Hi,
My Power Pages site is set up to use Azure AD authentication within my tenant -
Now, we do not want users to use the default registration method in the Power Pages site. Instead, they provide their profile information using a multistep form that records the first name, last name and email address in the Contact table.
Once an admin approves the contact record (by changing a status field), a Power Automate flow is called and a guest account is created for the user in our Azure AD. The user gets an email to set their password in Azure AD. All this is working fine.
We now want the user to use their Azure AD login to access the portal and connect to the existing contact record that was created. For this we made the following setting -
Also, we switched off the "Open Registration" option.
But, when the user then tries to login with the user id and password, we get this error -
But, this starts to work when "Open Registration" is turned on. This is an issue for us, as it now allows anyone in the Azure AD to log in. We only want the users who are in the Contact table and have a corresponding Azure AD guest account to be able to log in to the portal.
Any help is greatly appreciated.
If you want Open Registration off then you probably have 2 options:
Also, you could use the setting that enables mapping the person to the Contact record by email address, but in some cases this may be considered risky. It is in the advanced settings when you configure the identity provider for your Power Pages site; see "Contact mapping with email" here: https://learn.microsoft.com/en-us/power-pages/security/authentication/openid-provider#additional-settings-in-power-pages
I have requirements that are almost similar. Please find the site marker settings below. The settings below should work.
Maybe I did not explain clearly enough, but hiding the registration tab with javascript is not necessary.
If you link the contact record (the portal user) to the AD guest account by adding the external identity record, or checking that it is present, you can use the login without having the "Allow registration" setting active. Because it is set to false, the registration tab will not be rendered.
For now we have used a bad hack to hide the registration view using javascript.
We are pretty unhappy with the product, in that we have to write JavaScript (which end users can disable) to do even basic configuration.
<script type="text/javascript">
// Hack: hide the Register link on the sign-in page. This is only cosmetic;
// end users can disable JavaScript and the link is still served.
var link = document.querySelector('a[href="/Account/Login/Register?returnUrl=%2F"]');
// querySelector returns null when the link is not on the page (e.g. a user who is
// already signed in), so guard before touching the style.
if (link) {
  link.style.display = 'none';
}
</script>
If you create both the Azure AD account and the contact record, you could also create a linked external identity record, which is essentially what happens when open registration is enabled. As long as you set the correct username (the Object ID of the Azure AD user account) and identity provider (something like https://sts.windows.net/<tenant-id>), it should work.
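The two replies above describe the same procedure from both ends: check whether an external identity record already binds the contact to the Azure AD guest account, and if not, create one with the Object ID as the username and the tenant issuer as the identity provider. The following is an added example that is not code from the thread or from Microsoft. It builds the Dataverse Web API request an approval flow would send and decides, against a constructed set of existing rows, whether to create, skip or flag a conflict. Assumptions not confirmed by the thread: the table and column names adx_externalidentity, adx_username, adx_identityprovidername, the lookup value column _adx_contactid_value and the navigation property adx_ContactId; the /api/data/v9.2 base path; and the exact provider string, which should be copied from a row that Power Pages created while Open Registration was on, since the stored value must match character for character (including the trailing slash). Nothing is sent over the network.

```python
import uuid
from typing import Optional

# Assumed: copy the exact string Power Pages stores for this provider from an
# existing adx_externalidentity row; the v1 Azure AD issuer has a trailing slash.
PROVIDER_TEMPLATE = "https://sts.windows.net/{tenant_id}/"
API_BASE = "/api/data/v9.2"  # assumed Dataverse Web API version path


def _guid(value, what: str) -> str:
    """Return the canonical lowercase GUID or raise ValueError."""
    try:
        return str(uuid.UUID(str(value)))
    except ValueError:
        raise ValueError(f"{what} must be a GUID, got {value!r}")


def is_object_id(value) -> bool:
    """True only for a GUID; a UPN such as user@contoso.com is rejected, because
    Power Pages matches adx_username against the token's Object ID, not the UPN."""
    try:
        _guid(value, "object id")
        return True
    except ValueError:
        return False


def provider_name(tenant_id: str) -> str:
    return PROVIDER_TEMPLATE.format(tenant_id=_guid(tenant_id, "tenant id"))


def find_existing(rows, object_id: str, provider: str) -> Optional[dict]:
    """Find a row already bound to this Azure AD account. Comparison is
    case-insensitive and ignores a trailing slash on the provider."""
    oid = _guid(object_id, "object id")
    prov = provider.rstrip("/").lower()
    for row in rows:
        if (row.get("adx_username", "").lower() == oid
                and row.get("adx_identityprovidername", "").rstrip("/").lower() == prov):
            return row
    return None


def build_create_request(contact_id: str, object_id: str, tenant_id: str) -> dict:
    """The POST that creates the link; body is a dict ready for json.dumps."""
    body = {
        "adx_username": _guid(object_id, "object id"),
        "adx_identityprovidername": provider_name(tenant_id),
        # assumed navigation property for the Contact lookup
        "adx_ContactId@odata.bind": f"/contacts({_guid(contact_id, 'contact id')})",
    }
    return {"method": "POST", "url": f"{API_BASE}/adx_externalidentities", "body": body}


def plan_link(existing_rows, contact_id: str, object_id: str, tenant_id: str):
    """Decide what the approval flow should do: ("create", request),
    ("skip", row) when the link exists, or ("conflict", row) when the same
    Azure AD account is already bound to a different contact."""
    row = find_existing(existing_rows, object_id, provider_name(tenant_id))
    if row is None:
        return "create", build_create_request(contact_id, object_id, tenant_id)
    bound_to = row.get("_adx_contactid_value", "").lower()  # assumed lookup value column
    if bound_to != _guid(contact_id, "contact id"):
        return "conflict", row
    return "skip", row


# Constructed sample data (not real tenants, contacts or users).
TENANT = "11111111-2222-3333-4444-555555555555"
CONTACT = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
GUEST_OID = "0f8fad5b-d9cb-469f-a165-70867728950e"
EXISTING_ROWS = [  # as returned by GET .../adx_externalidentities?$select=...
    {
        "adx_externalidentityid": "99999999-8888-7777-6666-555555555555",
        "adx_username": GUEST_OID.upper(),  # Dataverse may hold mixed case
        "adx_identityprovidername": "https://sts.windows.net/" + TENANT + "/",
        "_adx_contactid_value": CONTACT,
    },
]

if __name__ == "__main__":
    print(plan_link([], CONTACT, GUEST_OID, TENANT))
    print(plan_link(EXISTING_ROWS, CONTACT, GUEST_OID, TENANT))
    print(is_object_id("guest_user@contoso.com"))
```

The "conflict" branch is the security-relevant check: if an Azure AD account is already linked to another contact, silently creating a second link or re-pointing the existing one would let that account act as two portal users, so the flow should stop and notify an admin rather than proceed.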