SSO using Azure AD B2C

I’m setting up a website that will use Azure AD B2C for user registration and authentication. I’ve set up two web applications (MVC.NET applications) for testing and confirmed that SSO works as expected between them. Now I want to configure Grafana to also use the same B2C tenant to enable SSO between the web app and Grafana.

I’ve followed the guide in Configure generic OAuth2 authentication | Grafana documentation to get it working with Azure AD, but it doesn’t seem to integrate nicely with AD B2C. Users that I have created in my B2C tenant are not available. I get the following error from Azure AD when I try to log in with one of my local B2C users:

AADSTS50020: User account ‘’ from identity provider ‘live.com’ does not exist in tenant ‘’ and cannot access the application ‘’() in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

This is the config I tried:

[auth.generic_oauth]
name = Azure AD
enabled = true
allow_sign_up = false
client_id = <app-id>
client_secret = <client-secret>
scopes = openid profile
auth_url = https://login.microsoftonline.com/<tenant>.onmicrosoft.com/oauth2/authorize
token_url = https://login.microsoftonline.com/<tenant>.onmicrosoft.com/oauth2/token
api_url = 
team_ids =
allowed_organizations =

So instead I thought I’d try to use the B2C endpoints with the following configuration:

[auth.generic_oauth]
name = Azure AD
enabled = true
allow_sign_up = false
client_id = <app-id>
client_secret = <client-secret>
scopes = openid profile
auth_url = https://<tenant>.b2clogin.com/<tenant>.onmicrosoft.com/b2c_1_<policy>/oauth2/v2.0/authorize
token_url = https://<tenant>.b2clogin.com/<tenant>.onmicrosoft.com/b2c_1_<policy>/oauth2/v2.0/token
api_url = 
team_ids =
allowed_organizations =

Running this brings me to the login screen and it seems that I can log in, but after the login, when I get redirected to /login/generic_oauth, I get a login.OAuthLogin(NewTransportWithCode) error.

Checking the Grafana logs reveals this error:
t=2019-11-29T14:48:11+0100 lvl=eror msg=login.OAuthLogin(NewTransportWithCode) logger=context userId=0 orgId=0 uname= error="oauth2: server response missing access_token"

So it seems like I can’t really use the B2C interface from Grafana. I’ve spent several hours now trying to get to the root of this but it’s really confusing.

Does anyone know what the problem is, or if there is some other strategy to achieve what I’m trying to do? Using Azure AD B2C is pretty much a requirement since this will integrate with our other Azure services and this will be a user-facing website with potentially thousands of external users. I’d really appreciate some help, or else we might have to go with a totally different solution.

Did you find any solution on this? I’m having the exact same error.

This is what I’m running now and it works for me:

[auth.generic_oauth]
name = Azure AD
enabled = true
allow_sign_up = true
client_id = <client id>
client_secret = <client secret>
scopes = openid profile <URL to API permission configured in B2C>
auth_url = https://<your tenant>.b2clogin.com/<your tenant>.onmicrosoft.com/<sign_in_policy>/oauth2/v2.0/authorize
token_url = https://<your tenant>.b2clogin.com/<your tenant>.onmicrosoft.com/<sign_in_policy>/oauth2/v2.0/token
email_attribute_path = emails[0]

Thanks for the input.
It seems the part that I was missing was the email_attribute_path = emails[0].
In the scopes I tried to use the URL but it didn’t work for me. I used the client_id instead and it worked perfectly.

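The reason email_attribute_path = emails[0] is the missing piece is that Azure AD B2C returns the user's address as an array claim named emails rather than a scalar email claim, and Grafana evaluates email_attribute_path as a JMESPath expression over the returned claims. The script below is an added example, not code from any post in this thread or from Grafana; it builds a constructed, unsigned ID token with a B2C-style claim set and shows that the path email resolves to nothing while emails[0] resolves to the address. The path resolver is a minimal stand-in for JMESPath (identifiers, dotted keys and numeric indexes only), and the decoder inspects the payload without validating the signature, which is fine for checking claim names but never for accepting a login.

```python
import base64
import json
import re
from typing import Any, Optional

# Constructed sample of the claim set Azure AD B2C places in an ID token.
# The address lives in an "emails" array; there is no scalar "email" claim.
SAMPLE_B2C_CLAIMS = {
    "iss": "https://example.b2clogin.com/00000000-0000-0000-0000-000000000000/v2.0/",
    "sub": "11111111-1111-1111-1111-111111111111",
    "name": "Example User",
    "emails": ["user@example.com"],
    "tfp": "B2C_1_signin",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the "=" padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_unsigned_jwt(claims: dict) -> str:
    # Builds a JWT with an empty signature purely as test input; a real B2C
    # token is RS256-signed and must be verified against the tenant's JWKS.
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_jwt_claims(token: str) -> dict:
    # Payload decode only, for seeing which claims a provider returns.
    # This does NOT validate the signature, issuer, audience or expiry.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


_PATH_TOKEN = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)|\[(\d+)\]")


def resolve_attribute_path(claims: dict, path: str) -> Optional[Any]:
    """Resolve a path such as "email", "emails[0]" or "profile.email".

    Grafana evaluates email_attribute_path with JMESPath; this is a minimal
    stand-in (identifiers, dotted keys, numeric indexes) that is enough to
    show why "emails[0]" works against B2C claims while "email" does not.
    Returns None when any step of the path is missing.
    """
    current: Any = claims
    pos = 0
    while pos < len(path):
        if path[pos] == ".":
            pos += 1
            continue
        m = _PATH_TOKEN.match(path, pos)
        if not m:
            raise ValueError(f"unsupported path syntax at {path[pos:]!r}")
        key, index = m.group(1), m.group(2)
        if key is not None:
            if not isinstance(current, dict) or key not in current:
                return None
            current = current[key]
        else:
            i = int(index)
            if not isinstance(current, list) or i >= len(current):
                return None
            current = current[i]
        pos = m.end()
    return current


def email_from_id_token(token: str, attribute_path: str) -> Optional[str]:
    # Mirrors what Grafana does with email_attribute_path: resolve the path
    # over the claims and use the result only if it is a string.
    value = resolve_attribute_path(decode_jwt_claims(token), attribute_path)
    return value if isinstance(value, str) else None


if __name__ == "__main__":
    token = build_unsigned_jwt(SAMPLE_B2C_CLAIMS)
    print("email     ->", email_from_id_token(token, "email"))      # None
    print("emails[0] ->", email_from_id_token(token, "emails[0]"))  # user@example.com
```

Running the script shows the asymmetry directly: with the default (empty) email_attribute_path Grafana finds no usable email in a B2C token and the login fails, while emails[0] yields the address. The same decode-and-inspect step is a quick way to confirm what claims a given sign-in policy actually emits before editing grafana.ini.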