How to create users from another Tenant to B2C

Kevin Dule 65 Reputation points
2024-08-29T13:14:56.9533333+00:00

Hello,

I am currently working on implementing B2C login in my project. I have set up a user flow for signing in and added an Identity Provider using OpenID Connect, along with another option for local account login through B2C.

I have successfully created the necessary application in my tenant and configured it within the OpenID Connect provider. Additionally, I have created users in the B2C tenant who are part of the first tenant as ExternalAzureAD users. However, when I attempt to log in from the first tenant, I encounter the following error: "AADB2C99002: User does not exist. Please sign up before you can sign in."

I have assigned the user to both the first tenant and the B2C tenant for each application accordingly.

Could you please advise on how to resolve this issue?

Thank you.

Microsoft Entra ID

Accepted answer
  1. Akhilesh Vallamkonda 10,150 Reputation points Microsoft Vendor
    2024-09-04T18:29:17.83+00:00

    Hi @Kevin Dule

    Thank you for reaching us!

    If I understand correctly, you are trying to authenticate users from an Entra ID tenant in an Azure AD B2C tenant.
    To restate your scenario: you have set up Azure AD B2C in company B's tenant to authenticate users from company A's Entra ID. The error "AADB2C99002: User does not exist. Please sign up before you can sign in" occurs when the user is not found in the Azure AD B2C directory.

    To resolve this issue, you need to configure Azure AD B2C to use company A's Entra ID as an identity provider. This way, users from company A can authenticate using their Entra ID credentials, and Azure AD B2C will not look for them in company B's directory. Here are the steps to configure Entra ID as an identity provider in Azure AD B2C:

    • Register an application in company A's Entra ID tenant.

    Record the Application (client) ID and create a client secret for the registered application.

    In company B's Azure AD B2C tenant, create a policy key to store the client secret.

    • Configure Azure AD B2C to use company A's Entra ID as an identity provider by adding it to the ClaimsProvider element in the extension file of your policy. After configuring Azure AD as an identity provider, you should be able to authenticate users from company A in the Web App deployed in Azure from company B using Azure AD B2C.

    If the issue persists, please refer to the threads below, which are similar to your issue.
    https://video2.skills-academy.com/en-us/answers/questions/891744/azure-ad-b2c-sign-in-workflow-with-google-as-an-id
    https://video2.skills-academy.com/en-us/answers/questions/255659/how-can-i-invite-guest-users-to-azure-b2c-platform
    https://video2.skills-academy.com/en-us/answers/questions/1339286/how-to-add-a-federated-user-that-can-be-authentica

    Hope this helps. Do let us know if you have any further queries by responding in the comments section.

    Thanks,

    Akhilesh.


    If this answers your query, please click Accept Answer and Yes for Was this answer helpful. If you have any further queries, do let us know.

    1 person found this answer helpful.
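
The answer above lists the steps on the company A side only as bullets. The following added example (not code from the original answer or from Microsoft) performs the first two of them with the Microsoft Graph PowerShell SDK: it registers the application in company A's Entra ID with the reply URL that Azure AD B2C uses for OpenID Connect federation, creates a client secret, and prints the values you then paste into the B2C identity-provider configuration and policy key. The tenant ID and the B2C tenant name are placeholders you must replace; the reply-URL pattern and the metadata URL follow the public Microsoft documentation. Creating the policy key itself in the B2C tenant (Identity Experience Framework, Policy keys) and editing the ClaimsProvider in the extension file are not automated here.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications
# Added example, not part of the original answer. Placeholders (assumptions): replace both.
$CompanyATenantID = "00000000-0000-0000-0000-000000000000"   # company A tenant ID
$B2CTenantName    = "contosob2c"                             # B2C tenant short name

# Documented B2C reply URL for OIDC federation. Entra ID only redirects the authorization
# response to URIs listed on the app registration, so this value must match exactly.
$ReplyUrl = "https://$B2CTenantName.b2clogin.com/$B2CTenantName.onmicrosoft.com/oauth2/authresp"

Connect-MgGraph -TenantId $CompanyATenantID -Scopes "Application.ReadWrite.All" -NoWelcome -ErrorAction Stop
# Verify the tenant we actually landed in, not just that Connect-MgGraph returned.
if ((Get-MgContext).TenantId -ne $CompanyATenantID) { throw "Connected to the wrong tenant." }

# Single-tenant audience: only company A's own accounts can obtain tokens for this app.
# ID token issuance is enabled because B2C requests an ID token in the authorization
# response (hybrid flow), as the B2C setup documentation for Entra ID describes.
$app = New-MgApplication -DisplayName "Azure AD B2C federation ($B2CTenantName)" `
    -SignInAudience "AzureADMyOrg" `
    -Web @{
        RedirectUris          = @($ReplyUrl)
        ImplicitGrantSettings = @{ EnableIdTokenIssuance = $true }
    }

# The secret value is returned exactly once; hand it to the B2C policy key immediately.
# Keep the lifetime short and rotate before it expires.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = "Azure AD B2C policy key"
    EndDateTime = (Get-Date).AddMonths(6)
}

# Values the B2C side needs: client ID and metadata URL for the OIDC provider,
# and the secret value for the policy key. Do not write SecretValue to a log or transcript.
[pscustomobject]@{
    ClientId    = $app.AppId
    MetadataUrl = "https://login.microsoftonline.com/$CompanyATenantID/v2.0/.well-known/openid-configuration"
    SecretValue = $secret.SecretText
    SecretEnds  = $secret.EndDateTime
} | Format-List
```

Run it once in a session where `Start-Transcript` is not active, copy `SecretValue` straight into the B2C policy key, and then clear the variable with `Remove-Variable secret`. The object ID of the app (`$app.Id`) is different from the client ID (`$app.AppId`); B2C needs the latter.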

2 additional answers

  1. Akhilesh Vallamkonda 10,150 Reputation points Microsoft Vendor
    2024-09-04T18:59:25.1866667+00:00

    Hi @Kevin Dule

    I'm glad that you were able to resolve your issue, and thank you for posting your solution so that others experiencing the same thing can easily reference it! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    Issue:

    when you attempt to log in from the first tenant, you encounter the following error: "AADB2C99002: User does not exist. Please sign up before you can sign in."

    Solution:

    To fix this issue, you prepared a script using Microsoft Graph. Users from Tenant A also have to be created in the B2C tenant, so you defined these identities for those users.

    If you have any other questions or are still running into more issues, please let me know. Thank you again for your time and patience throughout this issue.

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.


  2. Kevin Dule 65 Reputation points
    2024-09-09T20:00:55.3033333+00:00

    Hello,

    I am attaching a PowerShell script for creating users from another tenant. This script will solve the error "AADB2C99002: User does not exist. Please sign up before you can sign in."

    #Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users
    $Tenant1ID   = "your-tenant-id"                    # company A (source) tenant ID
    $B2CTenantID = "your-b2c-tenant-id"                # B2C (target) tenant ID
    $B2CDomain   = "your-b2c-domain.onmicrosoft.com"   # B2C tenant domain used for the local UPN
    $listOfUsers = @("user1@example.com")              # UPNs in Tenant 1 to provision into B2C
    
    Write-Host "Connecting to Tenant 1: " -ForegroundColor Yellow -NoNewline
    Connect-MgGraph -TenantId $Tenant1ID -Scopes "User.Read.All" -NoWelcome -ErrorAction SilentlyContinue
    
    # Check the tenant we actually landed in, not just that Connect-MgGraph returned.
    if ((Get-MgContext).TenantId -eq $Tenant1ID) {
        Write-Host "Done.`r`n" -ForegroundColor Green
        $users = @()
        Write-Host "Retrieving users from Tenant 1:" -ForegroundColor Yellow
        foreach ($user in $listOfUsers) {
            # The object ID is what B2C receives as the federated issuerAssignedId.
            $tenantUser = Get-MgUser -UserId $user -Property id,displayName,surname,givenName,mail -ErrorAction SilentlyContinue
            if ($tenantUser) {
                Write-Host "`tUser retrieved: $user" -ForegroundColor Green
                $users += $tenantUser
            }
            else {
                Write-Host "`tUser not found: $user" -ForegroundColor Red
            }
        }
        
        Write-Host "`r`n`r`nConnecting to B2C tenant: " -ForegroundColor Yellow -NoNewline
        Connect-MgGraph -TenantId $B2CTenantID -Scopes "User.ReadWrite.All" -NoWelcome -ErrorAction SilentlyContinue
    
        if ((Get-MgContext).TenantId -eq $B2CTenantID) {
            Write-Host "Done.`r`n" -ForegroundColor Green
            Write-Host "Provisioning users:" -ForegroundColor Yellow
            
            foreach ($user in $users) {
                Write-Host "`tWorking on $($user.DisplayName)[$($user.Id)]: " -ForegroundColor Yellow -NoNewline
                $params = @{
                    displayName = $user.DisplayName
                    identities  = @(
                        # Local UPN identity; B2C uses the cpim_ prefix for federated accounts.
                        @{
                            signInType       = "userPrincipalName"
                            issuer           = $B2CDomain
                            issuerAssignedId = "cpim_$($user.Id)@$B2CDomain"
                        }
                        # Federated identity: issuer must match the OIDC provider's issuer,
                        # issuerAssignedId is the user's object ID in Tenant 1.
                        @{
                            signInType       = "federated"
                            issuer           = "https://login.microsoftonline.com/$Tenant1ID/v2.0"
                            issuerAssignedId = $user.Id
                        }
                    )
                    passwordProfile  = @{ forceChangePasswordNextSignIn = $false }
                    passwordPolicies = "DisablePasswordExpiration"
                    accountEnabled   = $false
                }
                if ($user.GivenName) { $params["givenName"] = $user.GivenName }
                if ($user.Surname)   { $params["surname"]   = $user.Surname }
    
                try {
                    $newUser = New-MgUser -BodyParameter $params -ErrorAction Stop
                    Write-Host "Done. [$($newUser.Id)]" -ForegroundColor Green
                }
                catch {
                    # Typical cause: a user with one of these identities already exists.
                    Write-Host "Failed: $($_.Exception.Message)" -ForegroundColor Red
                }
            }
        }
        else {
            Write-Host "Unable to connect to B2C tenant." -ForegroundColor Red
        }
    }
    else {
        Write-Host "Unable to connect to Tenant 1." -ForegroundColor Red
    }
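
The script above creates the users; the added example below (not from the original post) checks the result the way Azure AD B2C does at sign-in. AADB2C99002 means that no user in the B2C directory carries a federated identity whose (issuer, issuerAssignedId) pair matches the incoming token, so the check queries B2C with the documented `identities/any(...)` Graph filter for each Tenant 1 user and reports who would still be rejected. Tenant IDs and the user list are placeholders; the issuer string follows the same form the provisioning script uses.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users
# Added example, not part of the original post. Placeholders (assumptions): replace all three.
$Tenant1ID   = "00000000-0000-0000-0000-000000000000"   # company A (source) tenant
$B2CTenantID = "11111111-1111-1111-1111-111111111111"   # B2C (target) tenant
$listOfUsers = @("user1@example.com", "user2@example.com")

# Must equal the issuer the OIDC claims provider emits. For Entra ID via the v2.0 endpoint
# it is the tenant-specific value below; any other string (v1 issuer, "common", a trailing
# slash) is stored as a different identity and never matches, producing AADB2C99002.
$ExpectedIssuer = "https://login.microsoftonline.com/$Tenant1ID/v2.0"

function Get-B2CUserByFederatedIdentity {
    param(
        [Parameter(Mandatory)][string]$Issuer,
        [Parameter(Mandatory)][string]$IssuerAssignedId
    )
    # Graph's identities filter requires both issuer and issuerAssignedId.
    # Single quotes are doubled so a literal quote cannot break out of the OData string.
    $iss = $Issuer -replace "'", "''"
    $sub = $IssuerAssignedId -replace "'", "''"
    Get-MgUser -Filter "identities/any(c:c/issuer eq '$iss' and c/issuerAssignedId eq '$sub')" `
               -Property id,displayName,accountEnabled,identities -ErrorAction SilentlyContinue
}

# 1. Resolve object IDs in Tenant 1; the object ID is the federated issuerAssignedId.
Connect-MgGraph -TenantId $Tenant1ID -Scopes "User.Read.All" -NoWelcome -ErrorAction Stop
if ((Get-MgContext).TenantId -ne $Tenant1ID) { throw "Connected to the wrong tenant." }
$sourceUsers = foreach ($upn in $listOfUsers) {
    $u = Get-MgUser -UserId $upn -Property id,userPrincipalName -ErrorAction SilentlyContinue
    if ($u) { $u } else { Write-Warning "Not found in Tenant 1: $upn" }
}

# 2. Look each one up in B2C with the same (issuer, issuerAssignedId) pair B2C will use.
Connect-MgGraph -TenantId $B2CTenantID -Scopes "User.Read.All" -NoWelcome -ErrorAction Stop
if ((Get-MgContext).TenantId -ne $B2CTenantID) { throw "Connected to the wrong tenant." }

$report = foreach ($u in $sourceUsers) {
    $match = Get-B2CUserByFederatedIdentity -Issuer $ExpectedIssuer -IssuerAssignedId $u.Id
    [pscustomobject]@{
        SourceUpn      = $u.UserPrincipalName
        SourceObjectId = $u.Id
        B2CObjectId    = if ($match) { $match.Id } else { $null }
        AccountEnabled = if ($match) { $match.AccountEnabled } else { $null }
        # MISSING is exactly the state that yields AADB2C99002 for this user.
        Status         = if ($match) { "OK" } else { "MISSING" }
    }
}
$report | Format-Table -AutoSize
```

Run this after the provisioning script, or before it as a dry run to avoid creating duplicates. A row that reads MISSING although the user was created usually means the stored `issuer` differs from the one the identity provider emits; compare it against the `identities` of a B2C user that was created through an actual federated sign-in.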