How to use sign-in for multi-tenant Azure Active Directory in Azure B2C

Michael Washington 911 Reputation points MVP
2020-09-06T23:37:19.887+00:00

I completed this tutorial:

Set up sign-in for multi-tenant Azure Active Directory using custom policies in Azure Active Directory B2C

But I now want to use this in my signup user flow.

At the end of the article they show you how to test it using the "Run now endpoint".

If I select the application I created, for the "Microsoft Account" Identity Provider, using an Azure AD account will still show the error: "That Microsoft account doesn't exist. Enter a different account or get a new one."

So I followed the directions: "Add the Azure Active Directory identity provider"

I created an OpenID Connect Identity Provider pointing to the application created in the Azure B2C tenant, and I also created another one pointing to the application created in my normal Azure tenant, and in both cases, when logging in I get the error:

AADSTS50020: User account '{{user account}}' from identity provider 'https://sts.windows.net/{{user tenant id}}/' does not exist in tenant 'ADefWebserver' and cannot access the application '{{my Azure B2C Tenant id}}'(Blazor Simple Survey AAD) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

Is there documentation that tells you what you are supposed to do to fully make this work?

You can try out what I have so far at this link: https://blazorsimplesurvey.azurewebsites.net/AzureADB2C/Account/SignIn

Thank You


Accepted answer
  1. AmanpreetSingh-MSFT 56,481 Reputation points
    2020-09-07T18:03:16.06+00:00

    Hello @Michael Washington ,

    If I understood your requirement correctly, you want to show the Social IDP buttons only and don't want the email address and password field on the signup/signin page. If that is the case, you would need to use the "Social Accounts" policy file templates from the starter pack. Currently, you are using the SocialAndLocalAccounts template.

    Here are some sample application codes to integrate B2C with the application, so that user flow can be triggered from the application.
    https://medium.com/marcus-tee-anytime/azure-ad-b2c-quickstart-with-visual-studio-blazor-563efdff6fdd
    https://learn.microsoft.com/en-us/azure/active-directory-b2c/code-samples

    -----------------------------------------------------------------------------------------------------------

    Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.


5 additional answers

  1. AmanpreetSingh-MSFT 56,481 Reputation points
    2020-09-07T15:23:53.033+00:00

    Hello @Michael Washington ,

    Please make sure the client_ID that you have specified in the Common-AAD technical profile matches the App ID of the application that you have registered as per the instructions specified under the Register an application section of the document, where you have added https://your-B2C-tenant-name.b2clogin.com/your-B2C-tenant-name.onmicrosoft.com/oauth2/authresp as the reply URL, which is the Blazor Simple Survey AAD app in your case. This app must be configured as a multi-tenant app as mentioned in step 6 of the Register an application section.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

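The two checks in the answer above (the client_id in the technical profile must match the multi-tenant app registration, and the profile must use an authority that accepts users from other tenants) are easy to get wrong by hand. The script below is an added example, not code from the question or from the Microsoft tutorial: it parses a TrustFrameworkExtensions.xml and reports the mismatches that produce the AADSTS50020 error shown in the question, plus a missing issuer-prefix restriction. The embedded policy is a constructed sample modelled on the tutorial's profile; the profile name `AADCommon-OpenIdConnect`, the all-zero client_id and the `B2C_1A_AADAppSecret` key name are assumptions.

```python
"""Pre-upload sanity check for the multi-tenant AAD technical profile
in a B2C TrustFrameworkExtensions.xml.

Added example; not code from the question or the Microsoft tutorial.
Assumptions: the profile is named 'AADCommon-OpenIdConnect' as in the
tutorial, and the sample policy below is constructed with placeholder values.
"""
import xml.etree.ElementTree as ET
from typing import List

# TrustFramework policy files use this namespace for every element.
NS = {"tf": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}

# Constructed sample policy (placeholder tenant and client_id values).
SAMPLE_POLICY = """<?xml version="1.0" encoding="utf-8"?>
<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
  PolicySchemaVersion="0.3.0.0" TenantId="yourtenant.onmicrosoft.com"
  PolicyId="B2C_1A_TrustFrameworkExtensions"
  PublicPolicyUri="http://yourtenant.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions">
  <ClaimsProviders>
    <ClaimsProvider>
      <Domain>commonaad</Domain>
      <DisplayName>Common AAD</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="AADCommon-OpenIdConnect">
          <DisplayName>Multi-Tenant AAD</DisplayName>
          <Protocol Name="OpenIdConnect" />
          <Metadata>
            <Item Key="METADATA">https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration</Item>
            <Item Key="client_id">00000000-0000-0000-0000-000000000000</Item>
            <Item Key="response_types">code</Item>
            <Item Key="scope">openid profile</Item>
            <Item Key="DiscoverMetadataByTokenIssuer">true</Item>
            <Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/</Item>
          </Metadata>
          <CryptographicKeys>
            <Key Id="client_secret" StorageReferenceId="B2C_1A_AADAppSecret" />
          </CryptographicKeys>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>
</TrustFrameworkPolicy>
"""


def check_aad_profile(policy_xml: str, expected_client_id: str,
                      profile_id: str = "AADCommon-OpenIdConnect") -> List[str]:
    """Return a list of findings; an empty list means the profile looks consistent."""
    root = ET.fromstring(policy_xml)
    profile = root.find(f".//tf:TechnicalProfile[@Id='{profile_id}']", NS)
    if profile is None:
        return [f"technical profile '{profile_id}' not found"]

    items = {item.get("Key"): (item.text or "").strip()
             for item in profile.findall("tf:Metadata/tf:Item", NS)}
    findings = []

    # 1. client_id must be the App ID of the registration that carries the
    #    .../oauth2/authresp reply URL; any other value fails at token exchange.
    if items.get("client_id", "").lower() != expected_client_id.lower():
        findings.append("client_id does not match the multi-tenant app registration")

    # 2. A tenant-specific authority only issues tokens for that tenant's users;
    #    users from other tenants are rejected with AADSTS50020.
    metadata_url = items.get("METADATA", "")
    if "/common/" not in metadata_url and "/organizations/" not in metadata_url:
        findings.append("METADATA authority is tenant-specific; users from other tenants will be rejected")

    # 3. With per-issuer metadata discovery, restrict which issuers are trusted.
    if items.get("DiscoverMetadataByTokenIssuer", "").lower() == "true" \
            and not items.get("ValidTokenIssuerPrefixes"):
        findings.append("DiscoverMetadataByTokenIssuer is enabled without ValidTokenIssuerPrefixes")

    # 4. The confidential-client secret must be referenced from the policy key container.
    if profile.find("tf:CryptographicKeys/tf:Key[@Id='client_secret']", NS) is None:
        findings.append("client_secret key reference is missing")
    return findings


if __name__ == "__main__":
    for finding in check_aad_profile(SAMPLE_POLICY, "00000000-0000-0000-0000-000000000000"):
        print("FINDING:", finding)
```

Run it against the real TrustFrameworkExtensions.xml by reading the file into `policy_xml` and passing the App ID from the multi-tenant registration as `expected_client_id`; any finding should be resolved before uploading the policy.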

  2. Michael Washington 911 Reputation points MVP
    2020-09-07T17:04:36.973+00:00

    Hello @AmanpreetSingh-MSFT ,

    I have confirmed in my TrustFrameworkExtensions.xml file that I have the client_id pointing to the Application in my Azure tenant (not the B2C tenant).

    A bit more information:

    After all the set-up I did, following the directions, this OpenID Connect discovery endpoint:
    https://ADefWebserverB2C.b2clogin.com/ADefWebserverB2C.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1A_signup_signin_AAD

    when I click the Run now endpoint:
    https://ADefWebserverB2C.b2clogin.com/ADefWebserverB2C.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1A_signup_signin_AAD&client_id=3e4642e1-1934-410e-8162-784b32957010&nonce=defaultNonce&redirect_uri=https%3A%2F%2Fjwt.ms&scope=openid&response_type=id_token&prompt=login

    Appears to work! (meaning I can log in with any Azure Active Directory tenant).

    My question is how-do-I-make-it-work-in-my-B2C-Application?
    Meaning, how do I take something that works with the "Run now endpoint" button and implement it in my application?

    Thank You!


  3. Michael Washington 911 Reputation points MVP
    2020-09-07T17:43:45.447+00:00

    Hello @AmanpreetSingh-MSFT ,

    In my Blazor app, I changed the "SignUpSignInPolicyId" setting from the original:
    "B2C_1_signup"
    to:
    "B2C_1A_signup_signin_AAD"

    Now the login button shows and it works!

    [image: 23038-newlogin.png]

    However I want the login to look like this:

    [image: 23060-oldlogin.png]

    Do I need to alter the TrustFrameworkExtensions.xml somehow?

    Thank You!


  4. Michael Washington 911 Reputation points MVP
    2020-09-08T01:43:26.107+00:00

    Hello @AmanpreetSingh-MSFT ,

    Thank you for your assistance!
