How to add a federated user that can be authenticated to Azure AD B2C using Graph API

Anonymous
2023-07-31T10:14:48.06+00:00

Hi There,

I am currently trying to add an existing user that can be federated from AAD to AAD B2C using Graph API within an ASP.NET application. So far I am able to add the user; however, when trying to authenticate the user I am getting the error message below.

"OpenIdConnectMessage.Error was not null, indicating an error. Error: 'server_error'. Error_Description (may be empty): 'AADB2C99002: User does not exist. Please sign up before you can sign in.'"

I am using User Flows, specifically b2c_1_signin, and I have configured OpenID Connect under Identity Providers to link to the Azure Active Directory tenant.

Code snippet below

[image: code snippet attached as an image, not reproduced here]

I was just wondering if there is something missing, or something extra I need to configure?

Please let me know.

Cheers

Kyle

Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Microsoft Graph

Accepted answer
    Akshay-MSFT (17,956 Reputation points, Microsoft Employee Moderator)
    2023-08-11T04:14:18.4566667+00:00

    @Anonymous

    From the above description I understand that you are creating a user account in Azure B2C with Graph API; however, the sign-in fails with the error "User does not exist. Please sign up before you can sign in."

    Please do correct me if this is not the case by responding in the comments section.

    When you create a user with social and local account identities, this creates a new B2C local user which can sign in with an email address. In order to get the user to sign in with a federated account, you need to use a B2C IEF Custom Policy which links a federated login against a pre-created local account.

    This scenario is helpful when you need to pre-create accounts for users who will use a federated logon option. This sample allows a user to be created up front, adding any extension attributes to the user, ready for their first logon. This could include any IDs required to log in to the application that already exist in a system you may be migrating from. It may also include doing any group assignments up front.

    The user would only need to be sent a link to the B2C logon page, where they will be sent to their federated provider by use of the domain_hint parameter to automatically choose the IdP. Once the user authenticates at their federated IdP, B2C will use the claims to look up the user in the B2C directory. If the user is found, the AlternativeSecurityId is written to the account and allows the user to log on with the pre-created account.

    Thanks,

    Akshay Kaushik

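The flow the accepted answer describes, as an added example that is not part of the original question or answer: the Graph API user object for the pre-created B2C local account (email identity plus extension attributes), the sign-in link carrying domain_hint, and a mock of the custom policy's "look the user up by the IdP claims, then persist the AlternativeSecurityId" step. The tenant name `contoso`, the extension app id, the domain hint value `contoso-aad`, the sample users and the IdP claims are all constructed assumptions; the in-memory dictionary stands in for the directory that a real IEF policy would query through its Azure AD technical profiles, so only the decision logic is shown, not the policy XML.

```python
"""Added example: pre-created B2C local account + domain_hint link + mock of
the policy's lookup-and-link step. All identifiers are constructed assumptions."""
import json
import urllib.parse
import urllib.request

GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"
AADB2C99002 = "AADB2C99002: User does not exist. Please sign up before you can sign in."


def local_account_payload(tenant, display_name, email, password,
                          extension_app_id=None, extension_attrs=None):
    """Graph 'user' object for a B2C *local* account.

    signInType "emailAddress" with the B2C tenant as issuer is what makes this
    a local account that can sign in with that email. Extension attributes use
    the extension_<appId without dashes>_<name> key format, where appId is the
    application (client) id of the tenant's b2c-extensions-app (assumed here).
    """
    body = {
        "displayName": display_name,
        "accountEnabled": True,
        "identities": [{
            "signInType": "emailAddress",
            "issuer": tenant,
            "issuerAssignedId": email,
        }],
        "passwordProfile": {"password": password,
                            "forceChangePasswordNextSignIn": False},
        "passwordPolicies": "DisablePasswordExpiration",
    }
    if extension_attrs:
        prefix = "extension_" + extension_app_id.replace("-", "") + "_"
        for name, value in extension_attrs.items():
            body[prefix + name] = value
    return body


def create_user(access_token, payload):
    """POST the payload to Graph (network call; not exercised offline)."""
    req = urllib.request.Request(
        GRAPH_USERS, data=json.dumps(payload).encode(), method="POST",
        headers={"Authorization": "Bearer " + access_token,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def signin_link(tenant_name, policy, client_id, redirect_uri, nonce, state, domain_hint):
    """Authorize URL for a B2C user flow. domain_hint makes B2C skip the IdP
    picker and send the user straight to the named identity provider (the
    value must match the Domain hint configured on that IdP; assumed here)."""
    base = (f"https://{tenant_name}.b2clogin.com/{tenant_name}.onmicrosoft.com/"
            f"{policy}/oauth2/v2.0/authorize")
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "scope": "openid",
              "nonce": nonce, "state": state, "domain_hint": domain_hint}
    return base + "?" + urllib.parse.urlencode(params)


def link_federated_signin(directory, idp_name, idp_claims):
    """Mock of the custom policy step after the federated IdP returns claims.

    Returning users match on the stored alternative security id; on a first
    sign-in the pre-created local account is matched by the email claim and
    the alternative security id is persisted on it. No match reproduces the
    AADB2C99002 failure from the question.
    """
    asi = {"issuer": idp_name, "issuerAssignedId": idp_claims["sub"]}
    for object_id, user in directory.items():
        if asi in user["alternativeSecurityIds"]:
            return object_id
    for object_id, user in directory.items():
        if user["email"].lower() == idp_claims["email"].lower():
            user["alternativeSecurityIds"].append(asi)  # link on first logon
            return object_id
    raise LookupError(AADB2C99002)


def sample_directory():
    """Constructed stand-in for the B2C directory: one pre-created account."""
    return {"2f1c7e4a-0000-4000-8000-000000000001":
            {"email": "kyle@contoso.com", "alternativeSecurityIds": []}}


if __name__ == "__main__":
    payload = local_account_payload(
        "contoso.onmicrosoft.com", "Kyle", "kyle@contoso.com", "Pl@ceholder-Pw1",
        "11111111-2222-3333-4444-555555555555", {"LegacyId": "EMP-0042"})
    print(json.dumps(payload, indent=2))
    print(signin_link("contoso", "b2c_1_signin", "app-client-id",
                      "https://localhost:5001/signin-oidc", "n1", "s1", "contoso-aad"))
    d = sample_directory()
    print(link_federated_signin(d, "contoso-aad", {"sub": "aad-oid-123", "email": "Kyle@contoso.com"}))
```

The first sign-in matches on the email claim because the account was pre-created with that email; the same claims presented again are matched by the stored AlternativeSecurityId, and an email that was never pre-created fails with the same AADB2C99002 text the question reports, which is exactly the case the answer says a plain user flow cannot bridge.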
