We get the following error when trying to access an AAD application, which is connected to Azure B2C.
User account 'xxxxx#gmail.com' from identity provider 'live.com' does not exist in tenant 'xxxxxxxx' and cannot access the application 'xxxxxxxxxxx' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
The live account shows up in both the B2C and AAD as a live.com user. Manually created accounts can log in. Yet when logging in from a B2C account, I get the above error.
How can I solve this problem?
If your requirement is to accept both personal accounts in addition to corporate accounts, then you should not be using ADAL. ADAL/ADAL.JS is designed only to accept corporate accounts and use the so called Azure AD 'v1' endpoint.
Here are your options:
AppSource only requires corporate accounts sign-ins. If you only need AppSource certification, you can keep using adal.js to sign-in corporate accounts. Then what you need to do is to set your application to be multi-tenant in Azure Portal, so you don't need to add guest accounts. But, again, this option only accepts corporate account sign-ins.
If your requirement is to also accept personal accounts, then you need to use msal.js instead of adal.js - and then register your application in the new portal https://apps.dev.microsoft.com . This new application is known as converged application and uses the Azure AD v2 endpoint. To get started use this guide as a starting point to sign-in users using msal.js.
Related
I am getting the below error message when my Application (A) is trying to access another application (B) which is hosted in a different Tenant. Both applications have been registered to support multi-tenant access (i.e Accounts in any identity provider or organizational directory (for authenticating users with user flows) within their respective tenant. The microsoft outlook account I am using is associated with both tenants. What am I missing?
'AADSTS650052: The app is trying to access a service 'xxx-xxxx-xxxx' that your organization 'xxx-xxx-xxx' lacks a service principal for. Contact your IT Admin to review the configuration of your service subscriptions or consent to the application in order to create the required service principal.
In order for an application to authenticate with a tenant, a service principal representing it must exist in that tenant. For multi-tenant apps this is created when you go through authentication to that app on the target tenant. So you need to do a login against your app with the target tenant as the authority.
We have a public consumer application for which we use Auth0 as identity platform and through Auth0 we have enabled a couple of social logins to which we now want to add "Login with Microsoft" as an option so that anyone with any type of Microsoft account can login.
Obviously we will need to enable the Microsoft social connection in our Auth0 instance and connect it to a Active Directory Application and Tenant created in Azure.
What I can't seem to find the answer for is which type of tenant we should setup for this, whether we should use a Azure Active Directory tenant with a multi-tenant application or if we should use a Azure Active Directory (B2C) tenant for this?
Thanks for posting your query. As per https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/azure-active-directory/v2#register-your-app-with-azure-ad Azure AD would support for multitenant apps but not with social account (until you plan to send invitation to each user's personal account for Azure AD B2B).
For Microsoft Social accounts Azure B2C would suit your requirement.
On Auth0 Admin Console:
Create a web application in Auth0
Copy the client ID and secret
Add a callback URL from your B2C tenant in given format: https://.b2clogin.com/.onmicrosoft.com/oauth2/authresp
Copy the “OpenID Configuration” URI from advance setting.
On Azure B2C tenant:
Add an Identity provider to B2C, Azure AD B2C > Identity providers > New OpenID Connect Provider
Input “OpenID Configuration” URI you copied in above step to Metadata URL.
Similarly add client ID and Client secret you copied from Auth0.
Complete the claims mapping ref: https://learn.microsoft.com/en-in/azure/active-directory-b2c/identity-provider-generic-openid-connect?pivots=b2c-user-flow#claims-mapping
Hit Save and Auth0 will be saved as IDP in your Azure B2C tenant.
Thanks
I've gathered the following insights since posting my question
Summary
Auth0 Social connection -> Azure Active Directory tenant with an app configured to support "Personal Microsoft accounts"
Auth0 Enterprise connection -> Azure Active Directory tenant with an app configured to support "Accounts in any organisational directory and personal Microsoft accounts"
See guide of different app types here
Details
Since we wanted to support login with any microsoft account (multi tenant + personal) my initial attempt of using an Auth0 Social connection for this was incorrect, since the Social connection will only allow successful logins with personal accounts regardless of how you have setup the App registration in Azure
Auth0 Enterprise connection is the way to go for our case, with an Azure app registation supporting multi tenant + personal accounts. Also when setting the connection up in Auth0, make sure to enable the "Use common endpoint" setting as described here
The Azure Active Directory B2C tenant type is not useful with any of the Auth0 connections as you likely won't be able to get a satisfying consent screen with verified publisher. I'm guessing its just the wrong way of using the B2C tenant, where its supposed to be used the other way around with the Azure tenant being the identity platform optionally integrating applications from Auth0 like in the answer from Mavric20
I am following a tutorial Build Java apps with Microsoft Graph
and after using my personal account for Azure AD to register the application. I am not able to sign in using my personal account but I set the support account as 'Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts. Any help?
