问题
I am working on Azure AD B2C for my Angular 6 front-end App and consuming Microsoft Graph API in order to change the singed-in user's password. I am getting the access_token using the Authorization Code flow.
It works fine when the user has a username like xyz@myb2cname.onmicrosoft.com, I get an access_token and then call https://graph.microsoft.com/v1.0/users/{id}/changePassword.
But when I try to do the same for users with a username like xyz@gmail.com or abc@hotmail.com, I get an error when acquiring the access_token from Authorization Code flow (grant_type=password). Note: These users are "local" accounts in my AAD B2C tenant
Following is the error message I get:
{
"error": "invalid_grant",
"error_description": "AADSTS50034: To sign into this application the account must be
added to the myb2cname.onmicrosoft.com directory.
Trace ID: 8fcae061-5088-4393-9e5b-d0a83d1d0a00
Correlation ID: 0dc6c906-c54b-4cd8-ae8b-46f3f6118e40
Timestamp: 2018-08-01 06:16:55Z",
"error_codes": [
50034
],
"timestamp": "2018-08-01 06:16:55Z",
"trace_id": "8fcae061-5088-4393-9e5b-d0a83d1d0a00",
"correlation_id": "0dc6c906-c54b-4cd8-ae8b-46f3f6118e40"
}
How can I call changePassword for users who are signed in using the email identity provider (SignIn-SignUp Policy) when their username looks like xyz@gmail.com or abc@hotmail.com instead of xyz@myb2cname.onmicrosoft.com?
回答1:
When an external user signs into your AAD, it does not create a traditional user with a traditional password, it creates a "guest" user. The actual user remains in the originating AAD tenant, your AAD tenant only stores a placeholder for that user.
You cannot change a guest user's password since your AAD doesn't actually have a password assigned to that user. Your AAD holds the authorization (what the user has access to) but relies on the user's AAD for authentication (the user is who they claim to be).
回答2:
It is the expected behavior. You need to understand AD clearly before implementing it.
In Azure AD, to authenticate a user against a Directory, the user should be a part the Active Directory. The users, who are not a part of the Active Directory will not be authenticated. The token gets generated only when the user is authenticated.
Trying to generate a token for a user who is not a part of the Active Directory is similar to logging into Azure Portal with a invalid user account.
回答3:
You can't change passwords for local account users using the Microsoft Graph API because, currently, an Azure AD B2C application can't be registered with the Microsoft Application Registration Portal and, therefore, it can't be used with the Microsoft Graph API.
You should change passwords for local account users using a custom policy.
This means the Azure AD B2C application doesn't have to collect either the current or new passwords for users.
回答4:
I ran in the same situation where I was able to create and update the user in AZURE AD-B2C but not able to delete or reset the password. Because Currently, the Read and write directory data permission does NOT include the ability to delete users or update user passwords
Configure delete or update password permissions for your application
To archive this I had to follow the above link and it worked like a charm.
来源:https://stackoverflow.com/questions/51627004/error-aadsts50034-when-attempting-to-change-password-for-local-azure-ad-b2c-user