
Comments (11)

dominicusmento commented on July 21, 2024

Thanks for the answer. I've managed to make it work. Yes, you are right. It needs to have UsePolicyInRedirectUri set to false. I didn't change my reply urls so I think that the mentioned error is shown where the reply url has nothing in common with the error and does not cause it.

from active-directory-b2c-advanced-policies.

parakhj commented on July 21, 2024

@rojasja for awareness

We do not support multi-tenant apps or the /common endpoint. I would recommend requesting the feature here to help us prioritize it.


dominicusmento commented on July 21, 2024

According to this: active-directory-b2c-advanced-policies/Walkthroughs/IdP-AzureAD.md
it is supported. However, when I set it up, I get an error: AADSTS50011: Reply address '' specified by the request is not a valid URL. Allowed schemes: '*' although the reply URLs have been configured and set to:
https://login.microsoftonline.com/(B2Ctenant).onmicrosoft.com and https://login.microsoftonline.com/te/(B2Ctenant).onmicrosoft.com/oauth2/authresp
I also want to emphasize that this was working last Friday (15th of September 2017). I didn't change custom policy configuration at all and it didn't work anymore on Monday.
May I have an official confirmation that MultiTenant B2C custom policy still can't be configured or any hint about this error?


monty-dev commented on July 21, 2024

@tomidix we have been using multi-tenant auth for a while now and it does work. Perhaps share the configuration of your technical profile


dominicusmento commented on July 21, 2024

@monteledwards here is the whole ClaimsProvider, App to which TechnicalProfile is referenced is created on portal.azure.com -> AD B2C -> Applications (not on identity.microsoft.com nor apps.dev.microsoft.com; I tried applications from there too but they didn't work either).
The login process starts normally, the user logs in OK, on the first run the user consent is invoked, and after that there is the error which I mentioned in my previous post.

<ClaimsProvider>
  <Domain>MultiTenant</Domain>
  <DisplayName>Login using Azure AD</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="MultiTenantProfile">
      <DisplayName>AzureADAccount</DisplayName>
      <Description>Organizational or Microsoft Account</Description>
      <Protocol Name="OpenIdConnect"/>
      <OutputTokenFormat>JWT</OutputTokenFormat>
      <Metadata>
        <Item Key="DiscoverMetadataByTokenIssuer">true</Item>
        <Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/</Item>
        <Item Key="authorization_endpoint">https://login.windows.net/common/oauth2/v2.0/authorize</Item>
        <Item Key="client_id">{AppID}</Item>
        <!-- AppID from B2C tenant's WebApp Application -->
        <Item Key="IdTokenAudience">{AppID}</Item>
        <Item Key="BearerTokenTransmissionMethod">AuthorizationHeader</Item>
        <Item Key="scope">openid profile</Item>
        <Item Key="HttpBinding">POST</Item>
        <Item Key="response_types">id_token</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="B2C_1A_MultiTenantSignInKey"/>
        <!-- AppSecret from B2C tenant's WebApp Application, saved to policy keys in Azure -->
      </CryptographicKeys>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="oid"/>
        <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid"/>
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
        <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" />
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="contosoAuthentication" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="AzureADContoso" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId"/>
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop"/>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>


monty-dev commented on July 21, 2024

The application that is to be configured in your technical profile needs to be registered as a regular AAD application. I recommend you start over using the guide here
https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-aad-custom

Verify that you can sign in to your own tenant, and then switch the configuration over to multi-tenant by enabling the app to be multi-tenant, and then update your TP configuration


dominicusmento commented on July 21, 2024

I did that before and got an error: AADSTS70001: Application 'AppId' is not supported for this API version.
I didn't try at all to use MultiTenant v1 for TP config because we have to use MSAL, so only v2 plays a role for us. Do you use MultiTenant v1 or v2?
Now I tried to create new, converged (v2) app in the regular Azure AD of my regular tenant (not b2c tenant) but it finished with the same error as before: AADSTS50011: Reply address '' specified by the request is not a valid URL. Allowed schemes: '*'

Verify that you can sign in to your own tenant...

I can do that, this works and I have no problem with this step. Only the multi-tenant doesn't work.

Thanks for your help!


gsacavdm commented on July 21, 2024

This error:

AADSTS50011: Reply address '' specified by the request is not a valid URL. Allowed schemes: '*'

Is a bug on the AAD side that hides the real error which is that your reply URLs don't match.
I would double check that the reply URL on the AAD side (the v1 multi-tenant app, not the B2C app).

Also, double check that you are setting:

<Item Key="UsePolicyInRedirectUri">false</Item>

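The posted ClaimsProvider and the fix above come down to one question: does the redirect_uri that B2C sends to the upstream Azure AD app exactly equal one of that app's registered reply URLs? This added script (not from the thread or the Azure AD B2C project) derives the redirect_uri from a technical profile's Metadata and checks it against a registered list, with and without `UsePolicyInRedirectUri` set to false. It assumes that an absent `UsePolicyInRedirectUri` behaves like `true` (the policy id is inserted into the path), and the tenant, policy name and reply URLs are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample values; shaped like the thread's setup, not taken from it.
TENANT = "contosob2c.onmicrosoft.com"
POLICY = "B2C_1A_signup_signin"
REGISTERED_REPLY_URLS = [
    "https://login.microsoftonline.com/contosob2c.onmicrosoft.com",
    "https://login.microsoftonline.com/te/contosob2c.onmicrosoft.com/oauth2/authresp",
]
# Metadata block trimmed from the posted MultiTenantProfile (no UsePolicyInRedirectUri item).
POSTED_METADATA = """<Metadata>
  <Item Key="authorization_endpoint">https://login.windows.net/common/oauth2/v2.0/authorize</Item>
  <Item Key="client_id">{AppID}</Item>
  <Item Key="response_types">id_token</Item>
</Metadata>"""
# Same block with the fix gsacavdm suggests.
FIXED_METADATA = POSTED_METADATA.replace(
    "</Metadata>", '  <Item Key="UsePolicyInRedirectUri">false</Item>\n</Metadata>')


def metadata_items(metadata_xml):
    """Parse the <Item Key="..."> elements of a Metadata block into a dict."""
    root = ET.fromstring(metadata_xml)
    return {i.get("Key"): (i.text or "").strip() for i in root.iter("Item")}


def expected_redirect_uri(tenant, policy, items):
    """redirect_uri B2C sends to the upstream IdP. Assumption: a missing
    UsePolicyInRedirectUri behaves like true, so the policy id is inserted."""
    use_policy = items.get("UsePolicyInRedirectUri", "true").lower() == "true"
    base = f"https://login.microsoftonline.com/te/{tenant}/"
    return base + (f"{policy}/oauth2/authresp" if use_policy else "oauth2/authresp")


def reply_url_matches(redirect_uri, registered):
    """Exact (case-insensitive) match only: a near miss is still a mismatch,
    even though AADSTS50011 reports the reply address as an empty string."""
    return redirect_uri.lower() in {u.lower() for u in registered}


def diagnose(metadata_xml):
    """Return (redirect_uri that would be sent, whether it is registered)."""
    uri = expected_redirect_uri(TENANT, POLICY, metadata_items(metadata_xml))
    return uri, reply_url_matches(uri, REGISTERED_REPLY_URLS)


if __name__ == "__main__":
    for label, xml in (("posted", POSTED_METADATA), ("with fix", FIXED_METADATA)):
        uri, ok = diagnose(xml)
        print(f"{label:9s}{'match' if ok else 'MISMATCH'}  {uri}")
```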

nileshanchan commented on July 21, 2024

I am using custom policy which is integrated with B2B and B2C as per link https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-aad-custom. I am able to get the username and email from B2B users after adding

in the relying party, but not able to get all the user details for B2C users.


monty-dev commented on July 21, 2024


TiagoBrenck commented on July 21, 2024

@parakhj is the multi-tenant scenario still not available in B2C?
