Azure AD appending '#EXT#' to UserPrincipalName

When we create a user in Active Directory using the Graph API, some characters are appended to the username (#EXT#). This makes it impossible to edit the user in AD B2C's interface (a documented problem) or to sign in using ADAL 2.23 (Active Directory Authentication Library).

AD B2C interface problem

Particularly, there's an error (unknown_user_type) when we use AcquireToken(username, password) method. The error is the following:

ADAL error

Why is this happening? Is there any solution or workaround for this problem?

Regards.

Mauricio Ulloa asked Mar 01 '16 16:03


1 Answer

Users that have #EXT# in their UserPrincipalName (UPN, also ambiguously referred to as "username" in several places) are typically users that have been sourced from other identity providers. This includes:

  1. Regular directories: Users added with their Microsoft Account (MSA)
  2. Regular directories: Users from other directories in Azure AD
  3. B2C directories: Almost all B2C users have this

Regular directories

If your application is aware of the Azure AD directory the user is trying to sign in to, and you are using the tenant-specific endpoint https://login.microsoftonline.com/<domain or ID> instead of the tenant-agnostic endpoint https://login.microsoftonline.com/common, users in cases (1) and (2) should be able to sign in to an application using ADAL. When signing in, they would use their regular usernames from MSA or their "home" directory.

Example: User [email protected], from directory contoso, is added as an external user in directory fabrikam. This results in a user in fabrikam with UPN bob_contoso.com#EXT#@fabrikam.onmicrosoft.com, but you don't have to worry about that. When they sign in to an application that trusts https://login.microsoftonline.com/fabrikam.onmicrosoft.com, they simply sign in as [email protected] and use their normal password from contoso.

B2C directories

Azure AD B2C-aware applications always work with a tenant-specific endpoint, but it's using the newer "v2" OAuth 2.0 endpoints:

  • https://login.microsoftonline.com/<domain or ID>/oauth2/v2.0/authorize
  • https://login.microsoftonline.com/<domain or ID>/oauth2/v2.0/token

Again, users will always sign in using their home identity provider.

IMPORTANT: Remember that Azure AD B2C is currently in Preview (as of March 2016).

TL;DR:

You should not actually have any scenario where you would want to change users' UserPrincipalName if it contains #EXT#, because this means this isn't actually the username they would type when signing in.

Philippe Signoret answered Oct 20 '22 16:10
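To make the answer's point concrete, here is an added Python example (not from the question, the answer, or Microsoft) that classifies a UPN carrying `#EXT#`, recovers the identity the user actually types at sign-in, builds the tenant-specific (and, for B2C, v2.0) endpoints, and flags a client configured against the `/common` endpoint. The mapping from the mangled local part back to the home identity (the home identity's `@` replaced by `_`) is an assumption, and all sample UPNs are constructed.

```python
from dataclasses import dataclass
from typing import Optional

EXT_MARKER = "#EXT#"
LOGIN_BASE = "https://login.microsoftonline.com"


@dataclass(frozen=True)
class UpnInfo:
    upn: str                      # value stored on the directory object
    resource_tenant: str          # directory holding the object (after '@')
    is_external: bool             # local part ends with '#EXT#'
    home_identity: Optional[str]  # what the user actually types at sign-in


def parse_upn(upn: str) -> UpnInfo:
    # Assumption (not stated on the page): Azure AD builds the local part of an
    # external UPN by replacing the '@' of the home identity with '_', so
    # alice@northwind.com becomes alice_northwind.com#EXT#@<tenant>.
    local, sep, tenant = upn.rpartition("@")
    if not sep or not local or not tenant:
        raise ValueError(f"not a UPN: {upn!r}")
    if not local.endswith(EXT_MARKER):
        return UpnInfo(upn, tenant, False, upn)   # home user: UPN is the login
    name, sep2, home_domain = local[: -len(EXT_MARKER)].rpartition("_")
    home = f"{name}@{home_domain}" if sep2 and name and home_domain else None
    return UpnInfo(upn, tenant, True, home)


def sign_in_plan(upn: str, b2c: bool = False) -> dict:
    # External users need the tenant-specific authority, never /common;
    # B2C applications additionally use the v2.0 endpoints.
    info = parse_upn(upn)
    authority = f"{LOGIN_BASE}/{info.resource_tenant}"
    plan = {"authority": authority, "username": info.home_identity,
            "external": info.is_external}
    if b2c:
        plan["authorize"] = f"{authority}/oauth2/v2.0/authorize"
        plan["token"] = f"{authority}/oauth2/v2.0/token"
    return plan


def audit_authority(authority: str, upn: str) -> Optional[str]:
    # Returns a finding when the configured authority cannot work for this
    # user (the symptom in the question), None when it looks fine.
    info = parse_upn(upn)
    if info.is_external and authority.rstrip("/").endswith("/common"):
        return "external user via /common: use the tenant-specific endpoint"
    return None
```

Running `audit_authority` over an app's configured authority and its user list is a quick way to catch the `unknown_user_type` failure before it reaches production.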