
I am using Azure B2C to connect my own OpenID Connect server using the OpenID Connect (Preview) provider. I configured everything, and the system is working fine.

But one thing is when a new user logs in through my own openid connect server, Azure AD B2C creates this user in Azure AD which is connected to Azure B2C.

My intention is that my client application has to call Azure B2C. Azure B2C should display a list of identity providers, one of which is my own OpenID Connect server. The user can then enter his credentials in my own OpenID Connect server, be verified, and be returned to Azure B2C with an id_token. After this step, Azure AD B2C is asking me to create this user in Azure AD. Why is this happening?

I cannot provide my user details to any intermediate systems. Please help me on this.

The same scenario is happening for Gmail users also, but only on the first login or when we change some sign-in policy attributes.

Wayne Yang
Vetrivel mp
  • Are you wanting to allow for local (AzureAD-based with password stored by AAD) accounts as well as externally authenticated accounts, or ONLY externally authenticated accounts (your OIDC, Google, etc.)? – M Herbener May 25 '18 at 12:26
  • Hello, as of now only external users are authenticated. So our intention is that the external users' information should not be stored inside AAD – Vetrivel mp May 26 '18 at 14:19

1 Answer


Based on my experience, even for externally authenticated users (social sign-in) AAD B2C always creates an object in its local store (which is actually an Azure AD directory). I can't speak authoritatively, but a couple of reasons for this would be 1) the ability to generate and maintain an immutable ID for a user that is somewhat independent of the social IdP, and 2) the ability to collect and store additional attributes which are not available from the social IdP.

I believe you can make the process invisible to your users - they don't necessarily have to be prompted to enter additional attributes or to create a user - but it will still happen in the background.

M Herbener
  • Hello Herbener, could you tell me, or give some links on, how to make the user creation part invisible, without prompting the user? – Vetrivel mp Jul 05 '18 at 05:59