尝试使用来自外部域的用户名更改本地Azure AD B2C用户的密码时出现错误AADSTS50034 [英] Error AADSTS50034 when attempting to change password for local Azure AD B2C users with a username from an external domain

问题描述

我正在为我的Angular 6前端应用程序开发Azure AD B2C，并使用Microsoft Graph API来更改传入的用户密码.我正在使用授权码流程获取access_token.

I am working on Azure AD B2C for my Angular 6 front-end App and consuming Microsoft Graph API in order to change the singed-in user's password. I am getting the access_token using the Authorization Code flow.

当用户具有类似xyz@myb2cname.onmicrosoft.com的用户名时，它工作正常，我得到一个access_token，然后调用https://graph.microsoft.com/v1.0/users/{id}/changePassword.

It works fine when the user has a username like xyz@myb2cname.onmicrosoft.com, I get an access_token and then call https://graph.microsoft.com/v1.0/users/{id}/changePassword.

但是，当我尝试对用户名如xyz@gmail.com或abc@hotmail.com的用户执行相同操作时，在获取access_token from授权码流(grant_type=password)时出现错误. 注意:这些用户是我的AAD B2C租户中的本地"帐户

But when I try to do the same for users with a username like xyz@gmail.com or abc@hotmail.com, I get an error when acquiring the access_token from Authorization Code flow (grant_type=password). Note: These users are "local" accounts in my AAD B2C tenant

以下是我收到的错误消息:

Following is the error message I get:

{
    "error": "invalid_grant",
    "error_description": "AADSTS50034: To sign into this application the account must be 
                          added to the myb2cname.onmicrosoft.com directory.
                          Trace ID: 8fcae061-5088-4393-9e5b-d0a83d1d0a00
                          Correlation ID: 0dc6c906-c54b-4cd8-ae8b-46f3f6118e40
                          Timestamp: 2018-08-01 06:16:55Z",
    "error_codes": [
        50034
    ],
    "timestamp": "2018-08-01 06:16:55Z",
    "trace_id": "8fcae061-5088-4393-9e5b-d0a83d1d0a00",
    "correlation_id": "0dc6c906-c54b-4cd8-ae8b-46f3f6118e40"
}

对于使用电子邮件身份提供商(登录-注册策略)登录的用户，其用户名看上去像xyz@myb2cname.onmicrosoft.com的xyz@gmail.com或abc@hotmail.com instead一样，我该如何呼叫changePassword?

How can I call changePassword for users who are signed in using the email identity provider (SignIn-SignUp Policy) when their username looks like xyz@gmail.com or abc@hotmail.com instead of xyz@myb2cname.onmicrosoft.com?

推荐答案

当外部用户登录您的AAD时，它不会使用传统密码创建传统用户，而是创建了来宾"用户.实际用户仍保留在原始AAD租户中，您的AAD租户仅存储该用户的占位符.

When an external user signs into your AAD, it does not create a traditional user with a traditional password, it creates a "guest" user. The actual user remains in the originating AAD tenant, your AAD tenant only stores a placeholder for that user.

您不能更改访客用户的密码，因为您的AAD实际上没有为该用户分配密码.您的AAD拥有授权(用户有权访问的权限)，但依赖于用户的AAD进行身份验证(用户就是他们声称的身份).

You cannot change a guest user's password since your AAD doesn't actually have a password assigned to that user. Your AAD holds the authorization (what the user has access to) but relies on the user's AAD for authentication (the user is who they claim to be).

这篇关于尝试使用来自外部域的用户名更改本地Azure AD B2C用户的密码时出现错误AADSTS50034的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！