Enable user to sign in with Email in Microsoft Entra

Ivan Petrovic 0 Reputation points
2024-11-26T21:43:40.94+00:00

Hi,

We are using Microsoft Entra in cloud only (no hybrid or on-premise).

We have a tenant in Azure AD B2C with custom policies for SignIn/SignUp and custom policies for Invite/Redeem users.

Our users are internal employees within our company whose home tenant is in Microsoft Entra. Occasionally we invite those users to be members in another tenant within Azure AD B2C through the Invite/Redeem custom policies. Users are able to complete the invitation and sign in to Azure AD B2C via their email.

The problem happens when the same user, who has been added as a member in the Azure AD B2C tenant, tries to sign in via https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize using email. The same user is not allowed to sign in with email, but is allowed to sign in with userPrincipalName.

How can we enable the user to sign in with email using the Entra endpoint?

Here is the identities configuration for a sample user, which I got from the Graph API:

        [
            {
                "signInType": "emailAddress",
                "issuer": "tenant_domain.onmicrosoft.com",
                "issuerAssignedId": "user@company.email"
            },
            {
                "signInType": "userPrincipalName",
                "issuer": "domain.onmicrosoft.com",
                "issuerAssignedId": "******@domain.onmicrosoft.com"
            }
        ]

1 answer

  1. Raja Pothuraju 23,465 Reputation points Microsoft External Staff Moderator
    2024-12-04T07:01:13.4133333+00:00

    Hello @Ivan Petrovic,

    Thank you for posting your query on Microsoft Q&A.

    Based on your description, I understand that in your Azure AD B2C tenant, you are inviting users from Entra ID who are internal employees. However, they are unable to sign in using their email addresses when accessing the endpoint https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize. They are only able to log in using their User Principal Name (UPN).

    To enable login with an email address for your Azure AD B2C applications, you should send the token request to the endpoint: https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/<policy-name>/oauth2/v2.0/authorize? instead of https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize. Please test this configuration and let me know if the issue persists.

    For Entra ID tenants, if you want to enable sign-in with email addresses, this feature can be activated by setting the AlternateIdLogin attribute in the HomeRealmDiscoveryPolicy. You can refer to our documentation for detailed steps on how to configure this for your organization.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Thanks,
    Raja Pothuraju.
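The HomeRealmDiscoveryPolicy change mentioned in the answer, written out as an added example with Microsoft Graph PowerShell SDK cmdlets (this is not the answerer's code; the display name, UPN and email address are placeholders, and the last step assumes the user's email lives in proxyAddresses, which is the attribute alternate login ID matches against):

```powershell
# Added example: enable email as an alternate login ID for an Entra ID tenant by
# creating an organization-default HomeRealmDiscoveryPolicy with AlternateIdLogin
# enabled, then verify what was stored and check the affected user.
# Cmdlets come from the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns
# and Microsoft.Graph.Users). All identifiers below are placeholders.

Connect-MgGraph -Scopes "Policy.ReadWrite.ApplicationConfiguration", "User.Read.All"

# 1. Policy definition: only AlternateIdLogin is set; other HRD settings keep defaults.
$definition = @{
    HomeRealmDiscoveryPolicy = @{
        AlternateIdLogin = @{ Enabled = $true }
    }
} | ConvertTo-Json -Depth 10 -Compress

# 2. Create the policy as the organization default. This is a tenant-wide change,
#    so it belongs in change control and its creation shows up in the audit log.
$params = @{
    DisplayName           = "EmailAlternateIdLogin"   # placeholder name
    Definition            = @($definition)            # Graph expects a string array
    IsOrganizationDefault = $true
}
$policy = New-MgPolicyHomeRealmDiscoveryPolicy @params

# 3. Read it back: Definition is returned as an array of JSON strings.
Get-MgPolicyHomeRealmDiscoveryPolicy -HomeRealmDiscoveryPolicyId $policy.Id |
    Select-Object DisplayName, IsOrganizationDefault, Definition

# 4. Alternate login ID matches the user's proxyAddresses, not the B2C-style
#    "emailAddress" identity shown in the question, and the email's domain must be
#    a verified domain of the tenant. Confirm the user actually carries the address.
$upn   = "user@domain.onmicrosoft.com"   # placeholder UPN
$email = "user@company.email"            # placeholder email from the question
$user  = Get-MgUser -UserId $upn -Property UserPrincipalName, Mail, ProxyAddresses

# -contains is case-insensitive, so "smtp:" also matches the primary "SMTP:" entry.
if ($user.ProxyAddresses -notcontains "smtp:$email") {
    Write-Warning "$email is not in proxyAddresses for $upn; alternate ID sign-in will not match it."
}
```

Sign-ins that use the alternate ID afterwards still resolve to the same user object, so existing Conditional Access and sign-in log queries keyed on the UPN continue to apply.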
