Azure Web app with AAD User without using Microsoft Account

    Question

  • Hi,

    Short question. Currently we have a Web app that is connected to our AAD. The app works fine as long as we use Microsoft accounts. But I was wondering if we could use a non-Microsoft account too.

    So we add (invite) a new user named "michel @ mailhoster . com" using AAD; the invited user accepts the email, and the AAD account will be set up as a Guest account. Next the user can access the Web app etc....

    Currently it looks like only Microsoft accounts (live.com / outlook / hotmail etc.) can use the invite, because when I use the "michel @ mailhoster . com" invite it always asks me to create a Microsoft account...

    Yes, I know of the other built-in authentication providers such as LinkedIn or Google etc., but at this moment we don't want to use these.

    Thanks for any response!

    Michel

    Monday, March 13, 2017 7:10 PM

All replies

  • Are you using Azure AD B2C?

    Are you talking about using an arbitrary email address (for example, joe@comcast.net, bob@gmail.com, sarah@contoso.com, or jim@live.com)? Could you elaborate more on your ask so we can assist you better?

    If possible, share the article you are referring to or a screenshot of where you get an invite option.

    Tuesday, March 14, 2017 3:55 PM
    Moderator
  • Hi,

    Yes, I want to create local accounts using arbitrary email addresses. We are not using B2C. I know we can do this using B2C, but I was wondering if we could do the same with AAD too?

    And next question: if we now create a user in AAD, this user can also go to portal.azure.com and log on. Is there a way to disable this? Will this also be using B2C?

    At this moment I can't add screenshots or links.

    Thanks,

    Michel

    Tuesday, March 14, 2017 4:05 PM
  • 1. It's not supported today on Azure AD without B2C.

    2. If you create a user in AAD, it will have permissions at the directory level, not at the subscription level. If you're an admin for the subscription, you can assign a permission to the user created in AAD to log in to the portal and access Azure resources under your subscription.

    See this link for details about admin roles - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-assign-admin-roles

    Wednesday, March 15, 2017 7:28 PM
    Moderator
  • Thanks,

    So B2C is the one to use. Okay.

    But for the Azure portal logon question: I was asking whether, using NO B2C, we could make it completely impossible for the user to log on to the Azure portal?

    And if not, will B2C have this option?

    Because it makes no sense that when I use AAD or B2C for creating users for my published application, the user could also log on to the Azure portal. I know they can't do anything, but it would be better if they just can't do it at all.

    Thanks,

    Michel


    Thursday, March 16, 2017 6:49 AM
  • First, this is not an Azure AD B2C question.

    Second, the answer is no, this cannot be prevented.

    A user created in an AAD tenant (like user@tenantname.onmicrosoft.com) can log in to the Azure portal and see nothing. This is true of AAD tenants and AAD B2C tenants when the user is created via the admin portal. I am not aware of any way to prevent this.

    A B2C user created with any email (B2C users are typically self-registered using a B2C journey) will NOT be able to log in to the Azure portal.

    Thursday, March 16, 2017 7:04 PM
  • A user created in an AAD tenant (like user@tenantname.onmicrosoft.com) can log in to the Azure portal and see nothing. This is true of AAD tenants and AAD B2C tenants when the user is created via the admin portal.

    A B2C user created with any email (B2C users are typically self-registered using a B2C journey) will NOT be able to log in to the Azure portal. They can also be created using Graph.

    Thursday, March 16, 2017 7:04 PM
    Moderator
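The last reply mentions that B2C local accounts with an arbitrary email can be created through Microsoft Graph. The following is an added example, not code from this thread or from Microsoft: it builds the `POST /users` request body for an ordinary Azure AD member user next to the body for a B2C local account, so the difference the thread is about is visible in the JSON. A member user's `userPrincipalName` must live under a domain verified in the tenant, which is why `michel@mailhoster.com` cannot be a plain AAD user; a B2C local account instead carries the email as a sign-in name inside the `identities` collection, and Graph assigns the UPN itself. The tenant names, the email address and the token are placeholders; the caller has to obtain a Graph token with `User.ReadWrite.All` for the B2C tenant out of band.

```python
"""Graph request bodies for an Azure AD member user versus an Azure AD B2C
local account. Example code written for this page, not Microsoft's.
Tenant names, email and token below are placeholders (assumptions)."""
import json
import re
import secrets
import string
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
SYMBOLS = "!#$%&*+-=?@^_"


def random_password(length: int = 24) -> str:
    """Initial password meeting Azure AD complexity rules (lower, upper,
    digit, symbol). Generated with the `secrets` module, never logged."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def aad_member_user(tenant_domain: str, alias: str, display_name: str, password: str) -> dict:
    """Plain directory user. The UPN is alias@<verified tenant domain>; an
    arbitrary external email cannot be used as the UPN here."""
    return {
        "accountEnabled": True,
        "displayName": display_name,
        "mailNickname": alias,
        "userPrincipalName": f"{alias}@{tenant_domain}",
        "passwordProfile": {"forceChangePasswordNextSignIn": True, "password": password},
    }


def b2c_local_account(b2c_tenant_domain: str, email: str, display_name: str, password: str) -> dict:
    """B2C local account: the arbitrary email is the sign-in name in
    `identities`; no userPrincipalName is sent (Graph generates one).
    B2C requires forceChangePasswordNextSignIn=false and password expiry
    disabled on local accounts."""
    if not EMAIL_RE.match(email):
        raise ValueError(f"not an email address: {email!r}")
    return {
        "accountEnabled": True,
        "displayName": display_name,
        "identities": [{
            "signInType": "emailAddress",
            "issuer": b2c_tenant_domain,
            "issuerAssignedId": email,
        }],
        "passwordProfile": {"forceChangePasswordNextSignIn": False, "password": password},
        "passwordPolicies": "DisablePasswordExpiration",
    }


def create_user(access_token: str, body: dict) -> dict:
    """POST the body to Graph. Token acquisition (client credentials against
    the B2C tenant, scope User.ReadWrite.All) is assumed to happen elsewhere."""
    req = urllib.request.Request(
        f"{GRAPH}/users",
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline demonstration: print both bodies for a constructed user.
    pw = random_password()
    print(json.dumps(aad_member_user("contoso.onmicrosoft.com", "michel", "Michel", pw), indent=2))
    print(json.dumps(b2c_local_account("contosob2c.onmicrosoft.com",
                                       "michel@mailhoster.com", "Michel", pw), indent=2))
    # create_user("<token>", body)  # network call, uncomment with a real token
```

Running the script prints both bodies without touching the network; only `create_user` talks to Graph. Note that the B2C body deliberately omits `userPrincipalName`: if you set it to the external email, Graph rejects the request because the domain is not verified in the tenant, which is the same constraint the original poster hit with the invite flow.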