I've got an Azure Active Directory B2C up and running and can sign in with users created in the AD that have the form of @.onmicrosoft.com.  So, for example, john.smith@myorganization.onmicrosoft.com, works just fine.  But these user names are unacceptable for external use.  I've also got basic Microsoft Account logins working, so a user with the name of john.smith@comcast.net will work by redirecting through the Microsoft directory.

But I want to allow arbitrary emails for logins.  Using the Azure Portal, how do I add a user and give them a login id of john.smith@somecompany.com?  The document and FAQ indicate that it's possible, but I can't find the option in the Azure portal when I add a user.  What am I missing?

Quark Soup

2 Answers

Azure AD B2C Users should NOT be created via the Users & Groups blade.

This blade, while available from the Azure AD B2C Edit Settings blade, is meant at this time to be used to manage users for regular (corporate/enterprise) Azure AD. While it is technically possible to create/add users via this blade, you'll end up with undesired/unexpected behavior such as, as you observed, users being created with @tenantname.onmicrosoft.com or having them created as Guests via the Azure AD B2B Collaboration feature that ultimately can't sign in to your Azure AD B2C integrated applications.

In the context of Azure AD B2C, you should only use this blade to browse the users in the tenant, always in read only mode.

To create Azure AD B2C users, you should either:

  • Have the users sign up by themselves via the Sign-up or unified Sign-up/Sign-in policy.
  • Programmatically pre-create the users via the Graph API. For this approach check out this sample which contains a CLI to create users and showcases the code behind it.
Saca
  • OK. Big caveat to the option of using the Graph API. Apparently the Microsoft Account credentials don't work with the PowerShell commands (go figure!). You apparently need to create an administrator in your active directory (with the form administrator@mytenant.onmicrosoft.com) just to get to first base. – Quark Soup Feb 15 '17 at 14:26
  • Sorry, doesn't work. I followed the instructions to the letter in the sample for the Graph API. I created users with the templates provided (e.g joeconsumer@gmail.com, joe consumer). The users created through the Graph API had a GUID for the username. That is, they were created with the form .mytenant.onmicrosoft.com. Presumably I'm supposed to change the GUID string into something more friendly through the portal. – Quark Soup Feb 15 '17 at 21:23
  • While their UPN will have such value, that's not the value that they'll use while signing in via the B2C signin or unified signup/signin policy. For those they should use the friendly signin name you provided during creation. – Saca Feb 15 '17 at 21:26
  • I agree. If you go into the new Azure Portal, you see the friendly name. That is, the 'user name' column displays the 'signInNames' from the JSON structure. However, they still don't work. Again, I'm using the exact templates in the Graph API example. Still no joy. – Quark Soup Feb 15 '17 at 22:20
  • How are you attempting to sign them in? – Saca Feb 15 '17 at 22:21
  • **authenticationContext.AcquireTokenAsync** on the client side to get the token, **tokenHandler.ValidateToken** on the server side to validate the token. This scheme works with IDs that I generate from the portal, or Microsoft Accounts, but not local accounts. – Quark Soup Feb 15 '17 at 22:24
  • Looks like you're using ADAL for sign-in. For Azure AD B2C sign-in, you should use MSAL which doesn't have "AuthenticationContext". See this sample: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-native-dotnet – Saca Feb 15 '17 at 22:50
  • OK. One more roadblock. The security token generated by MSAL doesn't appear to be compatible with the **tokenHandler.ValidateToken** method: **TokenSignatureKeyNotFoundException:** Signature validation failed. Unable to match 'kid': ... Any ideas or examples of how the server processes this token to validate the user that doesn't involve the MVC plumbing (I have WCF services)? – Quark Soup Feb 16 '17 at 14:18
  • I'll gladly help you with that as well but please create a new question for that and flag this one as answered. Make sure you include the code that you are using. – Saca Feb 16 '17 at 14:51
  • If you edit the answer, I can up-vote it. In the meantime, I've posted the server side of this question at: http://stackoverflow.com/questions/42277852/how-do-you-authenticate-aad-b2c-using-msal. – Quark Soup Feb 16 '17 at 16:37
  • Anything. It's telling me my vote is locked until the answer is edited. I tried to edit, but the moderator rejected it. Just add the link to the MSAL example, I guess. – Quark Soup Feb 16 '17 at 17:17
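As an added example (not code from the question, the answer or Microsoft's sample), the request body that the Graph API pre-creation route in the answer needs, and a check of which directory users can actually sign in through a B2C policy, mirroring the signInNames versus GUID UPN point made in the comments. The tenant name and the directory records are constructed here; field names follow the Azure AD Graph v1.6 schema that the sample CLI uses.

```python
import re

# Constructed tenant name (assumption); the sample CLI posts to the same endpoint.
TENANT = "mytenant.onmicrosoft.com"
GRAPH_USERS_URL = f"https://graph.windows.net/{TENANT}/users?api-version=1.6"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def build_local_account(email, display_name, password):
    """Body for POST GRAPH_USERS_URL creating a B2C local account.
    creationType=LocalAccount plus a signInNames entry makes it a local account;
    the service assigns the UPN as <guid>@tenant, which is the GUID the portal shows."""
    if not EMAIL_RE.match(email):
        raise ValueError(f"signInNames value must be an e-mail address: {email!r}")
    return {
        "accountEnabled": True,
        "creationType": "LocalAccount",
        "displayName": display_name,
        "signInNames": [{"type": "emailAddress", "value": email}],
        "passwordProfile": {"password": password, "forceChangePasswordNextLogin": False},
        "passwordPolicies": "DisablePasswordExpiration",
    }

def b2c_sign_in_name(user):
    """Identifier the user types into a B2C sign-in policy, or None if there is none.
    Local accounts sign in with a signInNames value, never with the GUID UPN; guests
    invited via Users & Groups (B2B collaboration) have no signInNames at all."""
    if user.get("userType") == "Guest":
        return None
    for name in user.get("signInNames") or []:
        if name.get("type") in ("emailAddress", "userName") and name.get("value"):
            return name["value"]
    return None

def audit_users(users):
    """Map each UPN to its usable B2C sign-in name (None = cannot use B2C policies)."""
    return {u["userPrincipalName"]: b2c_sign_in_name(u) for u in users}

# Constructed directory objects shaped like Azure AD Graph v1.6 user records.
SAMPLE_USERS = [
    {"userPrincipalName": "c0ffee00-0000-4000-8000-000000000001@" + TENANT,
     "userType": "Member", "creationType": "LocalAccount",
     "signInNames": [{"type": "emailAddress", "value": "joeconsumer@gmail.com"}]},
    {"userPrincipalName": "john.smith_somecompany.com#EXT#@" + TENANT,
     "userType": "Guest", "signInNames": []},
    {"userPrincipalName": "john.smith@" + TENANT, "userType": "Member"},
]
```

Running `audit_users` over the real `/users` listing is a quick way to spot accounts that were created through the Users & Groups blade and will fail at the B2C sign-in policy.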
You can add the user from another organization through the Azure Portal.

After logging in to the Azure Portal, navigate to Azure Active Directory -> Users and Groups -> All users, and click Add.

After you input the Name and User name, a text box will show up. In the text box, you can define the invitation message, which will be sent to the mailbox of the external user.

Andy Liu - MSFT
  • Users added from another organization this way (added to regular Azure AD via the Azure AD B2C collaboration feature) can NOT sign in via Azure AD B2C policies. – Saca Feb 15 '17 at 05:24
  • All this does is direct them to the Microsoft Account sign-up page where they can create a Microsoft Account, and we're back to the original question: how do I allow users to sign-in without a Microsoft Account? – Quark Soup Feb 15 '17 at 11:38