Monday, July 04, 2016

Azure B2C : B2C user types

There are a number of ways that you can add a user to Azure Active Directory (AAD) B2C (Business to Consumer).

If you look at the "Users sourced from" column, you'll see:
  • Microsoft Azure Active Directory
  • Microsoft Azure AD (other directory)
  • Microsoft account
"New user in your organization"

Your B2C tenant has a name - something like

So this user would have a name like

However, this type of user would be an admin. They couldn't actually log into B2C as an external user because to do this, they would have to have an email address for the confirmation email during sign-up.

Since B2C users cannot have Office 365 accounts this is not possible.

Basic rule of thumb: If you don't sign-up with B2C, you can't sign-in to an application with B2C.

Another way of looking at this is that there are two use cases:
  • Signing into the B2C tenant - (for admin. purposes)
  • Signing into an application secured by B2C (to access the application)

 We can look at the user's details using Graph Explorer.

(Plus the contents of the claim).

This type of user would have:

"creationType": null

"mailNickname": "user2"
"userPrincipalName": ""

"User with an existing Microsoft account"

This would be for admin. purposes only.

"User in another Microsoft Azure AD directory"

I've found that you need to have rights to the other directory to do this.

"creationType": "Invitation"

"mailNickname": ""

"userPrincipalName": ""

Again this would be an admin. type thing because when you authenticate you are doing this on another tenant, not on B2C.

"User in partner companies"

If you don't have rights, you can use Azure AD B2B. You import a .csv spreadsheet then each user gets an acceptance email with a link they have to click on.

This has the same sort of parameters as "user in another AD directory" but it has an extra section:

"proxyAddresses": [

Again this would be an admin. type thing because when you authenticate you are doing this on another tenant, not on B2C.

It's a bit confusing that you can add other users in this way as they can't actually authenticate as B2C users but I suppose this is for admin. purposes?

All the above are created by using the Azure portal.

A normal B2C user does not use this portal. They sign-up to B2C by using the sign-up link in the application e.g. as per Azure AD B2C preview: Build a .NET web app.

You can sign-up as a local user i.e. your credentials are stored in Azure AD in the B2C tenant or you can sign-up using social in which case some attributes are stored in the tenant but not the credentials.

e.g. local user

creationType": "NameCoexistence"

"mailNickname": "91...61"

"userPrincipalName": ""

e.g. Facebook user

"creationType": null

"otherMails": [
        "Facebook email"
"userPrincipalName": ""

These users can sign-in to an application secured by B2C.

A key point is that the local users have an external email e.g. whereas the admin. users typically have an email like


No comments: