I have a AD B2C multi tenant application
I have custom policy which have filtering on my tenant (Microsoft article)
Now on this tenant I invite new users from other tenants (I got "userEmail_contoso.com#EXT##mytenant.onmicrosoft.com)
Why I can't to sign in with external user? It's possible to filtering the tenant but allow external users from same tenant to sign in?
2.
3.
Please see METADATA in the document you shared:
<Item Key="METADATA">https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration</Item>
We can see that it is using common endpoint. common endpoint means users with both a personal Microsoft account and a work or school account from Azure AD can sign in to the application. See reference here.
So although the personal Microsoft account is added into your tenant as a guest user now, it is treated as a personal account when it meets common endpoint. As a result, it is blocked from logging in.
In short, B2C multi-tenancy does not support guest user login.
In order to sign in as a guest user from your tenant, you should look into Set up sign-in for a specific Azure Active Directory organization in Azure Active Directory B2C. You can see that the METADATA is https://login.microsoftonline.com/tenant-name.onmicrosoft.com/v2.0/.well-known/openid-configuration in this document, which should treat your account as guest user.
Related
I'm writing an app that authenticates with Azure B2C.
For each user that I want to authenticate, do I need to add them as a guest user in my B2C portal?
Or is there a setting that will allow my app to authenticate anyone, without having to add them as a guest user in the portal?
Adding them as guests won't allow them to authenticate.
Please see the Overview of user accounts in Azure Active Directory B2C.
Consumer account can be used for B2C authentication. But Guest account is different from Consumer account.
You can sign up external users to B2C to enable them to log in. This is exactly what B2C should do.
If you don't want to sign them up to B2C as the local account, you can Add an identity provider to your Azure Active Directory B2C tenant.
Select the corresponding idp, for example, if your external user is AAD user, you need to Set up sign-in for a specific Azure Active Directory organization; if your external user is Google account, you should Set up sign-up and sign-in with a Google account.
After you configure this, there will be additional sign-in button for those idps. You can sign in your external user directly without sign-up.
Just to amplify #AllenWu:
If you create a guest user on B2C, you are creating an admin. user of that portal.
You are not creating a user.
B2C can handle millions of customers so you don't want any help desk involvement.
So B2C has user self-service registration, self-service password reset etc.
Once they have done that, the user can sign in.
I have a requirement where we want the users to use their social accounts to login into our application (i.e. get an ID Token) through Azure B2C. I configured the Identity Provider and create a user flow for Sign in only. We don't want Users to Sign Up because that through Invitation only. When I use the "Invite User" to the live.com account and the user accepts the invitation and tries to login into the application, I get the below error.
AADB2C99002 User does not exist. Please sign up before you can sign in.
But the user is existing as a Guest User.
When I allow Sign up and the user actually does the Sign-up and then login in, it works.
Questions:
Why isn't the Guest User allowed to access the application? What needs to be done for the same to work?
If it's not possible, I don't want the user to be a "member" to avoid maintaining their credentials. I want the users to use their social accounts only.
As I don't have the requirement of self sign-up and the only invitation-based, how do I achieve my requirement?
Thanks,
Neel
Please see the Overview of user accounts in Azure Active Directory B2C.
Guest account - A guest account can only be a Microsoft account or an Azure Active Directory user that can be used to access applications
or manage tenants.
Consumer account - A consumer account is used by a user of the applications you've registered with Azure AD B2C. Consumer accounts
can be created by:
The user going through a sign-up user flow in an Azure AD B2C application
Using Microsoft Graph API
Using the Azure portal
Guest account is specifically distinguished from Consumer account. So Guest user can't sign into B2C application directly.
Your three questions are actually the same question: How to log in a social account without managing its credentials?
Please refer to Add an identity provider to your Azure Active Directory B2C tenant.
In order to let live.com account sign in, you need to Set up sign-in with a Microsoft account using Azure Active Directory B2C. Choose the policy type (User flow or Custom policy) you want to find the corresponding steps.
If you need your customers from other social idps such as Facebook, Google and so on, you can find the corresponding article on the left.
I have set up an Azure B2C tenant using this tutorial.
This creates a new AD for B2C that is separate to our company AAD (If I try to add B2C on the companys' main Azure AD, it states it is 'not a B2C tenancy', so I went with the tutorial and created a new B2C Tenancy).
