Vivere

Reputation: 2280

Azure AD as an OpenID Connect Provider for an Azure ADB2C

I have an Azure AD named FOO where I have a bunch of users. I created an Azure ADB2C as a Resource inside the FOO directory, named BAR, in which I want to signUp/signIn users. However, if you are already a user in FOO I want you to be able to connect via an Identity Provider.

Is this possible? I did not manage to make this work. I'm currently following these docs:

1 This seems like it works for FOO AD for FOO ADB2C.

2 This seems like it would fit my scenario.

3 This seems like it would work for FOO ADB2C to BAR ADB2C.

Even though the second doc fits my scenario, I see that it's mandatory to use custom policies, which I'm not a fan of. Is there any workaround? Has anybody faced this scenario before?

Upvotes: 0

Views: 761

Answers (2)

jskop

Reputation: 26

You can also add a custom OIDC identity provider:

  1. In your FOO directory, register a new app that will represent AAD B2C, and generate a client secret (don't forget to save it somewhere). This and the application ID need to be added in the next step.
  2. Add a new identity provider in the BAR tenant as OIDC (Identity providers on the LHS).
  3. In the metadata field paste https://login.microsoftonline.com/FOO.onmicrosoft.com/v2.0/.well-known/openid-configuration
  4. Set FOO for domain hint, oid for user ID, name for display name, given_name for given name, family_name for surname and unique_name for email (that is in my case).

After that you should be able to choose your FOO tenant as an additional button in your user flow, just like Google, Facebook or whatever you have there.

The other option is to use custom policies.

Upvotes: 1
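As an added example (not part of the answer above, and not Microsoft's code), the script below checks the two things a practitioner should verify before trusting the setup in steps 1 to 4: that the metadata URL is scoped to the FOO tenant rather than the `common`/`organizations` endpoints (which would let any Azure AD work account into BAR), and that the `iss`/`tid` of an ID token issued by FOO really match the discovery document's `issuer`. It then applies the claim mapping from step 4. The tenant ID, app ID, discovery document and token payload are constructed sample data; the email mapping falls back to `preferred_username` and `email` when `unique_name` is absent, because which claim carries the address depends on the tokens your tenant issues, so check a real token before relying on it.

```python
"""Sanity checks for using Azure AD tenant FOO as an OIDC identity provider
for Azure AD B2C tenant BAR. All sample data below is constructed."""
from urllib.parse import urlparse

# Tenant placeholders that accept logins from any Azure AD tenant. Pointing the
# B2C identity provider at one of these means BAR trusts every work account,
# not only FOO users.
MULTI_TENANT_SEGMENTS = {"common", "organizations", "consumers"}

# Claim mapping from step 4: B2C attribute -> OIDC claims to try, in order.
CLAIM_MAP = {
    "userId": ["oid"],
    "displayName": ["name"],
    "givenName": ["given_name"],
    "surname": ["family_name"],
    "email": ["unique_name", "preferred_username", "email"],
}

# Constructed sample data (hypothetical IDs, not real tenants or apps).
SAMPLE_TENANT_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_B2C_APP_ID = "99999999-8888-7777-6666-555555555555"  # app from step 1
SAMPLE_METADATA_URL = ("https://login.microsoftonline.com/FOO.onmicrosoft.com"
                       "/v2.0/.well-known/openid-configuration")
SAMPLE_METADATA = {  # shape of the v2.0 discovery document for one tenant
    "issuer": f"https://login.microsoftonline.com/{SAMPLE_TENANT_ID}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{SAMPLE_TENANT_ID}/oauth2/v2.0/authorize",
    "jwks_uri": f"https://login.microsoftonline.com/{SAMPLE_TENANT_ID}/discovery/v2.0/keys",
}
SAMPLE_CLAIMS = {  # payload of an ID token FOO would issue to the step-1 app
    "iss": SAMPLE_METADATA["issuer"],
    "aud": SAMPLE_B2C_APP_ID,
    "tid": SAMPLE_TENANT_ID,
    "oid": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "name": "Jane Doe",
    "given_name": "Jane",
    "family_name": "Doe",
    "preferred_username": "jane@FOO.onmicrosoft.com",
}


def tenant_segment(metadata_url: str) -> str:
    """Return <tenant> from https://login.microsoftonline.com/<tenant>/v2.0/..."""
    parts = urlparse(metadata_url)
    path = [p for p in parts.path.split("/") if p]
    if parts.scheme != "https" or parts.netloc != "login.microsoftonline.com" or len(path) < 2:
        raise ValueError(f"unexpected metadata URL: {metadata_url}")
    return path[0]


def metadata_is_single_tenant(metadata_url: str) -> bool:
    """True only if the discovery URL is pinned to one tenant (domain or GUID)."""
    return tenant_segment(metadata_url).lower() not in MULTI_TENANT_SEGMENTS


def token_is_from_tenant(claims: dict, metadata: dict, client_id: str) -> bool:
    """The token's iss must equal the discovery issuer, carry the same tid, and
    be addressed to the app registered in step 1."""
    iss = claims.get("iss", "")
    if iss != metadata.get("issuer"):
        return False
    tid = claims.get("tid")
    if tid is None or f"/{tid}/" not in iss:
        return False
    return claims.get("aud") == client_id


def map_claims(claims: dict) -> dict:
    """Apply the step-4 mapping; fail loudly if a required claim is missing."""
    mapped = {}
    for attr, candidates in CLAIM_MAP.items():
        for claim in candidates:
            if claim in claims:
                mapped[attr] = claims[claim]
                break
        else:
            raise KeyError(f"no claim for B2C attribute {attr!r}; tried {candidates}")
    return mapped


if __name__ == "__main__":
    print("single tenant:", metadata_is_single_tenant(SAMPLE_METADATA_URL))
    print("token from FOO:", token_is_from_tenant(SAMPLE_CLAIMS, SAMPLE_METADATA, SAMPLE_B2C_APP_ID))
    print("B2C attributes:", map_claims(SAMPLE_CLAIMS))
```

The issuer check also catches a subtle misconfiguration: the `common` discovery document publishes a literal `{tenantid}` placeholder as its issuer, so a real token never matches it and the mismatch surfaces immediately instead of silently admitting users from other tenants.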

juunas

Reputation: 58898

Since you are using a signin flow, Azure AD B2C is expecting the user object to exist in the B2C directory.

You'll have to either:

  1. Use a signin/signup flow that makes B2C create the user if it does not already exist
  2. Use a custom policy that allows local users to sign in and creates user objects for your AAD users if they don't exist yet

Upvotes: 0
