Can an invited guest user signin using Azure AD B2C? - azure-ad-b2c

Can an invited guest user in Azure AD B2C sign in through this Azure AD B2C tenant and access a registered application?
What is the password in this case?

Invited guests are for admin purposes, i.e. to administer the B2C tenant.
Typically they would be, e.g., in another Azure tenant and hence would use the password from that tenant.
Only local users, i.e. users created via B2C SUSI policies, can access applications.

Related

b2c - Guest account not a member

I'm using custom policies in Azure.
How do I make any new account be created as a visitor account and not a member, please?
Can someone explain the differences between Guest and Member? What are the consequences when creating a user in B2C?
I can't find it in the docs.
We have a choice to create users only with UserType=Member in Azure AD B2C.
UserType=Guest is an implementation detail of Azure AD B2B, which is a feature of regular Azure AD, and it is not supported in Azure AD B2C.
B2C is designed basically for EXTERNALLY facing apps which have their own app-specific login credentials, and so there is no concept of a GUEST user for a B2C tenant.
If one needs GUEST user type of access for B2C users, then they would have to invite them separately to the main Azure AD tenant.
References:
B2C Portal Login, B2C Guest Users - Cloud Identity Architect
Use map UserType with Azure AD Connect cloud sync | Microsoft Docs

Do I need to add guest users to authenticate with Azure B2C?

I'm writing an app that authenticates with Azure B2C.
For each user that I want to authenticate, do I need to add them as a guest user in my B2C portal?
Or is there a setting that will allow my app to authenticate anyone, without having to add them as a guest user in the portal?
Adding them as guests won't allow them to authenticate.
Please see the Overview of user accounts in Azure Active Directory B2C.
A Consumer account can be used for B2C authentication. But a Guest account is different from a Consumer account.
You can sign up external users to B2C to enable them to log in. This is exactly what B2C should do.
If you don't want to sign them up to B2C as local accounts, you can Add an identity provider to your Azure Active Directory B2C tenant.
Select the corresponding idp: for example, if your external user is an AAD user, you need to Set up sign-in for a specific Azure Active Directory organization; if your external user has a Google account, you should Set up sign-up and sign-in with a Google account.
After you configure this, there will be an additional sign-in button for each of those idps. Your external users can sign in directly without signing up.
Just to amplify @AllenWu:
If you create a guest user on B2C, you are creating an admin user of that portal.
You are not creating a user.
B2C can handle millions of customers so you don't want any help desk involvement.
So B2C has user self-service registration, self-service password reset etc.
Once they have done that, the user can sign in.

Azure B2C - enable logins without needing to create a User

I'm trying to use Azure B2C to authenticate my web app.
I've set it up as multi-tenant - but when someone tries to log in from their work account (johnsmith@anothercompany.com) then the login shows this error:
AADSTS50020: User account 'johnsmith@anothercompany.com' from identity provider 'https://sts.windows.net/xxxx/' does not exist in tenant 'MyTenant' and cannot access the application 'yyy'(My Tool) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
... if I add johnsmith@anothercompany.com as a guest user in my B2C Tenant, then this works - John can log in.
Is there a way to enable my application to not require me to add "guest accounts", and just authenticate against any AAD tenant? (leaving authorization up to my app)
You should configure multi-tenant based on this document: Set up sign-in for multi-tenant Azure Active Directory using custom policies in Azure Active Directory B2C
You can set multiple AAD tenants as identity providers by following this part.
<Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000,https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111</Item>
This allows you to sign in directly with accounts from tenant 00000000-0000-0000-0000-000000000000 and tenant 11111111-1111-1111-1111-111111111111.

Why won't Azure AD B2C accept an Office 365 email address?

The sample web application is using Azure AD B2C for identity and authentication. Azure AD B2C has been configured with Microsoft as an identity provider. Azure AD B2C will log in a user with a personal Microsoft account, but not an Office 365 account with a custom domain name. This is also the email address of the Azure admin, and is even the only user under Home > Azure AD B2C > Users - All users. The email address was under Users by default when the Azure AD B2C resource was created.
Why can't this email address be used to login?
To answer your first question, why can't O365 users log in: it's because configuring "Microsoft authentication" only allows personal MS accounts.
To allow O365, you'd need to configure B2C to allow login via Azure AD.
As for why your admin user can't log in, it's because there are different types of users in B2C.
Your admin is not a B2C user, and thus cannot log in as a local user.
It's confusing since the Users tab shows them all together :/

Azure AD B2C - no option to login by normal account, but there is for external

I added to my Azure AD B2C an option to log in via an external provider - Azure AD from my other tenant. Now I try to sign in with the following accounts:
What is extremely strange is that I can sign in with the external account, but with the 'normal' account I get:
User account 'rmaziarka@radekmaziarka.onmicrosoft.com' from identity provider 'https://sts.windows.net/****/' does not exist in tenant 'Guests users' and cannot access the application '2e7e5a25-1755-43f6-be9b-76203b654abe'(Auth0) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
Why is that? Why can I sign in with the invited one, but not with a normal user? I have a tenant with 400 employees. Should I create another tenant and invite all users there?
If you add tenant A as an external provider, the users from tenant A will be able to log in. The users from your B2C tenant are recognized as local users, so you need to add Local Account to the identity providers.
Log in your external AD users with the social account and your B2C tenant users with the local account.