When I (the creator of the B2C tenant) log in, I can access the company AAD and the B2C Tenant (details obfuscated). My standard Office365 shows both.
However, other developers in the team can't see the B2C Tenant.
I want them to be able to access it via their Office365 credentials.
Looking online, I found this and this, but they both seem to be about logging people from your company AAD into your app, rather than inviting other devs as administrators. I tried the former to get a developers records in the User table, but after giving them rights, they still cannot see the B2C Tenant.
I then tried to Add A Connected Organisation, but I still can't access people from the main tenant to give them access.
The Invite users from the Portal doesn't seem to offer the choice of a Microsoft Login. If I try 'Create User', the domain doesn't show and 'Invite User' seems to make them Guests with non-work logins.
I don't want to set the devs up with 'non-work' logins, as that seems a bit messy.
How do I add other developers from the company AAD to my B2C Tenant using their work credentials (Office365/Azure AD) so they too can also administer the application?
You Need to choose the Guest User and choose Invite User and after providing the User information assign the role as Application administrator or Global Administarator. Once you invite the user will recive a invitation to access the B2C tenant. They can Access the B2C Tenant with there own credentials.
Is it possible to configure single sign on to work with for both AzureB2C and B2B tenant?
I know it can be configured for AzureAD B2C and definitely it works for AzureB2B.
Is there a way a user in my B2C tenant perform single sign on also to application in my B2B tenant?
If you are wanted your user to sign in on both B2B and B2C tenant with same email Yes you can do it.
As you know how to configure it on B2C tenant
Azure B2B allows one organization to invite members from other
organizations to share application access. It’s only one of its
service features. You may know more about B2B user here
Now in your case you can add your user B2C user here in B2B tenant or vice-versa. There is an option on azure portal New Guest User both on B2C and b2B tenant. You can easily add them up.
See the screen shot below:
Once they received invitation they would able to access the resource what they are assigning to.
User Invitation Using MS Graph
You can also do the same operation using Microsoft Graph API
You even can create a Custom user flow for newly added user. For more outline you could check here
Points To Remember For B2B
Before configuring user invitation be care about below notes!
Note: If you still have any confusion about work around for B2B and
B2C you could also refer this document
Recently I am starting to get an error when trying to invite a guest user to my Azure AD B2C tenant, for only user from a specific domain. The reason i'm inviting is to share the administration process with the specified user.
The error i'm getting is: User account is disabled
So far what I've tried:
Using the Users > New guest user" UI in Azure AD blade.
Using the "Organizational relationships > New guest user" UI in Azure AD blade.
Using the Users > New guest user" UI in Azure AD B2C blade.
Using graph api invitations endpoints.
Observation: Only happen for user from specific domain (External Azure D) but works for those with Microsoft account.
Just for everyone's benefit here I'm posting the answer after consulting with Microsoft support.
There are 2 possible issues that might cause you unable to invite the Guest user to the Azure AD:
Users are not properly deleted. When you search for the user email, it might not be visible in the UI, but still unable to invite. It's partly because the UI has some limited search capabilities (exact/startswith email or name only).
Solution: You can use graph api to query for the user. You should definitely try to look for the user based on the OtherMails field.
User you're trying to invite is from an Azure AD tenant that is also one of identity provider trusted in your Azure AD B2C. This is the cause of the issue with my implementation that I found.
When the user use their Azure AD credential logging in for the 1st time to my application (Azure AD B2C), a "social account" is created automatically in the Azure AD B2C. This account is created with the UserPrincipalName in the format of cpim_guid#yourtenant.onmicrosoft.com, and AccountEnabled false (disabled). Their Azure AD email will be in the OtherMails property. This is why you can't find the user by their email in the UI, and you have to know the exact name they use in their Azure AD in order to find them.
Solution: If you can find in the UI, typically their MemberType is Member Source is External Azure AD, you can just delete the user. If not, use graph api to query for their email in OtherMails property. Then immediately invite the user as guest. They should have no problem logging in to the B2C application again as the social account will be created automatically.
Note: Ensure that you don't use Azure AD B2C policies that adds additional attributes to the user logging in using social account. If yes, you'd need some other strategy for deleting the user, inviting as guest, recreating the social account, and restoring back the additional attributes.