I am trying to add a user with the email ...@gmail.com to my B2C directory via the Graph API (C#). I get this as a response:

The domain portion of the userPrincipalName property is invalid. You must use one of the verified domain names in your organization.

This system needs to allow for users of any email domain to sign in. The users need to log in to a website, not have access to the Azure Portal.

Is there a way to accomplish this without manually adding every domain?

Code for adding a user via the Graph API:

using System.Linq;
using Microsoft.Graph;
using Microsoft.Graph.Auth;
using Microsoft.Identity.Client;

// App-only (client credentials) token for the B2C tenant
var confidentialClientApplication = ConfidentialClientApplicationBuilder
    .Create(clientId)
    .WithTenantId(tenantId)
    .WithClientSecret(clientSecret)
    .Build();

var authProvider = new ClientCredentialProvider(confidentialClientApplication);

var graphClient = new GraphServiceClient(authProvider);

var user = new User
{
    AccountEnabled = true,
    DisplayName = emailAddress,
    MailNickname = emailAddress.Split('@').FirstOrDefault(),
    // The external email is used as the UPN here; this is what the error refers to
    UserPrincipalName = emailAddress,
    PasswordProfile = new PasswordProfile
    {
        ForceChangePasswordNextSignIn = true,
        Password = tempPassword
    }
};

// POST /users - this is the call that returns the error above
await graphClient.Users.Request().AddAsync(user);
Branden Barber
rgahan

2 Answers


If you're trying to create local B2C (not AAD) accounts, try setting the identities property in your request but not the UPN. The latter should be auto-generated. Also, password expiration must be disabled, and force change password at next sign-in must also be disabled.

AlfredoRevilla-MSFT
    Works after removing MailNickname and UPN and replacing with: `Identities = new List<ObjectIdentity> { new ObjectIdentity { SignInType = "emailAddress", Issuer = domainName, IssuerAssignedId = emailAddress } },` – rgahan Nov 17 '20 at 15:11


I had to add the following packages:

<PackageReference Include="Microsoft.Graph" Version="4.0.0-preview.7" />
<PackageReference Include="Microsoft.Graph.Auth" Version="1.0.0-preview.7" />

Then:

// App-only (client credentials) token for the B2C tenant
var confidentialClientApplication = ConfidentialClientApplicationBuilder
    .Create(Settings.ClientId)
    .WithTenantId(Settings.Tenant)
    .WithClientSecret(Settings.ClientSecret)
    .Build();

var authProvider = new ClientCredentialProvider(confidentialClientApplication);

var graphClient = new GraphServiceClient(authProvider);

// Local B2C account: no UserPrincipalName or MailNickname, B2C generates the UPN
var user = new User
{
    AccountEnabled = true,
    GivenName = "Name",
    Surname = "Surname",
    DisplayName = "Name Surname",
    PasswordProfile = new PasswordProfile
    {
        ForceChangePasswordNextSignIn = false, // must be disabled for local accounts
        Password = "pass.123",
    },
    PasswordPolicies = "DisablePasswordExpiration", // must be disabled for local accounts
    Identities = new List<ObjectIdentity>
    {
        new ObjectIdentity()
        {
            SignInType = "emailAddress",         // sign in with the email address
            Issuer = Settings.Tenant,            // the B2C tenant issues the identity
            IssuerAssignedId = "sample@sample.com" // any email domain works here
        }
    }
};

await graphClient.Users.Request().AddAsync(user);

Make sure to add the permission to create users in the Azure portal.

0lukasz0
    Notice that `Settings.Tenant` should be your AAD B2C full tenant name (xxx.onmicrosoft.com). – Wojteq Dec 15 '21 at 14:42
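Both answers and the comment above, combined into one reusable helper as an added example (this is not code from either answer). `B2CLocalAccounts`, `BuildLocalAccount` and `CreateLocalAccountAsync` are names chosen here; the tenant-name check assumes the issuer is always the `xxx.onmicrosoft.com` name, as the comment above states.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.Graph;

public static class B2CLocalAccounts
{
    // Builds a local B2C account exactly as the answers describe: no UPN or
    // MailNickname (B2C generates the UPN), an emailAddress identity issued by
    // the tenant, password expiration disabled, no forced password change.
    public static User BuildLocalAccount(string tenantName, string email, string displayName, string password)
    {
        // Assumption from the comment above: issuer must be the full B2C tenant name
        if (string.IsNullOrWhiteSpace(tenantName) ||
            !tenantName.EndsWith(".onmicrosoft.com", StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException("issuer must be the full tenant name, e.g. contoso.onmicrosoft.com", nameof(tenantName));
        if (string.IsNullOrWhiteSpace(email) || email.IndexOf('@') <= 0)
            throw new ArgumentException("issuerAssignedId must be a full email address", nameof(email));

        return new User
        {
            AccountEnabled = true,
            DisplayName = displayName,
            PasswordProfile = new PasswordProfile
            {
                ForceChangePasswordNextSignIn = false,      // required for local accounts
                Password = password
            },
            PasswordPolicies = "DisablePasswordExpiration", // required for local accounts
            Identities = new List<ObjectIdentity>
            {
                new ObjectIdentity
                {
                    SignInType = "emailAddress",
                    Issuer = tenantName,      // e.g. contoso.onmicrosoft.com
                    IssuerAssignedId = email  // any domain, e.g. someone@gmail.com
                }
            }
        };
    }

    // Creates the user and surfaces Graph's own error code and message (such as
    // the UPN domain error from the question) instead of a bare exception.
    public static async Task<string> CreateLocalAccountAsync(GraphServiceClient graphClient, User user)
    {
        try
        {
            var created = await graphClient.Users.Request().AddAsync(user);
            return created.Id; // object id of the new B2C user
        }
        catch (ServiceException ex)
        {
            throw new InvalidOperationException($"Graph rejected the user: {ex.Error?.Code} {ex.Error?.Message}", ex);
        }
    }
}
```

The application still needs the user-creation permission from the answer above granted in the portal; the helper only makes the request shape and the failure mode explicit.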