Firebase Auth: How can I pre-create Auth Users for signin with the microsoft provider?

I want to assign roles to users that are known beforehand, so they have the appropriate permissions when they sign up. I thought I could pre-create the Auth Users via the Admin API without linking a provider and, if a user exists, they would be linked automatically on signin because the email matches.

This did not work: either Firebase creates another user with the same email and another UID, or it complains that a provider is linked, even though there is none.

I already thought about implementing a custom token to convert the active directory login token and newly generated firebase user to match the existing user.

I have the users' claims data in Firestore. I would, if possible, like to keep the user's ID, which makes it difficult to just update the claims on the new Auth object.

asked Oct 19 '25 by Paul Weber


1 Answer

Firebase Auth will match the objectId attribute (e.g. 8066569b-7203-4894-8552-4be01e28d2a2) of users that sign into your applications via Microsoft against the uid value of the microsoft.com provider attached to your Firebase Auth users in their providerData. As long as you know the objectIds for your Microsoft users prior to their first logins, you can create Firebase Auth accounts in 2 steps via the Admin SDK (Example for Node JS):

  1. (Attempt to) create the user - possibly handling the case where users have already created an account in your application using their Microsoft account or another provider that shares the same email address as their Microsoft account, if you want to prevent this.

const user = await admin.auth().createUser({ email: userName }).catch((err) => {
    // TODO: decide how to handle an existing account. The Admin SDK rejects a
    // duplicate with code 'auth/email-already-exists'; either return
    // admin.auth().getUserByEmail(userName) to reuse that account, or rethrow
    // as done here, so that `user` is never undefined in the next step.
    throw err
})

  2. Link the microsoft.com provider, passing in the objectId as the uid for the 'microsoft.com' providerToLink, and add the rest of the user information

let updatedUser = await admin.auth().updateUser(user.uid, {
    displayName,
    emailVerified: true,
    disabled: active === false,       // Azure AD 'active' attribute maps to Firebase 'disabled'
    providerToLink: {
        providerId: 'microsoft.com',
        displayName,
        email: userName,
        uid: externalId // the Azure AD objectId, e.g. 8066569b-7203-4894-8552-4be01e28d2a2
    }
})

This setup can be used to create the POST /Users SCIM endpoint that supports provisioning from Azure AD into Firebase Auth. After creating a new enterprise app, just ensure that, in the attribute mappings for Users inside the provisioning configuration, the objectId attribute is mapped to something your endpoint will receive (e.g. externalId, as used above).

answered Oct 22 '25 by Ben Delaney
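The two steps of the answer combined into one provisioning routine, as an added example that is not part of the answer above and not Firebase's own code. It uses only Admin SDK calls that exist (createUser, getUserByEmail, updateUser with providerToLink, setCustomUserClaims) and handles the two failure modes the question ran into: a duplicate email (reuse the existing account instead of creating a second UID) and an account that is already linked to a different microsoft.com identity (refuse rather than relink). It also sets the role claims the question wants present at first sign-in. The `auth` object is injected, so in production you pass `admin.auth()`; `makeFakeAuth` is a constructed in-memory stand-in, included only so the example runs offline, and `provisionMicrosoftUser`, its option names and the sample identities are this example's own inventions.

```javascript
// Provision a Firebase Auth user for a known Azure AD account before its first sign-in.
// `auth` is a Firebase Admin SDK Auth instance (admin.auth()) or a compatible stand-in.
async function provisionMicrosoftUser(auth, { email, displayName, objectId, active = true, claims = {} }) {
  // Step 1: create the account, or reuse the one that already owns this email.
  // The Admin SDK rejects duplicates with code 'auth/email-already-exists'.
  let user;
  try {
    user = await auth.createUser({ email });
  } catch (err) {
    if (err.code !== 'auth/email-already-exists') throw err;
    user = await auth.getUserByEmail(email);
  }

  // Never silently rebind an account to a different Microsoft identity:
  // a mismatching objectId on an existing link is a provisioning error, not a retry.
  const existing = (user.providerData || []).find(p => p.providerId === 'microsoft.com');
  if (existing && existing.uid !== objectId) {
    throw new Error(`user ${user.uid} is already linked to a different microsoft.com identity`);
  }

  // Step 2: link microsoft.com with the objectId as the provider uid (skipped if already linked),
  // and apply the remaining profile fields. Azure AD 'active' maps to Firebase 'disabled'.
  const update = { displayName, emailVerified: true, disabled: active === false };
  if (!existing) {
    update.providerToLink = { providerId: 'microsoft.com', displayName, email, uid: objectId };
  }
  const updated = await auth.updateUser(user.uid, update);

  // Role claims set now are present in the ID token at the user's first sign-in.
  if (Object.keys(claims).length > 0) {
    await auth.setCustomUserClaims(updated.uid, claims);
  }
  return updated;
}

// Constructed in-memory stand-in for admin.auth(), mimicking only the calls used above.
function makeFakeAuth() {
  const users = new Map();
  let counter = 0;
  const byEmail = email => [...users.values()].find(u => u.email === email);
  const fail = (code) => { const e = new Error(code); e.code = code; return e; };
  return {
    users,
    async createUser({ email }) {
      if (byEmail(email)) throw fail('auth/email-already-exists');
      const u = { uid: `uid-${++counter}`, email, providerData: [], customClaims: {}, disabled: false };
      users.set(u.uid, u);
      return u;
    },
    async getUserByEmail(email) {
      const u = byEmail(email);
      if (!u) throw fail('auth/user-not-found');
      return u;
    },
    async updateUser(uid, { providerToLink, ...fields }) {
      const u = users.get(uid);
      if (!u) throw fail('auth/user-not-found');
      Object.assign(u, fields);
      if (providerToLink) u.providerData = [...u.providerData, providerToLink];
      return u;
    },
    async setCustomUserClaims(uid, claims) {
      users.get(uid).customClaims = claims;
    },
  };
}

// Stand-alone demo against the constructed stand-in (sample identity is made up);
// in production call provisionMicrosoftUser(admin.auth(), {...}) instead.
provisionMicrosoftUser(makeFakeAuth(), {
  email: 'alice@example.com',
  displayName: 'Alice Example',
  objectId: '00000000-0000-0000-0000-000000000001',
  claims: { role: 'editor' },
}).then(u => console.log(u.uid, u.providerData, u.customClaims)).catch(console.error);
```

Running the routine twice for the same email and objectId is idempotent (same UID, one provider link), which is what a SCIM POST /Users handler needs, since Azure AD retries provisioning requests.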