This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(294.40000000000003, 48%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESK%3C/text%3E%3C/svg%3E)
Hi all,
I am trying to figure out how to successfully link an AD directory to my B2C tenant as explained in the MS documentation here:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-single-tenant?pivots=b2c-user-flow
I have followed all the steps in the MS documentation and it is possible already to sign up and sign in using a standard signup/signin user flow using the account that created the B2C tenant in the first place. So far so good.
The problem is that I get an error message every time I try to run the user flow and log in with AD (using Open Connect) using any other account that exists in the main tenant's AD. The whole reason I have set up this system is so that all users in the main tenant's AD directory can sign up/log in using B2C.
This might be an issue with the user flow. Maybe if you run the user flow from a specific AD account, you can only use the AD button to sign up/sign in using that specific account. This in turn is hard to test because I can also not seem to figure out how to give other users in the main tenant's AD directory access to the entirety of the B2C tenant. If I can get that working, I can run the user flow from a different account to check if using that account I can indeed sign up/sign in using AD single tenant.
I have of course added the account that I'm trying to sign up/sign in with to the AD in the main tenant and I have even added it as a user in the B2C tenant. The account that I'm trying to signup/sign in with using AD single tenant also has, as far as I can tell, the same rights as the account that created the B2C tenant (and thus the account that is able to use the AD signup/signin button).
If anyone knows how to give accounts from the main tenant's AD directory access to the B2C tenant in order to run user flows from those accounts I would be very eternally grateful.
The error that I get is the following:
*edit: It might also be good to note that when I open the B2C tenant from any other account in the AD directory from the main tenant, that it opens up an unknown empty B2C tenant that is in a completely different directory, not linked to the main tenant's subscription. It gives the following error: "User authorization failed. You must have access to 43e68f86-7f91-etc (the unknown directory name)"
*edit 2: I have successfully invited a second user to get access to the B2C tenant (had to do it via email so it's not limited to the AD directory). This user had the ability to run user flows as well and I found out that signing up and signing in during that user flow is only possible with the account that you are running that user flow from. This second user could thus only register and sign in with AD using the email that was registered to that account as well.
This solves half of the puzzle for me. Now I suppose I need to take it further than just running the user flows and find out what limitations in terms of authentication I can set to the sign up and sign in process using this AD openconnect to B2C (I want users from specific AD directories to have access in the first place)
Hi, we are investigating your issue and will update you shortly.
Best,
James
@Sander Koster
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
----------
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
Hi @Sander Koster , is this happening to every user you try to create, or only one? Is the email domain of the user the same as your tenant, or is it external, like gmail? (I see in your screenshot it is the tenant, but was wondering if there were more emails you tried). What subscription type are you using? Is it the free trial? I'm sure you've seen this thread but if not can you see if any of the solutions there can help? There are a few things that can cause this so please let me know and I can help you further.
Best,
James