
Is it possible to implement authentication via Azure AD B2C by only configuring a SignIn Policy, without any SignUp or SignUpSignIn policies?

The idea is to add users from the Azure B2C portal instead of allowing users to register themselves via any kind of sign-up form.

When trying to do this I keep getting the following error:

AADB2C99002: User does not exist. Please sign up before you can sign in.

Please help.

It has already been asked here, with no answer: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/20440876-aadb2c99002-user-does-not-exist-please-sign-up-b

tteguayco
  • Are you using user flows or custom policies? Both modes support a sign-in-only user flow. – Abhishek Agrawal Jan 20 '21 at 00:14
  • I am using user flows. I want the users to use their already-existing Microsoft or AAD account. Maybe sign-in only is possible as you say, but only by creating B2C users (but I want to reuse the already-existing Microsoft account, not create a new one with a different password). – tteguayco Jan 20 '21 at 07:43

1 Answer

You can sign in only with a B2C user. Navigate to Azure AD B2C -> Users in the portal; the users listed there are the ones who can sign in.

Add users or invite an external user in the portal.

  1. Create a B2C user (screenshots in the original).
  2. Sign in with that user in a "Sign in" user flow (screenshot in the original).
  3. The ID token is returned successfully (screenshot in the original).


Add users or invite an external user using the Microsoft Graph API.

Create user:

POST https://graph.microsoft.com/v1.0/users
Content-type: application/json

{
  "accountEnabled": true,
  "displayName": "Adele Vance",
  "mailNickname": "AdeleV",
  "userPrincipalName": "AdeleV@contoso.onmicrosoft.com",
  "passwordProfile" : {
    "forceChangePasswordNextSignIn": true,
    "password": "xWwvJ]6NMw+bWH-d"
  }
}

Invite user:

POST https://graph.microsoft.com/v1.0/invitations
Content-type: application/json

{
  "invitedUserEmailAddress": "yyy@test.com",
  "inviteRedirectUrl": "https://myapp.contoso.com"
}

You could test them in Graph Explorer.

unknown
  • Thanks for your answer. Then I assume it's not possible to implement sign in only by using users' already-existing Microsoft/AAD accounts. I necessarily need to create B2C users (and therefore, the password the users use may be different from the password used by their Microsoft/AAD accounts). – tteguayco Jan 20 '21 at 07:44
  • The accounts that I mentioned are Guest accounts or Consumer accounts, see [here](https://learn.microsoft.com/en-us/azure/active-directory-b2c/user-overview). If you want to sign in with an Azure AD (work) account, try using custom policies to enable sign-in for users from a specific Azure AD, and refer to https://stackoverflow.com/a/49134987/13308381. – unknown Jan 20 '21 at 08:03
  • @PamelaPeng Do you happen to know if Microsoft Graph (via Invitations) can be used to invite Consumer (specifically just Consumer) B2C users to a B2C tenant? I can create such accounts but have not been successful inviting them using Microsoft Graph, either v1 or Beta. Thanks! – IdusOrtus Feb 20 '21 at 03:29
  • 1
    Hi, @IdusOrtus. Invitations API is used to invite external users to your tenant as a guest user. But in your side, you have created a [consumer user](https://learn.microsoft.com/en-us/azure/active-directory-b2c/user-overview). If you invite it again, it will return "User name already exists in this directory". – unknown Feb 21 '21 at 13:14
  • @PamelaPeng-MSFT I have a similar [AADB2C99002 issue](https://stackoverflow.com/q/71932856/5063031). Seems using `B2C tenant` won't need sign-up first, and `AZ AD B2C` does. But choosing a `B2C tenant` does not have App Registration. Under Overview there is `Azure AD B2C Settings Open B2C Tenant` link, click on it opens up the corresponding Azure AD B2C directory created when this B2C tenant was created. This is where my app is registered, `Identity providers` are set up, `User flows` gave me the error. – Jeb50 Apr 20 '22 at 16:45
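The answer shows the two Graph requests as raw HTTP with a hard-coded password. Below is an added example (mine, not code from the question, the answer, or Microsoft) of how an admin would script the "create the user yourself, then let them use a sign-in-only user flow" approach end to end. It differs from the answer's body in one deliberate way: it builds the B2C local-account form of POST /users (an `identities` entry with `signInType: emailAddress`, plus `passwordPolicies: DisablePasswordExpiration`), which is the form the Azure AD B2C Graph documentation uses for consumer accounts, rather than a `userPrincipalName` directory user. It also generates a fresh random password per user instead of shipping a literal, and surfaces Graph's error code and message on failure (for example a duplicate sign-in name). The tenant name, redirect URL, token acquisition and the `DryRunOpener` stand-in are all assumptions made for the example; the real call needs an app registration in the B2C tenant with admin-consented `User.ReadWrite.All` (and `User.Invite.All` for invitations) and a bearer token obtained separately, for instance via MSAL's client-credentials flow.

```python
"""Provision sign-in-only Azure AD B2C accounts through Microsoft Graph.

Added example; not code from the original question or answer. Assumes:
  * an app registration in the B2C tenant with the admin-consented application
    permissions User.ReadWrite.All (create) and User.Invite.All (invite);
  * a bearer token for https://graph.microsoft.com obtained separately (e.g.
    MSAL client-credentials flow) and passed in as a string;
  * "contoso.onmicrosoft.com" and "https://myapp.contoso.com" are placeholders.
"""
import json
import secrets
import string
import urllib.error
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
SYMBOLS = "!@#$%^&*-_"


def generate_password(length: int = 20) -> str:
    """Random initial password meeting the default complexity rule (8+ chars,
    three of lower/upper/digit/symbol); one per user, never a shared literal."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw), any(c in SYMBOLS for c in pw))
        if sum(classes) >= 3:
            return pw


def local_account_payload(display_name, email, tenant, password):
    """POST /users body for a B2C *local account* keyed by email address.
    The identities block is what a local-account sign-in user flow matches;
    the userPrincipalName form in the answer creates a directory user instead.
    DisablePasswordExpiration stops Azure AD's default expiry from locking
    out accounts that only an admin can reset."""
    return {
        "accountEnabled": True,
        "displayName": display_name,
        "identities": [{"signInType": "emailAddress",
                        "issuer": tenant,
                        "issuerAssignedId": email}],
        "passwordProfile": {"password": password,
                            "forceChangePasswordNextSignIn": False},
        "passwordPolicies": "DisablePasswordExpiration",
    }


def invitation_payload(email, redirect_url):
    """POST /invitations body; this yields a *guest* user, not a consumer
    (local) one, as the comment thread on the answer notes."""
    return {"invitedUserEmailAddress": email,
            "inviteRedirectUrl": redirect_url,
            "sendInvitationMessage": True}


class DryRunOpener:
    """Stand-in for urllib.request.urlopen (an assumption for this example):
    records every request and returns a canned Graph reply, so the code
    path runs without a tenant."""
    def __init__(self, reply=b'{"id": "00000000-0000-0000-0000-000000000000"}'):
        self.reply, self.requests = reply, []
    def __call__(self, req):
        self.requests.append(req)
        return self
    def __enter__(self): return self
    def __exit__(self, *exc): return False
    def read(self): return self.reply


def graph_post(path, body, token, opener=urllib.request.urlopen):
    """POST JSON to Graph and return the parsed reply. Graph's error body
    (e.g. a duplicate sign-in name) is surfaced so provisioning failures
    carry the real code and message, not just an HTTP status."""
    req = urllib.request.Request(
        GRAPH + path, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    try:
        with opener(req) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as e:
        err = json.loads(e.read() or b"{}").get("error", {})
        raise RuntimeError(f"Graph {e.code}: {err.get('code')}: "
                           f"{err.get('message')}") from e


def provision_sign_in_only_user(display_name, email, tenant, token,
                                opener=urllib.request.urlopen):
    """Create the local account; return (object id, initial password).
    The password is generated here and returned once for out-of-band
    delivery; nothing persists it."""
    password = generate_password()
    body = local_account_payload(display_name, email, tenant, password)
    return graph_post("/users", body, token, opener)["id"], password
```

Call `provision_sign_in_only_user("Adele Vance", "adele@example.com", "contoso.onmicrosoft.com", token)` with a real token to create the account, then have the user sign in through the "Sign in" user flow exactly as the answer's screenshots show. Two caveats worth checking in your own tenant before relying on this: whether the sign-in user flow honours `forceChangePasswordNextSignIn` depends on the flow's password configuration, so the example leaves it `False` and relies on out-of-band delivery of the generated password; and, as the comments note, `/invitations` creates a guest user rather than a consumer account, so it does not replace the local-account path for users who should sign in with an email and password.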