User import issue in Azure AD B2C

Selvin Pudusserry 20 Reputation points
2024-10-28T03:44:34.7533333+00:00

Hi Everyone,
I'm new to Azure AD B2C and I've been asked to do user imports from my previous CRM system. I am performing user imports from my previous CRM system, and I have the user data in CSV format. For context, I do not have the users' passwords, so I am assigning a generic password to all of them. For testing purposes, I added some test users to the CSV file provided by Microsoft when attempting to bulk create users. While I can successfully upload the CSV file with the test user information, the user import fails. The error message I receive is: 'Request was unsuccessful. Details: The domain portion of the userPrincipalName property is invalid. You must use one of the verified domain names in your organization.' Why is this happening? Do I need to add custom domains for every possible domain, such as Gmail, Yahoo, Hotmail, etc.? That does not seem feasible. Has anyone had this issue before? Would someone be able to guide me? I have added screenshots of the error. Thank you!

Tags: Microsoft Security, Microsoft Entra, Microsoft Entra ID

2 answers

  1. James Hamil 27,211 Reputation points Microsoft Employee Moderator
    2024-11-07T21:28:07.0433333+00:00

    Hi @Selvin Pudusserry , thanks for the follow-up. You will indeed need to use a different approach. You can use the Graph API or PowerShell to achieve this.

    Graph API

    1. Register an Application in Azure AD B2C:
      • Go to the Azure portal and navigate to Azure AD B2C.
      • Select "App registrations" and then "New registration".
      • Provide a name for the app and set the supported account types to "Accounts in this organizational directory only".
      • Once the app is registered, note down the Application (client) ID and Directory (tenant) ID.
      • Under "Certificates & secrets", create a new client secret and note it down.
    2. Grant API Permissions:
      • In the app registration, go to "API permissions".
      • Add permissions for User.ReadWrite.All and Directory.ReadWrite.All under Microsoft Graph.
      • Grant admin consent for the permissions.
    3. Prepare Your CSV Data:
      • Ensure your CSV contains the necessary fields. For example (the signInNames cell holds JSON with a comma, so it has to be quoted, with the inner quotes doubled, or Import-Csv splits it into two columns):

             userPrincipalName,displayName,password,signInNames
             ******@gmail.com,User One,Password123,"{""type"":""emailAddress"",""value"":""******@gmail.com""}"
             ******@yahoo.com,User Two,Password123,"{""type"":""emailAddress"",""value"":""******@yahoo.com""}"

        
    4. Write a Script to Import Users: Here's an example PowerShell script using the Microsoft Graph API to import users:

         # This script calls the Graph REST endpoint directly, so the Microsoft.Graph
         # PowerShell SDK does not need to be installed for it.

         # App-only token via the client credentials flow (the app registration from step 1).
         # Creating users needs only the User.ReadWrite.All application permission;
         # Directory.ReadWrite.All is broader than this script requires.
         # Keep the secret out of the script in real use (read it from a secure store).
         $tenantId     = "your-tenant-id"
         $clientId     = "your-client-id"
         $clientSecret = "your-client-secret"
         $tenantDomain = "mytenant.onmicrosoft.com"   # your B2C tenant's initial (verified) domain

         $token = (Invoke-RestMethod -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" -Method Post -Body @{
             client_id     = $clientId
             scope         = "https://graph.microsoft.com/.default"
             client_secret = $clientSecret
             grant_type    = "client_credentials"
         }).access_token

         # Read CSV file
         $users = Import-Csv -Path "path-to-your-csv-file.csv"

         # Define API endpoint
         $graphApiUrl = "https://graph.microsoft.com/v1.0/users"

         foreach ($user in $users) {
             # The signInNames column is Azure AD Graph (graph.windows.net) syntax.
             # Microsoft Graph has no signInNames property; a B2C local account's email
             # login is an entry in the "identities" collection instead.
             $signIn = $user.signInNames | ConvertFrom-Json

             $userPayload = @{
                 accountEnabled = $true
                 displayName    = $user.displayName
                 # No userPrincipalName: a consumer address (gmail.com, yahoo.com) is not a
                 # verified domain, which is exactly the bulk-import error. When identities
                 # is supplied, B2C generates <guid>@$tenantDomain as the UPN itself.
                 identities     = @(
                     @{
                         signInType       = $signIn.type     # "emailAddress"
                         issuer           = $tenantDomain
                         issuerAssignedId = $signIn.value    # the address the user signs in with
                     }
                 )
                 passwordProfile = @{
                     # Only enforced if the sign-in user flow has forced password reset enabled
                     forceChangePasswordNextSignIn = $true
                     password = $user.password
                 }
                 passwordPolicies = "DisablePasswordExpiration"
             }

             $userJson = $userPayload | ConvertTo-Json -Depth 10
             try {
                 $response = Invoke-RestMethod -Uri $graphApiUrl -Method Post -Headers @{Authorization = "Bearer $token"} -Body $userJson -ContentType "application/json"
                 Write-Output "Created $($signIn.value) as $($response.id)"
             }
             catch {
                 # Report and continue so one bad row does not stop the whole import
                 Write-Warning "Failed to create $($signIn.value): $($_.Exception.Message)"
             }
         }


    Azure AD PowerShell

    Alternatively, you can use Azure AD PowerShell to achieve the same goal. Here’s a brief example:

    1. Install AzureAD Module:

         Install-Module -Name AzureAD

    2. Connect to Azure AD:

         Connect-AzureAD -TenantId "your-tenant-id"

    3. Script to Create Users:

         # Note: the AzureAD module is deprecated in favour of the Microsoft Graph SDK.
         # Against graph.windows.net a B2C local account needs CreationType "LocalAccount" plus SignInNames.
         $tenantDomain = "mytenant.onmicrosoft.com"   # your B2C tenant's initial (verified) domain

         # Read CSV file
         $users = Import-Csv -Path "path-to-your-csv-file.csv"

         foreach ($user in $users) {
             $passwordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
             $passwordProfile.Password = $user.password
             $passwordProfile.ForceChangePasswordNextLogin = $true

             # -SignInNames expects SignInName objects, not plain hashtables
             $signInName = New-Object -TypeName Microsoft.Open.AzureAD.Model.SignInName
             $signInName.Type  = "emailAddress"
             $signInName.Value = $user.userPrincipalName   # the CRM email address the user signs in with

             # The cmdlet requires a UPN and a MailNickName, and neither may be the consumer
             # email (unverified domain). Use a GUID on the tenant's domain, as B2C itself does.
             $localAccountUpn = "$([guid]::NewGuid())@$tenantDomain"
             $mailNickName    = ($user.displayName -replace '[^a-zA-Z0-9]', '')

             New-AzureADUser -DisplayName $user.displayName `
                             -PasswordProfile $passwordProfile `
                             -UserPrincipalName $localAccountUpn `
                             -MailNickName $mailNickName `
                             -AccountEnabled $true `
                             -CreationType "LocalAccount" `
                             -SignInNames @($signInName)
         }


    Notes:

    • Sign-in Names: signInNames is crucial in Azure AD B2C as it allows users to sign in with their email addresses, even if the UPN is different.
    • Password Handling: Ensure you handle passwords securely and comply with your organization's password policies.
    • Testing: Always test the script with a few users before running it for the entire dataset.

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James

    1 person found this answer helpful.

  2. James Hamil 27,211 Reputation points Microsoft Employee Moderator
    2024-10-28T18:11:26.8433333+00:00

    Hi @Selvin Pudusserry , essentially, Azure AD B2C wants the domain to be something it knows and trusts, which means it should be a domain that's verified with your Azure AD tenant.

    Azure AD B2C needs the UPNs to use a verified domain. This can be the default onmicrosoft.com domain that comes with your Azure AD tenant, or any custom domain you've verified with Azure AD.

    If you haven't set up a custom domain, you can always fall back on the default one. For instance, if your tenant is called mytenant, your default domain would be mytenant.onmicrosoft.com. So, your CSV file should look something like this:

    userPrincipalName,displayName,password
    ******@mytenant.onmicrosoft.com,User One,Password123
    ******@mytenant.onmicrosoft.com,User Two,Password123
    

    If you're keen on using a custom domain, you'll need to verify it first:

    • Go to the Azure AD portal.
    • Navigate to "Azure Active Directory" > "Custom domain names".
    • Add and verify your custom domain by following the provided steps.

    Make sure the userPrincipalName values in your CSV are using a verified domain, either the default onmicrosoft.com domain or your verified custom domain.

    With your CSV file updated, go ahead and retry the bulk import.

    Here's an example assuming your tenant's default domain is mytenant.onmicrosoft.com:

    userPrincipalName,displayName,password
    ******@mytenant.onmicrosoft.com,User One,Password123
    ******@mytenant.onmicrosoft.com,User Two,Password123
    

    So, you don't need to add custom domains for every possible email provider like Gmail or Yahoo. Just stick with a domain that's verified with your Azure AD tenant. Usually, the default onmicrosoft.com domain should work perfectly fine. Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James
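Pre-flight check for both answers above, written for this page as an added example (it is not code from either answer or from Microsoft). Given a CSV shaped like the one in the question, it reproduces the portal's verified-domain rule to predict which rows the CSV bulk import will reject with the "domain portion of the userPrincipalName property is invalid" error, and builds the Microsoft Graph POST /users body the Graph-based answer needs: the CRM email goes into an emailAddress identity and no userPrincipalName is sent, so B2C assigns one on the tenant domain. It also replaces the shared generic password with a per-user random value, which is what B2C migration guidance does when legacy passwords are unavailable (users then onboard through the password-reset user flow). It runs offline and makes no Graph calls. The tenant domain mytenant.onmicrosoft.com is taken from the answer; the verified-domain set, the sample rows and all function names are constructed for the example. It is in Python rather than PowerShell so the logic can be exercised without a tenant.

```python
"""Offline pre-flight for a CSV -> Azure AD B2C import (added example)."""
import csv
import io
import json
import secrets
import string

# Assumed tenant and verified-domain set (constructed for this example; in practice
# read them from GET https://graph.microsoft.com/v1.0/domains?$filter=isVerified eq true).
TENANT_DOMAIN = "mytenant.onmicrosoft.com"
VERIFIED_DOMAINS = {TENANT_DOMAIN}

# Constructed sample input shaped like the question's CSV: row 0 is a consumer email
# the portal bulk import rejects, row 1 uses the tenant's default domain, row 2 is malformed.
SAMPLE_CSV = """userPrincipalName,displayName,password
user.one@gmail.com,User One,Password123
user.two@mytenant.onmicrosoft.com,User Two,Password123
user-three,User Three,Password123
"""

SYMBOLS = "!@#$%^&*"


def parse_rows(csv_text):
    """Read the CSV into one dict per user."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def email_domain(value):
    """Return the lower-cased domain of a well-formed user@domain value, else None."""
    local, sep, domain = value.strip().partition("@")
    if not sep or not local or not domain or "@" in domain:
        return None
    return domain.lower()


def bulk_import_rejects(rows, verified_domains):
    """Reproduce the portal's check: the UPN domain must be a verified domain.
    Returns [(row_index, reason)] for rows the CSV bulk import would refuse."""
    rejects = []
    for i, row in enumerate(rows):
        domain = email_domain(row["userPrincipalName"])
        if domain is None:
            rejects.append((i, "userPrincipalName is not user@domain"))
        elif domain not in verified_domains:
            rejects.append((i, f"domain {domain} is not verified in the tenant"))
    return rejects


def password_meets_policy(pw):
    """B2C's default local-account policy: 8-64 characters from at least three of
    lower, upper, digit, symbol."""
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in SYMBOLS for c in pw))
    return 8 <= len(pw) <= 64 and sum(classes) >= 3


def random_password(length=20):
    """Per-user CSPRNG password containing all four classes; replaces the shared value."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def graph_user_body(row, tenant_domain):
    """Build the Microsoft Graph POST /users body for a B2C local account.
    The CRM email becomes an emailAddress identity; no userPrincipalName is sent, so
    B2C assigns <guid>@<tenant_domain> and the verified-domain rule never applies."""
    email = row["userPrincipalName"].strip()
    if email_domain(email) is None:
        raise ValueError(f"row for {row['displayName']!r}: {email!r} is not an email address")
    return {
        "accountEnabled": True,
        "displayName": row["displayName"],
        "identities": [{
            "signInType": "emailAddress",
            "issuer": tenant_domain,
            "issuerAssignedId": email,
        }],
        "passwordProfile": {
            # Honoured by sign-in user flows with forced password reset enabled; users
            # who never receive the random value simply use the password-reset flow.
            "forceChangePasswordNextSignIn": True,
            "password": random_password(),
        },
        "passwordPolicies": "DisablePasswordExpiration",
    }


def plan_import(csv_text, tenant_domain=TENANT_DOMAIN):
    """Return (bodies, errors): JSON-ready bodies for importable rows and the rows that cannot become accounts."""
    bodies, errors = [], []
    for row in parse_rows(csv_text):
        try:
            bodies.append(graph_user_body(row, tenant_domain))
        except ValueError as exc:
            errors.append(str(exc))
    return bodies, errors


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_CSV)
    for i, reason in bulk_import_rejects(rows, VERIFIED_DOMAINS):
        print(f"bulk CSV import would reject row {i}: {reason}")
    bodies, errors = plan_import(SAMPLE_CSV)
    print(json.dumps(bodies, indent=2))
    for e in errors:
        print("skipped:", e)
```

In a real run the verified-domain set comes from the tenant's domains list and each body from plan_import is POSTed the way the PowerShell script in the first answer does it; the random password is not kept anywhere, so the import leaves no shared credential behind and users set their own through the password-reset user flow.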

