I am attempting to access a B2C tenant; however, my phone had a meltdown a few months ago and I lost the MS Authenticator account. How can I reset the tenant to enable MFA access again?
If you have a REST API service configured with admin privileges, generate a new admin account to create a backdoor to log in to your tenant.
Most B2C tenants are created with a corp account (O365); contact your IT to reset your phone MFA options. This is only applicable if the MFA is being applied from the resource tenant and not the B2C tenant.
If you used a personal Microsoft Account and the MFA is applied to this account, contact Microsoft support: https://answers.microsoft.com/en-us/xbox/forum/all/account-recovery-lost-pw-and-mfa/558766e2-b8a9-48aa-b0af-af9016972ed0
I'm trying to use Azure B2C to authenticate my web app.
I've set it up as multi-tenant, but when someone tries to log in from their work account (johnsmith#anothercompany.com), the login shows this error:
AADSTS50020: User account 'johnsmith#anothercompany.com' from identity provider 'https://sts.windows.net/xxxx/' does not exist in tenant 'MyTenant' and cannot access the application 'yyy'(My Tool) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
... if I add johnsmith#anothercompany.com as a guest user in my B2C tenant, then this works: John can log in.
Is there a way to enable my application to not require me to add "guest accounts", and just authenticate against any AAD tenant (leaving authorization up to my app)?
You should configure multi-tenant based on this document: Set up sign-in for multi-tenant Azure Active Directory using custom policies in Azure Active Directory B2C
You can set multiple AAD as identity providers by following this part.
<Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000,https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111</Item>
This allows users from tenants 00000000-0000-0000-0000-000000000000 and 11111111-1111-1111-1111-111111111111 to sign in directly.
I have an AD B2C multi-tenant application.
I have a custom policy which filters on my tenant (Microsoft article).
Now on this tenant I invite new users from other tenants (I got "userEmail_contoso.com#EXT##mytenant.onmicrosoft.com").
Why can't I sign in with an external user? Is it possible to filter on the tenant but allow external users from the same tenant to sign in?
Please see METADATA in the document you shared:
<Item Key="METADATA">https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration</Item>
We can see that it is using the common endpoint. The common endpoint means users with either a personal Microsoft account or a work or school account from Azure AD can sign in to the application. See reference here.
So although the personal Microsoft account has been added to your tenant as a guest user, it is treated as a personal account when it hits the common endpoint. As a result, it is blocked from logging in.
In short, B2C multi-tenancy does not support guest user login.
In order to sign in as a guest user from your tenant, you should look into Set up sign-in for a specific Azure Active Directory organization in Azure Active Directory B2C. You can see that the METADATA in that document is https://login.microsoftonline.com/tenant-name.onmicrosoft.com/v2.0/.well-known/openid-configuration, which should treat your account as a guest user.
Can an invited guest user in Azure AD B2C sign in using this Azure AD B2C and access a registered application?
What is the password in this case?
Invited guests are for admin purposes, i.e. administering the B2C tenant.
Typically they would be, e.g., in another Azure tenant and hence would use the password from that tenant.
Only local users, i.e. users created via B2C SUSI policies, can access applications.
The sample web application is using Azure AD B2C for identity and authentication. Azure AD B2C has been configured with Microsoft as an identity provider. Azure AD B2C will log in a user with a personal Microsoft account, but not an Office 365 account with a custom domain name. This is also the email address for the Azure admin, and is even the only user under Home > Azure AD B2C > Users - All users. The email address was under Users by default when the Azure AD B2C resource was created.
Why can't this email address be used to login?
To answer your first question, why O365 users can't log in: it's because configuring "Microsoft authentication" only allows personal MS accounts.
To allow O365, you'd need to configure B2C to allow login via Azure AD.
As for why your admin user can't log in, it's because there are different types of users in B2C.
Your admin is not a B2C user, and thus cannot log in as a local user.
It's confusing since the Users tab shows them all together :/
I added to my Azure AD B2C an option to log in via an external provider, Azure AD from my other tenant. Now I try to sign in with the following accounts:
What is extremely strange is that I can sign in with the external account, but with a 'normal' account I get:
User account 'rmaziarka#radekmaziarka.onmicrosoft.com' from identity provider 'https://sts.windows.net/****/' does not exist in tenant 'Guests users' and cannot access the application '2e7e5a25-1755-43f6-be9b-76203b654abe'(Auth0) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
Why is that? Why can I sign in with the invited one, but not with a normal user? I have a tenant with 400 employees. Should I create another tenant and invite all users there?
If you add tenant A as an external provider, the users from tenant A will be able to log in. The users from your B2C tenant are recognized as local users, so you need to add Local Account to the identity providers.
Log in your external AD users with the social account and your B2C tenant users with the local account.