1
votes

We have an AAD B2C set up that allows external users to log in with accounts maintained within AAD B2C. Additionally, internal corporate users will log in using their AAD accounts per https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-aad-custom

Have a request to suppress the creation of Federated user accounts within AAD B2C for the internal users authenticating via AAD.

I am assuming I can remove the steps from the UserJourney to stop from writing to the directory.

Has anyone done this successfully? Also, we will lose the audit capabilities within B2C for these users -- are there any other reasons not to do this?


1 Answer

0
votes

To prevent the federated account having any representation in the B2C directory, remove the user journey step which refers to writeUsingAlternativeSecurityId. The disadvantage is that you can’t write any extension data for this user in the B2C directory; only claims from the AAD token can be flowed into the B2C token, plus any real-time data acquisition via API call in the journey or user input screens. Audit logs will be intact in terms of the sign-in/out requests.

In the OIDC technical profile for Azure AD federation, add an input parameter called prompt, and pass a defaultValue to it of ‘login’. This will force the user to select their account at AAD. Although, if the user has SSO at AAD, they may still not have to provide a password, for example if they are Azure AD domain joined. You’ll need to define a string claim with ID “prompt”.
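As an added illustration (not code from the question, the answer, or Microsoft's documentation), here are the three custom-policy fragments the answer describes: the prompt claim type, the input claim on the OIDC technical profile, and a user journey with the directory-write step left out. The technical profile Id AADCommon-OpenIdConnect, the journey Id and the exchange Ids are assumed names; SelfAsserted-LocalAccountSignin-Email, AAD-UserReadUsingObjectId, api.signuporsignin and JwtIssuer are the starter-pack ones, and the OIDC profile is assumed to emit authenticationSource=socialIdpAuthentication as the starter pack does.

```xml
<ClaimType Id="prompt">
  <DisplayName>prompt</DisplayName>
  <DataType>string</DataType>
</ClaimType>
<!-- Inside the corporate tenant's OpenIdConnect technical profile (Id assumed).
     Input claims of an OIDC profile are sent as authorization-request query parameters. -->
<TechnicalProfile Id="AADCommon-OpenIdConnect">
  <!-- ... Protocol, Metadata, CryptographicKeys, OutputClaims as already configured ... -->
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="prompt" DefaultValue="login" />
  </InputClaims>
</TechnicalProfile>
<!-- Journey without the AAD-UserWriteUsingAlternativeSecurityId step. The federated user then
     has no objectId, so the starter-pack read-by-objectId step (objectId is a required input
     claim there) must be skipped for that source as well, or the journey fails. -->
<UserJourney Id="SignUpOrSignInAADNoWrite">
  <OrchestrationSteps>
    <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
      <ClaimsProviderSelections>
        <ClaimsProviderSelection TargetClaimsExchangeId="AADExchange" />
        <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
      </ClaimsProviderSelections>
      <ClaimsExchanges>
        <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
          <Value>objectId</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="AADExchange" TechnicalProfileReferenceId="AADCommon-OpenIdConnect" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="3" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
          <Value>authenticationSource</Value>
          <Value>socialIdpAuthentication</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="4" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
  </OrchestrationSteps>
</UserJourney>
```

With this journey the federated user's token carries only what the AAD token and the journey itself produced, which is the trade-off the answer points out.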