Develop Reference

Create Office 365 user in Azure B2C using invitation api in microsoft graph

I need to register office 365 users residing in another Azure AD to be created programmatically using microsoft graph API into Azure AD B2C directory. I am successful in creating and logging into local accounts but creating external identity users hasn't been successful. The microsoft documentation is verbose too for this context. The scenario is as under.
Invited the user using invitation API.
User accepts the invitation received in their email and gets redirected to grant permission screen for the app, and then lands on the redirect url.
The user can be seen in Azure B2C users as invited and then external azure ad after invitation acceptance
Problem:
The same user can't login using the Signin flow that works for the local accounts. I noticed the signInIssuerId is also null for this user. The error received states please sign up user first/no account found.
I understand there is some disconnection behind where the invitation is sent but the user is not signed up from the graph api. How can this be achieved? I would hate to know if that would be possible only using IDEF / custom policies
Please help!

The problem is that these are social/federated users, not local ones.
You need to use the "SocialAndLocalAccounts" policies in the starter pack.
Invitations via the API are for B2B users. This type of user is not supported in B2C.
For examples of B2C invitations, look here.

Azure AD B2C and AD Connect

I need to synchronize users from my on-prem AD to an AD B2C tenant.
Now, the docs clearly state this is not possible, but one of the workarounds offered in other questions (like this one: Can I Use ADConnect to migrate users to Azure B2C) is to create a regular Azure AD, sync the users to it, and then configure this Azure AD as an identity provider for the B2C.
This obviously works, however - it will display a link in the sign-in page to log-in using the Azure AD tenant (similar to what happens with the Facebook identity provider). What I'm looking for is a seamless experience, where the users sign in using the regular B2C pages, as if they're local users, and the users' profiles are retrieved from the Azure AD tenant.
How can that be achieved? How can I use the B2C sign in pages and get the users from the Azure AD tenant?
Thanks!

The easiest way is to use this sample.
"On the sign-in page, the user provides their sign-in email address and clicks continue. B2C checks the domain portion of the sign-in email address. If the domain name is contoso.com the user is redirected to Contoso.com Azure AD to complete the sign-in. Otherwise the user continues the sign-in with username and password. In both cases (AAD B2C local account and AAD account), the user does not need to retype the user name."
So no button clicking.
However, this creates the user as a "shadow" account in B2C. It's not a local account. If the user already has a local account, then you can link the two.
Otherwise, there are some migration samples.

Why do you need Azure B2C, if all users are in the AD, then just use AD as it was intended instead of trying to shoehorn them into something that it wasn't designed for. As you say, the added button to login as an AD user is there for this very purpose, I use that and it works well, if you are an internal user B2B go this way with your normal password, all other public users B2C via the username password front and centre on the screen.
If you migrate users to B2C so they have both, that would be annoying as you would have no single sign on.

Is it possible to allow all users in a specific AAD tenant to access an app?

Is it possible to allow all users in a specific AAD tenant to access an app?
Something like a tenant trust. Tenant 1 trusts Tenant 2 and I can add 'tenant2\AllUsers' to a permission.
I want to allow all users of a partner tenant (current and future) to be able to access a SharePoint site and a few other apps.
I've looked at B2B but it requires invitations which is hard to manage at scale.
Entitlement management looks nice but requires P2 licenses and has lots of capabilities we just don't need.
Does anyone have a simple way to do a 'tenant trust'? Am I missing something?

Firstly, you have a misunderstanding of "tenant trust".
When we say tenant trust, it means the tenant trusts an app and then the app can access the data of that tenant. There is not a way to make a tenant trust another tenant.
Anyway, using the official admin consent URL you can grant admin consent for a whole tenant to an app.
See Construct the URL for granting tenant-wide admin consent.
https://login.microsoftonline.com/{tenant-id of partner tenant}/adminconsent?client_id={client-id}
Sign in with an admin account from partner tenant and do the admin consent. Then all users from partner tenant can sign in to this app.
For SharePoint user case, you can take advantage of self-enroll service. Please refer to Use SharePoint as a business-to-business (B2B) extranet solution and Create a B2B extranet with managed guests.

AADSTS50020: User account does not exist in tenant

I was able to register an app created by another tenant as an enterprise app of my own tenant.
I signed in to the app as a user, but I got the following error.
AADSTS50020: User account 'test001#testdomain001.onmicrosoft.com' from identity provider 'https://sts.windows.net/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/' does not exist in tenant 'testdomain002' and cannot access the application '55555555-6666-7777-8888-999999999999'(OneDriveAPIBrowser_test001) in that tenant.
The account needs to be added as an external user in the tenant first.
Sign out and sign in again with a different Azure Active Directory user account.
How can a user of another tenant use it without the application creator tenant performing any processing?

If the Azure AD app is registered in Tenant A and you have add it as an enterprise app into Tenant B, you should use a user from Tenant B to sign in.
In your case, if the registered app is in testdomain001 and added into testdomain002, you need to use a user from testdomain002. User "test001#testdomain001.onmicrosoft.com" is not allowed to sign in to the app in testdomain002 unless it is a guest user of testdomain002.

I tried the steps below and it worked for me.
Go to azure.microsoft.com
Select Free Account.
Sign in with your email.
It will detect that you already have a subscription and give you the option to use it.

Migrating users with social login to Azure AD B2C

I'm trying to migrate user accounts from our database to Azure AD B2C following an article and simple app that's coupled with the article -- see below.
All user accounts we have in our database used social login e.g. Google, LinkedIn and Facebook. I'm looking at the code in the migration app and I don't see any reference to user's social login. I don't see any properties for login type or anything like that.
How will I specify how the user registered in our system and has been using his/her social account to log into our app? The migration structure seems very simple i.e. just name, last name, email, etc.
I do NOT have to use this app but not sure if there's a simpler way to handle this.
The article I'm following is: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-user-migration
And here's a link to the simple migration app: https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/tree/master/scenarios/aadb2c-user-migration

For a social account, Azure AD B2C finds the user object using a composite key that includes the social user identifier (e.g. the "id" claim that is issued by the social identity provider) and the social identity provider name (e.g. "facebook.com").
This composite key is stored in the "alternativeSecurityId" attribute of the user object.
Currently, you can't read or write this "alternativeSecurityId" attribute of the user object using the Azure AD Graph API, which means you can't migrate the social accounts from your existing identity store using a similar method to that described in the user migration guide.

I don't see any reference to user's social login. I don't see any
properties for login type or anything like that.
About migration: Azure AD B2C can let social accounts to sign up and sign in . For your scenario, after migrating users to Azure AD B2C, the users from any social identities can sign in the Application in your Azure AD B2C. (You can also change your policy to check and set the user migration status.)
About where users information are stored: After migrating, all the users can be seen in the Users and Groups of Azure AD B2C. Additional,There is an App called b2c-extensions-app, is visible in App registrations. It is used by the Azure AD B2C service to store information about users and custom attributes.
About Login type: Also, you may want to know which properties for login type you can choose, Email address or Username. This configuration can be done in Azure Portal.
Go to Azure Portal > You B2C tenant > Identity providers > local accounts > Choose Email or User name for sign-up and sign-in.
How will I specify how the user registered in our system and has been
using his/her social account to log into our app? The migration
structure seems very simple i.e. just name, last name, email, etc.
Yes, the migration is very simple. If you want to specify how the users to sign-up and sign-in , you need to built-in Sign-up or Sign-in policies for those users. Also, you can use Custom policies.