Question

PatrizioTrinchini-1141 asked · 0 Votes

Share local accounts between two AAD B2C tenants


I followed the documentation about multi-tenant AAD external identity providers and created a test bed with a main tenant with AAD Connect (to provide access to internal users) and two secondary tenants, each with a private AAD B2C (to provide access to external customers).

I registered both secondary tenants on the main tenant by creating two App registrations, each with its own client certificate, and enabled the custom policy framework on one of the two secondary tenants. With this configuration I'm able to complete the SignUp flow of a new user on one of the AAD B2C tenants (the one without a custom policy), but when I try to log in with this account on the second AAD B2C, i.e. when I try to log in with the custom flow that I have exposed on the login form, I'm redirected to the Microsoft login page and I can only provide my corporate credentials, not the credentials of the customer registered on the first tenant.
Any idea about the reason for this unexpected behavior?

azure-ad-b2c

amanpreetsingh-msft answered · 2 Votes

@PatrizioTrinchini-1141 Yes, you can register an AAD B2C tenant as an OIDC Identity Provider on another AAD B2C, but you will only be able to use standard Azure AD functionality, and you will be able to log in only with those accounts that are created via the Azure AD > Create User option. You will not be able to log in with a signed-up user.

Below is the allowed OIDC metadata URL for adding a custom OIDC IDP. This endpoint is for standard AAD:
https://login.microsoftonline.com/yourtenant.onmicrosoft.com/v2.0/.well-known/openid-configuration

Below is the OIDC metadata URL for B2C, which includes the policy name as well and is required for signed-up users. If you specify this endpoint while trying to add a custom OIDC IDP, you will get an error that the endpoint is invalid.
https://yourtenant.b2clogin.com/yourtenant.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_SignupOrSignin

I would suggest you migrate the users to a single B2C tenant. You may refer to https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-user-migration?tabs=applications for this purpose.


Please "Accept as answer" wherever the information provided helps you to help others in the community.


@amanpreetsingh-msft Thanks a lot for the exhaustive explanation, I will suggest adopting a single B2C to handle the sign-up flow.

0 Votes
amanpreetsingh-msft answered · 2 Votes

@PatrizioTrinchini-1141 Adding a multi-tenant AAD as an identity provider to Azure AD B2C is intended for standard Azure AD tenants and not for B2C tenants. It can work with a B2C tenant only if you are creating user accounts in the B2C directory the same way you create them in standard Azure AD tenants, and not by signing up for a new user account. In short, it will work for a B2C tenant if the sign-in name is username@yourB2C_tenant.onmicrosoft.com or username@VerifiedDomainInYourB2Ctenant.com.

Cause:
When you click the button for "Multi-tenant AAD external identity providers", which is created as part of the User flow/Custom Policy that you have configured, you get redirected to the https://login.microsoftonline.com/common endpoint. The common endpoint is used when it is not known which tenant the request should be forwarded to. The target tenant is determined on the basis of the domain name supplied as the UPN suffix.

Now, if you are using a User flow/Custom Policy and creating the user account by signing up with the email method or a Social IDP, the sign-in name can be user@gmail.com or user@your_org.com, for example, which will not help in the discovery of the tenant where your user account resides. On the other hand, if the sign-in name is username@yourB2C_tenant.onmicrosoft.com or username@VerifiedDomainInYourB2Ctenant.com, the tenant can be discovered.


Please "Accept as answer" wherever the information provided helps you to help others in the community.


@amanpreetsingh-msft Thanks for the explanation, now it is much clearer to me how it works behind the scenes. I have just another couple of questions. Is it possible to register an AAD B2C tenant as an OIDC Identity Provider on another AAD B2C? I'm wondering if this could accommodate my requirement, which basically is to provide a smooth login experience to customers of two companies, each with an AAD B2C, that now belong to the same corporation. Another option is to create a single AAD B2C tenant for the corporation and migrate into it the accounts of the customers that signed up in the past. Could this be a feasible option? Thanks again for your help.

0 Votes
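The two answers above describe two separate mechanisms: the custom OIDC IDP form accepts the standard AAD metadata URL but rejects the policy-qualified B2C one, and the /common endpoint routes a sign-in by looking up the UPN suffix against domains a tenant owns, so a signed-up user@gmail.com account cannot be routed. The script below models both checks so the behaviour can be reproduced offline. It is an added example written for this page, not code from Microsoft or from either participant; the tenant name `contosob2c`, its verified domains and the sign-in names are constructed sample data, and the rule that only the standard AAD metadata URL is accepted is taken from the first answer rather than from any published validation logic.

```python
"""Model two checks from the thread: home-realm discovery by UPN suffix and
acceptance of an OIDC metadata URL by the custom OIDC IDP configuration.
Added example; constructed sample data, not a Microsoft implementation."""
from typing import Dict, Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample: domains a B2C tenant has verified -> tenant name.
# A real tenant's verified domains come from its own directory settings.
VERIFIED_DOMAINS: Dict[str, str] = {
    "contosob2c.onmicrosoft.com": "contosob2c",
    "customers.contoso.example": "contosob2c",
}

# The two metadata URLs quoted in the first answer.
AAD_METADATA_URL = (
    "https://login.microsoftonline.com/yourtenant.onmicrosoft.com"
    "/v2.0/.well-known/openid-configuration"
)
B2C_METADATA_URL = (
    "https://yourtenant.b2clogin.com/yourtenant.onmicrosoft.com"
    "/v2.0/.well-known/openid-configuration?p=B2C_1_SignupOrSignin"
)


def discover_tenant(sign_in_name: str,
                    verified_domains: Dict[str, str] = VERIFIED_DOMAINS) -> Optional[str]:
    """Home-realm discovery as the /common endpoint performs it: the part after
    the last '@' must be a domain some tenant owns. A consumer e-mail domain or
    a customer's own corporate domain is not in that map, so routing fails."""
    if "@" not in sign_in_name:
        return None
    suffix = sign_in_name.rsplit("@", 1)[1].strip().lower()
    return verified_domains.get(suffix)


def metadata_url_kind(url: str) -> str:
    """Classify an OIDC discovery URL as 'aad', 'b2c' or 'other' by host and path."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        return "other"
    if not parts.path.endswith("/v2.0/.well-known/openid-configuration"):
        return "other"
    if host == "login.microsoftonline.com":
        return "aad"
    if host.endswith(".b2clogin.com"):
        return "b2c"
    return "other"


def policy_name(url: str) -> Optional[str]:
    """Return the B2C policy carried in the ?p= query parameter, if any."""
    values = parse_qs(urlparse(url).query).get("p")
    return values[0] if values else None


def accepted_by_custom_oidc_idp(url: str) -> bool:
    """Assumption taken from the answer above: only the plain standard-AAD
    metadata URL is accepted; a policy-qualified B2C URL is reported invalid."""
    return metadata_url_kind(url) == "aad" and policy_name(url) is None


if __name__ == "__main__":
    for name in ("alice@contosob2c.onmicrosoft.com",
                 "bob@customers.contoso.example",
                 "carol@gmail.com"):
        print(f"{name:40} -> tenant {discover_tenant(name)}")
    for url in (AAD_METADATA_URL, B2C_METADATA_URL):
        print(f"{metadata_url_kind(url):4} policy={policy_name(url)} "
              f"accepted={accepted_by_custom_oidc_idp(url)}")
```

Running it shows the two routing outcomes side by side: the first two sign-in names resolve to the constructed tenant, the Gmail address resolves to nothing (the situation that sends the original poster to the corporate login page), and only the standard AAD metadata URL passes the acceptance check.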