Tags: azure, oauth, azure-active-directory, azure-ad-b2c, azure-ad-b2c-custom-policy

How can Azure AD B2C users invited via the Graph API sign up after accepting the invite?


I am setting up Azure Active Directory B2C for my new application. According to the requirements, I need to send an invite for the users to sign up, and only the invited users should be able to sign up. There doesn't seem to be an easy way to do this.

Currently, I send an invite to the user with the Azure Graph SDK[1]. This actually creates the user in the AD and sends an email with the invitation redeem URL to the user. Once the user clicks that, the invitation is redeemed and the user is sent to a redirect URL.

But the invitation is redeemed via an OTP, and the user does not get prompted to actually sign up. It looks like I have to redirect them to the public sign-up page again to sign up, which does not make any sense.

My requirement is for (only) the invited user to get directed to the sign-up page and complete the registration, which does not happen. How can I achieve this, and what is the point of accepting the invite and redeeming the invitation if it does not sign the user up? It would be important to do this without a custom policy, because this is a trivial use case.

Additional question: Once the invitation is redeemed, there doesn't seem to be a way to let my app know the invitation is redeemed. I was assuming the redirect URI would have some parameters which I could use to identify the user and update my app. But it doesn't seem to have any parameters either.

[1] https://learn.microsoft.com/en-us/graph/api/invitation-post


Solution

Short answer: you can't use the invitation API for B2C users.

Long answer:

The invitation API creates a B2B user, not a B2C user. Since Azure AD B2C tenants are also Azure AD tenants, they have this feature. It is meant to be used to invite administrators into the tenant so they can manage users, etc. But if you need a user that can sign in to your apps with B2C user flows/custom policies, you can't use the invitation API.

You'll need to customize the B2C flows to validate an invitation code (in the URL) and only then accept the sign-up. You can also use a signed JWT to input claims into a custom policy. You also need to send the email yourself.

I've only implemented something like this with custom policies, so I'm not sure if it'd be possible with regular user flows.

Example using B2C custom policies: https://github.com/azure-ad-b2c/samples/tree/master/policies/invite-via-email
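As an added illustration of the app-side half of that approach (example code, not from the answer or the linked sample): the application mints a signed, expiring, single-use invite code to embed in the link it emails, and validates it when the custom policy's sign-up step calls back to the app's REST endpoint with the code and the email being registered. `SERVER_KEY`, the function names, the `?invite=` parameter and the base URL are assumptions for this demo.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed demo secret; a real deployment would keep this in Key Vault.
SERVER_KEY = b"demo-only-invite-signing-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_invite(email: str, ttl_seconds: int = 7 * 24 * 3600, now: Optional[int] = None) -> str:
    """Return an opaque code binding a lower-cased email to an expiry and a random nonce."""
    now = int(time.time()) if now is None else now
    payload = {"email": email.lower(), "exp": now + ttl_seconds, "jti": secrets.token_urlsafe(16)}
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = _b64url(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def invite_url(base_sign_up_url: str, email: str) -> str:
    """Link to put in the invitation email the app sends itself (assumed query parameter)."""
    return f"{base_sign_up_url}?invite={mint_invite(email)}"


def validate_invite(code: str, email: str, redeemed: set, now: Optional[int] = None) -> Optional[dict]:
    """Check signature, expiry, email binding and single use; return the claims or None."""
    now = int(time.time()) if now is None else now
    parts = code.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    expected = _b64url(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):  # constant-time compare, before trusting the body
        return None
    claims = json.loads(_b64url_decode(body))
    if claims["exp"] < now or claims["email"] != email.lower() or claims["jti"] in redeemed:
        return None
    redeemed.add(claims["jti"])  # burn the nonce so the same link cannot be replayed
    return claims
```

The policy's validation technical profile would post `email` and the code to the app, which calls `validate_invite` and rejects the sign-up on `None`.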