I have a Node.js/Express Azure web app which authenticates with Azure AD B2C.
Users from the following tenants can currently sign in without a problem:
- Users from the Azure AD B2C tenant
- Users from the 'home' Azure AD tenant that was used to create the Azure AD B2C tenant
I enabled login for 'home' tenant users by adding the 'home' tenant as an Identity Provider.
The steps for doing this are documented here:
Essentially, I was able to add the 'home' tenant as an identity provider by going to:
Azure Portal > Azure AD B2C Tenant > Azure AD B2C > Identity Providers > + New OpenID Connect provider > [ fill in required fields and click 'Save' ]
Then I went to the relevant 'user flow' at:
Azure Portal > Azure AD B2C Tenant > Azure AD B2C > User flows > B2C_1_signin1 > Identity providers > [ check the recently added OpenID connect provider ] > [ click 'Save' ]
I am now attempting to add another Azure AD tenant as an identity provider (using the same steps as above).
In this case it is a tenant associated with the Microsoft Developer Program:
https://developer.microsoft.com/en-us/microsoft-365/dev-program
The following behaviour is occurring (step 5 is where the problem occurs):
1. Go to the web app URL
2. Get redirected to user sign in page
3. Click on the 'Single Sign In' button for the developer tenant
4. Select my developer tenant email account
5. Then the page gets 'stuck' loading this URL (the page title just says 'Working...'):
https://login.microsoftonline.com/<Microsoft-Developer-Program-Tenant-ID-Here>/reprocess?ctx=********
If I select the 'home' tenant for single-sign-on, rather than the developer program tenant, it quickly redirects from the above URL to the MFA authentication prompt page:
https://<my-azure-b2c-tenant>.b2clogin.com/<my-azure-b2c-tenant>.onmicrosoft.com/oauth2/authresp
But this is not happening when I select the developer program tenant.
The only difference I can see between the 'home' Azure AD tenant and the 'developer program' Azure AD tenant is that, well, the latter is associated with a developer program account.
Is that problematic?
Are 'Microsoft Developer Program' tenants able to be added as Identity Providers in Azure AD B2C?
If they are, any ideas what else needs to be done to get this login working?
PS:
I just noticed the login eventually times out with this message on the page:
504.0 GatewayTimeout
And this URL:
https://<my-app-name>.azurewebsites.net/redirect?error=server_error&error_description=*******%3a+User+does+not+exist.+Please+sign+up+before+you+can+sign+in.%0d%0aCorrelation+ID%3*******Timestamp%3a+2023-02-11+08%3a41%3a44Z%0d%0a&state=login
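An added example, not code from the question's app: the final URL in the post carries the real reason for the failure in its `error` and `error_description` query parameters, URL-encoded (`+` for spaces, `%3a` for `:`, `%0d%0a` for line breaks). A Node.js redirect handler that decodes those parameters, checks `state` against the value the app sent, and logs the correlation ID makes the 'User does not exist. Please sign up before you can sign in.' message visible straight away instead of leaving the browser on 'Working...' until the gateway times out. The `example-app` host name, the `ERRCODE` error-code placeholder, the all-zero correlation ID and the `req.session.oidcState` session key are assumptions; the timestamp and message text are the ones visible in the question.

```javascript
// Decode the error that Azure AD B2C sends back to an OIDC redirect URI.
// Added example; not from the question author's app. No dependencies.

// Constructed sample: the question's redirect URL with the redacted parts
// replaced by labelled placeholders (ERRCODE, all-zero correlation ID).
const SAMPLE_REDIRECT =
  'https://example-app.azurewebsites.net/redirect?error=server_error' +
  '&error_description=ERRCODE%3a+User+does+not+exist.+Please+sign+up+before+you+can+sign+in.' +
  '%0d%0aCorrelation+ID%3a+00000000-0000-0000-0000-000000000000' +
  '%0d%0aTimestamp%3a+2023-02-11+08%3a41%3a44Z%0d%0a&state=login';

// B2C formats error_description as:
//   "<code>: <message>\r\nCorrelation ID: <guid>\r\nTimestamp: <utc>\r\n"
// Split it into its parts so each can be logged and shown separately.
function parseB2cErrorDescription(description) {
  const result = { code: null, message: description, correlationId: null, timestamp: null };
  const lines = description.split(/\r?\n/).map((l) => l.trim()).filter(Boolean);
  if (lines.length === 0) return result;

  const head = /^([A-Za-z0-9_]+):\s*(.*)$/.exec(lines[0]);
  if (head) {
    result.code = head[1];
    result.message = head[2];
  } else {
    result.message = lines[0];
  }
  for (const line of lines.slice(1)) {
    const kv = /^([^:]+):\s*(.*)$/.exec(line);
    if (!kv) continue;
    const key = kv[1].trim().toLowerCase();
    if (key === 'correlation id') result.correlationId = kv[2];
    else if (key === 'timestamp') result.timestamp = kv[2];
  }
  return result;
}

// Accepts either a URLSearchParams or a plain object such as Express's req.query.
// Returns null when the redirect is not an error response.
function parseOidcErrorRedirect(query) {
  const get = (k) => (typeof query.get === 'function' ? query.get(k) : query[k]);
  const error = get('error');
  if (!error) return null;
  const description = get('error_description') || '';
  return { error, state: get('state') || null, ...parseB2cErrorDescription(description) };
}

// Convenience wrapper for a full redirect URL string; searchParams does the
// form-urlencoded decoding (+ -> space, %0d%0a -> CRLF).
function parseRedirectUrl(urlString) {
  return parseOidcErrorRedirect(new URL(urlString).searchParams);
}

// Express-style handler for GET /redirect. Returns true when it handled an
// error response, false when the caller should continue with the normal
// code/token exchange. `req.session.oidcState` is an assumed session key
// holding the state value the app sent with the authorization request.
function redirectHandler(req, res, log = console.error) {
  const info = parseOidcErrorRedirect(req.query || {});
  if (!info) return false;

  const expected = req.session && req.session.oidcState;
  if (expected && info.state !== expected) {
    // A mismatched state means this response was not solicited by this session.
    res.status(400).send('Sign-in response did not match this session.');
    return true;
  }

  // The correlation ID and timestamp are what the B2C audit logs are keyed on.
  log(`B2C sign-in failed: error=${info.error} code=${info.code} ` +
      `message="${info.message}" correlationId=${info.correlationId} ` +
      `timestamp=${info.timestamp}`);
  res.status(400).send(
    `Sign-in failed: ${info.message} (reference ${info.correlationId})`);
  return true;
}

// Mount in Express as: app.get('/redirect', (req, res) => {
//   if (redirectHandler(req, res)) return;  /* ...normal flow... */ });
```

The decoded message is the point: it reports that B2C found no account for the federated user, which is a different problem from the identity provider being misconfigured, and the correlation ID lets the failure be matched in the B2C audit logs.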