cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
pmarnason
Helper I
Helper I

Is it possible to have external users SSO authenticate using their own AAD credentials?

We want to have clients authenticate using their own AAD credentials, so they don't have to remember yet another password just to use our product.

 

I came across this article which seems to indicate it is indeed possible, while searching on this forum hints at the opposite.

 

So is it possible?

 

EDIT: To make this first post seem less vague, here is some more information:

 

  • This is regarding AAD B2C, since that is recommended over using simply AAD
  • I am using Recommended user flows, since the Standard ones are deprecated in August
  • The B2C tenant as well as the portal environment are completely fresh (created in January)

Finally, I don't HAVE to use B2C nor Recommended user flows. I am only doing so because the documentations keep recommending to do that.

The single only business need we have, is that any user with a Microsoft school or work account should be able to register without entering any credentials, and with as few clicks as possible. So far any user we haven't invited to our B2C tenant beforehand will get an AADSTS50020 error upon using the user flow.

24 REPLIES 24

Thank you for your persistence. I really hope we can solve this one.

 

Also a big thank you for this link, I was well aware of something like this being a good second best choice, but I had yet to find such a 1:1 applicable article to my particular issue.

Hi @pmarnason ,

For now, I didn't have the possibility to try to setup azure b2c myself - really busy times. Meanwhile, I noticed one thing regarding the verification code. That is part of azure b2c functionality and cannot be configured from the powerapps portal side. See this official doc on how to disable it from azure b2c side (https://docs.microsoft.com/en-us/azure/active-directory-b2c/disable-email-verification?pivots=b2c-us...). .Also please check out this official how-to about using multi-tenant azure ad with azure b2c - https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant

----------------------------------------------------
If you find this post helpful consider marking it as a solution to help others find it.

Thank you so much, I successfully disabled email verification. 

 

I also finally managed to get a claim to successfully work, namely the email field. I had to add "email" to the scope field when configuring my identity provider, without having to change anything else.

Screenshot 2021-02-01 184845.png

 

So that raises the question: While email works as intended why are the given_name and family_name claims not being mapped to their Dataverse fields?

 

My config still looks like this:

Screenshot 2021-02-01 185347.png


I still have no idea why I have to invite guests to the B2C tenant before they can register on the portal. Only these two issues remain, but having to invite guests is definitely the worst offender.

Hi @pmarnason,

Which user flow did you choose? I've used the Sign up & sign in (v2) flow multiple times without ever requiring an invitation. If yours is similar, you should be able to run the user flow directly from the B2C directly like so:

justinburch_0-1612209074044.png

It typically shows the "signin" as:

justinburch_1-1612209105080.png

Clicking "Sign up now" would take you to the registration page, no invitation required.

Note that additional providers (Google, Twitter, etc) are additional steps to configure.

 

Edit: Also note for Claims Mapping, unless things have changed it'll be value:

firstname=Given Name,lastname=Surname,....

I am using a sign up and sign in userflow, specifically the Recommended version since the Standard will be deprecated in August.

Screenshot 2021-02-02 112548.png

 

With that being said, I realize the start of the thread is a bit vague but I am not trying to use B2C local accounts, because that means my users have to remember a password. (Yes, I know they could add their Azure accounts as a social media account afterwards, but I don't want local+AD accounts I simply want AD to make it simpler for everyone involved. This also means that I expect a completely new user to simply register by logging in with their external AD account, without having to to invite them through AAD B2C beforehand.

 

Man, you really made my heart jump there for a second. For the first time in many days, you show me something about claims that is unlike everything else I have read in the various documentations and guides. With that being said, it is very clearly not happy with those spaces in the claims configuration and it would not even save with those settings, so I guess it has indeed changed since you last used it.

Screenshot 2021-02-02 113216.png

pmarnason
Helper I
Helper I

When I open my openID configuration through https://login.microsoftonline.com/{tenantID}/v2.0/.well-known/openid-configuration?appid={appID} I get the following JSON:

 

 

