With Multi-Factor Authentication enabled Azure portal, it requires users to approve every login in users’ Authenticator App.
When I changed my phone, Authenticator app must be migrated to my new phone. I used Back and Recover function of Authenticator app. I backed up and recovered account details to new phone. As work or school accounts, the migration process requires Additional Security Verification, which requires to rescan all QR codes of all accounts in Authenticator app. I have rescanned all QR codes of work or school accounts that I created.
Now my issue for this migration is Azure AD B2C account. It was created by Azure when I created Azure AD B2C directory. The name of the account in Authenticator app is admin_mydomain.com#EXT##mydomain.onmicrosoft.com. It is not a work or school account. From the name, it may relate to my Azure login account (admin#mydomain.com a work or school account). I have spent many hours for it. But I still don’t know where this special account details stored. So I can’t get the QR code of the account for Authenticator app. I can’t finish my Authenticator app migration.
This account authentication is required when I switch from Azure primary directory to Azure AD B2C directory in Azure portal.
Please help me with this issue. Thanks.
[UPDATE] I just realized that what worked for me, ist the the solution Alfredo R already posted! So I can confirm that this works.
While I'm still struggeling to revalidate my [username]#[custom-domain].onmicrosoft.com account, I think I found a solution for the AAD B2C problem:
Login to https://myaccount.microsoft.com/
Main menu "Securityinformation" will show you registered devices for your current organization
Main menu "Organizations": You should at least see the other organization of the B2C tenant
In the top right menu, click your avatar, and switch organizations, and swtich to the B2C tenant
The UI should be the same, but now your're logged in through the B2C tenant
Go back to "Securityinformation" and add your new device
I was lucky that my old device is still working, so I could switch easily organizations. If you can't switch because of MFA and no access to your old device, I think you still need to disable MFA in the B2C tenant as described the other solution and then turn it back on?
But I think thats the way to get the QR code for a B2C tenant, login to your account and switch to the B2C tenant by switching organizations.
admin_mydomain.com#EXT##mydomain.onmicrosoft.com is the UPN (user principal name) for the user hosted in the Azure B2C tenant for your work account admin#mydomain.com. Scan QR as with others but switching first to the B2C tenant.
There are a few steps need to fix this issue.
Need a global admin account of Azure AD B2C active directory. But You can’t use the one that you are going to migrate. Please create one if there is no other global admin account available.
Go to Azure Active Directory of Azure AD B2C directory. Please click on the Properties in the left main menu. Then go to the bottom of the Properties page. Click on the link: Manage security defaults. Disable security defaults and save on the popup window.
Run local PowerShell as local admin. Run following cmdlet to connect to Azure AD B2C active directory.
PS C:\WINDOWS\system32> Connect-MsolService
MAF login will ask for user name and password. Please use the credential of the global
admin account mentioned above. If there is no error appear, run the following cmdlet:
PS C:\WINDOWS\system32> Set-MsolUser -UserPrincipalName
admin_mydomain.com#EXT##mydomain.onmicrosoft.com -StrongAuthenticationMethods #()
Go back to Azure Active Directory of Azure AD B2C tenant > Properties of the left main menu > the bottom of the Properties page > click the link: Manage security defaults. Enable security defaults and save.
Login to Azure portal with admin#mydomain.com, then switch to Azure AD B2C directory. You will see a popup security setting wizard. That is same wizard as we first set up the directory. Please follow the wizard. You will see the QR code for admin_mydomain.com#EXT##mydomain.onmicrosoft.com. You can scan the QR code to finish the MS Authenticator migration.
Related
We deleted an "unused" user in our Azure AD. Deleting both the MS account as well as removing him from the AD. Now, a few days into the 60 day deletion process (of the MS account) we realize he might have been the creator of an AD application that we can now no longer find anywhere. My guess it is was a "private" application? But somehow still in AD? Not sure exactly.
We reopened the MS account and created the user again in the AD (as a global admin), but the application is no-where to be found. If we try to access the application via a direct link we have lying around, we see a 403 No Access page, and an error notification in the notification center that suggests there's a permission issue but the user is a global admin again:
Additional information from the call to get a token: Extension:
Microsoft_AAD_IAM Resource: identity.diagnostics Details: AADSTS50020:
User account '{EmailHidden}' from identity provider 'live.com' does
not exist in tenant 'Default Directory' and cannot access the
application 'xxxxxxxxxxxxx'(ADIbizaUX) in that tenant. The account
needs to be added as an external user in the tenant first. Sign out
and sign in again with a different Azure Active Directory user
account. Trace ID: xxxxxxxx Correlation xxxxxxx Timestamp: 2020-06-25
14:44:18Z
We've also tried logging in with multiple other global admins but no-one can access that page or find the application using the id it has. Is there something to be done maybe using Powershell?
