B2C: How to build custom policy to allow internal users to authenticate with AD and get into the B2C user repo

Johnson, Mark IT
2023-09-19T23:21:05.8066667+00:00

Hi Folks,

I'm using a B2C custom policy for an SSO solution for my organization. The app is used by external customers and should be accessible to my internal team members. We would like internal team members to authenticate with their AD credentials, while external customers go through a "SignUp" process.

I registered the B2C app in the AD tenant. I have configured the Claims Provider and the UserJourney that shows the "employee login" link on the SignIn page. The application sign-in logs show that authentication is successful, but when it comes back to my apps we get an error. It does not appear that the claims expected from AD are being received by the application.

I've read some other responses that indicate the internal users must have a "stub" account in B2C. The best case scenario is that the B2C account for internal users is created automatically. However, if they must go through a "signup" process I'm OK with that (without creating the password) to get them into the B2C user list with an external authentication.

I have a standard User Flow defined that also has the external identity provider configured, and when using that flow the internal user authenticates then is sent into the signup process. How can I replicate that behavior in a custom flow?

<ClaimsProvider>
  <Domain>Employees</Domain>
  <DisplayName>Login using Employee Credentials</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="AADOpCo-OpenIdConnect">
      <DisplayName>Employee Login</DisplayName>
      <Description>Login with your Credentials</Description>
      <Protocol Name="OpenIdConnect"/>
      <Metadata>
        <Item Key="METADATA">https://login.microsoftonline.com/xxx/v2.0/.well-known/openid-configuration</Item>
        <Item Key="client_id">yyy</Item>
        <Item Key="response_types">code</Item>
        <Item Key="scope">openid profile</Item>
        <Item Key="response_mode">form_post</Item>
        <Item Key="HttpBinding">POST</Item>
        <Item Key="UsePolicyInRedirectUri">false</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="B2C_1A_ActiveDirectorySecret"/>
      </CryptographicKeys>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid"/>
        <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid"/>
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name"/>
        <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name"/>
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name"/>
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true"/>
        <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss"/>
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId"/>
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin"/>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

User Journey

<UserJourney Id="SignUpOrSignIn">
  <OrchestrationSteps>
    <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
      <ClaimsProviderSelections>
        <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange"/>
        <ClaimsProviderSelection TargetClaimsExchangeId="ForgotPasswordExchange"/>
        <ClaimsProviderSelection TargetClaimsExchangeId="EmployeeLogin"/>
      </ClaimsProviderSelections>
      <ClaimsExchanges>
        <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email"/>
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
          <Value>objectId</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail"/>
        <ClaimsExchange Id="ForgotPasswordExchange" TechnicalProfileReferenceId="ForgotPassword"/>
        <ClaimsExchange Id="EmployeeLogin" TechnicalProfileReferenceId="AADOpCo-OpenIdConnect"/>
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="3" Type="InvokeSubJourney">
      <Preconditions>
        <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
          <Value>isForgotPassword</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <JourneyList>
        <Candidate SubJourneyReferenceId="PasswordReset"/>
      </JourneyList>
    </OrchestrationStep>
    <!-- This step reads any user attributes that we may not have received when in the token. -->
    <OrchestrationStep Order="4" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
          <Value>authenticationSource</Value>
          <Value>socialIdpAuthentication</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId"/>
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="5" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="REST-EnrichToken" TechnicalProfileReferenceId="REST-EnrichToken"/>
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="6" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer"/>
  </OrchestrationSteps>
  <ClientDefinition ReferenceId="DefaultWeb"/>
</UserJourney>
Microsoft Entra External ID

1 answer

  1. 2023-09-23T00:51:54.26+00:00

    Hello @Johnson, Mark IT, sign-in through a Microsoft Entra ID/Azure AD identity provider will automatically create a local (stub) account in the Azure AD B2C tenant (the SelfAsserted-Social technical profile will do the magic), no separate sign-up is required. Please follow the steps detailed in Set up sign-in for a specific Microsoft Entra organization in Azure Active Directory B2C in tandem with Local and social accounts sign-up or sign-in user journey to set it up side by side with local account sign-in and sign-up without any errors.

    Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.

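As an added illustration (not part of the answer above), these are the orchestration steps the posted SignUpOrSignIn journey lacks between its step 2 (the EmployeeLogin exchange) and its AAD-UserReadUsingObjectId step: after the employee returns from the OpenIdConnect exchange, B2C must look the user up by alternativeSecurityId, collect any missing attributes, and write the stub account so that objectId exists before JwtIssuer runs. It assumes the technical profiles AAD-UserReadUsingAlternativeSecurityId-NoError, SelfAsserted-Social and AAD-UserWriteUsingAlternativeSecurityId from the SocialAndLocalAccounts starter pack TrustFrameworkBase, which the posted policy's use of SM-SocialLogin and CreateAlternativeSecurityId suggests is the base in use.

```xml
<!-- Step 3: look up an existing stub account by alternativeSecurityId (issuer + issuerUserId from the
     OpenIdConnect profile). Skipped for local accounts, which were already matched by email in step 1.
     The -NoError variant simply leaves objectId empty on a first-time employee instead of failing. -->
<OrchestrationStep Order="3" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
      <Value>authenticationSource</Value>
      <Value>localAccountAuthentication</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="AADUserReadUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError"/>
  </ClaimsExchanges>
</OrchestrationStep>

<!-- Step 4: show the self-asserted "social sign-up" page only when no directory account was found.
     No password is collected here; the account stays bound to the federated identity. -->
<OrchestrationStep Order="4" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
      <Value>objectId</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="SelfAsserted-Social" TechnicalProfileReferenceId="SelfAsserted-Social"/>
  </ClaimsExchanges>
</OrchestrationStep>

<!-- Step 5: create the stub account keyed by alternativeSecurityId if the previous step did not
     (it is skipped when there are no attributes to collect). Skipped once objectId is known. -->
<OrchestrationStep Order="5" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
      <Value>objectId</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="AADUserWrite" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId"/>
  </ClaimsExchanges>
</OrchestrationStep>
```

The posted InvokeSubJourney, AAD-UserReadUsingObjectId, REST-EnrichToken and SendClaims steps then follow with their Order values renumbered; because the lookup is keyed by the issuer-scoped oid rather than an email the user types, an employee's stub account cannot be claimed by a local sign-up using the same address.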
