
I'm trying to use Azure B2C to authenticate my web app.

I've set it up as multi-tenant - but when someone tries to log in from their work account ([email protected]) then the login shows this error:

AADSTS50020: User account '[email protected]' from identity provider 'https://sts.windows.net/xxxx/' does not exist in tenant 'MyTenant' and cannot access the application 'yyy'(My Tool) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

... if I add [email protected] as a guest user in my B2C Tenant, then this works - John can log in.

Is there a way to enable my application to not require me to add "guest accounts", and just authenticate against any AAD tenant? (leaving authorization up to my app)

Did you configure multi-tenant based on this document: docs.microsoft.com/en-us/azure/active-directory-b2c/…? If yes, note that you need to configure the multi-tenant ID here: docs.microsoft.com/en-us/azure/active-directory-b2c/…. - Allen Wu
<Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000,https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111</Item>. This allows you to sign in directly with an account from tenant 00000000-0000-0000-0000-000000000000 or 11111111-1111-1111-1111-111111111111. - Allen Wu
Hi did you check what I suggested? - Allen Wu
I agree with @AllenWu, you need to implement custom policies as per the documentation. - Krunal
Thanks for the help guys... I'm looking into this now and will let you know how I go - MG123

1 Answer


You should configure multi-tenant based on this document: Set up sign-in for multi-tenant Azure Active Directory using custom policies in Azure Active Directory B2C

You can set multiple AAD tenants as identity providers by following this part:

<Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000,https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111</Item>

This allows you to sign in directly with an account from tenant 00000000-0000-0000-0000-000000000000 or 11111111-1111-1111-1111-111111111111.