pmarnason
Helper I

Is it possible to have external users SSO authenticate using their own AAD credentials?

We want to have clients authenticate using their own AAD credentials, so they don't have to remember yet another password just to use our product.

 

I came across this article which seems to indicate it is indeed possible, while searching on this forum hints at the opposite.

 

So is it possible?

 

EDIT: To make this first post seem less vague, here is some more information:

 

  • This is regarding AAD B2C, since that is recommended over using simply AAD
  • I am using Recommended user flows, since the Standard ones are deprecated in August
  • The B2C tenant as well as the portal environment are completely fresh (created in January)

Finally, I don't HAVE to use B2C nor Recommended user flows. I am only doing so because the documentation keeps recommending it.

The single business need we have is that any user with a Microsoft school or work account should be able to register without entering any credentials, and with as few clicks as possible. So far, any user we haven't invited to our B2C tenant beforehand gets an AADSTS50020 error upon using the user flow.

ragavanrajan
Super User

Hi @pmarnason , 

 

Yes, it is possible through Azure B2B if you want to allow them to use their own credentials. I am adding the official docs for you to check how to enable Azure Active Directory login. Keep in mind that once you have enabled this option, the external users will sit in the main "Azure Active Directory tenant".

 

https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/use-simplified-authentication-con...

Adding our community champion @OliverRodrigues's recent good video for your reference:

https://www.youtube.com/watch?v=SngdBdEVGBc&ab_channel=PowerCommunity 

 

and another one from EngineeredCode to understand more: 

 

https://www.youtube.com/watch?v=_Gf142b9Aq4&t=54s&ab_channel=EngineeredCode 

 

 

PS: The recommended approach is to enable Azure B2C but you can try the above method also. 

 

Hope it helps. 

------------

If you like this post, give a Thumbs up. Where it solved your request, mark it as a Solution to enable other users to find it.

Thank you for the links, but I went with the B2C instead.

 

I set up Azure B2C and managed to add an SSO button to the login flow on my portal.

 

Unfortunately, the registration of a user is a very lengthy process:

  1. Invite guest user to B2C tenant
  2. User opens invite link on their email
  3. User is redirected to myapplications.microsoft.com after accepting registration (I am certain this redirect url could/should be changed)
  4. User logs in to portal through SSO button
  5. User has to enter email to get a verification code sent, and after entering the code the user is allowed to register

After this, the SSO button functions as expected.

 

Preferably, we would not have to invite guest users at all, but rather allow anyone to register without any action on our part. It would be even better if it simply happened as the user presses the SSO button, as if they were an invited and registered guest user and portal contact already to begin with.

 

If this is not possible, is there at least a way to avoid the verification code on portal sign up?

 

 

Thank you again for your help.

ragavanrajan
Super User

Hi @pmarnason ,

 

 You can automate the "Guest user invitation part" if you have sufficient privileges to Azure. 

Please see the blog from Arpit: https://arpitmscrmhunt.blogspot.com/2020/05/add-guest-users-in-azure-active.html

 

Regarding the verification code, it is a security thing:

 

"A user can choose to remember the browser that successfully passed the verification, so that the security code won't be required the next time the user signs in from the same browser." 

 

You can turn off the security code verification if needed by going in to site settings: 

Authentication/Registration/TwoFactorEnabled - If you don't see one, you can create it.

 

Set the value to "false". In Portal Studio, do the sync configuration and browse the website to see the changes reflected.

 


Hope it helps. 

------------

If you like this post, give a Thumbs up. Where it solved your request, mark it as a Solution to enable other users to find it.

 

Thank you, I guess I could let users invite themselves through a link or something then.

 

Is there a way to completely avoid the registration process, so that to a new registrant it would simply appear as if they are logging in, without having to be invited in the first place? I want the steps/clicks involved to be as few as possible.

ragavanrajan
Super User

Hi @pmarnason

 

I am a little bit confused. Are you trying local registration or Azure B2C logon? If it is local registration, then can you please raise it as a separate topic. Maybe I am wrong in understanding your full issue; I will hand over to our peer community champions to help here. FYI: @OliverRodrigues & @OOlashyn

I do not blame you one bit, as I have been confusing myself a lot too trying to solve this one.

 

In regards to local registration vs Azure B2C logon, I wished to follow best practices and so I believe I have successfully implemented B2C now.

 

The issue lies in how I phrased my original question. I should have asked: Is it possible to have external users register themselves by simply authenticating through Azure B2C using their own credentials?

And as such completely skipping the whole invite process.

 

As an example of the user flow we want to accomplish, I refer to how signing up to reddit.com works. 

[Screenshot 2021-01-26 110619.png: the reddit.com sign-up prompt]

When I click "continue with Google" on the sign up prompt, I am sent to Google OAuth and after selecting my account, my user is immediately created on Reddit. We want the same user experience for our end users, except with the external provider allowing them to use their own Azure credentials.

 

Exactly how this is accomplished with local registration or B2C, or something else entirely, really does not matter. 

Hi @pmarnason ,

You can configure your Azure B2C and portal to support a registration process without invites etc. In the configuration process of Azure B2C (https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-azure-ad-b2c-provider-m...) at step 6 you should configure Registration Claims mapping and Login Claims mapping with the proper fields (email, firstname and lastname) and toggle Contact mapping with email to make sure that if a contact already exists in the system it will be mapped properly by the email. Keep in mind that in your user flow in Azure B2C you need to configure additional claims (like firstname and lastname from the external provider), because by default the system only provides the email claim. If for some reason you cannot configure the Portal part in the new UI, you can do it with site settings. For that you can check my article about Open ID Connect configuration (https://www.dancingwithcrm.com/claims-mapping-for-openidconnect-for-portal/) - it is applicable for Azure B2C with the proper Site Settings name.

----------------------------------------------------
If you find this post helpful, consider marking it as a solution to help others find it.
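The claims-mapping step described in the reply above is where a portal-side "claims mapping set up wrong" symptom usually originates: if the B2C user flow emits only the email claim, any mapping entry that references given_name or family_name resolves to nothing. The following Python script is an added example, not code from this thread, from Microsoft or from the linked article. It decodes a constructed, unsigned test ID token, parses a claims-mapping setting in the "contact_attribute=claim,..." format the portal site settings use (the attribute names firstname, lastname and emailaddress1 and the claim names are assumptions), and reports which claims the token lacks. It does not verify signatures: a real B2C token is RS256-signed and must be validated against the tenant's signing keys before any claim in it is trusted.

```python
import base64
import json
from typing import Dict, List, Tuple

# Added example: constructed tokens only, nothing here talks to Azure AD B2C.
# Signature validation against the tenant's JWKS is assumed to have happened
# already; this code only inspects the claim set.


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(id_token: str) -> Dict:
    """Return the payload of a compact-serialised JWT (no signature check here)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def parse_claims_mapping(setting_value: str) -> Dict[str, str]:
    """Parse a portal claims-mapping setting: 'attribute=claim,attribute=claim,...'."""
    mapping: Dict[str, str] = {}
    for entry in setting_value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        attribute, sep, claim = entry.partition("=")
        if not sep or not attribute.strip() or not claim.strip():
            raise ValueError(f"malformed mapping entry: {entry!r}")
        mapping[attribute.strip()] = claim.strip()
    return mapping


def apply_claims_mapping(claims: Dict, mapping: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Resolve each contact attribute from the token; return (values, missing_claims)."""
    values: Dict[str, str] = {}
    missing: List[str] = []
    for attribute, claim in mapping.items():
        value = claims.get(claim)
        if value in (None, ""):
            missing.append(claim)
        else:
            values[attribute] = str(value)
    return values, missing


def make_test_token(payload: Dict) -> str:
    """Build a constructed, unsigned (alg=none) token for offline checks only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}."


# Constructed mapping in the site-setting format (attribute names are assumptions).
REGISTRATION_MAPPING = "firstname=given_name,lastname=family_name,emailaddress1=email"

# Constructed token resembling a default user flow that returns only the email claim.
DEFAULT_FLOW_TOKEN = make_test_token({
    "iss": "https://example.b2clogin.com/constructed-tenant/v2.0/",
    "sub": "constructed-object-id",
    "email": "user@example.com",
})

# Constructed token from a user flow configured to also return given_name/family_name.
EXTENDED_FLOW_TOKEN = make_test_token({
    "iss": "https://example.b2clogin.com/constructed-tenant/v2.0/",
    "sub": "constructed-object-id",
    "email": "user@example.com",
    "given_name": "Ada",
    "family_name": "Lovelace",
})


def check_token(id_token: str, mapping_setting: str = REGISTRATION_MAPPING) -> Tuple[Dict[str, str], List[str]]:
    """Apply a claims-mapping setting to a token and report unresolved claims."""
    return apply_claims_mapping(decode_claims(id_token), parse_claims_mapping(mapping_setting))


if __name__ == "__main__":
    for name, token in (("default flow", DEFAULT_FLOW_TOKEN), ("extended flow", EXTENDED_FLOW_TOKEN)):
        values, missing = check_token(token)
        print(f"{name}: mapped={values} missing_claims={missing}")
```

Run against the default-flow token the script reports given_name and family_name as missing, which is exactly the situation the reply warns about; once the user flow is configured to return those claims (the extended-flow token), every attribute in the mapping resolves. Pointing the same check at a token captured from your own flow (after signature validation) tells you whether the gap is in the user flow's claim configuration or in the portal mapping.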

I configured Registration Claims mapping and Login Claims mapping, toggled Contact mapping with email and also followed the instructions from your article.

 

Unfortunately, I am still at a complete loss.

 

First and foremost, users (both from our org and external) still get error AADSTS50020 when trying to register without having been invited beforehand in B2C:

[Screenshot: Test user from our organization is unable to register without an invitation]

 

If I do invite the user in B2C, it still appears as if I set up claims mapping wrong somehow, as you can see in this screenshot:

[Screenshot 2021-01-26 212527.png: registration form after B2C sign-in]

You might also note the form is asking for a verification code, despite Authentication/Registration/TwoFactorEnabled being set to false.

 

I will try to gather all necessary configurations here:

Spoiler (configuration screenshots):
[Screenshot 2021-01-26 213147.png]
[Screenshot 2021-01-26 213426.png]
[Screenshot 2021-01-26 213815.png]
[Screenshot 2021-01-26 213900.png]
[Screenshot 2021-01-26 213914.png]
[Screenshot 2021-01-26 214011.png]
[Screenshot 2021-01-26 214137.png]

 

Thank you in advance.

Hi @pmarnason,

Sorry for the long reply. Well, everything looks correct. I will try to set up a similar configuration and see if it will work. Meanwhile, maybe you will think about a workaround like allowing the user to register on the portal and automatically creating them in your Azure via a Power Automate flow (like in this article - https://powerapps.microsoft.com/en-us/blog/on-boarding-user-external-user-to-tenant-through-powerapp...).

----------------------------------------------------
If you find this post helpful, consider marking it as a solution to help others find it.
