We have an OpenID connect in identity providers to authenticate AD users in ADB2C domain on UI. We created ADB2C users with temp password using graph before. But now I need to create a federated user who will be able to sign in using AD credentials. We also removed sign-up flow and left only sign-in as we want only create users via graph. I have the following code:
var newUser = new User
{
AccountEnabled = true,
DisplayName = user.DisplayName,
GivenName = user.FirstName,
Surname = user.Surname,
Mail = user.Email,
MobilePhone = user.Telephone,
PasswordProfile = new PasswordProfile
{
ForceChangePasswordNextSignIn = true,
Password = PasswordGenerator.GeneratePassword(16),
},
Identities = new List<ObjectIdentity>
{
new ObjectIdentity
{
SignInType = "federated",
Issuer = "https://login.microsoftonline.com/<AD TENANT>/v2.0",
IssuerAssignedId = "<USER'S OBJECT ID FROM AD>",
}
},
AdditionalData = new Dictionary<string, object>
{
{ "IsAdmin", user.IsAdmin },
},
CreationType = null
};
var res = await _graphClient.Users.PostAsync(newUser);
But when I clicked 'sign in with AD' on UI and entered AD user's credentials, I got the following error: AADB2C99002: User does not exist. Please sign up before you can sign in.
Basically when you configure the identity provider in B2C, you specify the claim that will be used to identify the user. By default in OpenID Connect it is the "sub" (subject) claim. If possible, you could change it to use "oid" (object ID) claim instead. You can read about their differences here: https://learn.microsoft.com/en-us/azure/active-directory/develop/id-token-claims-reference#payload-claims.