Actually, as I recall, it might have been an application listed for this user under 'App registrations' -> 'Applications from personal account'. But that tab is no longer available after deleting and reopening the user :)
As per the New changes made in the Azure portal app registration
In the new experience, if your personal Microsoft account is also in
an Azure AD tenant, you will see three tabs--all applications in the
tenant, owned applications in the tenant as well as applications from
your personal account. So, if you believe that apps registered with
your personal Microsoft account are missing, check the Applications
from your personal account tab.
When you sign in using personal Microsoft accounts(e.g. Outlook, Live,
Xbox, etc.) with an Azure AD email address, we found out that when you
go to the Azure portal from the old experience, it signs you into a
different account with the same email in your Azure AD tenant. If you
still believe your applications are missing, sign out and sign in with
the right account.
The new app list shows applications that were registered through the
legacy app registrations experience in the Azure portal (apps that
sign in Azure AD accounts only) as well as apps registered though the
Application registration portal (apps that sign in both Azure AD and
personal Microsoft accounts).
If you know the application ID you can restore using Powershell
The error is due to using the v1 endpoint url. You need to use V2 endpoints in order to allow access from personal microsoft accounts.
Use this endpoint: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
Please go through the document
I didn't realize it was possible to restore a deleted Azure AD user (for 30 days). Once I restored the deleted AD user instead of creating the user again, the app appeared again in the user's 'Applications from personal account' under 'App registrations'.
I'd still love to move the app to the Azure AD proper, but from an earlier SO question I was told that's not possible. I guess we'll either keep this old account or create the app again (and have all our users reauthorize).
I recently added an Azure AD B2C tenant to an existing subscription.
Whenever I want to manage that tenant on portal.azure.com, I have to verify my account:
After clicking Next I can only select Mobile app from the dropdown to verify my account. There is no option to verify by phone.
Since this tenant is new, I first have to register it in Microsoft Authenticator by selecting Set up:
This brings up an error message without Correlation ID or timestamp:
There are no Conditional Access policies. In fact, I cannot add any since this tenant does not have Azure AD Premium. Nor does the Azure AD tenant holding the subscription from which this AD B2C tenant was created.
MFA is only required when trying to manage the AD B2C tenant through portal.azure.com, not on other applications, and not when accessing the Azure AD tenant.
Questions:
How can I disable MFA for this AD B2C tenant? And why was it enabled in the first place?
If MFA cannot be disabled, how can I register my device or phone number?
Thx,
The issue is resolved. Not sure if Azure Support took action without notifying, or because of what I did.
Anyway, here are the steps I took:
On portal.azure.com, go to Azure AD > Users > Multi-Factor Authentication.
(It's in the top menu.)
The Multi-Factor Authentication page opens in a new browser window.
Enable MFA for the user account with the issue.
Logon with that account on account.activedirectory.windowsazure.com.
Click your account in the top-right corner to open a dropdown menu and select Profile.
Select 'Additional Security Verification'.
All verification options are available here, including call, text, or use mobile app (Microsoft Authenticator).
Complete the Additional Security Verification and make sure MFA works.
Go back to Azure AD > Users Multi-Factor Authentication, and Disable MFA again.
In our case, MFA was set to Disabled for all users but active anyway, both for local accounts in the AD B2C tenant and External Active Directory accounts.
MFA status of External Active Directory users cannot be changed on the Multi-Factor Authentication page of the AD B2C tenant. This has to be done in the Azure AD page of their respective AD tenant.
The problem is solved, but the cause is undetermined. We do not have an AD Premium subscription and should not have access to the MFA feature at all.
I think your answer #flip is part of the riddle. You're in effect pre-registering your phone number so when forced to setup MFA you're granted the additional TEXT options. We've noticed variations in the AAD join processes where sometimes you're prompted to enter a phone number prior to this step, and sometimes not.
For example if you log on to a device as a local user and join AAD as illustrated you can get both scenarios. I think the same is true for new build as in a previous Test we had to enter a mobile number but I can't recall exactly which scenario.
However, after several more days with Azure support we've managed to isolate root cause if anyone is interested. Turns out MFA IS being enforced through "Security Defaults" (https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults). MS have actually just updated their article TODAY to clarify.
In effect, disabling Security Defaults will stop the enforcement although be wary not to confuse the prompts with Windows Hello setup as we were (we tested by disabling completely via Group Policy). I'm convinced however this wasn't the case a week ago and something's been changed behind the scenes recently.
Bottom line, you're going to have to deploy MFA in some form to join AAD unless you disable Security Defaults. Not great for endpoint migration but at least we know where it's coming from now.
