Reputation: 1856
How to add multi domain user emails to Azure AD
We have three differnt websites and we want to use Azure AD for the purpose of single sign on. My question is how do I add users to Azure AD (via API) who could have differnt emails such as [email protected], [email protected], [email protected], etc
When I try to add users with these emails to Azure via API, I get the error:
Property userPrincipalName is invalid.
If however I add users with azure tenant name (like [email protected]), they are added fine.
I searched in forums and google but to no avail.
So is there any way to add users having gmail/yahoo/outlook/other email addresses to Azure AD using API ?
Thanks
Upvotes: 5
Views: 4593
Answers (3)
Reputation: 23444
There are two options here:
- B2B Azure AD Tenant - where You add those users as guests. Your guests can be External AAD accounts, MSA Accounts, and you can setup federation for Google easily, and others. You can also enable "passcode" authentication to allow any email to be used without signup. They are emailed a one-time passcode that works for 30 days.
- B2C Azure AD Tenant - This is where you are creating an authentication for a public site and want folks to use any email. It is presetup with lots of federation for you to configure.
From https://learn.microsoft.com/en-us/azure/active-directory/external-identities/compare-with-b2c as of 2021/04/20
What are External Identities in Azure Active Directory?
With External Identities in Azure AD, you can allow people outside your organization to access your apps and resources, while letting them sign in using whatever identity they prefer. Your partners, distributors, suppliers, vendors, and other guest users can "bring their own identities." Whether they have a corporate or government-issued digital identity, or an unmanaged social identity like Google or Facebook, they can use their own credentials to sign in. The external user’s identity provider manages their identity, and you manage access to your apps with Azure AD to keep your resources protected.
External Identities scenarios
Azure AD External Identities focuses less on a user's relationship to your organization and more on how the user wants to sign in to your apps and resources. Within this framework, Azure AD supports a variety of scenarios from business-to-business (B2B) collaboration to access management for consumer/customer- or citizen-facing applications (business-to-customer, or B2C).
Share your apps and resources with external users (B2B collaboration). Invite external users into your own tenant as "guest" users that you can assign permissions to (for authorization) while letting them use their existing credentials (for authentication). Users sign in to the shared resources using a simple invitation and redemption process with their work, school, or other email account. You can also use Azure AD entitlement management to configure policies that manage access for external users. And now with the availability of self-service sign-up user flows, you can allow external users to sign up for applications themselves. The experience can be customized to allow sign-up with a work, school, or social identity (like Google or Facebook). You can also collect information about the user during the sign-up process. For more information, see the Azure AD B2B documentation.
Build user journeys with a white-label identity management solution for consumer- and customer-facing apps (Azure AD B2C). If you're a business or developer creating customer-facing apps, you can scale to millions of consumers, customers, or citizens by using Azure AD B2C. Developers can use Azure AD as the full-featured Customer Identity and Access Management (CIAM) system for their applications. Customers can sign in with an identity they already have established (like Facebook or Gmail). With Azure AD B2C, you can completely customize and control how customers sign up, sign in, and manage their profiles when using your applications. For more information, see the Azure AD B2C documentation.
Compare External Identities solutions
The following table gives a detailed comparison of the scenarios you can enable with Azure AD External Identities.
| External user collaboration (B2B) | Access to consumer/customer-facing apps (B2C) | |
|---|---|---|
| Primary scenario | Collaboration using Microsoft applications (Microsoft 365, Teams, etc.) or your own applications (SaaS apps, custom-developed apps, etc.). | Identity and access management for modern SaaS or custom-developed applications (not first-party Microsoft apps). |
| Intended for | Collaborating with business partners from external organizations like suppliers, partners, vendors. Users appear as guest users in your directory. These users may or may not have managed IT. | Customers of your product. These users are managed in a separate Azure AD directory. |
| Identity providers supported | External users can collaborate using work accounts, school accounts, any email address, SAML and WS-Fed based identity providers, Gmail, and Facebook. | Consumer users with local application accounts (any email address or user name), various supported social identities, and users with corporate and government-issued identities via direct federation. |
| External user management | External users are managed in the same directory as employees, but are typically annotated as guest users. Guest users can be managed the same way as employees, added to the same groups, and so on. | External users are managed in the Azure AD B2C directory. They're managed separately from the organization's employee and partner directory (if any). |
| Single sign-on (SSO) | SSO to all Azure AD-connected apps is supported. For example, you can provide access to Microsoft 365 or on-premises apps, and to other SaaS apps such as Salesforce or Workday. | SSO to customer owned apps within the Azure AD B2C tenants is supported. SSO to Microsoft 365 or to other Microsoft SaaS apps isn't supported. |
| Security policy and compliance | Managed by the host/inviting organization (for example, with Conditional Access policies). | Managed by the organization via Conditional Access and Identity Protection. |
| Branding | Host/inviting organization's brand is used. | Fully customizable branding per application or organization. |
| Billing model | External Identities pricing based on monthly active users (MAU). (See also: B2B setup details) |
External Identities pricing based on monthly active users (MAU). (See also: B2C setup details) |
| More information | Blog post, Documentation | Product page, Documentation |
Secure and manage customers and partners beyond your organizational boundaries with Azure AD External Identities.
About multitenant applications
If you're providing an app as a service and you don't want to manage your customers' user accounts, a multitenant app is likely the right choice for you. When you develop applications intended for other Azure AD tenants, you can target users from a single organization (single tenant), or users from any organization that already has an Azure AD tenant (multitenant applications). App registrations in Azure AD are single tenant by default, but you can make your registration multitenant. This multitenant application is registered once by yourself in your own Azure AD. But then any Azure AD user from any organization can use the application without additional work on your part. For more information, see Manage identity in multitenant applications, How-to Guide.
Upvotes: 0
Reputation: 164
AAD supports consumer owned accounts through guest flows with MSA. So, your users can create an MSA for their @yahoo or @gmail account (the @outlook account is already an MSA). Then, you can invite the user to be a guest in your tenant using the Azure portal (just as you would invite an AAD user from another tenant to be a guest). See: https://azure.microsoft.com/en-us/documentation/articles/active-directory-create-users/.
Upvotes: 0
Reputation: 3744
Short answer: you can't. Azure AD will support only users whose domain name is your own onmicrosoft.com domain, or that have an email address for a custom domain for which you have the rights to represent. If you expect people to signup with @yahoo or @gmail, etc addresses, Azure AD is not the directory you are looking for.
Upvotes: 3
Related Questions
- How to add multiple custom domain to Azure Storage Account hosting static website?
- How to retrieve Azure AD users with an alternate email address?
- How can I link multiple email address to one user in Azure DevOps?
- Directory Sync AD Connect multiple Domains
- Adding MS Outlook email box to the AAD Users after migration domain to Azure
- How to configure email address for a user in Microsoft Azure AD?
- Azure AD B2C - Is there a way to configure single email address instead of multiple email address
- Add the same domain user account to two Azure AD Domains
- Azure, login to separate accounts with one email
- Windows Azure and multiple storage accounts