Hi all,
I am trying to figure out how to successfully link an AD directory to my B2C tenant as explained in the MS documentation here:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-single-tenant?pivots=b2c-user-flow
I have followed all the steps in the MS documentation and it is already possible to sign up and sign in using a standard sign up/sign in user flow with the account that created the B2C tenant in the first place. So far so good.
The problem is that I get an error message every time I try to run the user flow and log in with AD (using OpenID Connect) using any other account that exists in the main tenant's AD. The whole reason I have set up this system is so that all users in the main tenant's AD directory can sign up/log in using B2C.
This might be an issue with the user flow. Maybe if you run the user flow from a specific AD account, you can only use the AD button to sign up/sign in using that specific account. This in turn is hard to test because I also cannot seem to figure out how to give other users in the main tenant's AD directory access to the entirety of the B2C tenant. If I can get that working, I can run the user flow from a different account to check whether I can indeed sign up/sign in using AD single tenant with that account.
I have of course added the account that I'm trying to sign up/sign in with to the AD in the main tenant, and I have even added it as a user in the B2C tenant. The account that I'm trying to sign up/sign in with using AD single tenant also has, as far as I can tell, the same rights as the account that created the B2C tenant (and thus the account that is able to use the AD sign up/sign in button).
If anyone knows how to give accounts from the main tenant's AD directory access to the B2C tenant in order to run user flows from those accounts, I would be eternally grateful.
The error that I get is the following:
*edit: It might also be good to note that when I open the B2C tenant from any other account in the AD directory of the main tenant, it opens up an unknown, empty B2C tenant that is in a completely different directory, not linked to the main tenant's subscription. It gives the following error: "User authorization failed. You must have access to 43e68f86-7f91-etc (the unknown directory name)"
*edit 2: I have successfully invited a second user to get access to the B2C tenant (had to do it via email, so it's not limited to the AD directory). This user had the ability to run user flows as well, and I found out that signing up and signing in during that user flow is only possible with the account that you are running that user flow from. This second user could thus only register and sign in with AD using the email that was registered to that account as well.
This solves half of the puzzle for me. Now I suppose I need to take it further than just running the user flows and find out what limitations in terms of authentication I can set on the sign up and sign in process using this AD OpenID Connect to B2C (I want users from specific AD directories to have access in the first place).