Get-AzureADUser has an inconsistent changing UPN format in Azure B2C - azure-active-directory

I'm using Get-AzureADUser against a B2C directory, and upon different authentication sessions, the UPN of the same user returns as either
chris@browse.onmicrosoft.com
chris_browse.onmicrosoft.com#EXT#@browseb2c.onmicrosoft.com
Seems like this is a bug, since the value of a static entry is changing. What should the UPN of my external account actually be?
This is for an AAD user who has authenticated to a B2C directory.
I can produce screenshots of this occurring.

If you are asking what the UPN of your external account should actually be, the answer is chris_browse.onmicrosoft.com#EXT#@browseb2c.onmicrosoft.com. It is a guest user which you have invited into your B2C tenant.
The other one, chris@browse.onmicrosoft.com, should be a local account which you have registered in the B2C tenant.
Both will be returned by the Get-AzureADUser command, and you can find both in the Azure Portal.
If you still have any further concerns, please add your screenshots to make it clearer.
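As an added illustration (not code from the question or the answer), a small Python helper that tells the two UPN forms apart and reconstructs a guest's home identity. It assumes the `alias_domain#EXT#@tenant` convention Azure AD applies to invited guests and works on the UserPrincipalName strings that Get-AzureADUser returns; the sample UPNs are constructed from the forms quoted in the thread.

```python
"""Classify Azure AD / B2C user principal names as local or guest accounts.

Added example, not from the original question or answer. Only parses the
UPN strings; feed it the UserPrincipalName values Get-AzureADUser returns.
"""
import re
from typing import Optional, TypedDict

# Guest (B2B) UPNs are rewritten as <alias>_<home-domain>#EXT#@<tenant-domain>
GUEST_RE = re.compile(r"^(?P<local>.+)#EXT#@(?P<tenant>[^@]+)$", re.IGNORECASE)
# Local accounts keep the plain <alias>@<tenant-domain> form
LOCAL_RE = re.compile(r"^(?P<alias>[^@]+)@(?P<tenant>[^@]+)$")


class UpnInfo(TypedDict):
    kind: str                      # "guest" or "local"
    tenant_domain: str             # domain of the tenant the object lives in
    home_identity: Optional[str]   # reconstructed original sign-in name for guests


def classify_upn(upn: str) -> UpnInfo:
    m = GUEST_RE.match(upn)
    if m:
        local = m.group("local")
        # Azure AD replaced the "@" of the home identity with "_". DNS names
        # never contain "_", so the last underscore is the original "@".
        # Treat the result as best effort; Mail/OtherMails is authoritative.
        alias, sep, home_domain = local.rpartition("_")
        return UpnInfo(kind="guest", tenant_domain=m.group("tenant"),
                       home_identity=f"{alias}@{home_domain}" if sep else None)
    m = LOCAL_RE.match(upn)
    if m:
        return UpnInfo(kind="local", tenant_domain=m.group("tenant"),
                       home_identity=None)
    raise ValueError(f"not a recognisable UPN: {upn!r}")


# Constructed sample: the two forms quoted in the question.
SAMPLE_UPNS = [
    "chris@browse.onmicrosoft.com",
    "chris_browse.onmicrosoft.com#EXT#@browseb2c.onmicrosoft.com",
]

if __name__ == "__main__":
    for u in SAMPLE_UPNS:
        print(u, "->", classify_upn(u))
```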

Related

Azure AD B2C and AD Connect

I need to synchronize users from my on-prem AD to an AD B2C tenant.
Now, the docs clearly state this is not possible, but one of the workarounds offered in other questions (like this one: Can I Use ADConnect to migrate users to Azure B2C) is to create a regular Azure AD, sync the users to it, and then configure this Azure AD as an identity provider for the B2C.
This obviously works, however - it will display a link in the sign-in page to log-in using the Azure AD tenant (similar to what happens with the Facebook identity provider). What I'm looking for is a seamless experience, where the users sign in using the regular B2C pages, as if they're local users, and the users' profiles are retrieved from the Azure AD tenant.
How can that be achieved? How can I use the B2C sign in pages and get the users from the Azure AD tenant?
Thanks!
The easiest way is to use this sample.
"On the sign-in page, the user provides their sign-in email address and clicks continue. B2C checks the domain portion of the sign-in email address. If the domain name is contoso.com the user is redirected to Contoso.com Azure AD to complete the sign-in. Otherwise the user continues the sign-in with username and password. In both cases (AAD B2C local account and AAD account), the user does not need to retype the user name."
So no button clicking.
However, this creates the user as a "shadow" account in B2C. It's not a local account. If the user already has a local account, then you can link the two.
Otherwise, there are some migration samples.
Why do you need Azure B2C? If all users are in the AD, then just use AD as it was intended instead of trying to shoehorn them into something it wasn't designed for. As you say, the added button to log in as an AD user is there for this very purpose. I use that and it works well: if you are an internal user (B2B), go this way with your normal password; all other public users go B2C via the username/password front and centre on the screen.
If you migrate users to B2C so they have both, that would be annoying, as you would have no single sign-on.

How to create a B2C tenant for existing Directory?

My current directory doesn't have a B2C tenant, so I'm following this MS Doc to create one for my existing SPA app to fully utilize AZ AD B2C, such as allowing Apple, Google and Twitter authentication.
Registered AzureActiveDirectory in the current (Default directory).
Upon creating a new AZ AD B2C tenant, entering my current domain name results in "Already in use by another directory", so I'm forced to create it in a new directory.
I would suggest you try another unique or unusual name. The custom domain you are trying to use might already be in use by another Azure AD tenant.
I was getting the same error as you while creating the Azure AD B2C tenant.
If I give a unique name like this, it validates successfully.
Note: If you are trying to create a B2C directory, you need to have a subscription associated with the account.
You can also refer to this Microsoft Q&A discussion where someone already encountered the same issue.
You can also refer to how to create an Azure AD B2C tenant in the default Azure Active Directory tenant.
It seems a bit weird but it actually worked for me and I could make another tenant with the same name
https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-tenant

List all Azure Active Directories I'm either a member or guest user of

I have a case where I need to list all Azure Active Directories I'm a member of and those I'm invited to as a guest user. Our application is multi-tenant, where each tenant has its own Azure Active Directory, and one user can be invited to access the application as another tenant, and should be presented with a UI to switch between tenants/directories like we can do in the Azure Portal.
The first part can be queried using the Azure Resource Manager API for listing tenants which I'm a member of (https://learn.microsoft.com/en-us/rest/api/resources/tenants/list). The response from this API does not include tenants for which I'm only invited as a guest user, though.
Are there any APIs that I can call with an access token to query for all Azure Active Directories I have guest access to?
Btw: I'm able to switch between the directories I'm a member of seamlessly using the ng2-adal library, by explicitly setting the tenant in the ADAL configuration object and invoking login() on the ADAL service.
Update:
The answer to my question is that guests must complete the invitation process by following the link in the e-mail that they receive from Azure AD.
Are there any APIs that I can call with an access token to query for all Azure Active Directories I have guest access to?
Of course you can!
For your case, I also tested in my lab with an account federated from on-premises and succeeded. So, it seems like your account is not working in the second tenant.
You can use the code grant flow with the Azure REST API or the implicit flow to get an access token which has delegated permissions for your account.
I did a test and succeeded:
Hope this helps!
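The tenant listing the thread refers to, as an added example (not the asker's or answerer's code). It assumes an ARM access token (audience https://management.azure.com/) obtained through the code grant or implicit flow mentioned above and calls the documented GET https://management.azure.com/tenants endpoint, following nextLink paging; the fetcher is injectable so the paging logic runs offline against a constructed two-page response. As the asker's update notes, a guest who has not redeemed the invitation will not appear in this list.

```python
"""List the Azure AD tenants an ARM access token can see, following paging.

Added example, not code from the question or its answer. The sample pages
below are constructed and the tenant ids are placeholders.
"""
import json
import urllib.request
from typing import Callable, Iterator

TENANTS_URL = "https://management.azure.com/tenants?api-version=2020-01-01"
Fetcher = Callable[[str], dict]


def http_fetch(token: str) -> Fetcher:
    """Return a fetcher that GETs a URL with the bearer token (live use)."""
    def fetch(url: str) -> dict:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def iter_tenants(fetch: Fetcher, url: str = TENANTS_URL) -> Iterator[dict]:
    """Yield every tenant object across all pages of the response."""
    seen = set()
    while url:
        if url in seen:          # guard against a nextLink that loops forever
            raise RuntimeError("nextLink loop detected")
        seen.add(url)
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("nextLink")


def tenant_ids(fetch: Fetcher) -> list:
    return [t["tenantId"] for t in iter_tenants(fetch)]


# Constructed two-page response shaped like the ARM tenants API (placeholder ids).
PAGE2_URL = TENANTS_URL + "&$skiptoken=page2"
FAKE_PAGES = {
    TENANTS_URL: {"value": [{"id": "/tenants/0000-a", "tenantId": "0000-a"}],
                  "nextLink": PAGE2_URL},
    PAGE2_URL: {"value": [{"id": "/tenants/0000-b", "tenantId": "0000-b"}]},
}


def fake_fetch(url: str) -> dict:
    return FAKE_PAGES[url]


if __name__ == "__main__":
    print(tenant_ids(fake_fetch))   # constructed data; use http_fetch(token) for real calls
```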

Azure AD admin consent required when it shouldn't

I have 2 tenants:
One for my organization, where I manage users (A)
One that I manage the applications and permissions (B)
My webapp is on tenant A and I configured authentication on the portal using Azure AD on tenant B.
On tenant B I registered the application with only one permission which does not require admin consent: Windows Azure Active Directory > Sign in and read user profile.
When the user logs in he gets the following error:
AADSTS90093: This operation can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators.
I believe that this error should not be raised, since the only permission required by the application doesn't require admin consent.
EDIT
This is the URL that I am redirected to when I try to access the application when I'm not logged in
https://login.microsoftonline.com/d6ac45af-3289-4f79-a826-27824e1c467d/oauth2/authorize?response_type=code+id_token&redirect_uri=https%3A%2F%2Ftechnipfmc-tools-app-test.azurewebsites.net%2F.auth%2Flogin%2Faad%2Fcallback&client_id=d340f0ed-5eb3-43e8-9a50-c449649f3ee1&scope=openid+profile+email&response_mode=form_post&nonce=1895ec0ffef64447bbb712bdae61c7fb_20170521070654&state=redir%3D%252F
EDIT 2
I found out a solution here:
As an administrator, you can also consent to an application's delegated permissions on behalf of all the users in your tenant. This will prevent the consent dialog from appearing for every user in the tenant. You can do this from the Azure portal from your application page. From the Settings blade for your application, click Required Permissions and click on the Grant Permissions button.
I don't know why I had to do that, since I'm only using permissions that don't require admin consent.
There are several potential problems with your setup:
Your authorization request is set to a specific tenant, the one with tenantId d6ac45af-3289-4f79-a826-27824e1c467d. Only users from that tenant will be able to log in. If this tenantId corresponds to the one for your organization, where you manage users (A), then disregard this point. Otherwise you should either replace this with the tenantId of that tenant or with common which will allow users from any tenant to sign in.
Your application is not multi-tenant. For testing purposes, I replaced the tenantId with common and wasn't able to use this with my test tenant due to the following error: AADSTS70001: Application with identifier 'd340f0ed-5eb3-43e8-9a50-c449649f3ee1' was not found in the directory <MY_TEST_TENANT>. This indicates that the application isn't configured as a multi-tenant application. This is something you must explicitly turn on.
Your organization's tenant (A) might have disabled the ability for regular users to consent to applications. If this capability is disabled, admin consent is always required for the application to be set up in the tenant. To test to see if this is the case, address points #1 (use /common/) and #2 above and try with any other tenant. If you are able to consent with that other tenant but not your organization's tenant, then you'll know that admin consent is required for your organization.
You should check out the How to sign in any Azure Active Directory (AD) user using the multi-tenant application pattern article as it explains all of the points above in more detail.
I think that error appears when you are passing "&prompt=admin_consent" in the Login URL.
Even though you are not requesting Admin permissions, if you pass that query string, it will try to show you a consent dialogue so that you can consent on behalf of the whole tenant, which is an operation that only an admin can do.
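A diagnostic for the points the two answers raise, as an added example (not code from the question or the answers): it parses the authorize URL the asker pasted and reports whether the request is pinned to one tenant or uses /common/, which scopes it asks for, and whether prompt=admin_consent is present. The set of multi-tenant endpoint names is an assumption based on the common, organizations and consumers endpoints of login.microsoftonline.com.

```python
"""Inspect an Azure AD authorize URL for tenant pinning and admin-consent prompts.

Added example, not from the original question or answers.
"""
from urllib.parse import parse_qs, urlparse

# Tenant path segments that accept users from more than one directory.
MULTI_TENANT_ENDPOINTS = {"common", "organizations", "consumers"}


def inspect_authorize_url(url: str) -> dict:
    parts = urlparse(url)
    path = [p for p in parts.path.split("/") if p]
    # Path shape: /<tenant>/oauth2/authorize (or /<tenant>/oauth2/v2.0/authorize)
    tenant = path[0] if path else ""
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    prompt = q.get("prompt", "")
    findings = []
    if tenant not in MULTI_TENANT_ENDPOINTS:
        findings.append(f"request pinned to tenant {tenant}; only its users can sign in")
    if prompt == "admin_consent":
        findings.append("prompt=admin_consent asks for tenant-wide consent, which only an admin can grant")
    return {
        "tenant": tenant,
        "multi_tenant_endpoint": tenant in MULTI_TENANT_ENDPOINTS,
        "response_type": q.get("response_type", "").split(),   # "+" decodes to a space
        "scopes": q.get("scope", "").split(),
        "prompt": prompt,
        "findings": findings,
    }


# The URL quoted in the question (EDIT section).
QUESTION_URL = (
    "https://login.microsoftonline.com/d6ac45af-3289-4f79-a826-27824e1c467d/oauth2/authorize"
    "?response_type=code+id_token&redirect_uri=https%3A%2F%2Ftechnipfmc-tools-app-test"
    ".azurewebsites.net%2F.auth%2Flogin%2Faad%2Fcallback"
    "&client_id=d340f0ed-5eb3-43e8-9a50-c449649f3ee1&scope=openid+profile+email"
    "&response_mode=form_post&nonce=1895ec0ffef64447bbb712bdae61c7fb_20170521070654"
    "&state=redir%3D%252F"
)

if __name__ == "__main__":
    for line in inspect_authorize_url(QUESTION_URL)["findings"]:
        print(line)
```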

How do I get my Azure AD B2C Tenant whitelisted?

After creating my B2C Tenant in the legacy portal, when I navigate to the new portal I get the following error:
Verify B2C feature failed: {"message":"CorrelationId: 4645f854-4099-45b3-b2e5-b1b3c0e47353; Your tenant 'XXXXX.onmicrosoft.com' is not authorized to use b2c functionality. Please ensure your tenant is whitelisted"}
So how do I get my tenant whitelisted? I created a second tenant and got the same result.
We do not have a whitelisting constraint for B2C tenants, and the error message needs correction. Thanks for reporting; we will fix it. You are hitting the case where the user trying to access is not a global admin for the tenant yet. Can you check whether you are marked as global admin for the tenant, and/or we may have a timing bug on our side? If you are shown as admin, please retry clicking on the Manage B2C link on the tenants you already created.