Email address validation on Azure Active Directory B2C - azure-active-directory

Can we add an email address validation while configuring policies for sign-up/sign-in pages on Azure Active Directory B2C? We require that users register email addresses only from one specific domain (@xyz.com) and not their social accounts.
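One way to enforce this, shown here as an added example rather than anything from the question or an answer on this page, is an Azure AD B2C API connector on the "before creating the user" step of the user flow. B2C posts the collected attributes as JSON to your endpoint and acts on the "action" field of the reply. The allowed domain xyz.com is taken from the question; the endpoint URL, hosting and the connector's authentication are not shown, and the shape of the "identities" array for federated sign-ups is an assumption about the request payload.

```python
import json
import re
from typing import Dict, Optional

# Added example: handler for an Azure AD B2C API connector invoked
# "before creating the user". B2C POSTs the collected attributes as JSON;
# the handler answers with "Continue", "ValidationError" or "ShowBlockPage"
# in the API connector response format.

ALLOWED_DOMAIN = "xyz.com"  # assumption: the "specific domain" from the question

# One local part, exactly one "@", no whitespace. The domain is captured so it
# is compared as a whole, which rejects "user@xyz.com.evil.net" and
# "user@evilxyz.com" as well as "user@xyz.com@gmail.com".
EMAIL_RE = re.compile(r"[^@\s]+@([^@\s]+)")


def email_domain(email: str) -> Optional[str]:
    """Return the lower-cased domain of a syntactically plausible address, else None."""
    m = EMAIL_RE.fullmatch(email.strip())
    return m.group(1).lower() if m else None


def validate_signup(claims: Dict) -> Dict:
    """Build the API connector response body for the request carrying `claims`."""
    email = claims.get("email") or ""
    if email_domain(email) != ALLOWED_DOMAIN:
        # ValidationError keeps the user on the attribute-collection page and
        # shows userMessage next to the form; status must be 400.
        return {
            "version": "1.0.0",
            "action": "ValidationError",
            "status": 400,
            "userMessage": f"Please sign up with your {ALLOWED_DOMAIN} email address.",
        }
    # For social/federated sign-ups B2C includes an "identities" array whose
    # signInType is "federated" (assumption about the payload shape). An email
    # reported by an external IdP is not proof of domain ownership, so block
    # those sign-ups outright instead of relying on the domain check alone.
    for identity in claims.get("identities", []):
        if identity.get("signInType") == "federated":
            return {
                "version": "1.0.0",
                "action": "ShowBlockPage",
                "userMessage": f"Social accounts are not permitted; use your {ALLOWED_DOMAIN} address.",
            }
    return {"version": "1.0.0", "action": "Continue"}


if __name__ == "__main__":
    # Constructed request bodies standing in for what B2C would POST.
    for body in (
        {"email": "alice@xyz.com", "displayName": "Alice"},
        {"email": "alice@xyz.com.evil.net", "displayName": "Mallory"},
        {"email": "bob@xyz.com",
         "identities": [{"signInType": "federated", "issuer": "google.com", "issuerAssignedId": "12345"}]},
    ):
        print(json.dumps(validate_signup(body)))
```

Two caveats: the domain check only proves ownership of the address when email verification is enabled in the user flow (otherwise the address is whatever the user typed), and the endpoint must be protected with the connector's basic-auth or client-certificate option, since anyone who can reach it unauthenticated can probe your sign-up rules.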

Related

Where should this application be registered?

This MS tutorial on registering an SPA is missing this piece. What's the difference?
• The documentation you are referring to is about registering a 'Single Page Application (SPA)' in Azure AD B2C, so it refers directly to registering the application in an Azure AD B2C tenant/directory. The documentation doesn't state where to register the application in Azure AD B2C because it assumes that the sign-in to the Azure AD B2C tenant is through a local Azure AD B2C account or a work/school account, not through a social account or a private/personal account.
• You may be getting that option because you are registering your first application in that Azure AD B2C tenant/directory. When you create a new Azure AD B2C tenant with a free-tier Azure AD subscription and register your first application, you get that prompt to confirm what to associate your application with.
• It might also be because you are signed into the Azure AD B2C tenant with a user account that was invited to sign up to Azure AD B2C, or the user was created in the tenant using his personal/public email ID and signed up with his personal/social email account. As a result, he has been granted privileges to register an application in that Azure AD B2C tenant, and when you (that user) tried to register an application, you got the prompt asking whether to register the application in the Azure AD B2C directory or associate it with the account you logged in with. Hence this pop-up in your case. For more information, you can refer to the link below, which describes the account types in Azure AD B2C:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/technical-overview#accounts-in-azure-ad-b2c

Adding external users to Azure AD B2C without sign-in

I added to my Azure AD B2C the option to log in via an external provider (Azure AD). Later on, I added my account from that tenant to Azure AD B2C as an external user.
Unfortunately, when I log in, I get "User does not exist. Please sign up before you can sign in.".
When I use a different policy that allows me to sign in, my account is duplicated as Federated Azure Active Directory.
How can we prepopulate Azure AD B2C with external users to avoid signing in new accounts? I would like to move existing data from the tenant and avoid filling in unnecessary data. Moreover, I would like to allow only particular users to log in to our application.
The problem here is that users added via the portal are essentially B2B or portal admin users.
These are not local accounts and hence cannot login to B2C.
If you have users in another AAD tenant that is federated with B2C, you do not have to manually add these users to B2C. A "linked account" (using the #EXT# format) is created when those users authenticate via their Azure AD.
I guess what you are saying is "avoid registering new users."
Azure AD B2C is for consumers, not for an Azure AD tenant. You should use the Azure B2B feature to add guest users to your Azure AD B2C tenant and assign the necessary roles/permissions to the guest user.
You could simply use the + New guest user option in the Azure portal or the Microsoft Graph API to add external users.

Why doesn't Azure AD support a default domain for signin

In single-tenant scenarios, why does Azure AD sign in require that the user provide the domain?
Because you can have multiple domains registered in AAD,
and most organizations have users with more than one domain name.
When you log in, you must specify your user principal name.
Same as when logging in to on-prem AD, you'd use e.g. CONTOSO\username or username@contoso.com.
Setting a default is not possible, and is usually not desired.
It looks like what I should be looking at is Azure AD B2C.
From this MSFT FAQ:
What are local accounts in Azure AD B2C? How are they different from work or school accounts in Azure AD? In an Azure AD tenant, users that belong to the tenant sign in with an email address of the form <username>@<domain>. The <domain> is one of the verified domains in the tenant or the initial <...>.onmicrosoft.com domain. This type of account is a work or school account.

In an Azure AD B2C tenant, most apps want the user to sign in with any arbitrary email address (for example, joe@comcast.net, bob@gmail.com, sarah@contoso.com, or jim@live.com). This type of account is a local account. We also support arbitrary user names as local accounts (for example, joe, bob, sarah, or jim). You can choose one of these two local account types when configuring identity providers for Azure AD B2C in the Azure portal. In your Azure AD B2C tenant, click Identity providers and then select Username under Local accounts.

Why can't Azure B2C find the owner account when trying to login

I have created a B2C directory in Azure AD. It added my AD user from the main directory to that directory when creating the directory. I have configured it to use the sign-up/sign-in policy, and that appears to be working because I was able to create an account and it logged me in as the account was created. It is my understanding that the account that creates the directory is considered the owner of the directory and is identified like any other user. Is that correct? Anyway, I would think that I could log in as that user, but it cannot even find the account.
The initial user that creates an Azure AD B2C tenant is associated as a guest user, via the Global Administrator role, with the Azure AD B2C directory.
A Global Administrator user can administer the Azure AD B2C directory, policies, and other Azure AD B2C settings.
A guest user cannot be authenticated by a sign-in policy because this policy is scoped to users that are created as local and social account users.
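The two threads above ("Adding external users to Azure AD B2C without sign-in" and "Why can't Azure B2C find the owner account") come down to the same account-type distinction. As an added example, not code from any of the answers, the script below takes user objects in the shape Microsoft Graph returns for a B2C tenant (GET /users with displayName, userType, userPrincipalName and identities selected) and predicts which ones a sign-up/sign-in user flow can authenticate: local accounts (an identity with signInType emailAddress or userName) and federated/social accounts (signInType federated) are in scope; B2B guests, including the user who created the tenant, and members created in the portal without a local identity are not. The sample user objects, tenant name and IDs are constructed.

```python
from typing import Dict, List

# Added example, not from the answers above: classify Graph user objects from a
# B2C tenant to predict which accounts a sign-in policy can authenticate.

LOCAL_SIGNIN_TYPES = {"emailAddress", "userName"}


def classify_account(user: Dict) -> str:
    """Return one of 'guest', 'local', 'federated', 'member-no-local-identity'."""
    identities: List[Dict] = user.get("identities", [])
    sign_in_types = {i.get("signInType") for i in identities}
    upn = user.get("userPrincipalName", "")

    # B2B-invited account: userType Guest and a UPN of the form
    # alias_home.domain#EXT#@tenant.onmicrosoft.com. The tenant creator looks like this.
    if user.get("userType") == "Guest" or "#EXT#" in upn:
        return "guest"
    if sign_in_types & LOCAL_SIGNIN_TYPES:
        return "local"
    if "federated" in sign_in_types:
        return "federated"
    # Every user carries a userPrincipalName identity; with nothing else this is
    # a member created directly in the directory (e.g. via "+ New user").
    return "member-no-local-identity"


def can_use_signin_policy(user: Dict) -> bool:
    return classify_account(user) in {"local", "federated"}


def signin_blockers(users: List[Dict]) -> List[str]:
    """Display names of accounts a sign-in policy will report as 'User does not exist'."""
    return [u.get("displayName", "?") for u in users if not can_use_signin_policy(u)]


# Constructed sample objects (tenant name, GUIDs and issuers are made up).
SAMPLE_USERS = [
    {
        "displayName": "Tenant Owner",
        "userType": "Guest",
        "userPrincipalName": "owner_contoso.com#EXT#@contosob2c.onmicrosoft.com",
        "identities": [
            {"signInType": "userPrincipalName", "issuer": "contosob2c.onmicrosoft.com",
             "issuerAssignedId": "owner_contoso.com#EXT#@contosob2c.onmicrosoft.com"},
        ],
    },
    {
        "displayName": "Alice (local)",
        "userType": "Member",
        "userPrincipalName": "11111111-2222-3333-4444-555555555555@contosob2c.onmicrosoft.com",
        "identities": [
            {"signInType": "emailAddress", "issuer": "contosob2c.onmicrosoft.com",
             "issuerAssignedId": "alice@contoso.com"},
            {"signInType": "userPrincipalName", "issuer": "contosob2c.onmicrosoft.com",
             "issuerAssignedId": "11111111-2222-3333-4444-555555555555@contosob2c.onmicrosoft.com"},
        ],
    },
    {
        "displayName": "Bob (federated Azure AD)",
        "userType": "Member",
        "userPrincipalName": "66666666-7777-8888-9999-000000000000@contosob2c.onmicrosoft.com",
        "identities": [
            {"signInType": "federated",
             "issuer": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000001/v2.0",
             "issuerAssignedId": "bob-home-tenant-object-id"},
            {"signInType": "userPrincipalName", "issuer": "contosob2c.onmicrosoft.com",
             "issuerAssignedId": "66666666-7777-8888-9999-000000000000@contosob2c.onmicrosoft.com"},
        ],
    },
    {
        "displayName": "Portal Admin",
        "userType": "Member",
        "userPrincipalName": "admin@contosob2c.onmicrosoft.com",
        "identities": [
            {"signInType": "userPrincipalName", "issuer": "contosob2c.onmicrosoft.com",
             "issuerAssignedId": "admin@contosob2c.onmicrosoft.com"},
        ],
    },
]

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(f"{u['displayName']:28} -> {classify_account(u)}")
    print("Blocked by sign-in policy:", signin_blockers(SAMPLE_USERS))
```

Running it against the real tenant's Graph output is a quick way to confirm the diagnosis in both threads before changing anything: the owner account classifies as guest, and users added through "+ New guest user" will too, which is why neither is found by the sign-in policy. If the goal is to pre-create accounts that can sign in through the federated Azure AD provider, they have to be created as B2C users with a federated identity (via Graph) rather than invited as guests.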

Need user's email addresses from Azure Active Directory Domain Services

I'm using Azure Active Directory Domain Services (AADDS) and need users' reachable email address information from it via LDAP (typically the mail attribute, but other attributes would also work) to provide user identities to some classic web services. How can I set each user's email address in the Azure AD tenant that backs the AADDS?
I can see some email address settings in each AD user's profile in the Azure Portal, but none of them appear in the AADDS synced with the Azure AD.
