0
votes

I am working on Azure AD B2C for my Angular 6 front-end App and consuming Microsoft Graph API in order to change the signed-in user's password. I am getting the access_token using the Authorization Code flow.

It works fine when the user has a username like [email protected], I get an access_token and then call https://graph.microsoft.com/v1.0/users/{id}/changePassword.

But when I try to do the same for users with a username like [email protected] or [email protected], I get an error when acquiring the access_token from Authorization Code flow (grant_type=password). Note: These users are "local" accounts in my AAD B2C tenant.

Following is the error message I get:

{
    "error": "invalid_grant",
    "error_description": "AADSTS50034: To sign into this application the account must be added to the myb2cname.onmicrosoft.com directory. Trace ID: 8fcae061-5088-4393-9e5b-d0a83d1d0a00 Correlation ID: 0dc6c906-c54b-4cd8-ae8b-46f3f6118e40 Timestamp: 2018-08-01 06:16:55Z",
    "error_codes": [
        50034
    ],
    "timestamp": "2018-08-01 06:16:55Z",
    "trace_id": "8fcae061-5088-4393-9e5b-d0a83d1d0a00",
    "correlation_id": "0dc6c906-c54b-4cd8-ae8b-46f3f6118e40"
}

How can I call changePassword for users who are signed in using the email identity provider (SignIn-SignUp Policy) when their username looks like [email protected] or [email protected] instead of [email protected]?
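As an added example (not part of the question or any of the answers), a small Python parser for the token-endpoint error body shown above: it pulls out the OAuth error, the AADSTS code and the trace/correlation IDs so a client can log what Microsoft support asks for while showing the end user only a reference. The sample body is the one from the question re-embedded as a single JSON document; the NON_RETRYABLE set is an assumption.

```python
import json
import re

# Constructed sample: the token-endpoint error body from the question as one JSON document.
SAMPLE_ERROR_BODY = json.dumps({
    "error": "invalid_grant",
    "error_description": ("AADSTS50034: To sign into this application the account must be "
                          "added to the myb2cname.onmicrosoft.com directory. "
                          "Trace ID: 8fcae061-5088-4393-9e5b-d0a83d1d0a00 "
                          "Correlation ID: 0dc6c906-c54b-4cd8-ae8b-46f3f6118e40 "
                          "Timestamp: 2018-08-01 06:16:55Z"),
    "error_codes": [50034],
    "timestamp": "2018-08-01 06:16:55Z",
    "trace_id": "8fcae061-5088-4393-9e5b-d0a83d1d0a00",
    "correlation_id": "0dc6c906-c54b-4cd8-ae8b-46f3f6118e40",
})

AADSTS_RE = re.compile(r"AADSTS(\d+)")
# Assumption: OAuth errors a client should not retry with the same credentials.
NON_RETRYABLE = {"invalid_grant", "invalid_client", "unauthorized_client"}


def parse_token_error(body: str) -> dict:
    """Parse an Azure AD token-endpoint error body into a structured record."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return {"error": "unparseable", "aadsts_codes": [], "trace_id": None,
                "correlation_id": None, "retryable": False}
    desc = doc.get("error_description") or ""
    # Codes appear both as the AADSTS prefix in the description and in error_codes;
    # merge them so either source alone is enough.
    codes = {int(c) for c in AADSTS_RE.findall(desc)}
    codes.update(int(c) for c in doc.get("error_codes", []) if str(c).isdigit())
    error = doc.get("error", "unknown")
    return {
        "error": error,
        "aadsts_codes": sorted(codes),
        "trace_id": doc.get("trace_id"),
        "correlation_id": doc.get("correlation_id"),
        "retryable": error not in NON_RETRYABLE,
    }


def user_facing_message(record: dict) -> str:
    """Message safe to show in the SPA: no tenant names or AADSTS text, only a reference."""
    ref = record.get("correlation_id") or "n/a"
    return f"Sign-in failed (reference: {ref})"
```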


4 Answers

0
votes

When an external user signs into your AAD, it does not create a traditional user with a traditional password, it creates a "guest" user. The actual user remains in the originating AAD tenant, your AAD tenant only stores a placeholder for that user.

You cannot change a guest user's password since your AAD doesn't actually have a password assigned to that user. Your AAD holds the authorization (what the user has access to) but relies on the user's AAD for authentication (the user is who they claim to be).

1
votes

It is the expected behavior. You need to understand AD clearly before implementing it.

In Azure AD, to authenticate a user against a Directory, the user should be a part of the Active Directory. The users who are not a part of the Active Directory will not be authenticated. The token gets generated only when the user is authenticated.

Trying to generate a token for a user who is not a part of the Active Directory is similar to logging into Azure Portal with an invalid user account.

0
votes

You can't change passwords for local account users using the Microsoft Graph API because, currently, an Azure AD B2C application can't be registered with the Microsoft Application Registration Portal and, therefore, it can't be used with the Microsoft Graph API.

You should change passwords for local account users using a custom policy.

This means the Azure AD B2C application doesn't have to collect either the current or new passwords for users.

0
votes

I ran into the same situation where I was able to create and update the user in Azure AD B2C but not able to delete or reset the password, because currently the Read and write directory data permission does NOT include the ability to delete users or update user passwords.

Configure delete or update password permissions for your application

To achieve this I had to follow the above link and it worked like a charm.