I have to migrate users from an Azure Active Directory B2C Tenant (oldtenant) to another (newtenant) using Seamless migration

In the oldtenant I have some "users" (with @oldtenant.onmicrosoft.com) and some "Azure AD B2C users" (with @otherdomain.com).

The "Users" are created with one button (screenshot not reproduced here).

The "Azure AD B2C users" are created with a different button (screenshot not reproduced here).

I have to retrieve the user access token to check the user's credentials before creating the user in the newtenant. I used the source code provided here to create an API that uses the user's credentials to retrieve the user token. I also created an app registration in the oldtenant to allow the API to access the user's info.

When I try to retrieve a user token for @oldtenant.onmicrosoft.com it works, but when I try to retrieve the token for a user @otherdomain.com, I get the following error:

error_description: "AADSTS50034: The user account {EmailHidden} does not exist in the oldtenant.onmicrosoft.com directory. To sign into this application, the account must be added to the directory.Trace ID: 74d2a027-7011-4ee5-b62e-d022dd861d06.Correlation ID: 07427a5b-494a-44e7-947d-40eb5a4aee66.Timestamp: 2021-05-07 10:22:58Z"

It should work, since I used the code provided by the documentation. I don't understand why it doesn't work.

C. Fabiani

1 Answer

When you create a consumer account (B2C account) by using the "Create Azure AD B2C user" button, the real user principal name is of the form {objectID}@oldtenant.onmicrosoft.com, although you can sign into B2C with a mail-format name such as xxx@otherdomain.com.

The data in the background is actually in this format:

{
    "id": "d5342d11-67e0-46ed-865b-20e3138ecf1f",
    "creationType": "LocalAccount",
    "userPrincipalName": "eb37ce98-8461-4f9b-ab57-e6ebb3b791c6@allentest001.onmicrosoft.com",
    "identities": [
        {
            "signInType": "emailAddress",
            "issuer": "allentest001.onmicrosoft.com",
            "issuerAssignedId": "allen3@jmaster.onmicrosoft.com"
        },
        {
            "signInType": "userPrincipalName",
            "issuer": "allentest001.onmicrosoft.com",
            "issuerAssignedId": "eb37ce98-8461-4f9b-ab57-e6ebb3b791c6@allentest001.onmicrosoft.com"
        }
    ]
}

In this example, I can sign into B2C with allen3@jmaster.onmicrosoft.com, but when I need to get the user access token, I need to use eb37ce98-8461-4f9b-ab57-e6ebb3b791c6@allentest001.onmicrosoft.com.

B2C authentication is different from AAD authentication, and to call Microsoft Graph we need to use AAD authentication (B2C authentication is not supported for calling Microsoft Graph).

In this case, eb37ce98-8461-4f9b-ab57-e6ebb3b791c6@allentest001.onmicrosoft.com is the UPN you need to use to get user token and call Microsoft Graph.

So you should list your B2C consumer users to find their userPrincipalNames first so that you could take next actions.

You can list B2C consumer users in Microsoft Graph explorer easily.

Allen Wu
  • Yes, I was looking for the "identities" field to get the UPN. I added the code for the Microsoft Graph SDK query (needs `using System.Linq;` for `Count()` / `FirstOrDefault()`):

        // First try the sign-in name as a UPN; this is enough for ordinary directory users.
        string fs = string.Format("userPrincipalName eq '{0}'", username);
        var su = await client.Users.Request().Filter(fs).Select("identities,userPrincipalName").GetAsync();
        if (su.Count() == 0) {
            // Otherwise look the name up in the identities collection of the B2C local accounts.
            fs = string.Format("identities/any(id:id/issuer eq '{0}' and id/issuerAssignedId eq '{1}')", tenant, username);
            su = await client.Users.Request().Filter(fs).Select("identities,userPrincipalName").GetAsync();
        }
        if (su.Count() != 0) {
            // The real UPN to use when requesting the user token.
            userUpn = su.FirstOrDefault().UserPrincipalName;
        }

    – C. Fabiani May 10 '21 at 10:10
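The lookup the answer describes, and the two filters in the comment above, as an added Python example that is not code from the question, the answer or Microsoft's migration sample. It evaluates the lookup offline over a constructed copy of the answer's user object (the second, ordinary user is made up), builds the Graph request URL the same filter would be sent with, and applies the OData rule that a single quote inside a string literal is written as two single quotes, which matters when the sign-in name comes from user input. The function names and the `$select` list are assumptions.

```python
"""Map a B2C sign-in e-mail to the account's real userPrincipalName.

Added example; runs offline on a constructed sample shaped like the user
object in the answer.  Issuer/tenant names are the answer's, the second
user is hypothetical.
"""
from typing import Optional
from urllib.parse import quote, urlencode

GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"

# Constructed sample, shaped like the user object shown in the answer.
SAMPLE_USERS = [
    {
        "id": "d5342d11-67e0-46ed-865b-20e3138ecf1f",
        "creationType": "LocalAccount",
        "userPrincipalName": "eb37ce98-8461-4f9b-ab57-e6ebb3b791c6@allentest001.onmicrosoft.com",
        "identities": [
            {"signInType": "emailAddress",
             "issuer": "allentest001.onmicrosoft.com",
             "issuerAssignedId": "allen3@jmaster.onmicrosoft.com"},
            {"signInType": "userPrincipalName",
             "issuer": "allentest001.onmicrosoft.com",
             "issuerAssignedId": "eb37ce98-8461-4f9b-ab57-e6ebb3b791c6@allentest001.onmicrosoft.com"},
        ],
    },
    {   # hypothetical ordinary directory user: its UPN is the sign-in name
        "id": "00000000-0000-0000-0000-000000000001",
        "userPrincipalName": "alice@allentest001.onmicrosoft.com",
        "identities": [
            {"signInType": "userPrincipalName",
             "issuer": "allentest001.onmicrosoft.com",
             "issuerAssignedId": "alice@allentest001.onmicrosoft.com"},
        ],
    },
]


def odata_literal(value: str) -> str:
    """Quote a string for an OData $filter.  A single quote inside the value
    is doubled, so a sign-in name supplied by the end user cannot close the
    literal and change the filter expression."""
    return "'" + value.replace("'", "''") + "'"


def identities_filter(issuer: str, sign_in_name: str) -> str:
    """The identities/any filter from the comment, with escaped literals."""
    return (
        f"identities/any(c:c/issuer eq {odata_literal(issuer)} "
        f"and c/issuerAssignedId eq {odata_literal(sign_in_name)})"
    )


def lookup_url(issuer: str, sign_in_name: str) -> str:
    """Full Graph request URL for the lookup; percent-encoding left to urllib."""
    query = {
        "$filter": identities_filter(issuer, sign_in_name),
        "$select": "id,userPrincipalName,identities",
    }
    return GRAPH_USERS + "?" + urlencode(query, quote_via=quote)


def resolve_upn(users, issuer: str, sign_in_name: str) -> Optional[str]:
    """The same lookup evaluated locally over already-fetched user objects:
    a direct UPN match first, then any identity whose issuer and
    issuerAssignedId match.  None means the name is not a UPN and not a
    known sign-in identity, i.e. the AADSTS50034 case from the question."""
    wanted = sign_in_name.casefold()
    for user in users:
        upn = user.get("userPrincipalName", "")
        if upn.casefold() == wanted:
            return upn
        for ident in user.get("identities", []):
            if (ident.get("issuer", "").casefold() == issuer.casefold()
                    and ident.get("issuerAssignedId", "").casefold() == wanted):
                return upn
    return None


if __name__ == "__main__":
    tenant = "allentest001.onmicrosoft.com"
    print(lookup_url(tenant, "allen3@jmaster.onmicrosoft.com"))
    print(resolve_upn(SAMPLE_USERS, tenant, "allen3@jmaster.onmicrosoft.com"))
```

The value `resolve_upn` returns is the name to put in the token request for the old tenant, as the answer says; the HTTP call to Graph and the token request itself are not part of this example.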