Have my public-facing application deployed to Azure. Intended to delegate Authentication to Microsoft, Google, Facebook, Apple etc. So once a user is authenticated as who he claims to be and the authentication/ID token is returned by that provider, the app takes over in authorization/permission etc. Found Microsoft does provide Federation Authentication. So I used sign-in only (assume users all have an account with the 3rd-party providers), set up, ran the user flow, tested with my own already existing personal Microsoft outlook.com account not tied to any organizations, and I'm of course not a MS employee, authenticated but receiving

AADB2C99002: User does not exist. Please sign up before you can sign in.

This is how it is set up:

  1. Registered Microsoft.ActiveDirectory
  2. Added/created an Azure AD B2C Tenant and linked it with the subscription
  3. Searched for Azure Active Directory, registered my app and configured the Redirect URI according to MS' format
  4. Switched to the directory created by step 2, Azure AD B2C, and configured Identity providers using the Client ID and Secret from 3
  5. Created and ran a user flow

I've read other threads 1, 2, 3, and Azure AD, getting more confused. All I need is third-party authentication, no fancy things like application, custom policy, devices, signals etc.

If I need to invite people first, there is no way I'd know who will use the app. If an invite is not needed, do they have to sign up before signing in? My guess is not, because when creating a User flow it has "Sign up and sign in" and "Sign in".

Jeb50
  • Did you run through all the steps here - https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-microsoft-account?pivots=b2c-user-flow – rbrayb Apr 20 '22 at 02:29
  • @rbrayb That's one of the docs I went through and followed. Seems using `B2C tenant` won't need sign-up first, and `AZ AD B2C` does. But choosing a `B2C tenant` does not have an App Registration option. Under Overview there is an `Azure AD B2C Settings Open B2C Tenant` link; clicking on it opens up the Azure AD B2C corresponding directory created when this B2C was created. This is where my app is registered, `Identity providers` are set up, and `User flows` gives me the error. – Jeb50 Apr 20 '22 at 16:58

1 Answer

> assume users all have an account with the 3rd-party providers

It is incorrect to assume that, in the case their account exists in the federated IdP, they don’t need to sign up in B2C; in fact they do, at least for user flows.

You must create a representation of a federated identity in AAD B2C on the first login of a federated account. A Sign In policy cannot create accounts, hence your error. If you pre-created such accounts in B2C (and were using user flows), you would be ok.

You need a ‘sign in and sign up’ policy, such that when a user logs in for the first time with a federated provider, AAD B2C can create this representation of the account, that is what we class as the “sign up” portion. The user just experiences a sign in though.

If you simply don’t want to create such representation, you can achieve that with a custom policy.

Or if you want to disable local account sign up, but still allow federated accounts to sign up/in, that can be done with custom policy too.

Jas Suri - MSFT
  • If "sign-up" occurs behind the scenes when the user just signs in, it's ok with me. _"If you simply don’t want to create such representation, you can achieve that with a custom policy. Or if you want to disable local account sign up, but still allow federated accounts to sign up/in, that can be done with custom policy too."_ So my understanding is this error occurs because I'm missing a `custom policy` for the just-sign-in flow, right? Is there a tutorial/document for this sign-in-only custom policy? – Jeb50 Apr 23 '22 at 18:24
  • You would take the starter pack for social and local, and remove the step where a user is created in the journey for federated login. Automate the setup [here](https://aka.ms/iefsetup). And read [here](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/blob/main/SocialAndLocalAccounts/readme.md) about the starter pack, and it should become clear how to remove the user-write step. – Jas Suri - MSFT Apr 25 '22 at 07:51
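Added illustration, not part of the question or the answer above: a small Python model of the distinction the answer draws between a "Sign in" flow (read-only lookup of the local representation) and a "Sign up and sign in" flow (first federated login writes that representation). The attribute names `issuer`, `issuerAssignedId` and `objectId` are assumptions modelled on the Microsoft Graph `identities` collection, the issuer URL and user values are constructed sample data, and the flow functions are a simplification of what the answer describes rather than B2C's real implementation.

```python
"""Added example (not from the original question or answer): a small model of
how a B2C user flow resolves a federated login against the local directory.
The attribute names (issuer, issuerAssignedId, objectId) are assumptions
modelled on the Microsoft Graph 'identities' collection; the flow logic is a
simplification of what the answer describes, not the real B2C implementation.
"""
from dataclasses import dataclass, field
import uuid


@dataclass(frozen=True)
class FederatedToken:
    """Claims the external IdP returns once it has authenticated the user."""
    iss: str    # issuer of the token (constructed sample value in demo())
    sub: str    # the IdP's stable subject identifier for this user
    email: str  # informational only; NOT used as the lookup key
    name: str


class UserDoesNotExist(Exception):
    """The AADB2C99002 outcome: a sign-in-only flow found no local account."""


@dataclass
class B2CDirectory:
    """Local tenant store keyed by objectId; each record remembers the
    federated identity it was created from."""
    users: dict = field(default_factory=dict)

    def find_by_identity(self, issuer: str, issuer_assigned_id: str):
        # The federated "representation" is matched on (issuer, subject),
        # never on e-mail, so an e-mail change at the IdP does not create
        # a second account or let one user claim another's record.
        for object_id, rec in self.users.items():
            if (rec["issuer"], rec["issuerAssignedId"]) == (issuer, issuer_assigned_id):
                return object_id
        return None

    def create_federated_user(self, token: FederatedToken) -> str:
        object_id = str(uuid.uuid4())
        self.users[object_id] = {
            "issuer": token.iss,
            "issuerAssignedId": token.sub,
            "displayName": token.name,
            "mail": token.email,
        }
        return object_id


def sign_in_only(directory: B2CDirectory, token: FederatedToken) -> str:
    """'Sign in' user flow: read the local representation, never write one."""
    object_id = directory.find_by_identity(token.iss, token.sub)
    if object_id is None:
        raise UserDoesNotExist(
            "AADB2C99002: User does not exist. Please sign up before you can sign in.")
    return object_id


def sign_up_or_sign_in(directory: B2CDirectory, token: FederatedToken) -> str:
    """'Sign up and sign in' user flow: the first federated login writes the
    local representation; every later login just reads it."""
    object_id = directory.find_by_identity(token.iss, token.sub)
    if object_id is None:
        object_id = directory.create_federated_user(token)   # the "sign up" step
    return object_id


def demo() -> dict:
    """Walk through the question's scenario and return what each flow did."""
    directory = B2CDirectory()
    # Constructed sample token; the issuer URL is illustrative only.
    first_login = FederatedToken(iss="https://idp.example.com", sub="user-42",
                                 email="someone@example.com", name="Someone")
    outcome = {}
    try:
        sign_in_only(directory, first_login)
        outcome["sign_in_only_first"] = "succeeded"
    except UserDoesNotExist as exc:
        outcome["sign_in_only_first"] = str(exc)
    oid = sign_up_or_sign_in(directory, first_login)
    outcome["sign_up_or_sign_in_first"] = oid
    # Same subject, new e-mail at the IdP: still the same local account.
    later_login = FederatedToken(iss="https://idp.example.com", sub="user-42",
                                 email="renamed@example.com", name="Someone")
    outcome["sign_in_only_later"] = sign_in_only(directory, later_login)
    outcome["accounts_created"] = len(directory.users)
    return outcome


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` reproduces the question's symptom (the first sign-in-only attempt fails with the AADB2C99002 text), then shows that one pass through the sign-up-or-sign-in flow creates exactly one local record, after which the sign-in-only flow succeeds for the same federated subject even though the e-mail claim changed.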