Azure AD B2C Sign ons from America - azure

I have an Azure AD B2C instance with only myself on it (testing).
My test account shows login activity from America despite myself being in the UK. The timestamps also don't match known activity.
Does anyone know what causes these? It is extremely unlikely that I have been 'hacked', so I think this must be some kind of background Microsoft process, but I can't find any documentation about it.
Not sure what info is useful to debug so let me know and I can update the question.
Example event in Sign in logs below
Date 9/19/2020, 4:08:44 AM
Request ID 39a44f55-5afc-43c8-92b6-d2e515aa0d00
User (Me)
Application CPIM PowerShell Client
Status Success
IP address 17.57.26.66
Location Atlanta, Georgia, US
Conditional access Not Applied

As Dev mentioned in the comments, the activity is related to B2C custom policy user login.
The AAD sign-in logs are not meant for B2C. The relevant logs are under the Audit logs menu in the B2C blade. Those look like AAD logs for the B2C tenant.
Read this article on what we offer for B2C tenants. You can see sign in info about a user into an app using this.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-audit-logs?tabs=applications

Related

How to track Azure AD B2C errors using Correlation ID?

In Azure AD B2C, a user flow policy has been created with Twitter identity provider for sign in. On clicking the Twitter icon on sign in page for the application using the user flow policy, the following error is being shown:
I looked into the Azure portal's Audit logs but couldn't find the erroneous correlation Id listed there.
Is there any way I can find what's specifically causing that error so I can look for a solution in right direction?
Azure Active Directory B2C (Azure AD B2C) emits audit logs containing activity information about B2C resources, tokens issued, and administrator access. Audit log events are only retained for seven days.
Note: You can't see user sign-ins for individual Azure AD B2C applications under the Users section of the Azure Active Directory or Azure AD B2C pages in the Azure portal. The sign-in events there show user activity, but can't be correlated back to the B2C application that the user signed in to. You must use the audit logs for that
This example image from the Azure portal shows the data captured when a user signs in with an external identity provider, in this case, Facebook:
To view Audit logs:
Sign in to Azure portal
Switch to the directory that contains your Azure AD B2C tenant, and then browse to Azure AD B2C.
Under Activities in the left menu, select Audit logs.
A list of activity events logged over the last seven days is displayed.
To download the list of activity events in a comma-separated values (CSV) file, select Download.
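The two answers above both come down to the same workflow: take the Correlation ID that B2C hands back in the redirect fragment, then read the B2C audit log (not the AAD sign-in log) for the entries that share it. The following is an added example, not code from either answer or from Microsoft; it assumes the Microsoft Graph endpoint `GET https://graph.microsoft.com/v1.0/auditLogs/directoryAudits` with the filter `loggedByService eq 'B2C'` that the linked article describes, assumes `correlationId` is filterable there (the client-side filter covers the case where it is not), and works on constructed sample entries and a constructed redirect URL, so it runs offline.

```python
"""Trace a failed B2C sign-in from its redirect fragment to the audit entries.

Added example; the redirect URL, GUIDs, timestamps and audit entries below are
constructed sample data shaped like Microsoft Graph directoryAudit objects.
"""
import re
from urllib.parse import parse_qs, urlsplit

GRAPH_AUDIT_URL = "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits"

# Constructed: the shape B2C uses for '#error=...' on the redirect URI.
SAMPLE_REDIRECT = (
    "https://my-web-client-url.azurewebsites.net/#error=server_error"
    "&error_description=AADB2C%3a+An+exception+has+occurred.%0d%0a"
    "Correlation+ID%3a+11111111-2222-3333-4444-555555555555%0d%0a"
    "Timestamp%3a+2019-02-05+16%3a02%3a51Z%0d%0a"
)

# Constructed: what a directoryAudits query might return (activity names invented).
CID = "11111111-2222-3333-4444-555555555555"
SAMPLE_AUDITS = [
    {"id": "a1", "activityDateTime": "2019-02-05T16:02:50Z", "loggedByService": "B2C",
     "activityDisplayName": "Issue an authorization code to the application",
     "category": "Authentication", "correlationId": CID, "result": "success", "resultReason": ""},
    {"id": "a2", "activityDateTime": "2019-02-05T16:02:51Z", "loggedByService": "B2C",
     "activityDisplayName": "Exchange an authorization code for an access token",
     "category": "Authentication", "correlationId": CID, "result": "failure",
     "resultReason": "B2C received a bad request"},
    {"id": "a3", "activityDateTime": "2019-02-05T16:03:10Z", "loggedByService": "B2C",
     "activityDisplayName": "Issue an id_token to the application",
     "category": "Authentication", "correlationId": "99999999-8888-7777-6666-555555555555",
     "result": "success", "resultReason": ""},
    # Same correlation ID but logged by the core directory, so not a B2C policy step.
    {"id": "a4", "activityDateTime": "2019-02-05T16:02:52Z", "loggedByService": "Core Directory",
     "activityDisplayName": "Update user", "category": "UserManagement",
     "correlationId": CID, "result": "success", "resultReason": ""},
]


def parse_b2c_error_fragment(redirect_url: str) -> dict:
    """Pull error, message, Correlation ID and Timestamp out of the URL fragment."""
    params = parse_qs(urlsplit(redirect_url).fragment)
    description = params.get("error_description", [""])[0]  # already URL-decoded
    cid = re.search(r"Correlation ID:\s*([0-9a-fA-F-]{36})", description)
    ts = re.search(r"Timestamp:\s*([^\r\n]+)", description)
    return {
        "error": params.get("error", [""])[0],
        "message": description.splitlines()[0] if description else "",
        "correlation_id": cid.group(1).lower() if cid else None,
        "timestamp": ts.group(1).strip() if ts else None,
    }


def graph_audit_request(correlation_id: str) -> dict:
    """URL and OData query for the matching B2C audit entries (assumed filterable)."""
    flt = f"loggedByService eq 'B2C' and correlationId eq '{correlation_id}'"
    return {"url": GRAPH_AUDIT_URL,
            "params": {"$filter": flt, "$orderby": "activityDateTime"}}


def entries_for_correlation(entries, correlation_id: str, service: str = "B2C"):
    """Client-side equivalent of the filter: B2C entries for one sign-in, oldest first."""
    hits = [e for e in entries
            if e.get("loggedByService") == service
            and (e.get("correlationId") or "").lower() == correlation_id.lower()]
    return sorted(hits, key=lambda e: e["activityDateTime"])


def first_failure(entries):
    """The first failed step is normally the one worth investigating."""
    return next((e for e in entries if e.get("result") == "failure"), None)


def trace(redirect_url: str, entries=SAMPLE_AUDITS) -> dict:
    """Full pipeline: fragment -> correlation ID -> ordered steps -> first failure."""
    err = parse_b2c_error_fragment(redirect_url)
    if not err["correlation_id"]:
        return {"error": err, "steps": [], "failure": None}
    steps = entries_for_correlation(entries, err["correlation_id"])
    return {"error": err,
            "steps": [(s["activityDisplayName"], s["result"]) for s in steps],
            "failure": first_failure(steps)}


if __name__ == "__main__":
    import json
    print(json.dumps(graph_audit_request(CID), indent=2))
    print(json.dumps(trace(SAMPLE_REDIRECT), indent=2))
```

Note that the entry logged by the core directory is dropped even though it carries the same correlation ID; that is the distinction the first answer draws between the AAD logs and the B2C audit log. Against a live tenant, replace `SAMPLE_AUDITS` with the `value` array returned by the request that `graph_audit_request` builds (the seven-day retention mentioned above still applies).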

How can I access a 'collaboration id' log to troubleshoot a facebook login?

Can I access the B2C error logs with the standard B2C User flows (NOT a custom policy)?
My root problem is that using a default Azure AD B2C User flow, the facebook login doesn't work. To troubleshoot it I need to see the error from B2C.
The final error is
https://my-web-client-url.azurewebsites.net/#error=server_error&error_description=AADB2C%3a+An+exception+has+occurred.%0d%0aCorrelation+ID%3a+1b85d65d-3697-4212-ad7d-ea5fb361783d%0d%0aTimestamp%3a+2019-02-05+16%3a02%3a51Z%0d%0a
But the documentation for seeing the Correlation ID logs is for custom policies, not a default User Flow.
Details:
The only MS documentation on accessing the logs is for custom policies (here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-troubleshoot-custom). However, I'm not using a custom user flow.
Prior to the error I see eight B2C<-->Facebook request/response pairs that return 302, so everything seems to be working up to that point.
Using the Dashboard, the Azure AD B2C audit logs simply say 'B2C received a bad request'. Not very helpful.
My Facebook app settings have 'Valid OAuth Redirect URIs' set to "https://my-tenant.b2clogin.com/my-tenant.onmicrosoft.com/oauth2/authresp", as per the AAD B2C documentation.
Appreciate any help, thanks.
As my comment above says, I had to use custom policies to see the logs, and even then the message was "scrubbed".
Turns out the real answer was to change my authentication tenant from my-tenant.b2clogin.com to my-tenant.auth0.com.
I ditched Azure AD B2C entirely, went to Auth0.com. It's working very well and profile pictures are part of the defaults.

Azure AD B2C invite as guest for administration

Recently I have started to get an error when trying to invite a guest user to my Azure AD B2C tenant, only for users from a specific domain. The reason I'm inviting is to share the administration process with the specified user.
The error I'm getting is: User account is disabled
So far what I've tried:
Using the "Users > New guest user" UI in the Azure AD blade.
Using the "Organizational relationships > New guest user" UI in the Azure AD blade.
Using the "Users > New guest user" UI in the Azure AD B2C blade.
Using graph api invitations endpoints.
Observation: It only happens for users from a specific domain (External Azure AD) but works for those with a Microsoft account.
Just for everyone's benefit here I'm posting the answer after consulting with Microsoft support.
There are 2 possible issues that might leave you unable to invite the guest user to the Azure AD:
Users are not properly deleted. When you search for the user email, it might not be visible in the UI, but you are still unable to invite. It's partly because the UI has some limited search capabilities (exact/startswith email or name only).
Solution: You can use graph api to query for the user. You should definitely try to look for the user based on the OtherMails field.
The user you're trying to invite is from an Azure AD tenant that is also one of the identity providers trusted in your Azure AD B2C. This is the cause of the issue with my implementation that I found.
When the user uses their Azure AD credentials to log in for the first time to my application (Azure AD B2C), a "social account" is created automatically in the Azure AD B2C. This account is created with the UserPrincipalName in the format cpim_guid#yourtenant.onmicrosoft.com, and AccountEnabled false (disabled). Their Azure AD email will be in the OtherMails property. This is why you can't find the user by their email in the UI, and you have to know the exact name they use in their Azure AD in order to find them.
Solution: If you can find the user in the UI (typically their MemberType is Member and Source is External Azure AD), you can just delete the user. If not, use the Graph API to query for their email in the OtherMails property. Then immediately invite the user as a guest. They should have no problem logging in to the B2C application again, as the social account will be created automatically.
Note: Ensure that you don't use Azure AD B2C policies that add additional attributes to the user logging in using a social account. If you do, you'd need some other strategy for deleting the user, inviting as guest, recreating the social account, and restoring the additional attributes.
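The steps in the answer above (search OtherMails, recognise the disabled cpim_ social account, delete it, invite immediately) are easy to get wrong by hand, so here is an added example, not the answerer's code, that turns them into a planned sequence of Microsoft Graph calls. It assumes the Graph v1.0 `users` endpoint with an `otherMails/any(...)` OData filter and the `invitations` endpoint (`invitedUserEmailAddress`, `inviteRedirectUrl`); the user objects, tenant name and redirect URL are constructed sample data, and the `cpim_` prefix check follows the UPN format the answer describes.

```python
"""Plan the Graph API calls needed to invite a federated Azure AD user as a guest.

Added example; SAMPLE_USERS and every name below are constructed, not real data.
"""
GRAPH = "https://graph.microsoft.com/v1.0"

SAMPLE_USERS = [
    # Constructed: the auto-created B2C social account the answer describes.
    {"id": "u-1", "userPrincipalName": "cpim_0f3e1b2a-0000-0000-0000-000000000001#yourtenant.onmicrosoft.com",
     "displayName": "Jane Doe", "accountEnabled": False, "userType": "Member",
     "otherMails": ["jane.doe@partner.example"]},
    # Constructed: a normal local admin, unrelated.
    {"id": "u-2", "userPrincipalName": "admin@yourtenant.onmicrosoft.com",
     "displayName": "Admin", "accountEnabled": True, "userType": "Member", "otherMails": []},
    # Constructed: an existing, enabled guest from a Microsoft account.
    {"id": "u-3", "userPrincipalName": "bob_live.example#EXT#@yourtenant.onmicrosoft.com",
     "displayName": "Bob", "accountEnabled": True, "userType": "Guest",
     "otherMails": ["bob@live.example"]},
]


def odata_quote(value: str) -> str:
    """OData string literal: single quotes inside the value are doubled."""
    return "'" + value.replace("'", "''") + "'"


def find_by_other_mail_request(email: str) -> dict:
    """GET /users filtered on otherMails, the lookup the UI cannot do."""
    return {"method": "GET", "url": f"{GRAPH}/users",
            "params": {"$filter": f"otherMails/any(c:c eq {odata_quote(email)})",
                       "$select": "id,userPrincipalName,accountEnabled,userType,otherMails"}}


def find_by_other_mail(users, email: str):
    """Client-side equivalent of the filter above (case-insensitive match)."""
    target = email.lower()
    return [u for u in users if any(m.lower() == target for m in u.get("otherMails", []))]


def is_b2c_social_account(user: dict) -> bool:
    """Disabled account whose UPN starts with cpim_ : created by a B2C policy, not an admin."""
    upn = user.get("userPrincipalName", "").lower()
    return upn.startswith("cpim_") and not user.get("accountEnabled", True)


def delete_request(user_id: str) -> dict:
    return {"method": "DELETE", "url": f"{GRAPH}/users/{user_id}"}


def invitation_request(email: str, redirect_url: str) -> dict:
    """POST /invitations; B2C will recreate the social account on the next policy sign-in."""
    return {"method": "POST", "url": f"{GRAPH}/invitations",
            "json": {"invitedUserEmailAddress": email,
                     "inviteRedirectUrl": redirect_url,
                     "sendInvitationMessage": True}}


def plan_guest_invite(users, email: str, redirect_url: str) -> dict:
    """Ordered calls: delete any blocking cpim_ account(s), then invite straight away."""
    blockers = [u for u in find_by_other_mail(users, email) if is_b2c_social_account(u)]
    calls = [delete_request(u["id"]) for u in blockers]
    calls.append(invitation_request(email, redirect_url))
    return {"blocking_accounts": [u["userPrincipalName"] for u in blockers], "calls": calls}


if __name__ == "__main__":
    import json
    print(json.dumps(find_by_other_mail_request("jane.doe@partner.example"), indent=2))
    print(json.dumps(plan_guest_invite(SAMPLE_USERS, "jane.doe@partner.example",
                                       "https://portal.azure.com"), indent=2))
```

The planner only deletes accounts that are both disabled and `cpim_`-prefixed, so an enabled guest or member who happens to list the same address in OtherMails is left alone. As the note in the answer says, if a policy has written extra attributes onto the social account, capture them before the DELETE, because the recreated account starts empty.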

Azure AD B2C Tenant seems corrupted after using AAD Graph Client

A few days ago, before implementing user management with the Azure Active Directory Graph API (not Microsoft Graph) in our web app for Azure AD B2C users, I was able to log into the Azure Portal, find the Azure Active Directory B2C resource, click on it, and successfully authenticate into it in order to edit policies, view the list of users, etc.
(Clicking the tenant in the screenshot used to work!)
Now when I click on it, the screen flashes about 10 times, attempting to log my user into the tenant. But afterward, the following error is returned:
Furthermore, when I attempt to log into the web app with that same user, I get the following error message:
ERROR: Your account has been locked. Contact your support person to unlock it, then try again.
How do I unlock the account if I can't even get into the Azure AD B2C tenant? Did I corrupt the tenant by using the AAD Graph Client?
UPDATE
I'm adding more information about how I'm using the Azure AD Graph Client, in case it is important to diagnose why neither I nor any other admin on my team can log into the AAD B2C tenant.
I think the most relevant piece of how I'm using the Azure AD Graph Client is the following to update a user's "Organization" extension/custom attribute:
The x's represent the AAD B2C generated identifier associated with the extension and the y's represent a user GUID.
HTTP PATCH to https://graph.windows.net/genlogin.onmicrosoft.com/users/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy?api-version=1.6
Body: {
"extension_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx_Organization":"Microsoft"
}
Is this incorrect use of the graph client? How do I get the AAD B2C tenant back to a state where I can log into it?
UPDATE
Furthermore, I also found the following link which talks about existing issues in AAD B2C management: https://blogs.msdn.microsoft.com/azureadb2c/2016/09/09/known-issue-b2c-app-mgmt/
Does this link apply at all? (My guess is no because it is the tenant itself that seems to be in a weird state, not the application associated with the tenant)
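The PATCH in the question is the normal way to set a B2C custom attribute through the Azure AD Graph API; the part that is usually mistyped is the attribute name, whose middle segment is the application ID of the tenant's b2c-extensions-app with the hyphens removed. The following is an added example, not the questioner's code, that derives that name, validates both GUIDs before building the request, and reads the attributes back from a user object. The tenant name is the one from the question; the app ID, user ID and sample user are constructed placeholders.

```python
"""Build and decode Azure AD B2C custom-attribute (extension) names.

Added example; the GUIDs and the sample user object below are constructed.
The attribute name is extension_<b2c-extensions-app appId, no hyphens>_<Name>.
"""
import re
import uuid

AAD_GRAPH = "https://graph.windows.net"
API_VERSION = "1.6"


def extension_attribute_name(b2c_extensions_app_id: str, attribute: str) -> str:
    """Derive the extension property name; rejects malformed GUIDs and names."""
    app = uuid.UUID(b2c_extensions_app_id)        # ValueError on a bad GUID
    if not re.fullmatch(r"[A-Za-z0-9]+", attribute):
        # B2C custom attribute names are letters and digits only (assumed here
        # from the portal's own validation); anything else never matches a real property.
        raise ValueError(f"invalid custom attribute name: {attribute!r}")
    return f"extension_{app.hex}_{attribute}"     # .hex is the 32-char form, no hyphens


def patch_user_request(tenant: str, user_id: str, b2c_extensions_app_id: str,
                       values: dict) -> dict:
    """The HTTP PATCH from the question, with every attribute name derived, not typed."""
    uuid.UUID(user_id)                            # fail early on a mangled object ID
    body = {extension_attribute_name(b2c_extensions_app_id, name): value
            for name, value in values.items()}
    return {"method": "PATCH",
            "url": f"{AAD_GRAPH}/{tenant}/users/{user_id}",
            "params": {"api-version": API_VERSION},
            "headers": {"Content-Type": "application/json"},
            "json": body}


def read_custom_attributes(user: dict, b2c_extensions_app_id: str) -> dict:
    """Inverse: map extension_<appId>_<Name> properties on a user back to {Name: value}."""
    prefix = f"extension_{uuid.UUID(b2c_extensions_app_id).hex}_"
    return {key[len(prefix):]: value for key, value in user.items() if key.startswith(prefix)}


if __name__ == "__main__":
    import json
    app_id = "12345678-1234-1234-1234-123456789abc"          # constructed
    user_id = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"          # constructed
    req = patch_user_request("genlogin.onmicrosoft.com", user_id, app_id,
                             {"Organization": "Microsoft"})
    print(json.dumps(req, indent=2))
    print(read_custom_attributes({"displayName": "x", **req["json"]}, app_id))
```

A wrong middle segment does not corrupt anything; the Graph API simply rejects the unknown property, which is one reason the lockout in the question is unlikely to have been caused by this PATCH.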
Since the screen flashes about 10 times, it seems that you tried to log in to Azure too many times within a short time. The Azure login server has its own policy to prevent this kind of uncommon login event.
Try to use another admin account to log in to the B2C tenant and reset your account password. If you don't have one, ask other admins to help you.
Otherwise, you need to wait and try to log in later.
Additionally, your client browser may have come across some issue which causes this event. You'd better check the environment for your work.

Azure AD B2C authentication hybrid

I created a B2C AD in my developer account on Azure.
In this environment I have users created in my personal AD, and users in AD B2C (where the user can log in with: twitter and facebook).
I found an ASP.NET project that logs in to these two ADs, but with two types of logins, one for normal AD and one for AD B2C. And from what I've researched, the only way to log in to these two different ADs is this way.
Does anyone know of a way to make a single login in these two ADs?
You could do it now with custom Azure AD B2C policies. It is however quite an advanced scenario.
Using them you could put all authentication behind B2C. User could choose to sign in against your Azure AD or through Twitter or Facebook on the B2C sign-in page instead of your application.
Custom policies: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-overview-custom
Documentation on using Azure AD as a provider in B2C: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-aad-custom
GitHub repo with examples: https://github.com/Azure-Samples/active-directory-b2c-advanced-policies
Thanks for the quick response.
I tried to do this but could not find the settings needed to put Twitter, Google and Microsoft. For Facebook and other AD worked.
I found a post, that Microsoft will soon make available an "Identity Provider" to validate the user in another AD.
For now, I'll put two Sign-in in my application, one for the company's AD and another for the B2C AD.
I am now looking for a way to get the user's profile in AD (Name, First Name, Last Name, Job Title, Department, ....).
Once this is done, I'm going to make a DEMO and publish it to github, I think this will help a lot of people.