I think we may have partly figured this out. In our instance, disabling MDM User Scope allowed logon without any 'Additional Security Verification' being enforced. We don't have an InTune subscription either but this is under AAD > Mobility (MDM and MAM). It does mean however, devices aren't enrolled so where exactly MDM is picking up this configuration from is the next question. Will be putting this to Azure support when they call us again tomorrow!
Azure AD tenant comes with security default settings. You will have to disable this setting in the active directory.
Active directory > properties > Manage security defaults > toggle to No
this will disable the default MFA setup.
A few days ago, before implementing user management with the Azure Active Directory Graph API (not Microsoft Graph) in our web app for Azure AD B2C users, I was able to log into the Azure Portal, find the Azure Active Directory B2C resource, click on it, and successfully authenticate into it in order to edit policies, view the list of users, etc.
(Clicking the tenant in the screenshot used to work!)
Now when I click on it, the screen flashes about 10 times, attempting to log my user into the tenant. But afterward, the following error is returned:
Furthermore, when I attempt to log into the web app with that same user, I get the following error message:
ERROR: Your account has been locked. Contact your support person to unlock it, then try again.
How do I unlock the account if I can't even get into the Azure AD B2C tenant? Did I corrupt the tenant by using the AAD Graph Client?
UPDATE
I'm adding more information about how I'm using the Azure AD Graph Client, in case it is important to diagnose why I, nor any other admin on my team, can log into the AAD B2C tenant.
I think the most relevant piece of how I'm using the Azure AD Graph Client is the following to update a user's "Organization" extension/custom attribute:
The x's represent the AAD B2C generated identifier associated with the extension and the y's represent a user GUID.
HTTP PATCH to https://graph.windows.net/genlogin.onmicrosoft.com/users/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy?api-version=1.6
Body: {
"extension_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx_Organization":"Microsoft"
}
Is this incorrect use of the graph client? How do I get the AAD B2C tenant back to a state where I can log into it?
UPDATE
Furthermore, I also found the following link which talks about existing issues in AAD B2C management: https://blogs.msdn.microsoft.com/azureadb2c/2016/09/09/known-issue-b2c-app-mgmt/
Does this link apply at all? (My guess is no because it is the tenant itself that seems to be in a weird state, not the application associated with the tenant)
Due to the screen flashes about 10 times .It seems that you tried to login the Azure too many times within a short time. Azure login server has its own policy to prevent this kind of uncommon login event.
Try to use another admin account to login the b2c Tenant and reset your account password. If you don't have , call other admins to help you.
Otherwise, you need to wait and try to login later.
Additional, your client broswer may come across some issue which causes this event. You'd better check the evironment for your work.
We are a teeny tiny startup. We were in Bizspark, which has now expired, but we all still have our MSDN accounts at the free level. I have commented our product code, run JsDoc3 on it to generate a documentation website. I put up a free level Web App on Azure. Works fine unauthenticated. I figured I'd throw together a small AD for the few of us in there with our Microsoft accounts, set the authentication of the app to the AD and pow, good to go. It would ask us to log in with our Microsoft accounts and all would be fine. Only we would be able to see the site with our internal code documentation. Seemed to work for me since I created everything. But everyone else I put into the AD can't authenticate. We get this error:
"AADSTS50020: User account 'joe#ourdomain.com' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application 'app-id-key' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account."
I have no idea. I've never used AD before. This is so common, I figure it must be the simplest use-case. I must be missing something stupid. All of my googling and searching Stack Exchange isn't finding me the answer though. Can someone please help me figure this out?
Thanks in advance for your help.
Please ensure you have added the external account successfully in your Azure AD tenant. In my testing , if I haven’t added the external account , I will get the same error message like yours .
To add an exits Microsoft Account to azure ad tenant ,you could follow below steps :
In the classic portal , click users in your azure ad tenant .
Click [Add User] button ,choose type : User with an existing Microsoft account :
After added , you will find the added Microsoft account in azure ad tenant like :
In addition, There are some limitations of Azure AD external users ,for example ,external users can't consent to multi-tenant applications in directories outside of their home directory . You could click here to know more about external users in azure ad.
I've been following this guide to get a B2C AD up and running
Create the B2C directory in the old portal (http://manage.windowsazure.com) ensuring "This is a B2C Directory" is checked.
Register an application in the new portal (http://portal.azure.com) under the B2C blade
Create the sign in policy.
When I try and test the sign in policy with the "Run now" and try and log in with my local account (the same one which has created the B2C AD -- the global administrator for this new AD) all I am met with is "We don't recognize this user ID or password".
What have I missed here?
I am able to reproduce this issue too. If you want to manage the users for the Azure B2C tenant, you can login the classic Azure Portal from here. However, currently there are a couple of known issues with user management (the Users tab) on the Azure classic portal:
Refer here about the Azure Active Directory B2C: Limitations and restrictions.
And if you want Azure AD to enable to login with the default global admin account, you can submit the feedback from here.