Share local accounts between two AAD B2C tenants

Patrizio Trinchini 21 Reputation points
2020-01-24T10:50:36.527+00:00

I followed the documentation about multi-tenant AAD external identy providers and created a test bed with a main tenant with AAD Connect (to provide access to internal users) and two secondary tenants, each with a private AAD B2C (to provide access to external customers).

I registered both the secondary tenants on the main tenant by creating two App registrations, each with its own client certificate, and enabled the custom policy framework on one of the two secondary tenants. With this configuration I'm able to complete the SignUp flow of a new user on one of the AAD B2C (the one without custom policy) but when I try to login with this account on the second AAD B2C, i.e. when I try to login with the custom flow that I have exposed on the login form, I'm redirected to the Microsoft login page and I can only provide my corporate credentials, not the credentials of the customer registered on the first tenant.
Any idea about the reason of this unexpected behavior?

Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,966 questions
0 comments No comments
{count} votes

Accepted answer
  1. AmanpreetSingh-MSFT 56,701 Reputation points
    2020-01-28T04:48:02.727+00:00

    @Patrizio Trinchini Yes, you can register AAD B2C tenant as OIDC Identity Provider on another AAD B2C but you will only be able to use standard Azure AD functionality and you will be able to login by using only those accounts which are created by Azure AD > Create User option. You will not be able to login with signed up user.

    Below is the allowed OIDC metadata url to add custom OIDC IDP. This endpoint is for standard AAD:
    https://login.microsoftonline.com/yourtenant.onmicrosoft.com/v2.0/.well-known/openid-configuration

    Below is the OIDC metadata url for B2C which includes policy name as well and requires for signed-up users. If you specify this endpoint while trying to add custom OIDC IDP,you will get an error that the endpoint is invalid.
    https://yourtenant.b2clogin.com/yourtenant.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_SignupOrSignin

    I would suggest you to migrate the users to a single B2C Tenant. You may refer to https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-user-migration?tabs=applications for this purpose.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept as answer" wherever the information provided helps you to help others in the community.

    2 people found this answer helpful.

1 additional answer

Sort by: Most helpful
  1. AmanpreetSingh-MSFT 56,701 Reputation points
    2020-01-27T03:48:30.48+00:00

    @Patrizio Trinchini Adding multi-tenant AAD as identity provider to Azure AD B2C is intended for standard Azure AD tenants and not for B2C tenants. It can work with B2C tenant only if you are creating user accounts in B2C directory, the same way you create in standard Azure AD tenants and not by signing-up for new user account. In short it will work for B2C tenant if the sign-in name is username@yourB2C_tenant.onmicrosoft.com or username@VerifiedDomainInYourB2Ctenant.com.

    Cause:
    When you click on the button for "Multi-tenant AAD external identity providers" which is created as part of User flow/Custom Policy that you have configured, you get redirected to https://login.microsoftonline.com/common endpoint. The common endpoint is used when it is not known which tenant the request should be forwarded to. The target tenant is
    determined on the basis of the domain name supplied as UPN suffix.

    Now, if you are using User flow/Custom Policy and creating user account by signing up using email method or Social IDP, the sign-in name can be user@gmail.com or user@your_org.com for example. Which will not help in discovery of the tenant where your user account resides. On the other hand if the sign-in name is username@yourB2C_tenant.onmicrosoft.com or username@VerifiedDomainInYourB2Ctenant.com, tenant can be discovered.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept as answer" wherever the information provided helps you to help others in the community.

    2 people found this answer helpful.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.