I want to invite users to my page, but I want them to be able to login with SSO (when invited as guests), or to login with an email and password.
Is there a way to find out programmatically, if I should invite the user as a guest user, or create it as a B2C user who would get an email from where he would go to the password setup/reset "flow"?
I guess I need to check if the email provided is a Microsoft or Azure AD account, or not?
Is something like that possible and if yes, how exactly?
Thanks a lot!
Related
I'm writing an app that authenticates with Azure B2C.
For each user that I want to authenticate, do I need to add them as a guest user in my B2C portal?
Or is there a setting that will allow my app to authenticate anyone, without having to add them as a guest user in the portal?
Adding them as guests won't allow them to authenticate.
Please see the Overview of user accounts in Azure Active Directory B2C.
Consumer account can be used for B2C authentication. But Guest account is different from Consumer account.
You can sign up external users to B2C to enable them to log in. This is exactly what B2C should do.
If you don't want to sign them up to B2C as the local account, you can Add an identity provider to your Azure Active Directory B2C tenant.
Select the corresponding idp, for example, if your external user is AAD user, you need to Set up sign-in for a specific Azure Active Directory organization; if your external user is Google account, you should Set up sign-up and sign-in with a Google account.
After you configure this, there will be additional sign-in button for those idps. You can sign in your external user directly without sign-up.
Just to amplify #AllenWu:
If you create a guest user on B2C, you are creating an admin. user of that portal.
You are not creating a user.
B2C can handle millions of customers so you don't want any help desk involvement.
So B2C has user self-service registration, self-service password reset etc.
Once they have done that, the user can sign in.
I have a requirement where we want the users to use their social accounts to login into our application (i.e. get an ID Token) through Azure B2C. I configured the Identity Provider and create a user flow for Sign in only. We don't want Users to Sign Up because that through Invitation only. When I use the "Invite User" to the live.com account and the user accepts the invitation and tries to login into the application, I get the below error.
AADB2C99002 User does not exist. Please sign up before you can sign in.
But the user is existing as a Guest User.
When I allow Sign up and the user actually does the Sign-up and then login in, it works.
Questions:
Why isn't the Guest User allowed to access the application? What needs to be done for the same to work?
If it's not possible, I don't want the user to be a "member" to avoid maintaining their credentials. I want the users to use their social accounts only.
As I don't have the requirement of self sign-up and the only invitation-based, how do I achieve my requirement?
Thanks,
Neel
Please see the Overview of user accounts in Azure Active Directory B2C.
Guest account - A guest account can only be a Microsoft account or an Azure Active Directory user that can be used to access applications
or manage tenants.
Consumer account - A consumer account is used by a user of the applications you've registered with Azure AD B2C. Consumer accounts
can be created by:
The user going through a sign-up user flow in an Azure AD B2C application
Using Microsoft Graph API
Using the Azure portal
Guest account is specifically distinguished from Consumer account. So Guest user can't sign into B2C application directly.
Your three questions are actually the same question: How to log in a social account without managing its credentials?
Please refer to Add an identity provider to your Azure Active Directory B2C tenant.
In order to let live.com account sign in, you need to Set up sign-in with a Microsoft account using Azure Active Directory B2C. Choose the policy type (User flow or Custom policy) you want to find the corresponding steps.
If you need your customers from other social idps such as Facebook, Google and so on, you can find the corresponding article on the left.
I am looking for powershell script to create local account users in b2c along with authentication method as email for SSPR. Could some one please advise?
That is not how AAD B2C works (although AAD does). In AAD B2C, the User Flow, or User Journey (Custom Policy), dictate what and how the user will reset the password. The default payload to create a B2C user is sufficient for a user to be compatible with a journey that forces the user to validate their email for password reset.
This is because such a journey simply reads their sign in email address and enforces they verify it.
https://learn.microsoft.com/en-us/graph/api/user-post-users?view=graph-rest-1.0&tabs=http#example-2-create-a-user-with-social-and-local-account-identities
We have a scenario where we need to integrate Azure B2C with one of our existing system, where the email is not a mandatory user field, we have only the mobile number of the user as a mandatory field. I am looking for ways to integrate azure B2C where i can give a username and an initial password for the first time, instead of email. And all the password reset scenarios will have to go through OTP or email, where it will be a users choice to give email to reset the password.
We are able to create the user through Graph API initially, but
stuck with creating a user-flow where it will ask the username and password instead of email and password.
You can choose Username as local account types when configuring identity providers for Azure AD B2C in the Azure portal. In your Azure AD B2C tenant, select Identity providers, select Local account, and then select Username.
Then you need to select Local Account again in your user flow.
I have created an Azure app. After granted by user(once in lifetime
), it fetches the users outlook mailbox data with help of accessToken. The Microsoft account is part of my org which uses SSO. So, if i am pre logged in via SSO in browser, how can I get rid of the un-neccesary login screen, which comes pre-populated with my email id, and I only have to click to choose the user account.
How could i remove that login screen from this flow?
You can specify login_hint=user#domain.com with the username in the authorization URL to tell AAD which account the user could use. If they are already signed-in, it won't prompt the user to select the account.