I thought UserPrincipalName (UPN) are single valued per user in the Directory, but when I run an LDAP query for a specific user, I get the UPN: AO0S0020#mydomain.local,
And when running an OAuth (OpenId Connect) authorization against Azure AD (which is synced using AD Connect), I see that the claims UPN for the same user: nati#mydomain.com
What am I missing here?
You are missing the concept of Alternate login id.
It seems your Azure AD connect is configured with alternate login id. Thus the difference.
Related
I'd like create the Azure AD B2B user with email-id For example: UPN as User1#gmail.com instead of User1#.onmicrosoft.com. I can see this is possible on B2C Tenant using Graph API as explained on the post Azure AD B2C - Can we sign-in using email-id instead of UPN - local accounts only custom policy? However, this approach doesn't work getting an error for B2B tenant.
Is there any way to achieve this using Azure B2B portal OR Graph API please? Thanks.
We can create the UPN with the email id of the verified domain in the Azure AD B2B.
For example, we can add the custom domain in Azure AD and make it as primary. Now, we can create users with UPN suffix as your custom domain.
If we cannot verify the domain or to use some personal mail accounts like gmail or yahoo, we can invite the user to Azure AD.
But the UPN seems to be similar to this :
Also, we can enable Sign-in to Azure AD with email as an alternate login ID.
Reference : Sign-in to Azure AD with email as an alternate login ID | Microsoft Docs
I've customers registered to an AD B2C tenant using a local account and I'l like to have them being able to login with those credentials on a different AD B2C tenant. Is it possible to somway federate the two AD B2C so that they can share the same user identity?
I know that it is possible to create custom policy to let an AD B2C use a multi-tenant Azure AD as identity provider, but I think this is not the case if the user identity is stored a local account in the AD B2C itself. 'am I wrong ?
In fact, Set up sign-in for multi-tenant Azure Active Directory using custom policies in Azure Active Directory B2C also works in this case.
I assume that you have B2C tenant A and B. You are configuring custom policy for tenant A. You just need to access https://login.microsoftonline.com/{your B2C tenant B}/v2.0/.well-known/openid-configuration in the broswer and get the value of issuer. And then copy and paste the value into the ValidTokenIssuerPrefixes key of TrustFrameworkExtensions.xml file.
After completing the configuration in the link above, you could use local account from tenant B to log into the application of tenant A.
I have a requirement to integrate multiple external azure active directories into my application(multitenant). Currently I'm using AD B2C. In brief any client purchases my product, should be able to integrate their organization azure active directory with my application and those AD users should be able to login to application without signing up.
One of the approaches i was trying was to validate external azure active directory users by asking client to create applications in their AD for authentication and authorization. But it seems to be a bit tricky since we already have applications created inside B2C tenant we use and securing API with application in B2C Tenant. With having multiple AD s api will need to be secured with multiple ids.How to do this?
second approach was to read the external azure active directory users using graph api and invite them as guest users. But here any of the guest users created couldn't sign into the application even after changing "guest" to "member" User type. Any idea in implementing this?
UPDATE
I did all the steps as in https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-commonaad-custom but when i try to login using one of my Azure AD Account after entering the credentials it navigates me to a B2C signup page.That is because i don't have that AD account in my B2C tenant. After doing the signup only i will be able to login to the application and get the token. And the AD user is created in our B2C Tenant with the source
Federated Azure Active Directory
Is there anyway to get rid of navigating to signup page after entering credentials and instead login to the application with the tokens at once so that the user will not be created in our B2C Tenant and validate user from client's Azure AD
You are better off federating AAD B2C with the Azure AD Common endpoint. This allows a single option for any user with an O365 account to login to your service from any Azure AD Tenant.
