Montané Hamilton

Reputation: 567

Does Resource Owner Password Credentials Flow Work with Accounts from External Identity Providers?

Following the directions here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-ropc

I'm able to get the ROPC user flow working, and testing it from the Azure Portal nets the desired response from the openid-configuration URL.

When moving to the token endpoint and posting a username and password of an existing account, I keep getting the following response.

{"error":"access_denied","error_description":"AADB2C90225: The username or password provided in the request are invalid.\r\nCorrelation ID: a3f930ac-b077-441c-aeec-c15d9319989a\r\nTimestamp: 2019-03-13 03:32:38Z\r\n"}

The account is found in the directory but in this case is a Microsoft Account.


Assuming the username and password are right (it's a well-known account and the credentials have been verified), is it that accounts from external identity providers are just not supported?

Upvotes: 0

Views: 423

Answers (1)

Chris Padgett

Reputation: 14724

The resource owner password credentials flow validates the user credentials that are managed by Azure AD B2C, i.e. credentials for the local account users, not those that are managed by an external identity provider that is registered with Azure AD B2C.

(For information about how the built-in flow is implemented, refer to the https://learn.microsoft.com/en-us/azure/active-directory-b2c/ropc-custom article, which describes how it is implemented using a custom policy.)

Upvotes: 1
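
A troubleshooting sketch for the situation in this thread, added here as an example; it is not code from the question, the answer, or Microsoft's documentation. It parses the AADB2C90225 response quoted in the question and checks whether the account has a local identity at all. The user records are constructed, the function names are hypothetical, and treating the `signInType` values `emailAddress` and `userName` as the marker of a local account is an assumption.

```python
import json
import re

# Error body copied from the question on this page.
SAMPLE_ERROR = r'{"error":"access_denied","error_description":"AADB2C90225: The username or password provided in the request are invalid.\r\nCorrelation ID: a3f930ac-b077-441c-aeec-c15d9319989a\r\nTimestamp: 2019-03-13 03:32:38Z\r\n"}'

# Constructed user records shaped like Microsoft Graph "identities" (values made up).
LOCAL_USER = {"identities": [{"signInType": "emailAddress",
    "issuer": "contoso.onmicrosoft.com", "issuerAssignedId": "alice@example.com"}]}
FEDERATED_USER = {"identities": [{"signInType": "federated",
    "issuer": "idp.example", "issuerAssignedId": "constructed-subject-id"}]}

# Assumption: these sign-in types mark a local account whose password B2C stores.
LOCAL_SIGN_IN_TYPES = {"emailAddress", "userName"}


def parse_b2c_error(body):
    """Split a B2C token-endpoint error into code, message, correlation ID, timestamp."""
    doc = json.loads(body)
    out = {"error": doc.get("error"), "code": None, "message": None,
           "correlation_id": None, "timestamp": None}
    for line in doc.get("error_description", "").splitlines():
        line = line.strip()
        m = re.match(r"(AADB2C\d+):\s*(.*)", line)
        if m:
            out["code"], out["message"] = m.groups()
        elif line.startswith("Correlation ID:"):
            out["correlation_id"] = line.split(":", 1)[1].strip()
        elif line.startswith("Timestamp:"):
            out["timestamp"] = line.split(":", 1)[1].strip()
    return out


def has_local_identity(user):
    """True when at least one identity is a local (B2C-managed) sign-in."""
    return any(i.get("signInType") in LOCAL_SIGN_IN_TYPES
               for i in user.get("identities", []))


def diagnose(body, user):
    """Explain an ROPC failure using the error code and the account's identities."""
    err = parse_b2c_error(body)
    if err["code"] != "AADB2C90225":
        return "unhandled error: " + str(err["code"] or err["error"])
    if not has_local_identity(user):
        return "no local identity: B2C holds no password to validate, ROPC cannot succeed"
    return "local identity present: check the submitted username and password"
```

The correlation ID and timestamp returned by `parse_b2c_error` are the values to quote when matching the failure against sign-in logs or a support request.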
