin Groups i.e. AdminAgents in the Partner tenant.
Reference:
Manage Auth access for cloud solution providers.
Question 5: Steps for setting self service signup for an application.
Test Scenario in my Lab
Azure AD with an application registered in application registrations blade.
Another AD tenant with users.
Step 1: In the above external identities collaboration settings please make sure to have enable guest user self service enabled.
If it is not enabled then you can’t create a self service flow and you will get the below error when a user from other tenant is trying to access the app.
Step 2: Create a user flow by going to the user flow blade and creating a new flow.
Step 3: After you have created the user flow , click on the User flow and go to application blade and click add application.
Now search for the application you want to provide the self service signup to and click on select and you will have now enable the self service sign up for users when they try to access your application.
Output:
Once the above settings are done you can access the url to your app. Provide the user of the different ad tenant and you will get output as below .Click on create a new one .
Once the user from other AD tenant have accepted it they are successfully registered as guest users in your tenant.
If they accept the above then they will be able to access the app from now as a guest.
I'm writing an app that authenticates with Azure B2C.
For each user that I want to authenticate, do I need to add them as a guest user in my B2C portal?
Or is there a setting that will allow my app to authenticate anyone, without having to add them as a guest user in the portal?
Adding them as guests won't allow them to authenticate.
Please see the Overview of user accounts in Azure Active Directory B2C.
Consumer account can be used for B2C authentication. But Guest account is different from Consumer account.
You can sign up external users to B2C to enable them to log in. This is exactly what B2C should do.
If you don't want to sign them up to B2C as the local account, you can Add an identity provider to your Azure Active Directory B2C tenant.
Select the corresponding idp, for example, if your external user is AAD user, you need to Set up sign-in for a specific Azure Active Directory organization; if your external user is Google account, you should Set up sign-up and sign-in with a Google account.
After you configure this, there will be additional sign-in button for those idps. You can sign in your external user directly without sign-up.
Just to amplify #AllenWu:
If you create a guest user on B2C, you are creating an admin. user of that portal.
You are not creating a user.
B2C can handle millions of customers so you don't want any help desk involvement.
So B2C has user self-service registration, self-service password reset etc.
Once they have done that, the user can sign in.
I'm trying to use Azure B2C to authenticate my web app.
I've set it up as multi-tenant - but when someone tries to log in from their work account (johnsmith#anothercompany.com) then the login shows this error:
AADSTS50020: User account 'johnsmith#anothercompany.com' from identity provider 'https://sts.windows.net/xxxx/' does not exist in tenant 'MyTenant' and cannot access the application 'yyy'(My Tool) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
... if I add johnsmith#anothercompany.com as a guest user in my B2C Tenant, then this works - John can log in.
Is there a way to enable my application to not require me to add "guest accounts", and just authenticate against any AAD tenant? (leaving authorization up to my app)
You should configure multi-tenant based on this document: Set up sign-in for multi-tenant Azure Active Directory using custom policies in Azure Active Directory B2C
You can set multiple AAD as identity providers by following this part.
<Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000,https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111</Item>
This allows you directly to sign in with the account of tenant 00000000-0000-0000-0000-000000000000 and 11111111-1111-1111-1111-111111111111.
I have a requirement where we want the users to use their social accounts to login into our application (i.e. get an ID Token) through Azure B2C. I configured the Identity Provider and create a user flow for Sign in only. We don't want Users to Sign Up because that through Invitation only. When I use the "Invite User" to the live.com account and the user accepts the invitation and tries to login into the application, I get the below error.
AADB2C99002 User does not exist. Please sign up before you can sign in.
But the user is existing as a Guest User.
When I allow Sign up and the user actually does the Sign-up and then login in, it works.
Questions:
Why isn't the Guest User allowed to access the application? What needs to be done for the same to work?
If it's not possible, I don't want the user to be a "member" to avoid maintaining their credentials. I want the users to use their social accounts only.
As I don't have the requirement of self sign-up and the only invitation-based, how do I achieve my requirement?
Thanks,
Neel
Please see the Overview of user accounts in Azure Active Directory B2C.
Guest account - A guest account can only be a Microsoft account or an Azure Active Directory user that can be used to access applications
or manage tenants.
Consumer account - A consumer account is used by a user of the applications you've registered with Azure AD B2C. Consumer accounts
can be created by:
The user going through a sign-up user flow in an Azure AD B2C application
Using Microsoft Graph API
Using the Azure portal
Guest account is specifically distinguished from Consumer account. So Guest user can't sign into B2C application directly.
Your three questions are actually the same question: How to log in a social account without managing its credentials?
Please refer to Add an identity provider to your Azure Active Directory B2C tenant.
In order to let live.com account sign in, you need to Set up sign-in with a Microsoft account using Azure Active Directory B2C. Choose the policy type (User flow or Custom policy) you want to find the corresponding steps.
If you need your customers from other social idps such as Facebook, Google and so on, you can find the corresponding article on the left.