I've created an account with different values for both userType=userName and userType=emailAddress.
The documentation says this is allowed, but only the username is recognised during login.
Is this a bug in B2C or have I done something wrong? Thanks
A local account with an array of sign-in names of different sign-in types is allowed and you can log in to the local account with any sign-in name.
If you are creating built-in policies using the Azure AD B2C portal, then you must set the local account mode to "Username", in order to enable log in with any sign-in name.
(Setting this mode to "Username" changes the sign-in form. It doesn't limit logging in with only the "userName" sign-in type.)
You can login either with "user name or email address" of an user. But while you create the user in B2C, you should define the possible array of login names for that particular user.
{"signInNames", new JArray
{
new JObject
{
{"value", "myTest#gmail.com"},
{"type", "emailAddress"}
},
new JObject
{
{"value", "myTestUserName"},
{"type", "userName"}
}
}
}
Also, make sure you change the identity provider as "Local account Sign In" in the SignIn policy.
Related
We are allowing External Azure AD users to signup and login to our application via a custom policy. This creates a shell user in our azure ad org and we use the user's email address under user profile, not the user's UPN from the external AD. If the user's email address is different from their UPN, the shell user in our adb2c org will have the email address as the UPN. We customized the custom policy to return the user attributes from the external AD together with the user attributes from the shell user in adb2c. Our application will detect if there is a change in the name or email address and will update adb2c shell user via Microsoft Graph.
When the user's email address changes, I want to update the shell user in our adb2c org. Since the email address is used as the UPN, how can I update my federated users userPrincipalName in our adb2c shell user via Graph API?
var identities = graphUser.Identities.Select(o => new ObjectIdentity
{
SignInType = o.SignInType,
Issuer = o.Issuer,
IssuerAssignedId = o.IssuerAssignedId,
ODataType = o.ODataType,
AdditionalData = o.AdditionalData
}).ToList();
var federatedIdentity = identities.FirstOrDefault(i => i.SignInType == "federated");
Both of these wont work:
federatedIdentity.IssuerAssignedId = "mynameuser#federatedAAD.org";
or
var updatedUser = new User
{
//other user attributes here
UserPrincipalName = "mynameuser#federatedAAD.org";
};
await _graphServiceClient.Users[idpId]
.Request()
.UpdateAsync(updatedUser);
Thanks in advance!
• You can update the external user identity or shell user identity in Azure AD B2C using Microsoft graph API through the HTTP response interface by using the below commands: -
‘ PATCH https://graph.microsoft.com/v1.0/users/{object id}
{"userPrincipalName":"jdoe#abc.com"} ‘
Where instead of the “jdoe#abc.com”, enter the user principal name of the already created Azure AD B2C shell user or federated user that logs in to Azure AD B2C. Since, the user identity is already created when the user logs in for the first time to use the application created, it needs to update the existing user principal name only which can be done through the above command.
• Also, Microsoft Graph seems not to allow to set userPrincipalName when creating the user for Azure B2C. It will generate the userPrincipalName as {object id}#abc.com. And then you could update the userPrincipalName. Thus, your second command script to create or update the shell user’s UPN didn’t work. As well as ensure to add the federated domain as a verified domain in Azure AD B2C for the above command and options to succeed.
Please refer the below links for more information: -
Pre-Create Federated Users in Azure B2C Using Graph
https://learn.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=http
I'm following the Microsoft tutorial Create a user (local or social account). So I'm trying to create a user from HTTP call, for this I'm sending a similar payload to the tutorial:
{
"accountEnabled": true,
"creationType": "LocalAccount",
"displayName": "Alex Wu",
"passwordProfile": {
"password": "Test1234",
"forceChangePasswordNextLogin": false
},
"signInNames": [
{
"type": "userName",
"value": "AlexW"
},
{
"type": "emailAddress",
"value": "alexw#gmail.com"
}
],
"userIdentities": [
{
"issuer": "google.com",
"issuerUserId": "MATxTNg5MzYyMzMyMNY1Njc="
}
]
}
My question is how I can generate the issuerUserId as it is necessary for the Google supplier to recognize the user. I'm trying with a random value encode with base64 but when I run the user flow the user it's created again with a duplicate email. I suppose Google don't recognize the issuerUserId.
Update:
Base on Allen Wu answer:
issuerUserId is a unique user identifier for the issuer. You can set any valid string (don't be duplicate) for it.
I create this issuerUserId with a valid string: 12345678909823456789
As before, I create successfully the user and the source show as Google:
But when I want to log in the account with Google provider
The user is duplicated:
I assume instead of launch Sign in process Azure/Google don't recognize the account's issuerUserId and launch the Sign-up process, for that reason that's why I think issuerUserId might be created by Google.
Some notes:
I'm changed the emails for demo emails, but that is the current
behavior.
I'm only using Google authentication, I don't using email and password fields of the login, because the purpose of the app is only for Social Authentication (Google specifically)
I'm using Sign up and sign in (Recommended) user type flow.
If you have more thoughts about issuerUserId that can help me, let me know, I'll really appreciate.
