Federation vs sign-up vs guest in Azure AD B2C

Rory Braybrook
The new control plane
2 min read · Jun 14, 2024

[Image: three robots, one each for federation, sign-up and guest. Designed by Copilot]

I’ve answered a few questions lately about this over on Stack Overflow.

Guest accounts

B2C has no concept of a guest account, and you cannot invite users (in the sense of sending an email invitation). The invite option in the portal is only for creating another admin.

Federation

This is where a user clicks a button on the login screen and logs in to another Entra ID tenant or another IDP.

You can do this with OIDC or SAML 2.0.

This creates a “shadow account” in B2C, i.e. an account referenced by alternativeSecurityId rather than objectId.

If you click the Identities link in the user record, you see something like:

    "identities": [
        {
            "signInType": "federated",
            "issuer": "https://sts.windows.net/123456/",
            "issuerAssignedId": "2ce...588"
        },
        {
            "signInType": "userPrincipalName",
            "issuer": "tenant.onmicrosoft.com",
            "issuerAssignedId": "cpim_2e7...561@tenant.onmicrosoft.com"
        }
    ],

So, you have a federated identity and a created UPN identity.

These users cannot “sign up” as a local user by clicking a B2C sign-up link because they are managed in the federated tenant (e.g., MFA, password), not in B2C.
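As an added example (not from the post or from Microsoft), here is a small Python audit over the Graph identities collection shown above: it classifies each B2C user as federated (a shadow account whose password and MFA live in the home tenant), local, or UPN-only, and pulls the home tenant id out of an Entra ID issuer. The sample users, the classification labels and the "mixed" case are constructed for this example; the signInType values are the ones Microsoft Graph uses.

```python
import json
from collections import Counter
from typing import Optional
from urllib.parse import urlparse

# signInType values Microsoft Graph uses for credentials that B2C itself stores
LOCAL_SIGN_IN_TYPES = {"emailAddress", "userName"}
# Constructed sample of what Graph returns for three B2C users; shape follows the post, values are made up.
SAMPLE_USERS = json.loads("""[
 {"displayName": "fed-user", "identities": [
   {"signInType": "federated", "issuer": "https://sts.windows.net/123456/", "issuerAssignedId": "sub-aaa111"},
   {"signInType": "userPrincipalName", "issuer": "tenant.onmicrosoft.com", "issuerAssignedId": "cpim_1@tenant.onmicrosoft.com"}]},
 {"displayName": "local-user", "identities": [
   {"signInType": "emailAddress", "issuer": "tenant.onmicrosoft.com", "issuerAssignedId": "joe@example.com"},
   {"signInType": "userPrincipalName", "issuer": "tenant.onmicrosoft.com", "issuerAssignedId": "cpim_2@tenant.onmicrosoft.com"}]},
 {"displayName": "portal-admin", "identities": [
   {"signInType": "userPrincipalName", "issuer": "tenant.onmicrosoft.com", "issuerAssignedId": "admin@tenant.onmicrosoft.com"}]}
]""")

def entra_tenant_id(issuer: str) -> Optional[str]:
    """Tenant id from an Entra ID issuer (https://sts.windows.net/<tid>/ or
    https://login.microsoftonline.com/<tid>/v2.0); None for any other IDP."""
    u = urlparse(issuer)
    if u.scheme == "https" and u.netloc in {"sts.windows.net", "login.microsoftonline.com"}:
        parts = [p for p in u.path.split("/") if p]
        return parts[0] if parts else None
    return None

def classify(user: dict) -> dict:
    """Say where a B2C user is actually managed, judging only by its identities."""
    ids = user.get("identities", [])
    federated = [i for i in ids if i.get("signInType") == "federated"]
    local = [i for i in ids if i.get("signInType") in LOCAL_SIGN_IN_TYPES]
    if federated and local:
        kind = "mixed"       # shadow identity plus a local credential: worth a second look
    elif federated:
        kind = "federated"   # password and MFA live in the home tenant, not in B2C
    elif local:
        kind = "local"       # signed up through the B2C sign-up link
    else:
        kind = "upn-only"    # e.g. an admin created in the portal
    tenants = {entra_tenant_id(i["issuer"]) for i in federated}
    return {"displayName": user.get("displayName"), "kind": kind,
            "issuers": sorted({i["issuer"] for i in federated}),
            "home_tenants": sorted(t for t in tenants if t)}

def inventory(users: list) -> dict:
    """Count users per kind, to check the expected mix of federated and local accounts."""
    return dict(Counter(classify(u)["kind"] for u in users))
```

Run it against the output of a Graph `GET /users?$select=displayName,identities` call to see which accounts your B2C tenant actually controls and which home tenants it trusts.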

There is a list of supported IDPs here.

For an IDP not in the list, use the generic identity provider using OIDC.

You need a separate identity provider (user flow) or a separate technical profile (custom policy) for each federation.

Or, for custom policies, you could use Home Realm Discovery.

If the federated IDP is Entra ID, the user will sign in with a domain-joined account, e.g. joe@tenant.microsoft.com.

If the user has a Microsoft account (MSA / Windows Live), use this IDP. These accounts are not domain-joined, e.g. joe@some-smtp-provider.com.

Sign up

The only way in B2C for the user to sign up is from the B2C login screen.

[Image: the B2C login screen showing “Don’t have an account. Sign up now”]

All good!


NZ Microsoft Identity dude and MVP. Azure AD/B2C/ADFS/Auth0/identityserver. Stack Overflow: https://bit.ly/2XU4yvJ Presentations: http://bit.ly/334ZPt5