The sample web application is using Azure AD B2C for identity and authentication. Azure AD B2C has been configured with Microsoft as an identity provider. Azure AD B2C will log in a user with a personal Microsoft account, but not an Office 365 account with a custom domain name. This is also the email address for the Azure admin, and is even the only user under Home > Azure AD B2C > Users - All users. The email address was under Users by default when the Azure AD B2C resource was created.
Why can't this email address be used to log in?
To answer your first question, why can't O365 users log in, it's because configuring "Microsoft authentication" only allows personal MS accounts.
To allow O365, you'd need to configure B2C to allow login via Azure AD.
As for why your admin user can't log in, it's because there are different types of users in B2C.
Your admin is not a B2C user, and thus cannot log in as a local user.
It's confusing since the Users tab shows them all together :/
I want to build an application where users can log in with their corporate Microsoft / Azure AD account.
For that, I created an Azure AD B2C tenant incl. a SignUpSignIn user flow with the "Microsoft Account" identity provider.
Now when I want to log in I get redirected to https://login.live.com/ and can successfully log in with my personal Microsoft account. However, if I enter the email address of my corporate account, the error message "This Microsoft account is not available" comes up.
The signInAudience of my app registration is set to AzureADandPersonalMicrosoftAccount. So I would expect that corporate accounts should also work?
"Microsoft account" there refers only to personal Microsoft accounts (Outlook/Live/Hotmail accounts).
If you want to only authenticate with one Azure AD tenant, there is guidance for adding that as an identity provider: https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-single-tenant?pivots=b2c-user-flow.
Multi-tenant Azure AD authentication could be done with the generic OpenID Connect provider I think: https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-generic-openid-connect?pivots=b2c-user-flow
It can also be achieved through custom policies: https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-multi-tenant?pivots=b2c-custom-policy.
I'm developing a system where any user can log in through Microsoft Azure SSO.
I have done the following:
Create B2C tenant (Initially tried B2B)
Create enterprise application
Set "AzureADandPersonalMicrosoftAccount" for "signInAudience"
Setup SSO with SAML using "https://simplesamlphp.org/"
Now everything is working fine for my account. But if I try with another personal user (which I haven't added as a guest user in my tenant), then it returns the error
User account 'user#domain.com' from identity provider 'live.com' does not exist in tenant 'xxxx'
and cannot access the application in that tenant.
The account needs to be added as an external user in the tenant first.
Sign out and sign in again with a different Azure Active Directory user account.
I want any personal Microsoft user to be able to log in through SSO (without adding it as a guest user in the tenant).
Thanks in advance!
I tried to reproduce the same in my environment and got the below results:
Please note that, if you are creating an Enterprise Application in an Azure AD B2C tenant, it will be authenticated via Azure Active Directory only, not Azure AD B2C.
When I tried to login through Personal Account, I got the same error as below:
As Enterprise Applications authenticate via Azure AD, it is not possible to authenticate users with personal Microsoft accounts without adding them as Guest Users.
The only approach is that you add them as Guest users and log in to SAML SSO without invitation.
Go to Azure Portal -> External Identities -> External collaboration settings -> Enable guest self-service sign up via user flows
On the left blade, Click on User flows -> New User Flow,
Once the user flow gets created successfully, click on the user flow, select applications and add your application like below:
And try signing in to your application with a Microsoft Personal Account.
I'm writing an app that authenticates with Azure B2C.
For each user that I want to authenticate, do I need to add them as a guest user in my B2C portal?
Or is there a setting that will allow my app to authenticate anyone, without having to add them as a guest user in the portal?
Adding them as guests won't allow them to authenticate.
Please see the Overview of user accounts in Azure Active Directory B2C.
A consumer account can be used for B2C authentication. But a guest account is different from a consumer account.
You can sign up external users to B2C to enable them to log in. This is exactly what B2C should do.
If you don't want to sign them up to B2C as a local account, you can Add an identity provider to your Azure Active Directory B2C tenant.
Select the corresponding IdP; for example, if your external user is an AAD user, you need to Set up sign-in for a specific Azure Active Directory organization; if your external user is a Google account, you should Set up sign-up and sign-in with a Google account.
After you configure this, there will be an additional sign-in button for those IdPs. You can sign in your external user directly without sign-up.
Just to amplify @AllenWu:
If you create a guest user on B2C, you are creating an admin user of that portal.
You are not creating a user.
B2C can handle millions of customers so you don't want any help desk involvement.
So B2C has user self-service registration, self-service password reset etc.
Once they have done that, the user can sign in.
I have configured an identity provider as described in this documentation.
The sign-up page shows up as in the photo. When entering an existing Office 365 email address, it doesn't accept it. It only accepts personal Microsoft accounts.
Found an old feature request that was declined.
https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/16849006-aadb2c-integrate-office-365-to-work-with-b2c
Is it still the same, or is there any alternative way?
Update (couldn't paste the photo in a comment, updating the question)
I chose the 2nd option for multi-tenancy from the suggestion and now it gives me the error
The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
If you want any O365 Account to sign in to your AAD B2C protected app, you need to federate with AAD Multi Tenant using Custom Policies.
https://learn.microsoft.com/en-gb/azure/active-directory-b2c/identity-provider-azure-ad-multi-tenant-custom?tabs=app-reg-ga
Set up sign-up and sign-in with a Microsoft account using Azure Active Directory B2C is only for personal Microsoft accounts.
You should configure Azure AD IDP by following Set up sign-in for a specific Azure Active Directory organization in Azure Active Directory B2C.
Then you can use an existing Office 365 account to sign in.
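The documentation links given above (single-tenant, multi-tenant via generic OpenID Connect, and custom policies) and the two answers just above all come down to one thing: which token issuers the B2C claims provider is willing to accept. The custom-policy fragment below is an added example written for this page, not code taken from the question, from the answers, or from Microsoft's documentation verbatim. It assumes the B2C starter-pack base policy (so the claim types `issuerUserId`, `tenantId`, `identityProvider` and the `CreateRandomUPNUserName`/`CreateUserPrincipalName`/`CreateAlternativeSecurityId`/`CreateSubjectClaimFromAlternativeSecurityId` transformations already exist), an app registration in the work-account tenant whose client secret is stored in a policy key named `B2C_1A_AADAppSecret`, and placeholder GUIDs for the application ID and the allowed tenants; all of those are assumptions you replace with your own values.

```xml
<!-- Added example: a B2C ClaimsProvider that federates with Azure AD over the
     "common" (multi-tenant) endpoint. Placeholder GUIDs and key names are
     assumptions, not values from this page. -->
<ClaimsProvider>
  <Domain>commonaad</Domain>
  <DisplayName>Work or school account</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="AADCommon-OpenIdConnect">
      <DisplayName>Work or school account</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <Metadata>
        <!-- "common" lets any Azure AD tenant start a sign-in; the issuer
             allow-list below decides whose tokens B2C actually accepts. -->
        <Item Key="METADATA">https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration</Item>
        <!-- Placeholder: application (client) ID of your multi-tenant app registration. -->
        <Item Key="client_id">00000000-0000-0000-0000-000000000000</Item>
        <Item Key="response_types">code</Item>
        <Item Key="scope">openid profile</Item>
        <Item Key="response_mode">form_post</Item>
        <Item Key="HttpBinding">POST</Item>
        <Item Key="UsePolicyInRedirectUri">false</Item>
        <Item Key="DiscoverMetadataByTokenIssuer">true</Item>

        <!-- Restricted setting (recommended): only tokens issued for the
             listed tenant IDs are accepted. Placeholder GUIDs; use one entry
             for the single-organization case from the answer above, several
             for a known set of partner tenants. -->
        <Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111,https://login.microsoftonline.com/22222222-2222-2222-2222-222222222222</Item>

        <!-- Weak setting (shown for contrast, left commented out): a bare
             prefix accepts a token from ANY Azure AD tenant, i.e. anyone who
             can create a free tenant can sign in to your application. -->
        <!-- <Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/</Item> -->

        <!-- Personal Microsoft accounts coming through "common" are issued by
             the consumer tenant 9188040d-6c67-4c5b-b112-36a304b66dad. Because
             that prefix is not listed above, such tokens are rejected here,
             which is the behaviour the answers above describe for work-only
             federation. -->
      </Metadata>
      <CryptographicKeys>
        <!-- Assumption: policy key holding the app registration's client secret. -->
        <Key Id="client_secret" StorageReferenceId="B2C_1A_AADAppSecret" />
      </CryptographicKeys>
      <OutputClaims>
        <!-- Key the B2C account on the immutable object ID, not the email,
             so a renamed or re-created mailbox cannot take over an account. -->
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid" />
        <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid" />
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
        <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" />
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
```

The profile is referenced from a user journey's claims-provider selection step in the relying-party policy, which is where the extra sign-in button the answers mention comes from. When reviewing such a policy, the two lines worth checking are `ValidTokenIssuerPrefixes` (is the allow-list as narrow as the business case allows?) and the `issuerUserId` mapping (is it `oid` rather than a mutable claim such as `email`?); the `tenantId` output claim is also useful to carry into your own application's authorization decisions.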
Can an invited guest user in Azure AD B2C sign in using this Azure AD B2C and access a registered application?
What is the password in this case?
Invited guests are for admin purposes i.e. administer the B2C tenant.
Typically they would be e.g. in another Azure tenant and hence would use the password in that tenant.
Only local users i.e. users created via B2C SUSI policies can access applications.