
I need to synchronize users from my on-prem AD to an AD B2C tenant. Now, the docs clearly state this is not possible, but one of the workarounds offered in other questions (like this one: Can I Use ADConnect to migrate users to Azure B2C) is to create a regular Azure AD, sync the users to it, and then configure this Azure AD as an identity provider for the B2C.

This obviously works; however, it will display a link on the sign-in page to log in using the Azure AD tenant (similar to what happens with the Facebook identity provider). What I'm looking for is a seamless experience, where the users sign in using the regular B2C pages, as if they were local users, and the users' profiles are retrieved from the Azure AD tenant.

How can that be achieved? How can I use the B2C sign-in pages and get the users from the Azure AD tenant?

Thanks!

ml123

2 Answers


Why do you need Azure B2C? If all users are in the AD, then just use AD as it was intended instead of trying to shoehorn them into something it wasn't designed for. As you say, the added button to log in as an AD user is there for this very purpose; I use that and it works well: if you are an internal user (B2B), go this way with your normal password; all other public users (B2C) go via the username/password front and centre on the screen.

If you migrate users to B2C so they have both, that would be annoying, as you would have no single sign-on.

Steve Newton

  • I need B2C for two reasons: 1) to take advantage of the user flows and custom policies that are not offered by Azure AD; 2) to facilitate additional identity providers, such as FB and Google. But I need to migrate to this tenant existing users that are currently in an on-prem AD, and I want them to be part of the new B2C. – ml123 Aug 30 '22 at 16:05
  • OK, not sure that is what I would do, but your only answer I believe is to duplicate the users by extracting using Graph, for example, and creating in B2C with Graph also. You lose any single sign-on, and you could create a 'sync' process in terms of users in one or the other. There are PowerShell scripts out there to connect to Azure; I use one to create B2C users in batch from Excel. – Steve Newton Aug 30 '22 at 17:19

The easiest way is to use this sample.

"On the sign-in page, the user provides their sign-in email address and clicks continue. B2C checks the domain portion of the sign-in email address. If the domain name is contoso.com the user is redirected to Contoso.com Azure AD to complete the sign-in. Otherwise the user continues the sign-in with username and password. In both cases (AAD B2C local account and AAD account), the user does not need to retype the user name."

So no button clicking.

However, this creates the user as a "shadow" account in B2C. It's not a local account. If the user already has a local account, then you can link the two.

Otherwise, there are some migration samples.

rbrayb