You can then whitelist tenants such that only your clients' Azure AD accounts are able to login via this single option. Clients only need to provide their TenantId to you.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-commonaad-custom
<!-- The key below allows you to specify each of the Azure AD tenants
that can be used to sign in. Update the GUIDs below for each tenant. -->
<Item Key="ValidTokenIssuerPrefixes">https://sts.windows.net/00000000-0000-0000-0000-000000000000,https://sts.windows.net/11111111-1111-1111-1111-111111111111</Item>
Creating separate B2C tenants for individual organizations could be a solution.
You will integrate each Azure AD tenant with the on-premises AD of the organization.
In order to sync both ADs you will need to use Azure AD Connect
(more information here on MSDN: https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/identity/azure-ad#azure-ad-connect-sync-service)
Once ADs are synced your web app will request access and id tokens for individual B2C tenant.
For more information on how to run various user journeys using OIDC read here:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-oidc
In single-tenant scenarios, why does Azure AD sign in require that the user provide the domain?
Because you can have multiple domains registered in AAD,
and most organizations have users with more than one domain name.
When you log in, you must specify your user principal name.
Same as when logging in to on-prem AD, you'd use e.g. CONTOSO\username or username#contoso.com.
Setting a default is not possible, and is usually not desired.
It looks like what I should be looking at is Azure AD B2C.
From this MSFT FAQ:
What are local accounts in Azure AD B2C? How are they different from
work or school accounts in Azure AD? In an Azure AD tenant, users that
belong to the tenant sign-in with an email address of the form
#. The is one of the verified
domains in the tenant or the initial <...>.onmicrosoft.com domain.
This type of account is a work or school account.
In an Azure AD B2C tenant, most apps want the user to sign-in with any
arbitrary email address (for example, joe#comcast.net, bob#gmail.com,
sarah#contoso.com, or jim#live.com). This type of account is a local
account. We also support arbitrary user names as local accounts (for
example, joe, bob, sarah, or jim). You can choose one of these two
local account types when configuring identity providers for Azure AD
B2C in the Azure portal. In your Azure AD B2C tenant, click Identity
providers and then select Username under Local accounts.
I am trying to access the Azure AD graph API. I have successfully added users to my test environment (ADFS) and changed their domain to {mytestdomain}.onmicrosoft.com. The password synchronization using Azure AD Connect works.
Now I have setup the production environment (including ADFS) accordingly and I am now synchronizing the users, but obviously can't change the domains to {mydomain}.onmicrosoft.com. The users now have {mydomain}.net and I am synchronizing the users to a verified domain in Azure AD.
When trying to access
https://login.microsoftonline.com/{mydomain}.net/oauth2/token
using the following (yes, I know that grant_type is not recommended, but that's not the point)
grant_type: password
username: {user}#{mydomain}.net
password: XXXX
resource: https://graph.windows.net
client_id: {Guid}
I get:
AADSTS70002: Error validating credentials.
AADSTS50126: Invalid username or password
If I use an administrator like admin#{mydomain}.onmicrosoft.com it works fine.
In the Azure portal I have tried changing the primary domain from {mydomain}.onmicrosoft.com to {mydomain}.net, but it does not make a difference.
It says in the management portal:
"To configure {mydomain} for federated sign-on to your Azure Active Directory, run Azure AD Connect on your local network."
Does that apply when using the graph API as well? Do I have to setup federation on my local network or is there another way around?
In the azure portal I have tried changing the primary domain from
{mydomain}.onmicrosoft.com to {mydomain}.net, but it does not make a
difference.
I'm not clear the details of your Syncing steps. Besides verified you custom domain in Azure AD, you also need some other configurations, like Azure AD sign-in configuration. You can see more details in this document.
Does that apply when using the graph api as well? Do I have to setup
federation on my local network or is there another way around?
Yes, Since you're using ADFS, you need to use Federated SSO (with Active Directory Federation Services (AD FS)) to allows your users to sign in to both cloud and on-premises resources by using the same passwords.
You can also see more details about Azure AD Connect user sign-in options in this official document.
Hope it helps!