We have Azure AD in our tenant, being populated by our on premise AD.
We have an external application that is currently using forms based authentication (user accounts are stored in a DB). I'm looking at importing these user accounts into a new Azure B2C directory. I would like to retain the current login ID.
Very basic question: Can B2C users authenticate with both their B2C login ID as well as their UPN like they can in regular Azure AD?
If the user accounts in your database are simply usernames, you can import them as usernames (using the graph API) and then allow users to sign in using usernames.
Related
We have an existing Azure subscription where we run our processing infrastructure. We are setting up a new app to run in the same space, but with a Azure Active Directory B2C. We have the setup working and can create new customer users that can sign in.
We have been unable to determine how to have our own users in the existing company subscription sign in to the new app (powered by the AD B2C) with the same user/email/password.
We think the answer lies somewhere between single sign on and proxy user principal names?
We should also point out that when setting up the AD B2C, an administrator user was set up for the person that set it up. Their account has an issuer of ExternalAzureAD and their user principal name is pretty much their email as a suffix on the active directory domain. Although this user is "linked" (?) to the original user in our original AD, it has a different password, etc. So also not quite what we are looking for. Ideally this user would sign into the B2C with their actual email and password (the same one used in the non B2C original AD).
I tried to reproduce the same in my environment like below:
To allow the users to login with Azure AD credentials, make sure to register the Azure AD B2C application by selecting Accounts in any organizational directory (Any Azure AD directory - Multitenant)
To sign-in to the Azure AD B2C application, try using below authorize and token endpoints accordingly:
Note that, organizations endpoint will allow tenant-level login.
I created an Azure AD user like below:
When I tried to login to the Azure AD B2C Application through Azure AD user credentials, I am able to login successfully.
And the decoded access token contains Azure AD user information like below:
I have a requirement where we want the users to use their social accounts to login into our application (i.e. get an ID Token) through Azure B2C. I configured the Identity Provider and create a user flow for Sign in only. We don't want Users to Sign Up because that through Invitation only. When I use the "Invite User" to the live.com account and the user accepts the invitation and tries to login into the application, I get the below error.
AADB2C99002 User does not exist. Please sign up before you can sign in.
But the user is existing as a Guest User.
When I allow Sign up and the user actually does the Sign-up and then login in, it works.
Questions:
Why isn't the Guest User allowed to access the application? What needs to be done for the same to work?
If it's not possible, I don't want the user to be a "member" to avoid maintaining their credentials. I want the users to use their social accounts only.
As I don't have the requirement of self sign-up and the only invitation-based, how do I achieve my requirement?
Thanks,
Neel
Please see the Overview of user accounts in Azure Active Directory B2C.
Guest account - A guest account can only be a Microsoft account or an Azure Active Directory user that can be used to access applications
or manage tenants.
Consumer account - A consumer account is used by a user of the applications you've registered with Azure AD B2C. Consumer accounts
can be created by:
The user going through a sign-up user flow in an Azure AD B2C application
Using Microsoft Graph API
Using the Azure portal
Guest account is specifically distinguished from Consumer account. So Guest user can't sign into B2C application directly.
Your three questions are actually the same question: How to log in a social account without managing its credentials?
Please refer to Add an identity provider to your Azure Active Directory B2C tenant.
In order to let live.com account sign in, you need to Set up sign-in with a Microsoft account using Azure Active Directory B2C. Choose the policy type (User flow or Custom policy) you want to find the corresponding steps.
If you need your customers from other social idps such as Facebook, Google and so on, you can find the corresponding article on the left.
I am attempting to develop an app with only a sign in policy. To the best of my knowledge the supported methods of creating new users for b2c are using the new user dialog on the users page, and with the graph api. Is this correct? Is there a method I'm missing? Which is the preferred method?
When attempting to create users in the new user dialog, usernames become malformed, eg. username#domain.com becomes username_domain.com#EXT##domain.com
The users created through the portal cannot be used by Azure AD B2C. Azure AD B2C uses the 'signin names' property of the user to sign in. The users created through the portal can be used for sign in using AAD (enterprise scenario).
Azure AD B2C has a sample for creating user accounts using AADGraph, which can be used for creating users in cases where only signin is supported.
Create consumer user accounts
At the moment Azure AD B2C are not available in all regions. So , If I create Azure AD B2C in a region where it is available, is it possible me to migrate users later into a new Azure AD B2C, which will be created in my region when the Azure AD B2C available in the region?
p.s. copy of https://social.technet.microsoft.com/Forums/en-US/7e42bb1a-7a04-4a62-9864-5c7392f790cf/migrating-azure-ad-b2c-users-from-region-to-region?forum=paas
Currently there is no information from Microsoft as whether they will provide a native export feature within B2C to allow migration between regions. However you can export users between B2C tenants using GraphAPI as per this guide. One issue with this method for local accounts is that passwords cannot be migrated out of a B2C tenant, so you have two options:
Password Reset - You force every user to perform a password reset whether that be via an email sent to every user, or when a user tries to sign in for the first time.
Validate against old tenant - You modify your sign in policy on the new tenant to verify the users email and password combo against the old tenant via a REST API technical profile. If valid you then write the password to the new tenant.
Is it possible to create LinkedIn user in Azure AD B2C using Graph API?
I can see that when I create LinkedIn user using hosted pages, the following user is created in directory
But when I query users endpoint, I don't see any properties on the user object that would say, that he is a LinkedIn user.
It is not a LinkedIn user. It is a user who created an account in your Azure AD B2C using LinkedIn as an identity provider.
For you, as the Azure AD B2C administrator, it does not matter where the user has authenticated. You can not create a user account with a fixed identity provider.