I would like to pre-register a limited number of users which can use my application. These are the requirements:
Now I'm having trouble getting all requirements fulfilled together.
I was able to preregister @app.onmicrosoft.com users in the Azure Portal. But since the user can't get emails on @app.onmicrosoft.com, a password-reset-policy would not make sense. I tried to specify alternate-email and a phone number in the user-profile, but unfortunately the password-reset-policy is not using it for verification.
Let's say I create a sign-up policy: This is nice - the user chooses his own email. Password resetting would also work. However, I can't control who's signing up and getting valid access tokens. In the portal, under Enterprise Applications, I found my registered application (All Applications) where I can set an option "User assignment required?" to true. But this does not seem to work in the B2C context, right? I expected that until I assign a user to this application, the user is not getting a token on sign-in, but this wasn't the case. Here I found a similar question about creating users. Any advice on creating users including passwords etc. using Microsoft Graph (since it's recommended to use it over Graph API)?
I also tried to invite users as guests. They have to create a Microsoft account, resetting passwords would be solved through Microsoft, but unfortunately, no redirect to Microsoft login happens after entering the Microsoft account email address.
Deleting the signup policy after initial registration is a bad option if more users have to be onboarded.
Ideally, I would like to preregister users as if they signed up on their own - but with no signup policy.
Any advice? What am I missing?
You can implement the activation/invitation scenario that is described here and implemented here.
This scenario activates/invites a new user by creating/pre-registering a local account in the Azure AD B2C directory through the Azure AD Graph and then sending a signed redemption link to the email address for this local account.
This redemption link directs the new user to the Password Reset policy.
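The signed redemption link from the answer above, sketched as an added example (not part of the original answer and not the linked sample's code). It assumes an HMAC-SHA256 token carrying the invited email and an expiry; `SIGNING_KEY`, `REDEEM_URL`, the `token` parameter and both function names are hypothetical, and the application is assumed to start the Password Reset policy only after verification succeeds.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: constructed demo key; a real deployment loads it from a secret store.
SIGNING_KEY = b"constructed-demo-key-do-not-use"
# Hypothetical application endpoint that verifies the link before starting the policy.
REDEEM_URL = "https://app.example.com/redeem"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(payload: str) -> str:
    return _b64(hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest())

def make_redemption_link(email, ttl_seconds=86400, now=None):
    """Build the link mailed to a pre-registered local account."""
    issued = int(time.time() if now is None else now)
    claims = {"email": email.lower(), "exp": issued + ttl_seconds}
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    return REDEEM_URL + "?" + urlencode({"token": payload + "." + _sign(payload)})

def verify_redemption_link(url, now=None):
    """Return the invited email, or None if the link is forged, altered or expired."""
    token = parse_qs(urlparse(url).query).get("token", [""])[0]
    payload, _, sig = token.partition(".")
    # Compare as bytes in constant time; check the signature before parsing anything.
    if not payload or not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return None
    try:
        claims = json.loads(_unb64(payload))
    except ValueError:
        return None
    if (time.time() if now is None else now) >= claims["exp"]:
        return None
    return claims["email"]
```

Only an email returned by `verify_redemption_link` should be passed on to the Password Reset policy, so an address that was never pre-registered cannot start the flow with a self-made link.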
Currently creating users in a B2C tenant with a "local account" is not supported in Microsoft Graph. For this you'll need to use Azure AD Graph for now (see creating a user with a local account). Please see this blog post for details and line item 12 in the table.
We hope to add this capability as soon as we can to Microsoft Graph.
Hope this helps,