This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 13%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMJ%3C/text%3E%3C/svg%3E)
Try to setup Azure AD B2C as Azure AD External Identities
I'm testing the solution with SAML Tester: https://github.com/azure-ad-b2c/saml-sp-tester
With issuer 'urn:federation:MicrosoftOnline'
With Azure AD B2C SAML Technical Profile:
The result is:
AADSTS500082: SAML assertion is not present in the token.
My Saml Assertion is not Signed, but Custom Policy configuration is valid. The SAML Response is signed with Signature SHA-1 - I tested ADFS integration and the SAML Assertion is signed with SHA256.
The response from https://login.microsoftonline.com/login.srf
Request Id: 84d76f44-9256-436b-a7b8-ba0334711d00
Correlation Id: cccc7fe4-b4ac-48a8-b65e-77ebdd0553f9
Timestamp: 2021-12-21T22:35:40Z
Message: AADSTS500082: SAML assertion is not present in the token.
Can you please help me with what part of configuration in Azure B2C is missing or wrong?
Hi @Mateusz Jendza • I did not understand what you mean by "Try to set up Azure AD B2C as Azure AD External Identities". Are you trying to add B2C as SAML IDP to Azure AD as highlighted below?
Could you please elaborate on what is the end goal that you want to achieve?
Hi @AmanpreetSingh-MSFT ,
yes I'm using the flow from your screen. It is only way to federate users from Azure AD B2C into Azure AD (B2B) ?
Hi @Mateusz Jendza • Thank you for the confirmation.
This is not a supported scenario. You cannot federate a domain that is present in the Azure AD environment, i.e., domain_name.onmicrosoft.com or any_verified_domain.com added to any Azure AD tenant. That means you cannot federate your_b2c_tenant.onmicrosoft.com or its verified domain as external IDPs of your Azure AD tenant. This option works only for the domains that are not added to any Azure AD tenant and configured in external IDPs.
As of now, it is possible to add Azure AD tenant as IDP to the B2C tenant but not vice-versa. For this purpose, you can refer to the documentation here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-single-tenant?pivots=b2c-custom-policy
-----------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
So @AmanpreetSingh-MSFT I can you Octa or AWS Cognito to federate as External Identity for Azure AD?
I need to grant access to PowerBI or other solutions from Azure AD Tenant, can I use PowerBI based on the federation from Azure AD B2C side? Like you mentioned? it is possible to add Azure AD tenant as IDP to the B2C tenant but not vice-versa? There is no on behaf flow flow - so I can use this path?
@Mateusz Jendza • Yes, you can federate Okta or AWS as SAML IDP if these IDPs are configured with the domains that are not present in Azure AD.
Unfortunately, there is no way that you can grant B2C users access to PowerBI. You don't get an option to assign any licenses (PowerBI, O365, etc.) in the Azure AD B2C tenant. The best option, I can think of, is to configure self-service sign-up in your Azure AD tenant and grant those users access to PowerBI.