Reputation: 1018
I am building a multi-tenant SaaS app backed by Azure AD B2C and using groups as my tenants. I am now building an admin app to manage the tenants, and the only people who should be able to use it are the users in my company AD instance. I have created a sign-in user flow with my Azure AD as the only identity provider and have registered the apps. The user flow works, except I get an AADB2C99002 error returned saying I don't exist in the B2C instance. The problem is that I do exist in the B2C instance, because I created it and I am the Global Admin for it. I know the docs say that you need to sign up first before you can sign in with an external identity provider, but like I said, I do have an account already and it is linked to my company AD instance.
Can anyone shed some light on why the B2C instance thinks I don't exist?
Right now I am mulling over my options if I can't find out what the issue is. As I see it there are 2, but I'm not sure either will work.
1) Create a combined sign-up / sign-in policy and delete it after I sign up. Not sure if it will create a duplicate user.
2) Create a custom sign-in policy. Not sure if this would fix the problem.
Upvotes: 1
Views: 2833
Reputation: 14654
If you're aiming to allow a work account (e.g. a local user that is assigned to the global administrator role) or a guest account (e.g. an external user that is assigned to the global administrator role), then you can configure your administration application with Azure AD (not Azure AD B2C) authentication.
To allow for this, you must register your administration application through the Azure AD blade (not the Azure AD B2C blade) in your Azure AD B2C tenant.
Confusing? Yes :), but it does work, if this is what you need to do.
Upvotes: 0
Reputation: 58773
Ah, this is actually a bit confusing for people I think. The user you have there now is not a B2C user, so it doesn't find it.
It sounds like you'll need a sign-up policy, or a custom sign-in policy that creates the user if it doesn't exist.
You should be able to create the users ahead of time with a script: https://learn.microsoft.com/en-us/previous-versions/azure/ad/graph/api/users-operations#CreateLocalAccountUser.
Beginning with version 1.6, Graph API supports creating local and social account users for Azure Active Directory B2C tenants. Unlike users associated with a work or school account, which require sign-in with an email address that contains one of the tenant's verified domains, local account users support signing in with app-specific credentials; for example, with a 3rd-party email address or an app-specific user name. Social account users sign in using popular social identity providers such as Facebook, Google, LinkedIn or Microsoft Account.
If you are not sure what values to put there, you can make a quick sign-up policy, sign up with your user, and observe the data in the AAD Graph API.
Upvotes: 1
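One way to pre-create the B2C local accounts the answer above refers to, as an added example that is not code from the original post or from Microsoft: a Python script that builds the AAD Graph v1.6 request body for a local account user and POSTs it to the users endpoint. The tenant name, the sample email address and the GRAPH_TOKEN environment variable are assumptions; the access token has to come from an app registration with directory write permission, and token acquisition is left out. The body follows the v1.6 document the answer links to (creationType, signInNames, passwordProfile); note that the AAD Graph endpoint (graph.windows.net) has since been retired in favour of Microsoft Graph, where the same information lives under an identities collection instead of signInNames.

```python
import json
import os
import secrets
import string
import urllib.request

# Hypothetical tenant; replace with your own B2C tenant name (assumption).
B2C_TENANT = "contoso.onmicrosoft.com"
GRAPH_BASE = "https://graph.windows.net"
API_VERSION = "1.6"

SYMBOLS = "!@#$%^&*"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def generate_password(length=20):
    """Random initial password that satisfies the default Azure AD complexity
    rule (lower, upper, digit and symbol), so the create call is not rejected
    and no password is hardcoded in the script."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def build_local_account_user(display_name, email, password=None):
    """Return the AAD Graph v1.6 request body for a B2C local account.

    A local account signs in with the credentials listed in signInNames, not
    with a verified-domain UPN; that is why a work account created through the
    Azure AD blade is invisible to a B2C sign-in policy.
    """
    if "@" not in email:
        raise ValueError("sign-in name must be an email address")
    if password is None:
        password = generate_password()
    return {
        "accountEnabled": True,
        "creationType": "LocalAccount",  # marks this as a B2C local account
        "displayName": display_name,
        "passwordProfile": {
            "password": password,
            # B2C user flows do not support a forced change at next sign-in;
            # the B2C docs direct this to be false.
            "forceChangePasswordNextLogin": False,
        },
        # Without this the initial password expires under the tenant policy
        # and the user is locked out of the sign-in flow.
        "passwordPolicies": "DisablePasswordExpiration",
        "signInNames": [{"type": "emailAddress", "value": email}],
    }


def users_url(tenant):
    return f"{GRAPH_BASE}/{tenant}/users?api-version={API_VERSION}"


def create_local_account_user(tenant, access_token, body):
    """POST the body to AAD Graph and return the created user object.
    access_token must carry directory write permission for the tenant."""
    req = urllib.request.Request(
        users_url(tenant),
        data=json.dumps(body).encode(),
        method="POST",
        headers={
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample input; the token is read from the environment rather
    # than stored in the script.
    token = os.environ.get("GRAPH_TOKEN")
    body = build_local_account_user("Admin User", "admin@example.com")
    print(json.dumps(body, indent=2))
    if token:
        created = create_local_account_user(B2C_TENANT, token, body)
        print("created objectId:", created["objectId"])
```

Run it without GRAPH_TOKEN to inspect the body it would send; with a token it creates the user and prints the new objectId. The same script can be used to check the observed sign-up data the answer mentions against what you plan to send.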