{
   "token_endpoint":"https://login.microsoftonline.com/517bbe56-XXXX-XXXX-XXXX-b8d280dceeaf/oauth2/v2.0/token",
   "token_endpoint_auth_methods_supported":[
      "client_secret_post",
      "private_key_jwt",
      "client_secret_basic"
   ],
   "jwks_uri":"https://login.microsoftonline.com/517bbe56-XXXX-XXXX-XXXX-b8d280dceeaf/discovery/v2.0/keys?appid=df5cdf23-XXXX-XXXX-XXXX-de80f6ea82b3",
   "response_modes_supported":[
      "query",
      "fragment",
      "form_post"
   ],
   "subject_types_supported":[
      "pairwise"
   ],
   "id_token_signing_alg_values_supported":[
      "RS256"
   ],
   "response_types_supported":[
      "code",
      "id_token",
      "code id_token",
      "id_token token"
   ],
   "scopes_supported":[
      "openid",
      "profile",
      "email",
      "offline_access"
   ],
   "issuer":"https://login.microsoftonline.com/517bbe56-XXXX-XXXX-XXXX-b8d280dceeaf/v2.0",
   "request_uri_parameter_supported":false,
   "userinfo_endpoint":"https://graph.microsoft.com/oidc/userinfo",
   "authorization_endpoint":"https://login.microsoftonline.com/517bbe56-XXXX-XXXX-XXXX-b8d280dceeaf/oauth2/v2.0/authorize",
   "device_authorization_endpoint":"https://login.microsoftonline.com/517bbe56-XXXX-XXXX-XXXX-b8d280dceeaf/oauth2/v2.0/devicecode",
   "http_logout_supported":true,
   "frontchannel_logout_supported":true,
   "end_session_endpoint":"https://login.microsoftonline.com/517bbe56-XXXX-XXXX-XXXX-b8d280dceeaf/oauth2/v2.0/logout",
   "claims_supported":[
      "sub",
      "iss",
      "cloud_instance_name",
      "cloud_instance_host_name",
      "cloud_graph_host_name",
      "msgraph_host",
      "aud",
      "exp",
      "iat",
      "auth_time",
      "acr",
      "nonce",
      "preferred_username",
      "name",
      "tid",
      "ver",
      "at_hash",
      "c_hash",
      "email"
   ],
   "tenant_region_scope":"EU",
   "cloud_instance_name":"microsoftonline.com",
   "cloud_graph_host_name":"graph.windows.net",
   "msgraph_host":"graph.microsoft.com",
   "rbac_url":"https://pas.windows.net"
}

 

 

As you can see here, under claims_supported there is no given_name nor family_name. Email is there, explaining why claims mapping for the email attribute works.

 

Hopefully this can point us in the right direction, I don't really know where to look as of now.

 

EDIT: It is especially weird, since the "name" field needs the profile scope, so profile scope has definitely been activated. 

Ahh, yes, my B2C is a few years old from one of my first POC implementations. My claims show as:

  "claims_supported": [
    "city",
    "given_name",
    "family_name",
    "idp",
    "emails",
    "extension_MiddleName",
    "sub",
    "tfp",
    "iss",
    "iat",
    "exp",
    "aud",
    "acr",
    "nonce",
    "auth_time"
  ]

To be honest, I haven't worked with the external providers through B2C, so perhaps that's why your claims aren't working as I'd expect. However, looking at the documentation, it should still be working with the way you originally expected. I assume you've used this, then:

Tutorial: Add identity providers to your apps - Azure AD B2C | Microsoft Docs

Unfortunately, this might be more of an Azure B2C need than a Portal need, but I could still be wrong.

Yeah, I have seen/used that tutorial.

 

If you look in your B2C app's manifest, is your "optionalClaims" empty? On mine it is simply null.

 

At this point, I have been around the block quite a few times, there are some inconsistencies with the documentation and the actual implementation, as well as many linked articles that have been removed from docs.microsoft.com. I get the feeling that I have begun tackling this issue in a very unfortunate period where experts are recommending to use the new tools in favor of the ones being deprecated soon (B2C in favor of normal AD, "Recommended" user flows in favor of v1/v2, OAuth 2.0 in favor of 1.0), without these new tools having accurate user documentation ready. 

 

But we are losing sight of the real issue here! To be honest I can live without mapping other claims than email, and although this thread is not directly related to my issue, it seems to hint at it being impossible now, I don't know. It's very technical and my head is mushy after trying to solve this single issue for so many weeks.

 

So the main issue that remains is:

 

How can I configure B2C so that ANYONE is allowed to register through the user flow on my portal.

pmarnason
Helper I
Helper I

I added a comment, but it just was removed out of nowhere. That's weird.

 

I'll wait a bit to see if it shows up again, or else I'll have to try and rewrite it.

No worries, I got the email for the reply. For the thread, here is @pmarnason's missing comment:

Yeah, I have seen/used that tutorial.

If you look in your B2C app's manifest, is your "optionalClaims" empty? On mine it is simply null.

At this point, I have been around the block quite a few times, there are some inconsistencies with the documentation and the actual implementation, as well as many linked articles that have been removed from docs.microsoft.com. I get the feeling that I have begun tackling this issue in a very unfortunate period where experts are recommending to use the new tools in favor of the ones being deprecated soon (B2C in favor of normal AD, "Recommended" user flows in favor of v1/v2, OAuth 2.0 in favor of 1.0), without these new tools having accurate documentation ready. 

But we are losing sight of the real issue here! To be honest I can live without mapping other claims than email, and although this thread is not directly related to my issue, it seems to hint at it being impossible now, I don't know. It's very technical and my head is mushy after trying to solve this single issue for so many weeks. 

So the main issue that remains is:

How can I configure B2C so that ANYONE is allowed to register through the user flow on my portal.

Helpful resources

Announcements
Microsoft 365 Conference – December 6-8, 2022

Microsoft 365 Conference – December 6-8, 2022

Join us in Las Vegas to experience community, incredible learning opportunities, and connections that will help grow skills, know-how, and more.

MPP IDEAS updated 768x460.png

Ideas

Discover ideas and concepts from users like you for how to use Power Pages and take your work to the next level.

Top Solution Authors
Users online (4,663)