I have configured identity provider as described in this documentation
Sign up page shows up as in the photo. When entering existing office 365 email address, it doesn't accept. It only accepts personal Microsoft accounts.
Found an old feature request what was declined.
https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/16849006-aadb2c-integrate-office-365-to-work-with-b2c
Is it still the same OR is there any alternate way ?
Update (couldnt page photo in comment, updating the question)
I chose 2nd option for multi-tenancy from suggestion and now it gives me error
The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
If you want any O365 Account to sign in to your AAD B2C protected app, you need to federate with AAD Multi Tenant using Custom Policies.
https://learn.microsoft.com/en-gb/azure/active-directory-b2c/identity-provider-azure-ad-multi-tenant-custom?tabs=app-reg-ga
Set up sign-up and sign-in with a Microsoft account using Azure Active Directory B2C is only for personal Microsoft accounts.
You should configure Azure AD IDP by following Set up sign-in for a specific Azure Active Directory organization in Azure Active Directory B2C.
Then you can use existing office 365 account to sign in.
Related
We are using signup/signin builtin user flow and want to combine the "forgot password" part into this flow though sspr https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-password-reset-policy?pivots=b2c-user-flow#self-service-password-reset-recommended
However, the sspr bottun unable to click in user flow property and show a line at the bottom "sspr currently unavailable to support combind local account", am I using the wrong account or APIM needs to do some conf?
I have searched a while and there is no similar case. Has anyone encountered the same problem?
Please check if below are the causes:
Note : In a sign-up and sign-in journey, a user can reset their own
password by using the Forgot your password link. This ability to
reset passwords only apply to local accounts in Azure Active Directory
B2C (Azure AD B2C) i.e; you can only reset your password if you
signed up using an email address or a username with a password for
sign-in .
In case of azure ad, users of SSPR requires one of the following licenses: Azure AD
Premium P1 or P2, Microsoft 365 Business, or Office 365. If you have
a hybrid environment, you also need password writeback into your
on-premises AD. In this case, you’ll need Azure AD Premium P1 or P2
or Microsoft 365 Business.
You may not be able to see password reset menu option if you don't have an Azure
AD license assigned to the administrator performing the operation.
Please check out below references:
Troubleshoot self-service password reset - Azure Active Directory | Microsoft Docs
Frequently asked questions (FAQ) for Azure Active Directory B2C | Microsoft Docs
Azure AD B2C Password Reset - Stack Overflow
I have a AD B2C multi tenant application
I have custom policy which have filtering on my tenant (Microsoft article)
Now on this tenant I invite new users from other tenants (I got "userEmail_contoso.com#EXT##mytenant.onmicrosoft.com)
Why I can't to sign in with external user? It's possible to filtering the tenant but allow external users from same tenant to sign in?
2.
3.
Please see METADATA in the document you shared:
<Item Key="METADATA">https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration</Item>
We can see that it is using common endpoint. common endpoint means users with both a personal Microsoft account and a work or school account from Azure AD can sign in to the application. See reference here.
So although the personal Microsoft account is added into your tenant as a guest user now, it is treated as a personal account when it meets common endpoint. As a result, it is blocked from logging in.
In short, B2C multi-tenancy does not support guest user login.
In order to sign in as a guest user from your tenant, you should look into Set up sign-in for a specific Azure Active Directory organization in Azure Active Directory B2C. You can see that the METADATA is https://login.microsoftonline.com/tenant-name.onmicrosoft.com/v2.0/.well-known/openid-configuration in this document, which should treat your account as guest user.
The sample web application is using Azure AD B2C for identity and authentication. Azure AD B2C has been configured with Microsoft as an identity provider. Azure AD B2C will login a user with a personal Microsoft account, but not an Office 365 account with a custom domain name. This is also the email address for the Azure admin, and is even the only user under Home > Azure AD B2C > Users - All users. The email address was under Users by default when the Azure AD B2C resource was created.
Why can't this email address be used to login?
To answer your first question, why can't O365 users login, it's because configuring "Microsoft authentication" only allows personal MS accounts.
To allow O365, you'd need to configure B2C to allow login via Azure AD.
As for why your admin user can't login, it's because there are different types of users in B2C.
Your admin is not a B2C user, and thus cannot login as a local user.
It's confusing since the Users tab shows them all together :/
I want to access the Azure AD Graph Explorer using my administrator account. When I try to access it, it shows this error:
Selected user account does not exist in tenant graphExplorerMT and cannot access the application d3ce4cf8-6810-442d-b42e-375e14710095 in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account.
What shall I do?
You should probably try with a user that is internal to the AAD or add your MS account as an external user to it.
The Azure subscription admin is not necessarily part of the Azure Active Directory.
For Azure AD Graph Explorer, you can only use the member account(internal) to sign in, such as xxx.onmicrosoft.com.
You cannot use a guest user account(external) to sign in AAD Graph Explorer.
Solutions:
Try to sign in AAD Graph Explorer with a member account.
According to this answer on Microsoft's forum, this does not work with Microsoft accounts.
Are you trying to sign in using a Microsoft account (outlook/live) into https://graphexplorer.azurewebsites.net/ ?
Azure AD Graph explorer cannot authenticate social accounts and only works with work or school accounts in Azure AD.
You would have to use the latest MS graph, if you want to use MSA accounts
I'm trying to enable the Multi-Factor Authentication on my Azure account, (To secure my access to the Azure portal), i am following the tutorial from here, but, unlike this picture :
I have no Enable button when I select my user:
I've tried to send a csv bulk request with only my user (the email address), but it says user does not exists.
I am trying to add MFA on the user william#[something].com when i'm logged with the william#[something].com MS account (i am the only one user, and i'm global administrator)
In the MFA management page, you can only manage/enable MFA for your own Microsoft Azure AD Accounts, including accounts creating in Azure AD or synced from your on-premise AD; not any Microsoft Account or accounts from other Microsoft Azure AD. As you said you're using a MS account, you surely can't see the enable button.
In Azure Classic Portal, you can easily see if it's a Microsoft account or a Microsoft Azure Active Directory account:
If you want to enable this for your Microsoft account, you need to use Microsoft service at here ,sign in and then click Set up two-step verification.
Follow steps afterwards, you'll enable Two-step Verification it for your Microsoft account.
Of course you can create a new account in your Microsoft Azure Active Directory (Type of User is: New user in your organization), then you can enable MFA for this new user. If you would like a Global Admin, you can click this user and assign user Global Admin role. So then later you can use this admin account for your management work.