I am attempting to develop an app with only a sign in policy. To the best of my knowledge the supported methods of creating new users for b2c are using the new user dialog on the users page, and with the graph api. Is this correct? Is there a method I'm missing? Which is the preferred method?
When attempting to create users in the new user dialog, usernames become malformed, eg. username#domain.com becomes username_domain.com#EXT##domain.com
The users created through the portal cannot be used by Azure AD B2C. Azure AD B2C uses the 'signin names' property of the user to sign in. The users created through the portal can be used for sign in using AAD (enterprise scenario).
Azure AD B2C has a sample for creating user accounts using AADGraph, which can be used for creating users in cases where only signin is supported.
Create consumer user accounts
Related
I created an Azure AD B2C tenant, added applications to it and configured Postman according to this article:
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/azure-ad-b2c-webapi?view=aspnetcore-2.2
My problem is I can't log in with user accounts which I added to my tenant.
I created two users the user type of them is member ansd source is Azure Active Directory.
But when I try to log in I get back the following error message:
"Invalid username or password."
What should I set up yet?
The users created through the portal cannot be used by Azure AD B2C. Azure AD B2C uses the 'signin names' property of the user to sign in. The users created through the portal can be used for sign in using AAD (enterprise scenario).
As Chris mentioned, one needs to use a Signup policy or Azure AD Graph flow to create a user for b2c to be able to sign in.
Please see this answer
Adding users to Azure B2C without using a sign-up policy
Recently I am starting to get an error when trying to invite a guest user to my Azure AD B2C tenant, for only user from a specific domain. The reason i'm inviting is to share the administration process with the specified user.
The error i'm getting is: User account is disabled
So far what I've tried:
Using the Users > New guest user" UI in Azure AD blade.
Using the "Organizational relationships > New guest user" UI in Azure AD blade.
Using the Users > New guest user" UI in Azure AD B2C blade.
Using graph api invitations endpoints.
Observation: Only happen for user from specific domain (External Azure D) but works for those with Microsoft account.
Just for everyone's benefit here I'm posting the answer after consulting with Microsoft support.
There are 2 possible issues that might cause you unable to invite the Guest user to the Azure AD:
Users are not properly deleted. When you search for the user email, it might not be visible in the UI, but still unable to invite. It's partly because the UI has some limited search capabilities (exact/startswith email or name only).
Solution: You can use graph api to query for the user. You should definitely try to look for the user based on the OtherMails field.
User you're trying to invite is from an Azure AD tenant that is also one of identity provider trusted in your Azure AD B2C. This is the cause of the issue with my implementation that I found.
When the user use their Azure AD credential logging in for the 1st time to my application (Azure AD B2C), a "social account" is created automatically in the Azure AD B2C. This account is created with the UserPrincipalName in the format of cpim_guid#yourtenant.onmicrosoft.com, and AccountEnabled false (disabled). Their Azure AD email will be in the OtherMails property. This is why you can't find the user by their email in the UI, and you have to know the exact name they use in their Azure AD in order to find them.
Solution: If you can find in the UI, typically their MemberType is Member Source is External Azure AD, you can just delete the user. If not, use graph api to query for their email in OtherMails property. Then immediately invite the user as guest. They should have no problem logging in to the B2C application again as the social account will be created automatically.
Note: Ensure that you don't use Azure AD B2C policies that adds additional attributes to the user logging in using social account. If yes, you'd need some other strategy for deleting the user, inviting as guest, recreating the social account, and restoring back the additional attributes.
At the moment Azure AD B2C are not available in all regions. So , If I create Azure AD B2C in a region where it is available, is it possible me to migrate users later into a new Azure AD B2C, which will be created in my region when the Azure AD B2C available in the region?
p.s. copy of https://social.technet.microsoft.com/Forums/en-US/7e42bb1a-7a04-4a62-9864-5c7392f790cf/migrating-azure-ad-b2c-users-from-region-to-region?forum=paas
Currently there is no information from Microsoft as whether they will provide a native export feature within B2C to allow migration between regions. However you can export users between B2C tenants using GraphAPI as per this guide. One issue with this method for local accounts is that passwords cannot be migrated out of a B2C tenant, so you have two options:
Password Reset - You force every user to perform a password reset whether that be via an email sent to every user, or when a user tries to sign in for the first time.
Validate against old tenant - You modify your sign in policy on the new tenant to verify the users email and password combo against the old tenant via a REST API technical profile. If valid you then write the password to the new tenant.
I am seeing duplicate accounts being created using the same Facebook login on Azure AD B2C. My understanding has always been that using the combined sign-up/sign-in policy, if a user taps a social provider, Azure AD B2C will sign them back in using the same Azure AD B2C account if they created it using Facebook rather than creating a new one.
In this case however, I have three examples where 2 Azure AD B2C accounts exist with the same email address, created by the user using Facebook as the authentication mechanism. They share the same name and profile photo but have different Azure AD AD object id's.
There is a known outstanding Facebook issue around expired tokens which was acknowledged by Microsoft and is logged on UserVoice here after a paid developer support issue was logged on the Azure portal: Fix the faulty Facebook integration and more transparency please!
I have logged this here under the request from Azure Support on Twitter:
https://twitter.com/AzureSupport/status/949258937915895809
Please assist - we are very concerned about these issues with regards B2C's integration with a very popular social provider!
Millions of end users use facebook to register and login to apps secured by Azure AD B2C.
If you are sure that the same facebook user(same user id) registered into the b2c app, then it may be possible that you used different facebook Application IDs. In which case you would have different facebook ids presented to b2c, resulting in 2 different Azure AD B2C user accounts.
Alternatively, it is possible that a single facebook user with email joe#email.com registerd into b2c using their facebook login and later selected "local account" and created a local user (non facebook) using the same email joe#email.com. These would appear as 2 different users.
Does anybody know why when I invite users to my Azure AD B2C some of them see different web page after clicking on invitation email? For example, user will #gmail.com will be asked to created Microsoft account but layout of this page will be different if his email would end with #mvrht.net.
I've tried to search anything on web but didn't find anything. Is there some kind of "magic? algorithm that decides this?
Azure AD B2C Users should NOT be created via the Users & Groups blade.
This blade, while available from the Azure AD B2C Edit Settings blade, is meant at this time to be used to manage users for regular (corporate/enterprise) Azure AD. While it is technically possible to create/add users via this blade, you'll end up with undesired/unexpected behavior such as users being created with #tenantname.onmicrosoft.com or having them created as Guests via the Azure AD B2B Collaboration feature (which is what's happening with your #gmail users) that ultimately can't sign in to your Azure AD B2C integrated applications.
In the context of Azure AD B2C, you should only use this blade to browse the users in the tenant, always in read only mode.
To create Azure AD B2C users, you should either:
Have the users sign-up by themselves via the Sign-up or unified Sign-up/Sign-in policy.
Programatically pre-create the users via the Graph API. For this approach check out this sample which contains a CLI to create users and showcases the code behind it.
Source: How do you add a user with a local name in Azure Active Directory B2C?