ΩmegaMan

Reputation: 31656

Create a New User For Federated Account in B2C

I am failing to add an OpenId account to B2C using Microsoft Graph. What needs to be done to do an add operation?


B2C Setup as TestB2C

In Azure B2C, the OpenID Connect (to my company's Azure AD) is set up as an Identity Provider.

Azure B2C with target AD as an OpenID Connect

For this example, take the blurred-out B2C above to be TestB2C.onmicrosoft.com and the target OpenID to be "Corporate AD".


Graph Call To Insert User into B2C

{
  "accountEnabled": true,
  "displayName": "OmegaMan",
  "mailNickname": "OmegaM",
  "identities": [
    {
      "signInType": "userName",
      "issuer": "TestB2C.onmicrosoft.com",
      "issuerAssignedId": "[email protected]"
    },
    {
      "signInType": "emailAddress",
      "issuer": "TestB2C.onmicrosoft.com",
      "issuerAssignedId": "[email protected]"
    },
    {
      "signInType": "federated",
      "issuer": "Corporate.com",
      "issuerAssignedId": "6ab...34"
    }
  ],
  "passwordProfile": {
    "forceChangePasswordNextSignIn": false
  }
}

The issuerAssignedId is from the settings placed in the Identity Providers section for the OpenId Connect. When I attempt to insert said user, I get this current error:

   ...
   "error": {
        "code": "Request_BadRequest",
        "message": "A password must be specified to create a new user.",
    ...

This does not make sense for a federated user. Note that in a different add operation for an "email user", this process works, with different settings. What is missing in order to add a federated user?

Upvotes: 1

Views: 437

Answers (2)

ΩmegaMan

Reputation: 31656

I was able to circumvent the user "Sign-Up" after user insertion. The issue turned out to be that, for proper federation to occur, the proper values need to be in place.

  "identities": [
    {
      "signInType": "federated",
      "issuer": "https://login.microsoftonline.com/XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX/v2.0",
      "issuerAssignedId": "YYYYYYYYY-YYYY-YYYY-YYYY-YYYYYYYYYYYY"
    }
  ]

What was happening was that I was using "issuer": "myDomain.com", which was not resolving correctly to do a login, so the user then had to "SignUp" via the federated IP and ended up with two logins.

By changing the issuer from a DNS-readable name to the Microsoft login URL with my AD directory's ID (the number provided when switching domains in Azure, XXXX-XXX ... btw), and also using a proper issuerAssignedId, found from the originating AD issuer, it worked and the user was added.

Upvotes: 0

rbrayb

Reputation: 46720

For a federated user, "accountEnabled" is false.

Upvotes: 1
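The two answers above together describe what a working federated-user payload looks like: the federated identity's issuer is the source tenant's `https://login.microsoftonline.com/<tenant-id>/v2.0` endpoint rather than a bare DNS name, the issuerAssignedId is the identifier the source directory issued for the user, and accountEnabled is false. The following is an added example, not code from either answerer; it builds such a payload, lints it for the mistakes discussed in the question (bare-domain issuer, non-GUID issuerAssignedId, accountEnabled true), and posts it to Graph through an injectable transport so it can be exercised offline. The tenant ID, object ID and the GUID shape of issuerAssignedId are assumptions for illustration; the tenant and object IDs are placeholders, not real values.

```python
import json
import re
import urllib.request
from typing import Callable, Optional

# Constructed placeholders for this example; substitute real values from your own tenants.
B2C_TENANT_DOMAIN = "TestB2C.onmicrosoft.com"
CORPORATE_TENANT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder: directory (tenant) ID of the corporate AD
CORPORATE_OBJECT_ID = "11111111-1111-1111-1111-111111111111"  # placeholder: the user's object ID in the corporate AD

GRAPH_USERS_URL = "https://graph.microsoft.com/v1.0/users"
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
# Issuer form that worked in the first answer: the v2.0 endpoint of the source Azure AD tenant.
AAD_ISSUER_RE = re.compile(r"^https://login\.microsoftonline\.com/[0-9a-f-]{36}/v2\.0$", re.I)


def federated_issuer(tenant_id: str) -> str:
    """Issuer string for a user federated from the Azure AD tenant with this directory ID."""
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0"


def build_federated_user(display_name: str, mail_nickname: str, tenant_id: str,
                         object_id: str, account_enabled: bool = False) -> dict:
    """Payload for POST /users in the B2C tenant; accountEnabled defaults to False per the second answer."""
    return {
        "accountEnabled": account_enabled,
        "displayName": display_name,
        "mailNickname": mail_nickname,
        "identities": [
            {
                "signInType": "federated",
                "issuer": federated_issuer(tenant_id),
                "issuerAssignedId": object_id,  # assumption: the source directory's object ID for the user
            }
        ],
    }


def lint_identities(payload: dict) -> list:
    """Return the problems that correspond to the mistakes in the question's original payload."""
    problems = []
    has_federated = False
    for ident in payload.get("identities", []):
        kind = ident.get("signInType")
        issuer = ident.get("issuer", "")
        assigned = ident.get("issuerAssignedId", "")
        if kind == "federated":
            has_federated = True
            if not AAD_ISSUER_RE.match(issuer):
                problems.append(f"federated issuer {issuer!r} is not of the form "
                                "https://login.microsoftonline.com/<tenant-id>/v2.0")
            if not GUID_RE.match(assigned):
                problems.append(f"federated issuerAssignedId {assigned!r} is not a GUID")
        elif kind in ("userName", "emailAddress"):
            # Local accounts use the B2C tenant's own domain as issuer, as in the question's payload.
            if issuer.lower() != B2C_TENANT_DOMAIN.lower():
                problems.append(f"local identity issuer {issuer!r} is not the B2C tenant domain")
        else:
            problems.append(f"unknown signInType {kind!r}")
    if has_federated and payload.get("accountEnabled") is True:
        problems.append("accountEnabled should be false for a federated user")
    return problems


def post_user(payload: dict, access_token: str,
              send: Optional[Callable[[urllib.request.Request], bytes]] = None) -> bytes:
    """Lint, then POST the payload to Graph. `send` can be injected to avoid network access."""
    problems = lint_identities(payload)
    if problems:
        raise ValueError("; ".join(problems))
    req = urllib.request.Request(
        GRAPH_USERS_URL,
        data=json.dumps(payload).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"},
    )
    if send is None:
        send = lambda r: urllib.request.urlopen(r).read()  # real transport, only used outside tests
    return send(req)


if __name__ == "__main__":
    user = build_federated_user("OmegaMan", "OmegaM", CORPORATE_TENANT_ID, CORPORATE_OBJECT_ID)
    print(json.dumps(user, indent=2))
    print("problems:", lint_identities(user))
```

Running the script prints the well-formed payload and an empty problem list; feeding it the question's original federated identity (issuer "Corporate.com", issuerAssignedId "6ab...34", accountEnabled true) reports all three problems before anything is sent to Graph.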