Screenshot
You need to change the /tenant id endpoint to the /common endpoint.
The /tenant id endpoint only allows users with work/school accounts
of a specific Azure AD tenant to log in to the application. It does
not support personal accounts.
Only the /common endpoints will allow personal Microsoft accounts to
log in to the application.
I added to my Azure AD B2C option to log in by an external provider - Azure AD. Later on, I added my account from that tenant to Azure AD B2C as external users.
Unfortunately, when I log in, I get "User does not exist. Please sign up before you can sign in.".
When I use a different policy that allows me to sign in, my account is duplicated as Federated Azure Active Directory.
How we can prepopulate Azure AD B2C with external users to avoid signing in new accounts? I would like to move existing data from the tenant and avoid filling in unnecessary data. Moreover, I would like to allow particular users only to be able to log in to our application.
The problem here is that users added via the portal are essentially B2B or portal admin users.
These are not local accounts and hence cannot login to B2C.
If you have users in another AAD tenant that is federated with B2C, you do not have to manually add these users to B2C. A "linked account" (using the #EXT# format) is created when those users authenticate via their Azure AD.
I guess what you are saying is "avoid registering new users."
Azure B2C is for Consumer, not for Azure AD tenant. You should use Azure B2B feature to add guest user to your Azure AD B2C tenant and assign the necessary role/permissions to the guest user.
You could simply choose to use the + New guest user on Azure portal or Microsoft Graph API to add external users.
I have a requirement to integrate multiple external azure active directories into my application(multitenant). Currently I'm using AD B2C. In brief any client purchases my product, should be able to integrate their organization azure active directory with my application and those AD users should be able to login to application without signing up.
One of the approaches i was trying was to validate external azure active directory users by asking client to create applications in their AD for authentication and authorization. But it seems to be a bit tricky since we already have applications created inside B2C tenant we use and securing API with application in B2C Tenant. With having multiple AD s api will need to be secured with multiple ids.How to do this?
second approach was to read the external azure active directory users using graph api and invite them as guest users. But here any of the guest users created couldn't sign into the application even after changing "guest" to "member" User type. Any idea in implementing this?
UPDATE
I did all the steps as in https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-commonaad-custom but when i try to login using one of my Azure AD Account after entering the credentials it navigates me to a B2C signup page.That is because i don't have that AD account in my B2C tenant. After doing the signup only i will be able to login to the application and get the token. And the AD user is created in our B2C Tenant with the source
Federated Azure Active Directory
Is there anyway to get rid of navigating to signup page after entering credentials and instead login to the application with the tokens at once so that the user will not be created in our B2C Tenant and validate user from client's Azure AD
You are better off federating AAD B2C with the Azure AD Common endpoint. This allows a single option for any user with an O365 account to login to your service from any Azure AD Tenant.
You can then whitelist tenants such that only your clients' Azure AD accounts are able to login via this single option. Clients only need to provide their TenantId to you.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-commonaad-custom
<!-- The key below allows you to specify each of the Azure AD tenants
that can be used to sign in. Update the GUIDs below for each tenant. -->
<Item Key="ValidTokenIssuerPrefixes">https://sts.windows.net/00000000-0000-0000-0000-000000000000,https://sts.windows.net/11111111-1111-1111-1111-111111111111</Item>
Creating separate B2C tenants for individual organizations could be a solution.
You will integrate each Azure AD tenant with the on-premises AD of the organization.
In order to sync both ADs you will need to use Azure AD Connect
(more information here on MSDN: https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/identity/azure-ad#azure-ad-connect-sync-service)
Once ADs are synced your web app will request access and id tokens for individual B2C tenant.
For more information on how to run various user journeys using OIDC read here:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-oidc