It's not true.
Based on my test, the user flow won't create a new user which has a duplicate email. (the previous user is created via AAD Graph)
issuerUserId is a unique user identifier for the issuer. You can set any valid string (don't be duplicate) for it.
And Google / Facebook or any other social idp won't verify it, because this user is created in B2C. It's an B2C local account. ("creationType": "LocalAccount")
Create an B2C local account doesn't mean this user has been created in Google.
I guess that you add Google idp into the user flow and are trying to create a new user in Google rather than B2C.
You should click on the "Sign up now" in user flow to create the local account. Kindly check it.
Update:
As I have mentioned above, the user you created with Azure AD graph is an B2C local account. You should use the default sign in feature to log into that user. B2C will verify your credential.
But when you click on the "Google" to sign in, in fact the Google will verify your credential and will associate your Google account to a new B2C account. It's not a local account.
So they are two different accounts. You can verify this by changing the password of the B2C local account. After changing the password, you still need to use the old password to sign in with the "Google" option. But you will need to use the new password to sign in with the first user (B2C local account).
You can use GET https://graph.windows.net/myorganization/users?api-version to get the two users and find that the issuerUserId of them are different.
I am creating users using the Azure Graph API (using Microsoft.Graph;), and I am seeing issues when I try to add local account users. I want to be able to create an account where the user can log in with a username, such as "jimmy" and not have to specify a domain. I am able to do this with the Azure Portal, but not with Graph API.
When I add users through Graph API, the issue is with the userPrincipalName. I must include a userPrincipalName, and userPrincipalName must include a domain. Conversely, when I create a user account with Azure Portal, I do not specify a userPrincipalName, and the userPrincipalName is created automatically with the format being objectid#mydomain.onmicrosoft.com.
In summary, I want to be able to use the graph API to create a user who can log in as "Jimmy" as I can with the Azure Portal, but I am only able to create a user who can log in as jimmy#mydomain.onmicrosoft.com.
You could generate a GUID and set the UPN to "guid#domain.onmicrosoft.com"? If that's what the portal does, shouldn't it be fine for your app too? If you specify an identity for the user with the username type, they should be able to log in with that.
So you can set the user's identities to something like:
{
"identities": [{
"signInType": "userName",
"issuer": "mydomain.onmicrosoft.com",
"issuerAssignedId": "jimmy"
}]
}
And the UPN can be the generated one with the GUID.
Reference: https://learn.microsoft.com/en-us/graph/api/resources/objectidentity?view=graph-rest-1.0
I am using the Azure AD Graph to programatically crate a User.
My goal is to generate a temp password, then when the try to login with the temp password it immediately forces them to reset their password before proceeding.
I am able to successfully create the user. When I retrieve all users via the Graph, I see my user there. However when I attempt to login with the email/temp password, B2C says invalid email/pass.
What am I missing here?
My JSON looks something like this:
{
"accountEnabled": true,
"signInNames": [
{
"type": "emailAddress",
"value": "yo#yo.com"
}
],
"creationType": "LocalAccount",
"displayName": "Agent47",
"passwordProfile": {
"password": "PassIsTemp1234",
"forceChangePasswordNextLogin": true
},
"country": "USA"
}
You have the following options with the built-in policies.
If you are wanting for the temporary password to be changed on the first sign-in, then you must create a sign-in only policy.
The sign-in only policy handles the forceChangePasswordNextLogin setting by prompting the authenticated user to enter their current and new passwords.
Note: The page UI customization feature that is described by this article is not available to the sign-in only policy.
If the page UI customization feature is important, then you must:
Create a sign-up or sign-in policy.
When creating a local account, set the forceChangePasswordNextLogin to false.
Instruct the new user to "change" their temporary password through the "Forgot your password?" link using a password reset policy.
You can otherwise consider a custom policy from the starter pack that includes a password change step.
I need to programmatically add user account to Azure API Catalog portal.
I use ApiManagementClient class from package Microsoft.Azure.Management.ApiManagement (3.4) and if collection Users does not have a user with a particular e-mail (Azure Active Directory has a user whose username is our company e-mail, for every user that we have in or internal Active Directory)
then I'd try to call Users.CreateAsync which will take a parameter of type UserCreateParameters that consists of Email, FirstName, LastName, State and Password.
The issue here is that my user has been added to the portal manually by administrator and my password was not required for that (as it is an AAD user)
but this method won't let me create a new user if I don't provide a password.
How can I add an AAD user to the API Catalog, from code and without knowing the password. Otherwise, I won't be able to add an API subscription for a user that has not been added to the portal, yet.
We are working a new nuget package, which has support for that. For now, you can use the rest api https://learn.microsoft.com/en-us/rest/api/apimanagement/user/createorupdate
But you would need to know the unique Id of the User in AAD System. The operation above will create a user which can log-in both using AAD or Basic Auth.
{
"properties": {
"firstName": "foo",
"lastName": "bar",
"email": "foobar#mytenant.onmicrosoft.com"
"identities" :[
"provider": "Aad",
"id": "<unique id in AAd Tenant>"
]
}
}