Use MS Work Accounts as a federated account when doing account linking in AAD B2C

Andreas Lindholm 20 Reputation points
2023-02-28T14:45:09.0233333+00:00

I'm working on a custom policy for account linking in AAD B2C. I started with the example found here,

https://github.com/azure-ad-b2c/samples/tree/master/policies/account-linkage-unified

Since my sign in/sign up allows ALL Microsoft tenants to sign up, users have different "Identity Issuer" based on what tenant they used. This causes some issues when it comes to account linking.

In the custom policy example the attribute "Identity Issuer" is checked towards a list of valid IdPs. This is not really viable in my case. Is there a way to check if the "Identity Issuer" starts with "https://login.microsoftonline.com/" to match all account with a federated Microsoft Work Account?

Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,633 questions
{count} votes

Accepted answer
  1. Akshay-MSFT 16,026 Reputation points Microsoft Employee
    2023-03-06T04:38:29.6266667+00:00

    @Andreas Lindholm ,

    Thank your for your time and patience on this. I was able to review this and investigated through the possibility of using i.e., using https://login.microsoftonline.com**/common/v2.0 instead of https://login.microsoftonline.com/<tenantID>/**v2.0 as an alternative.

    But found that as common is not going towards any endpoint for response, the auth request would not work. So for any Microsoft Azure AD tenant to be used as issuer tenant ID must be defined https://login.microsoftonline.com**/<tenantID>/**v2.0 however if its a live, hotmail, etc account then "live.com" could be be used.

    In addition to my comment with alternative solution above, I would like to thank you for the feedback provided on survey. We found that your recent engagement on this question was rated low.

    However, as we are able to share the verified reason in the post, would you be so kind as to re-evaluate your feedback, rate the overall experience by taking the survey again and provide your experience on this thread please?

    Thanks,

    Akshay Kaushik


2 additional answers

Sort by: Most helpful
  1. Shweta Mathur 27,216 Reputation points Microsoft Employee
    2023-03-02T11:25:51.8+00:00

    Hi @Andreas Lindholm ,

    Thanks for reaching out.

    I understand you are trying to add Microsoft Identity Provider in your Azure AD B2C to sign in users from any Micrsoft account which you can do by setting https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-microsoft-account?pivots=b2c-custom-policy .

    If you are looking to allow sign in users from multiple tenants in Azure AD, then you can use ValidTokenIssuerPrefixes key in the ClaimsProvider element of your custom policy.

    <Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000,https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111</Item> 
    
    

    Reference: https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-multi-tenant?pivots=b2c-custom-policy

    Hope this will help.

    Thanks,

    Shweta

    Please remember to "Accept Answer" if answer helped you.


  2. 2023-03-14T18:19:16.55+00:00

    Hello, by default the identityProvider claim for a federated Azure AD account is the iss claim which is unique per Azure AD tenant. In order to be able to use a common isssuer you will need to override the former and set a defaut value for the identityProvider claim. This new constant/static value should be used in the appropiate Azure AD link and unlink technical profiles. Something like this:

    <ClaimsProvider>
      <Domain>Azure AD</Domain>
      <DisplayName>Login using Azure AD</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="AzureAD">
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="AzureAD" AlwaysUseDefaultValue="true" />
          </OutputClaims>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
    
    <TechnicalProfile Id="AzureAD-Unlink">
      <Metadata>
        <Item Key="ClaimValueOnWhichToEnable">
    AzureAD
    azured</Item>
      </Metadata>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="issuerToUnlink" DefaultValue="AzureAD" AlwaysUseDefaultValue="true" />
        <OutputClaim ClaimTypeReferenceId="linkOrUnlink" DefaultValue="unlink" AlwaysUseDefaultValue="true" />
      </OutputClaims>
    </TechnicalProfile>             
    
    <TechnicalProfile Id="AzureAD-Link">
      <DisplayName>Link Facebook</DisplayName>
      <Metadata>
        <Item Key="ClaimTypeOnWhichToEnable">issuers</Item>
        <Item Key="ClaimValueOnWhichToEnable">AzureAD</Item>
      </Metadata>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="issuerToLink" DefaultValue="AzureAD" AlwaysUseDefaultValue="true" />
        <OutputClaim ClaimTypeReferenceId="linkOrUnlink" DefaultValue="link" AlwaysUseDefaultValue="true" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateUserIdentityToLink" />
        <OutputClaimsTransformation ReferenceId="AppendUserIdentityToLink" />
      </OutputClaimsTransformations>
    </TechnicalProfile>
    

    Let us know if you need additional assistance. If the answer was helpful, please accept it and complete the quality survey so that others can find a solution.