Azure B2C multi tenant "google" users creation and tenantId claim

Question

Currently our team is struggling with propper architecture of Azure B2C solution for our multi tenant app.

Here is what we want to achieve. We want to enable users from certain Azure AD to authenticate. This is nicely described here with restricting tenants we want to enable.

We just want to enrich this solution with google authentication. We do not want to enable all users to be able to sign up. Is there a possibility to create google federated user programatically? We basically recieve list of emails from customer company and we create accounts in tenant). As far as I know there is no possiblity to achieve this using ms graph API when I don't have issuerUserId of user.

Do we have any possible solutions for this type of scenario? Like invitation email or so? Or maybe B2C is not a propper solution in this case.

Thanks in advance

Answer 1

A solution would be create the allowed users in b2c as a local account in graph api with accountEnabled as false and some generated password. Since the accountEnabled is false, user will not be able to sign in or reset the password as the default set of custom policies verify that attribute.

In the federated flow in custom policy,

1. Let the user complete federation.
2. Read the account using email address received.
3. If a local account exists, then link the federated account (Write alternateSecurityId to the account using objectId).
4. If a matching local account cannot be found, block the user by showing a selfAsserted page saying you are not allowed to sign up/in to this application.
5. You could also have some custom boolean extension attribute set to the local account to have an extra validation and update it's value once user completes the signup.