Add guest user to group during signup flow with azure ad b2b

Manuel Mourato 1 Reputation point
2021-10-01T13:14:44.527+00:00

I have created a signup/signin flow in Azure AD External Identities, using a Google Identity Provider , and added my application to this user flow.
The flow itself works as expected, as during signup the user is created, however after inserting the password, I get the following error :

The signed in user is not assigned to a role for the application

This error makes sense, as during signup the guest user is not added to any group nor given any roles, which it needs to access the application.

My question is, is there a way to give the necessary roles/add the user to a default group during the signup/signin flow process?

Thank you

Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,757 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,525 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Marilee Turscak-MSFT 36,246 Reputation points Microsoft Employee
    2021-10-01T22:04:50.383+00:00

    Dynamic Group Membership would be a good solution for you. If the users meet the criteria that you define, they will be automatically assigned to a group. (Note that a Premium P1 license is needed to use this feature.)

    https://learn.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-create-rule

    You can also create a Powershell script to automatically assign new users to enterprise application. While there isn't an official Microsoft sample that does this, there is a recent blog post here that contains a script that does just this.

    Here is the code sample: Add User To Azure AD Application Powershell

    You could also set "User assignment required" to "No", but that may not suit your scenario.

    Let me know if this helps!

    0 comments No comments