Letting users sign up and sign in to Azure Portal using AD B2C local accounts - azure

Based on this question, I need to implement a user flow that enables users to sign up to my Azure AD and then sign in to the Azure Portal to manage everything.
So far I added a user flow with which one can create an account with email, user name and other attributes. While they can use the credentials to log in to my web app, I'm not sure how they log in to the portal.
It looks like:
Azure AD tenant domain: foo.net
Email of the user: brah@hoge.com
User name: brah
Display name: fuga
Password: piyo
When going to https://portal.azure.com/ and entering brah@foo.net in "email", the dialog prompts for the password. However, piyo is declined and he cannot log in to the portal.
Also, even if he signs in to the portal using brah@hoge.com (his own Azure account), he cannot switch the directory to foo.net.
Besides manually creating a user in the Azure AD blade in the portal, how do I let them create their account to log in to the directory?

To access the Azure portal for managing subscriptions and resources that are linked to an Azure AD tenant, users must be added as members or guests to this Azure AD tenant.
Users can't be added as consumers to the Azure AD tenant.
You might want to consider either inviting the external users as guests to your Azure AD tenant or providing an online service for the external users to be added as guests to your Azure AD tenant.

Related

Azure Active Directory B2C Proxy Address Sign On

We have an existing Azure subscription where we run our processing infrastructure. We are setting up a new app to run in the same space, but with an Azure Active Directory B2C. We have the setup working and can create new customer users that can sign in.
We have been unable to determine how to have our own users in the existing company subscription sign in to the new app (powered by the AD B2C) with the same user/email/password.
We think the answer lies somewhere between single sign on and proxy user principal names?
We should also point out that when setting up the AD B2C, an administrator user was set up for the person that set it up. Their account has an issuer of ExternalAzureAD and their user principal name is pretty much their email as a suffix on the active directory domain. Although this user is "linked" (?) to the original user in our original AD, it has a different password, etc. So also not quite what we are looking for. Ideally this user would sign in to the B2C with their actual email and password (the same one used in the non-B2C original AD).
I tried to reproduce the same in my environment like below:
To allow the users to login with Azure AD credentials, make sure to register the Azure AD B2C application by selecting Accounts in any organizational directory (Any Azure AD directory - Multitenant)
To sign in to the Azure AD B2C application, try using the authorize and token endpoints below accordingly:
Note that the organizations endpoint will allow tenant-level login.
I created an Azure AD user like below:
When I tried to login to the Azure AD B2C Application through Azure AD user credentials, I am able to login successfully.
And the decoded access token contains Azure AD user information like below:

Sign in by multi-tenant Azure Active Directory in Azure AD B2C

I have followed this tutorial. I want to use this in my sign-up user flow.
I created OpenID Connect Identity Provider pointing to the app created in the Azure B2C, and I also created another one pointing to the app created in my normal Azure tenant, and in both cases, when I log in I get the error:
AADSTS50020: User account '{{ACCOUNT}}' from identity provider 'https://sts.windows.net/{{TENANT_ID}}/' does not exist in tenant 'ADefWebserver' and cannot access the application '{{my Azure B2C Tenant id}}'(Blazor Simple Survey AAD) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
Is there documentation that tells what you are supposed to do to fully make this work?
Azure Active Directory (Azure AD) business-to-business (B2B) collaboration is a feature within External Identities that lets you invite guest users to collaborate with your organization.
You can add your user account to your tenant 'ADefWebserver' based on the following document. Please follow this document.

Azure AD B2C - no option to login by normal account, but there is for external

I added to my Azure AD B2C the option to log in by an external provider - Azure AD from my other tenant. Now I try to sign in with the following accounts:
What is extremely strange is that I can sign in with the external account, but with a 'normal' account I get:
User account 'rmaziarka@radekmaziarka.onmicrosoft.com' from identity provider 'https://sts.windows.net/****/' does not exist in tenant 'Guests users' and cannot access the application '2e7e5a25-1755-43f6-be9b-76203b654abe'(Auth0) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
Why is that? Why can I sign in with the invited one, but not with a normal user? I have a tenant with 400 employees. Should I create another tenant and invite all users there?
If you add tenant A as an external provider, the users from tenant A will be able to log in. The users from your B2C tenant are recognized as local users, so you need to add Local Account to the identity providers.
Log in your external AD users with a social account, and log in your B2C tenant users with a local account.

Azure AD B2C invite as guest for administration

Recently I am starting to get an error when trying to invite a guest user to my Azure AD B2C tenant, but only for users from a specific domain. The reason I'm inviting is to share the administration process with the specified user.
The error I'm getting is: User account is disabled
So far what I've tried:
Using the "Users > New guest user" UI in the Azure AD blade.
Using the "Organizational relationships > New guest user" UI in the Azure AD blade.
Using the "Users > New guest user" UI in the Azure AD B2C blade.
Using the Graph API invitations endpoints.
Observation: Only happens for users from a specific domain (external Azure AD) but works for those with a Microsoft account.
Just for everyone's benefit here I'm posting the answer after consulting with Microsoft support.
There are 2 possible issues that might make you unable to invite the guest user to the Azure AD:
Users are not properly deleted. When you search for the user email, it might not be visible in the UI, but you are still unable to invite. It's partly because the UI has some limited search capabilities (exact/startswith email or name only).
Solution: You can use the Graph API to query for the user. You should definitely try to look for the user based on the OtherMails field.
The user you're trying to invite is from an Azure AD tenant that is also one of the identity providers trusted in your Azure AD B2C. This is the cause of the issue with my implementation that I found.
When the user uses their Azure AD credential to log in for the first time to my application (Azure AD B2C), a "social account" is created automatically in the Azure AD B2C. This account is created with the UserPrincipalName in the format cpim_guid@yourtenant.onmicrosoft.com, and AccountEnabled false (disabled). Their Azure AD email will be in the OtherMails property. This is why you can't find the user by their email in the UI, and you have to know the exact name they use in their Azure AD in order to find them.
Solution: If you can find the user in the UI (typically their Member type is Member and Source is External Azure AD), you can just delete the user. If not, use the Graph API to query for their email in the OtherMails property. Then immediately invite the user as a guest. They should have no problem logging in to the B2C application again, as the social account will be created automatically.
Note: Ensure that you don't use Azure AD B2C policies that add additional attributes to the user logging in using a social account. If you do, you'd need some other strategy for deleting the user, inviting as guest, recreating the social account, and restoring the additional attributes.
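An added example (not the answerer's code) of the Graph-based clean-up this answer describes: it builds the otherMails filter, picks out disabled cpim_ shadow accounts from a query result, and lists the DELETE and /invitations requests to issue next. Nothing is sent; the tenant name, IDs and response below are constructed.

```python
# Added example; the Graph response is constructed, not captured from a tenant.
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"
SELECT = "id,userPrincipalName,accountEnabled,userType,otherMails"

def other_mails_filter(email: str) -> str:
    """OData filter for users whose otherMails contains `email`; a single
    quote inside an OData string literal is escaped by doubling it."""
    literal = email.replace("'", "''")
    return f"otherMails/any(m:m eq '{literal}')"

def other_mails_query(email: str) -> str:
    """Full GET URL for the lookup the portal UI cannot do."""
    return f"{GRAPH}/users?$filter={quote(other_mails_filter(email))}&$select={SELECT}"

def shadow_social_accounts(users: list, email: str) -> list:
    """Users matching the answer's pattern: UPN cpim_<guid>@<tenant>.onmicrosoft.com,
    accountEnabled false, and the invitee's Azure AD email in otherMails."""
    wanted = email.lower()
    return [u for u in users
            if u.get("userPrincipalName", "").lower().startswith("cpim_")
            and u.get("accountEnabled") is False
            and wanted in (m.lower() for m in u.get("otherMails", []))]

def remediation_plan(response: dict, email: str, redirect_url: str) -> list:
    """Requests in order: DELETE each blocking shadow account, then POST the
    B2B invitation (documented fields of the /invitations resource)."""
    plan = [("DELETE", f"{GRAPH}/users/{u['id']}", None)
            for u in shadow_social_accounts(response.get("value", []), email)]
    plan.append(("POST", f"{GRAPH}/invitations", {
        "invitedUserEmailAddress": email,
        "inviteRedirectUrl": redirect_url,
        "sendInvitationMessage": True}))
    return plan

# Constructed sample of what the query might return for one invitee.
SAMPLE_RESPONSE = {"value": [
    {"id": "00000000-0000-0000-0000-000000000001",
     "userPrincipalName": "cpim_0d8f1c2e-5b7a-4e0c-9a12-3f4b5c6d7e8f@yourtenant.onmicrosoft.com",
     "accountEnabled": False, "userType": "Member", "otherMails": ["alice@partner.example"]},
    {"id": "00000000-0000-0000-0000-000000000002",
     "userPrincipalName": "bob@yourtenant.onmicrosoft.com",
     "accountEnabled": True, "userType": "Member", "otherMails": ["alice@partner.example"]},
]}

if __name__ == "__main__":
    print(other_mails_query("alice@partner.example"))
    for method, url, _ in remediation_plan(SAMPLE_RESPONSE, "alice@partner.example", "https://myapp.example/"):
        print(method, url)
```

Only the first sample user is returned as blocking: the second is enabled and has no cpim_ UPN, even though the same email sits in its otherMails.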

Azure AD B2C Invitation email

Does anybody know why, when I invite users to my Azure AD B2C, some of them see a different web page after clicking on the invitation email? For example, a user with @gmail.com will be asked to create a Microsoft account, but the layout of this page will be different if his email ends with @mvrht.net.
I've tried to search for anything on the web but didn't find anything. Is there some kind of "magic" algorithm that decides this?
Azure AD B2C Users should NOT be created via the Users & Groups blade.
This blade, while available from the Azure AD B2C Edit Settings blade, is meant at this time to be used to manage users for regular (corporate/enterprise) Azure AD. While it is technically possible to create/add users via this blade, you'll end up with undesired/unexpected behavior such as users being created with @tenantname.onmicrosoft.com or having them created as Guests via the Azure AD B2B Collaboration feature (which is what's happening with your @gmail users) that ultimately can't sign in to your Azure AD B2C integrated applications.
In the context of Azure AD B2C, you should only use this blade to browse the users in the tenant, always in read only mode.
To create Azure AD B2C users, you should either:
Have the users sign-up by themselves via the Sign-up or unified Sign-up/Sign-in policy.
Programmatically pre-create the users via the Graph API. For this approach check out this sample which contains a CLI to create users and showcases the code behind it.
Source: How do you add a user with a local name in Azure Active Directory B2C?
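As an added example (not the CLI sample the answer links to), this builds the Graph POST /users body that creates a B2C local account, with the identities entry that distinguishes it from a blade-created corporate user, and sorts existing user objects into local, social, guest and corporate-UPN accounts. The tenant name and user objects are constructed.

```python
# Added example; tenant name and user objects below are constructed.
import secrets
import string

SYMBOLS = "!@#$%^&*"

def initial_password(length: int = 16) -> str:
    """Random initial password with upper, lower, digit and symbol characters."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw

def local_account_body(tenant: str, email: str, display_name: str, password: str = "") -> dict:
    """Body for POST https://graph.microsoft.com/v1.0/users. The `identities` entry
    (signInType emailAddress, issuer = the B2C tenant) is what makes this a local
    account rather than a corporate user with a @tenant.onmicrosoft.com UPN."""
    if not tenant.endswith(".onmicrosoft.com"):
        raise ValueError("issuer must be the B2C tenant's *.onmicrosoft.com domain")
    return {
        "displayName": display_name,
        "identities": [{"signInType": "emailAddress", "issuer": tenant,
                        "issuerAssignedId": email}],
        "passwordProfile": {"password": password or initial_password(),
                            "forceChangePasswordNextSignIn": False},
        "passwordPolicies": "DisablePasswordExpiration",
    }

def classify(user: dict) -> str:
    """'local' = B2C local account, 'social' = federated identity, 'guest' = B2B-
    invited (cannot sign in to B2C apps), 'corporate-upn' = made via the blade."""
    kinds = {i.get("signInType") for i in user.get("identities", [])}
    if kinds & {"emailAddress", "userName"}:
        return "local"
    if "federated" in kinds:
        return "social"
    return "guest" if user.get("userType") == "Guest" else "corporate-upn"

# Constructed user objects in the shape Graph returns with $select=userType,identities.
SAMPLE_USERS = {
    "alice": {"userType": "Member", "identities": [
        {"signInType": "emailAddress", "issuer": "yourtenant.onmicrosoft.com", "issuerAssignedId": "alice@example.com"},
        {"signInType": "userPrincipalName", "issuer": "yourtenant.onmicrosoft.com", "issuerAssignedId": "a1b2@yourtenant.onmicrosoft.com"}]},
    "bob": {"userType": "Guest", "identities": [
        {"signInType": "userPrincipalName", "issuer": "yourtenant.onmicrosoft.com", "issuerAssignedId": "bob_gmail.com#EXT#@yourtenant.onmicrosoft.com"}]},
    "carol": {"userType": "Member", "identities": [
        {"signInType": "userPrincipalName", "issuer": "yourtenant.onmicrosoft.com", "issuerAssignedId": "carol@yourtenant.onmicrosoft.com"}]},
}
```

Only alice can sign in through a B2C user flow; bob (a B2B guest) and carol (a blade-created member) are the two failure shapes the answer warns about.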