Multi-tenant Azure AD in Azure AD B2C

Tags:

azure-ad-b2c

I was following the answer here: Multi-Tenant Azure AD Auth in Azure AD B2C with Custom Policies

And the walkthrough here: https://github.com/Azure-Samples/active-directory-b2c-advanced-policies/blob/0129fc013ae5e66a3ee0046a5d0db2e8120d8f8e/Walkthroughs/IdP-AzureAD.md

But I wasn't able to log in; the error message is something along the lines of:

AADB2C: An exception has occured. Correlation ID: <GUID>. Timestamp: <Time>

Furthermore, when viewing the walkthrough in the latest master, the whole page has been removed and now only contains the link to https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-aad-custom, which does not show how to configure the ClaimsProvider for a multi-tenant Azure AD IdP.

The error message was not super helpful, and I'm getting lost.

My technical profile is as follows:

<ClaimsProvider>
    <Domain>AzureAD</Domain>
    <DisplayName>Login using Azure AD</DisplayName>
    <TechnicalProfiles>
        <TechnicalProfile Id="AzureADProfile">
            <DisplayName>Azure AD</DisplayName>
            <Description>Login with your Azure AD account</Description>
            <Protocol Name="OpenIdConnect"/>
            <OutputTokenFormat>JWT</OutputTokenFormat>
            <Metadata>
                <Item Key="DiscoverMetadataByTokenIssuer">true</Item>
                <Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/</Item>
                <Item Key="authorization_endpoint">https://login.windows.net/common/oauth2/v2.0/authorize</Item>
                <Item Key="client_id">MyAzureADB2CAppId</Item>
                <Item Key="IdTokenAudience">MyAzureADB2CAppId</Item>
                <Item Key="response_types">id_token</Item>
                <Item Key="UsePolicyInRedirectUri">false</Item>
                <Item Key="BearerTokenTransmissionMethod">AuthorizationHeader</Item>
                <Item Key="scope">openid</Item>
                <Item Key="HttpBinding">POST</Item>
            </Metadata>
            <CryptographicKeys>
                <Key Id="client_secret" StorageReferenceId="B2C_1A_B2CSecret"/>
            </CryptographicKeys>
            <OutputClaims>
                <OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="oid"/>
                <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid"/>
                <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="unique_name" />
                <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
                <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" />
                <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
                <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="azureADAuthentication" />
                <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="AzureAD" />
            </OutputClaims>
            <OutputClaimsTransformations>
                <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
                <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
                <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
                <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId"/>
            </OutputClaimsTransformations>
            <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop"/>
        </TechnicalProfile>
    </TechnicalProfiles>
</ClaimsProvider>

EDIT: After introducing User Journey Recorder as per spottedhahn's suggestion, I've managed to get the real error:

The response received from the ClaimsProvider using TechnicalProfile "<My_Azure_AD_Common_Profile>" in policy "<My_RP_Policy>" of tenant "<My_B2C_Tenant>" did not contain an "id_token".

The question is: Is linking multi-tenant Azure AD to Azure AD B2C still supported, and how can I configure it to make that work?

Harry Ninh asked Feb 21 '18 03:02


1 Answer

When federating Azure AD B2C with Azure AD's common endpoint, you can integrate with either:

  • The v1.0 endpoint: https://login.microsoftonline.com/common/oauth2/authorize
  • The v2.0 endpoint: https://login.microsoftonline.com/common/oauth2/v2.0/authorize

v1.0 endpoint

To integrate Azure AD B2C with the v1.0 endpoint, you must register Azure AD B2C through the Azure portal with your Azure AD tenant:

  1. Sign in to the Azure portal.
  2. In the top bar, select your Azure AD directory.
  3. In the left bar, select All services and find "App registrations".
  4. Select New application registration.
  5. In Name, enter an application name, such as "Azure AD B2C".
  6. In Application type, select Web app / API.
  7. In Sign-on URL, enter https://login.microsoftonline.com/te/<tenant>/oauth2/authresp, where you replace <tenant> with the name of your Azure AD B2C tenant (such as "contosob2c.onmicrosoft.com").
  8. Select Create.
  9. Copy Application ID for later.
  10. Select Settings and then select Keys.
  11. In the Passwords section, enter a password description, select a password duration, select Save, and then copy the password value for later.

You must then create a policy key (e.g. "AzureADClientSecret") through the Azure AD B2C portal with the application secret from step 11.

You must then update the Azure AD technical profile with the following settings:

<TechnicalProfile Id="AzureADAccountProfile">
  <DisplayName>Log in with your work account</DisplayName>
  <Protocol Name="OpenIdConnect"/>
  <OutputTokenFormat>JWT</OutputTokenFormat>
  <Metadata>
    <Item Key="authorization_endpoint">https://login.microsoftonline.com/common/oauth2/authorize</Item>
    <Item Key="client_id"><!-- Enter the application ID from step 9 --></Item>
    <Item Key="DiscoverMetadataByTokenIssuer">true</Item>
    <Item Key="HttpBinding">POST</Item>
    <Item Key="IdTokenAudience"><!-- Enter the application ID from step 9 --></Item>
    <Item Key="response_types">id_token</Item>
    <Item Key="scope">openid</Item>
    <Item Key="UsePolicyInRedirectUri">false</Item>
    <Item Key="ValidTokenIssuerPrefixes">https://sts.windows.net/</Item>
  </Metadata>
  <CryptographicKeys>
    <Key Id="client_secret" StorageReferenceId="B2C_1A_AzureADClientSecret"/>
  </CryptographicKeys>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="enterpriseAuthentication" />
    <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
    <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="tid" />
    <OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="oid" />
    ...
  </OutputClaims>
  <OutputClaimsTransformations>
    <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
    <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
    <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
  </OutputClaimsTransformations>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>

v2.0 endpoint

To integrate Azure AD B2C with the v2.0 endpoint, you must register Azure AD B2C through the Application Registration portal with your Azure AD tenant:

  1. Sign in to the Application Registration portal.
  2. Select Add an app.
  3. In Application Name, enter an application name, such as "Azure AD B2C", and then select Create.
  4. Copy Application Id for later.
  5. In the Application Secrets section, select Generate new password and then copy the password value for later.
  6. In the Platforms section, select Add Platform, select Web, and then enter a Redirect URL as https://login.microsoftonline.com/te/<tenant>/oauth2/authresp, where you replace <tenant> with the name of your Azure AD B2C tenant (such as "contosob2c.onmicrosoft.com").
  7. In the bottom bar, select Save.

You must then create a policy key (e.g. "AzureADClientSecret") through the Azure AD B2C portal with the application secret from step 5.

You must then update the Azure AD technical profile with the following settings:

<TechnicalProfile Id="AzureADAccountProfile">
  <DisplayName>Log in with your work account</DisplayName>
  <Protocol Name="OpenIdConnect"/>
  <OutputTokenFormat>JWT</OutputTokenFormat>
  <Metadata>
    <Item Key="authorization_endpoint">https://login.microsoftonline.com/common/oauth2/v2.0/authorize</Item>
    <Item Key="client_id"><!-- Enter the application ID from step 4 --></Item>
    <Item Key="DiscoverMetadataByTokenIssuer">true</Item>
    <Item Key="HttpBinding">POST</Item>
    <Item Key="IdTokenAudience"><!-- Enter the application ID from step 4 --></Item>
    <Item Key="response_types">id_token</Item>
    <Item Key="scope">openid profile</Item>
    <Item Key="UsePolicyInRedirectUri">false</Item>
    <Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/</Item>
  </Metadata>
  <CryptographicKeys>
    <Key Id="client_secret" StorageReferenceId="B2C_1A_AzureADClientSecret"/>
  </CryptographicKeys>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="enterpriseAuthentication" />
    <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
    <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="tid" />
    <OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="oid" />
    ...
  </OutputClaims>
  <OutputClaimsTransformations>
    <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
    <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
    <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
  </OutputClaimsTransformations>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>
Chris Padgett answered Oct 03 '22 05:10
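The two technical profiles in the answer differ from the one in the question in small, easy-to-miss ways: the v1.0 common endpoint pairs with the `https://sts.windows.net/` issuer prefix, the v2.0 common endpoint pairs with `https://login.microsoftonline.com/`, and a typo such as `ReferenceId="ReferenceId="SM-Noop"` means the policy XML does not even parse. The following lint is an added example, not code from the question, the answer, or Microsoft. It encodes only the pairings the answer above gives for both the v1.0 and v2.0 sections (plus `client_id` equal to `IdTokenAudience`, `id_token` in `response_types`, `openid` in `scope`, a `client_secret` key, and a session-management `ReferenceId`), and runs them over constructed samples: the question's metadata trimmed to the items the lint reads, the same profile with the v2.0 endpoint from the answer substituted, and a copy carrying the malformed attribute.

```python
"""Consistency lint for an Azure AD B2C OpenIdConnect <TechnicalProfile>.

Added example (not from the page or from Microsoft). The rules below are the
endpoint/issuer pairings and metadata items shown in the answer; everything
else a real policy needs (claims, transformations) is out of scope here.
"""
import xml.etree.ElementTree as ET

V1_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/authorize"
V2_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
# Issuer prefix the answer pairs with each common endpoint.
EXPECTED_ISSUER_PREFIX = {
    V1_ENDPOINT: "https://sts.windows.net/",
    V2_ENDPOINT: "https://login.microsoftonline.com/",
}


def metadata_items(profile: ET.Element) -> dict:
    """Collect <Metadata><Item Key=...>value</Item> pairs into a dict."""
    return {
        item.get("Key"): (item.text or "").strip()
        for item in profile.findall("./Metadata/Item")
    }


def lint_technical_profile(xml_text: str) -> list:
    """Return a list of findings; an empty list means no inconsistency was found."""
    try:
        profile = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A malformed attribute such as ReferenceId="ReferenceId="SM-Noop" lands here.
        return [f"XML does not parse: {exc}"]

    findings = []
    meta = metadata_items(profile)
    endpoint = meta.get("authorization_endpoint", "")
    issuer_prefix = meta.get("ValidTokenIssuerPrefixes", "")

    if endpoint not in EXPECTED_ISSUER_PREFIX:
        findings.append(
            f"authorization_endpoint {endpoint!r} is neither {V1_ENDPOINT} nor {V2_ENDPOINT}"
        )
    elif issuer_prefix != EXPECTED_ISSUER_PREFIX[endpoint]:
        findings.append(
            f"ValidTokenIssuerPrefixes {issuer_prefix!r} does not match "
            f"{EXPECTED_ISSUER_PREFIX[endpoint]!r} expected for {endpoint}"
        )
    if meta.get("DiscoverMetadataByTokenIssuer", "").lower() != "true":
        findings.append("DiscoverMetadataByTokenIssuer should be true for the common endpoint")

    client_id = meta.get("client_id", "")
    if not client_id:
        findings.append("client_id is missing")
    elif client_id != meta.get("IdTokenAudience"):
        findings.append("IdTokenAudience must equal client_id")
    if "id_token" not in meta.get("response_types", "").split():
        findings.append("response_types must include id_token")
    if "openid" not in meta.get("scope", "").split():
        findings.append("scope must include openid")
    if profile.find("./CryptographicKeys/Key[@Id='client_secret']") is None:
        findings.append("CryptographicKeys lacks a client_secret key")
    session = profile.find("./UseTechnicalProfileForSessionManagement")
    if session is None or not session.get("ReferenceId"):
        findings.append("UseTechnicalProfileForSessionManagement ReferenceId is missing")
    return findings


# Constructed sample: the question's metadata, trimmed to the items the lint reads.
ASKER_PROFILE = """
<TechnicalProfile Id="AzureADProfile">
  <Protocol Name="OpenIdConnect"/>
  <Metadata>
    <Item Key="DiscoverMetadataByTokenIssuer">true</Item>
    <Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/</Item>
    <Item Key="authorization_endpoint">https://login.windows.net/common/oauth2/v2.0/authorize</Item>
    <Item Key="client_id">MyAzureADB2CAppId</Item>
    <Item Key="IdTokenAudience">MyAzureADB2CAppId</Item>
    <Item Key="response_types">id_token</Item>
    <Item Key="scope">openid</Item>
  </Metadata>
  <CryptographicKeys>
    <Key Id="client_secret" StorageReferenceId="B2C_1A_B2CSecret"/>
  </CryptographicKeys>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop"/>
</TechnicalProfile>
"""
# Constructed sample: same profile with the answer's v2.0 endpoint substituted.
V2_PROFILE = ASKER_PROFILE.replace(
    "https://login.windows.net/common/oauth2/v2.0/authorize", V2_ENDPOINT
)
# Constructed sample: the malformed attribute that appeared in the answer's XML.
BROKEN_PROFILE = V2_PROFILE.replace(
    'ReferenceId="SM-Noop"', 'ReferenceId="ReferenceId="SM-Noop"'
)

if __name__ == "__main__":
    for name, text in (("asker", ASKER_PROFILE), ("v2", V2_PROFILE), ("broken", BROKEN_PROFILE)):
        print(name, lint_technical_profile(text) or ["OK"])
```

Run stand-alone, the question's profile gets a single finding (its endpoint host and path match neither common endpoint the answer lists), the v2.0 variant passes, and the malformed copy is reported as unparseable rather than as a configuration problem. One general caveat, not specific to this page: the common endpoint accepts users from any Azure AD tenant, and `ValidTokenIssuerPrefixes` only bounds the issuer host, so the `tid` claim the profile outputs is what a policy would have to check if sign-in is meant to be limited to particular tenants.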