I am building a multi-tenant SaaS app backed by Azure AD B2C and using groups as my tenants. I am now building an admin app to manage the tenants and the only people that should be able to use it are the users in my company AD instance. I have created a sign in user flow with my Azure AD as the only Identity Provider and have registered the apps. The user flow works except I get an AADB2C99002 error returned saying I don't exist in the B2C instance. The problem is that I do exist in the B2C instance because I created it and I am the Global Admin for it. I know from the docs it says that you need to sign up first before you can sign in with an external identity provider, but like I said I do have an account already and it is linked to my company AD instance.

Can anyone shed some light on why the B2C instance thinks I don't exist?

Right now I am mulling over my options if I can't find out what the issue is. As I see it there are 2, but I am not sure either will work.

1) create a combined sign up / sign in policy and delete it after I sign up. Not sure if it will create a duplicate user.

2) create a custom sign in policy - not sure if this would fix the problem.

Andrew Alderson
  • I have the same error using my own existing personal MS email. I see your "I did end up creating a sign up policy to add myself again and then deleted the sign up policy. I see now that it is a different user with a different source. The original user has a source of 'External Azure Active Directory' and the new user has a source of 'Federated Azure Active Directory'". Does it mean every new Gmail, Apple and Facebook user has to sign up first? – Jeb50 Apr 20 '22 at 16:24
  • @Jeb50 I am not sure what you mean. This problem I had was trying to use the account (Azure AD corporate account) that I created the directory with to try to log in as a user of an app registered in b2c. To log into an app secured by b2c the account needs to be a Consumer account. See this page for an overview of account types https://learn.microsoft.com/en-us/azure/active-directory-b2c/user-overview?msclkid=98274c3dc1af11ec8c3f34f27e281c7b – Andrew Alderson Apr 21 '22 at 20:15

2 Answers

Ah, this is actually a bit confusing for people I think. The user you have there now is not a B2C user, so it doesn't find it.

It sounds like you'll need a sign up policy, or a custom sign in policy that creates the user if it doesn't exist.

You should be able to create the users ahead of time with a script: https://learn.microsoft.com/en-us/previous-versions/azure/ad/graph/api/users-operations#CreateLocalAccountUser.

Beginning with version 1.6, Graph API supports creating local and social account users for Azure Active Directory B2C tenants. Unlike users associated with a work or school account, which require sign-in with an email address that contains one of the tenant's verified domains, local account users support signing in with app-specific credentials; for example, with a 3rd-party email address or an app-specific user name. Social account users sign-in using popular social identity providers such as Facebook, Google, LinkedIn or Microsoft Account.

If you are not sure what values to put there, you can make a quick sign up policy, sign up with your user, and observe the data in AAD Graph API.

juunas
  • Thanks. I did end up creating a sign up policy to add myself again and then deleted the sign up policy. I see now that it is a different user with a different source. The original user has a source of 'External Azure Active Directory' and the new user has a source of 'Federated Azure Active Directory' – Andrew Alderson Jan 22 '20 at 20:40
  • I have a similar [issue](https://stackoverflow.com/q/71932856/5063031). It seems using `B2C tenant` won't need sign-up first, and `AZ AD B2C` does. But choosing a `B2C tenant` does not have an App Registration option. Under Overview there is an `Azure AD B2C Settings Open B2C Tenant` link; clicking on it opens up the Azure AD B2C directory created when this B2C was created. This is where my app is registered, `Identity providers` are set up, and `User flows` gives me the error. – Jeb50 Apr 20 '22 at 16:41
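An added example (not from the answer or the question) of the "create the users ahead of time with a script" step, using the request shape of the AAD Graph 1.6 CreateLocalAccountUser operation linked above. The tenant name, e-mail and password are placeholders; note that AAD Graph has since been retired in favour of Microsoft Graph, which expresses the same user with an `identities` array instead of `signInNames`.

```python
import json
import secrets
import string
import urllib.request

# Placeholder tenant, not a value from the question.
B2C_TENANT = "yourtenant.onmicrosoft.com"
GRAPH = "https://graph.windows.net"
API_VERSION = "1.6"
SYMBOLS = "!#$%&*+-=?@_"


def random_password(length=24):
    """Random initial password meeting Azure AD complexity (3 of 4 character classes)."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw), any(c in SYMBOLS for c in pw))
        if sum(classes) >= 3:
            return pw


def local_account_user(display_name, email, password=None):
    """Build the CreateLocalAccountUser body. creationType=LocalAccount plus a
    signInNames entry is what makes this a B2C consumer user; the work/guest
    admin account the question describes has neither, so the sign-in flow rejects it."""
    if "@" not in email:
        raise ValueError("emailAddress sign-in name must be an e-mail address")
    return {
        "accountEnabled": True,
        "creationType": "LocalAccount",
        "displayName": display_name,
        "passwordProfile": {
            "password": password or random_password(),
            # B2C user flows do not prompt for a forced change; hand the initial
            # password over out of band or point the user at a password-reset flow.
            "forceChangePasswordNextLogin": False,
        },
        "signInNames": [{"type": "emailAddress", "value": email}],
    }


def is_consumer_user(user):
    """True for B2C local (creationType) or social (userIdentities) accounts."""
    return user.get("creationType") == "LocalAccount" or bool(user.get("userIdentities"))


def create_user(access_token, body):
    """POST the body to AAD Graph. Network call: needs an app token for graph.windows.net."""
    req = urllib.request.Request(
        f"{GRAPH}/{B2C_TENANT}/users?api-version={API_VERSION}",
        data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```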
If you're aiming to allow a work account (e.g. a local user that is assigned to the global administrator role) or a guest account (e.g. an external user that is assigned to the global administrator role), then you can configure your administration application with Azure AD (not Azure AD B2C) authentication.

To allow for this, you must register your administration application through the Azure AD blade (not the Azure AD B2C blade) in your Azure AD B2C tenant.

Confusing? Yes :), but it does work, if this is what you're needing to do.

Chris Padgett
  • I actually realized that a few days ago. I was thinking that I needed to authenticate against my b2c instance because that was the instance I was performing Graph API operations against. I am now authenticating against my AD tenant and then using a ConfidentialClientApplication to authenticate the Graph API operations against my b2c instance. – Andrew Alderson Jan 29 '20 at 22:13
  • Chris, I have a similar [issue](https://stackoverflow.com/q/71932856/5063031). Based on your answer, it seems using `B2C tenant` won't need sign-up first, but `AZ AD B2C` does. But choosing a `B2C tenant` does not have App Registration. Under Overview there is `Azure AD B2C Settings Open B2C Tenant`; clicking on it opens up the Azure AD B2C directory created when this B2C was created. This is where my app is registered, `Identity providers` are set up, and `User flows` gave me the error. – Jeb50 Apr 20 '22 at 16:37