
DonPoulson-5048 asked ·

Azure AD B2C authentication for consumer accounts shared between multiple sites using the same B2C domain

I am developing a new site using the same Azure AD B2C for consumer account authentication as an existing site. Authentication currently is working on both sites. However, when registering/signing up a new consumer account (testing using a gmail address), I cannot use the consumer on the other site without also registering it on that site first.

The expected result is that this would be a single sign-on and the same account should work for both sites using the same Azure AD B2C. I did not develop the original site so I can only go off of what I've been told by the client's IT team. I am told that the site is authenticating using consumer accounts (specifically that means AzureAD: { TenantId = "consumers" } in the appsettings.json B2C settings).

I can verify that the original site is using 'https://login.microsoftonline.com/' and it redirects to 'https://signup.live.com/' to create a new user. The creation and password reset functionality seems the same between both sites. Therefore I do believe the original site is using Microsoft for their authentication and not some custom code that stores the users in their database.

However, as a test, I created a free Azure AD B2C account. I then updated the website that I am developing to target the new domain, tenant, clientID, client secret, etc. and I was able to login using the consumer gmail account that I had already signed up as a Microsoft account from the same website when it was targeting my client's Azure AD B2C. That is how I expected the original site to work with the new site being developed.

Furthermore, the original website had extended user profile properties for its users. Those properties do not seem to be available to me using Microsoft Graph (documentation for what I am doing with Microsoft Graph and extended profiles can be found here: https://docs.microsoft.com/en-us/azure/active-directory-b2c/manage-user-accounts-graph-api).

Is my understanding of the shared consumer accounts incorrect? Shouldn't these accounts be a single-sign-on that works with either website?

Does anyone else suspect that the original website is not treating these accounts as consumer accounts but perhaps B2C accounts?

The second question: when logged into the Azure AD B2C portal, adding a User as an Azure B2C user (third option) is the same as registering/signing up a new user using the website when the website AzureAD settings are set to TenantId = consumers, right?

Tags: azure-ad-b2c, microsoft-graph-sdk, azure-managed-applications

I should add, even though I am testing using a gmail consumer account, we are not using Google as an Identity Provider. The new consumer account is registered as a Microsoft account and then it just works on the website.


alfredorevilla-msft answered ·

You're using Azure AD, not the B2C authentication flow, which is based on user flows or custom policies. The login authority should not be 'https://login.microsoftonline.com' but 'https://b2clogin.com'. Also, there is no consumer tenant in Azure. Please take a look at "An ASP.NET Core Web app signing-in users with the Microsoft identity platform in Azure AD B2C" for more information.


Please let us know if this answer was helpful to you. If so, please remember to mark it as the answer so that others in the community with similar questions can more easily find a solution.
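For readers who hit the same mismatch, the two configurations look like this side by side in a Microsoft.Identity.Web appsettings.json. This is an added illustration, not code from the question or from the linked sample. The first section is the asker's situation: it points the app at the shared Azure AD "consumers" endpoint on login.microsoftonline.com, which signs in personal Microsoft accounts rather than users in a B2C directory. The second section targets the B2C tenant itself through its b2clogin.com authority and a sign-up/sign-in user flow; "contoso", the policy names and the client id are placeholders.

```json
{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "TenantId": "consumers",
    "ClientId": "<client-id-placeholder>",
    "CallbackPath": "/signin-oidc"
  },
  "AzureAdB2C": {
    "Instance": "https://contoso.b2clogin.com",
    "Domain": "contoso.onmicrosoft.com",
    "ClientId": "<client-id-placeholder>",
    "SignUpSignInPolicyId": "B2C_1_signupsignin",
    "ResetPasswordPolicyId": "B2C_1_passwordreset",
    "EditProfilePolicyId": "B2C_1_profileediting",
    "CallbackPath": "/signin-oidc"
  }
}
```

A quick way to confirm which flow a site is really using is to decode an ID token it receives: a B2C token's iss claim names the tenant's b2clogin.com authority and the token carries the user-flow name, while the consumer Azure AD flow issues tokens from login.microsoftonline.com.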


DonPoulson-5048 answered ·

Thanks, Alfredo. Your response got me on the right track and I resolved the issue today. It was just as you said, I was using Azure AD instead of B2C.
