0
votes

I have to migrate users from an Azure Active Directory B2C Tenant (oldtenant) to another (newtenant) using Seamless migration

In the oldtenant I have some "users" (with @oldtenant.onmicrosoft.com) and some "Azure AD B2C users" (with @otherdomain.com).

The "Users" are created with the button shown in this screenshot: (screenshot omitted)

The "Azure AD B2C users" are created with the button shown in this screenshot: (screenshot omitted)

I have to retrieve the user access token to check the user's credentials in order to create the user in the newtenant. I used the source code provided here to create an API that uses the user's credentials to retrieve the user token. I also created an app registration in the oldtenant to allow the API to access the user's info.

When I try to retrieve the user token for @oldtenant.onmicrosoft.com it works, but when I try to retrieve the token for a user @otherdomain.com, I obtain the following error:

error_description: "AADSTS50034: The user account {EmailHidden} does not exist in the oldtenant.onmicrosoft.com directory. To sign into this application, the account must be added to the directory.Trace ID: 74d2a027-7011-4ee5-b62e-d022dd861d06.Correlation ID: 07427a5b-494a-44e7-947d-40eb5a4aee66.Timestamp: 2021-05-07 10:22:58Z"

It should work: I used the code provided by the documentation. I don't understand why it doesn't work.

1 Answer

1
votes

When you create a consumer account (B2C account) by using the "Create Azure AD B2C user" button, the real user principal name should be like this: {objectID}@oldtenant.onmicrosoft.com, although you can sign into B2C with such a mail format [email protected].

The data in the background is actually in this format:

{
    "id": "d5342d11-67e0-46ed-865b-20e3138ecf1f",
    "creationType": "LocalAccount",
    "userPrincipalName": "eb37ce98-8461-4f9b-ab57-e6ebb3b791c6@allentest001.onmicrosoft.com",
    "identities": [
        {
            "signInType": "emailAddress",
            "issuer": "allentest001.onmicrosoft.com",
            "issuerAssignedId": "[email protected]"
        },
        {
            "signInType": "userPrincipalName",
            "issuer": "allentest001.onmicrosoft.com",
            "issuerAssignedId": "eb37ce98-8461-4f9b-ab57-e6ebb3b791c6@allentest001.onmicrosoft.com"
        }
    ]
}

In this example, I can sign into B2C with [email protected], but when I need to get the user access token, I need to use eb37ce98-8461-4f9b-ab57-e6ebb3b791c6@allentest001.onmicrosoft.com.

B2C authentication is different from AAD authentication. And to call Microsoft Graph, we need to use AAD authentication (B2C authentication is not supported to call Microsoft Graph).

In this case, eb37ce98-8461-4f9b-ab57-e6ebb3b791c6@allentest001.onmicrosoft.com is the UPN you need to use to get user token and call Microsoft Graph.

So you should list your B2C consumer users to find their userPrincipalNames first, so that you can take the next actions.

You can list B2C consumer users in Microsoft Graph explorer easily.
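The lookup the answer describes, written out as an added example (this is not code from the question, the answer, or Microsoft): it takes the `identities` collection that Microsoft Graph returns for each user and maps the address a person types at the B2C sign-in page to the `userPrincipalName` that the Azure AD token endpoint understands. The user record is the one from the answer above; `jane.doe@example.com`, the second user, and the `https://graph.microsoft.com/v1.0` base URL are assumed here (the page's own email address is obfuscated). The `$filter` on `identities/any(...)` is the documented Graph query for finding a B2C user by sign-in identity; `odata_quote` is a hypothetical helper that doubles single quotes so a user-supplied address cannot break out of the OData string literal.

```python
"""Resolve a B2C consumer user's real UPN from the Microsoft Graph
`identities` collection before asking Azure AD for a user token."""
from __future__ import annotations

from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"  # assumed base URL for Graph v1.0

# Constructed sample data. The first record is the one shown in the answer,
# with a placeholder e-mail address; the second is a plain directory user
# whose sign-in name already equals the UPN.
SAMPLE_USERS = [
    {
        "id": "d5342d11-67e0-46ed-865b-20e3138ecf1f",
        "creationType": "LocalAccount",
        "userPrincipalName": "eb37ce98-8461-4f9b-ab57-e6ebb3b791c6@allentest001.onmicrosoft.com",
        "identities": [
            {
                "signInType": "emailAddress",
                "issuer": "allentest001.onmicrosoft.com",
                "issuerAssignedId": "jane.doe@example.com",  # placeholder address
            },
            {
                "signInType": "userPrincipalName",
                "issuer": "allentest001.onmicrosoft.com",
                "issuerAssignedId": "eb37ce98-8461-4f9b-ab57-e6ebb3b791c6@allentest001.onmicrosoft.com",
            },
        ],
    },
    {
        "id": "11111111-2222-3333-4444-555555555555",  # constructed
        "userPrincipalName": "alice@allentest001.onmicrosoft.com",
        "identities": [
            {
                "signInType": "userPrincipalName",
                "issuer": "allentest001.onmicrosoft.com",
                "issuerAssignedId": "alice@allentest001.onmicrosoft.com",
            }
        ],
    },
]


def users_query_url(
    select: tuple[str, ...] = ("id", "userPrincipalName", "creationType", "identities"),
) -> str:
    """URL for listing users with the fields needed to do the mapping locally."""
    return f"{GRAPH}/users?$select={','.join(select)}"


def odata_quote(value: str) -> str:
    """Escape a value for an OData string literal: a single quote is doubled.
    Hypothetical helper; prevents a sign-in name from breaking the filter."""
    return value.replace("'", "''")


def user_by_email_url(email: str, issuer: str) -> str:
    """URL that asks Graph to find the user by sign-in identity server-side."""
    flt = (
        f"identities/any(c:c/issuerAssignedId eq '{odata_quote(email)}' "
        f"and c/issuer eq '{odata_quote(issuer)}')"
    )
    return f"{GRAPH}/users?$filter={quote(flt)}"


def resolve_sign_in_name(users: list[dict], sign_in_name: str) -> str | None:
    """Map a B2C sign-in name (e-mail or UPN) to the directory UPN.

    Returns None when no identity matches, which is the situation behind an
    AADSTS50034 "user account does not exist" response: the e-mail address
    is a sign-in alias in `identities`, not a UPN the token endpoint knows.
    """
    wanted = sign_in_name.casefold()
    for user in users:
        for ident in user.get("identities", []):
            if ident.get("issuerAssignedId", "").casefold() == wanted:
                return user["userPrincipalName"]
    return None


if __name__ == "__main__":
    print(users_query_url())
    for name in ("jane.doe@example.com", "alice@allentest001.onmicrosoft.com"):
        print(f"{name} -> {resolve_sign_in_name(SAMPLE_USERS, name)}")
```

Pass the value returned by `resolve_sign_in_name` (not the e-mail address) as the username in the Azure AD token request for the oldtenant; the e-mail address remains what the person types on the B2C sign-in page. Matching is case-insensitive because Graph treats sign-in names that way.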