I want to create Azure AD B2C Signup flow that accepts a phone number and password. I don't want to enforce phone number verification.
I also want to create a login flow that accepts the phone number and password.
Please how can I create these kind of signup and login user flows?
I have tried to modify the existing user flows, but it seems there is no way to remove the phone number verification.
I have been looking at the Identity Experience Framework and I can't find a documentation for phone signup or login using Identity Experience Framework.
For phone signup and signin using Identity Experience framework you can refer https://github.com/azure-ad-b2c/samples/tree/master/policies/signup-signin-with-phone-number
There is no direct way to skip the phone verification step. However, you can bypass the SMS code for a specific phone as mentioned here.
Related
We have below requirement:
We are creating B2C users (with random password) using Graph API from our Asp.Net Core Web API.
We want to send welcome email to the user along with some link so that user can directly launch the "Password Reset" page and then can login to his application after setting the password.
As per my research, Different Solutions and their cons:
User login and follow the forgot password journey from login but that's bit annoying for new users. How would they know that they have to follow forgot password journey on 1st login.
Implement "Forced to reset password on 1st Login" policy - but for this policy, user should know his initial password.
Using REST API - we can't use REST api in custom policy as we are creating user using Graph API.
Is there any better way to send email to user on creation(using graph API)?
Any help is much appreciated.
Thanks in advance,
Anu
You can send out an "invite" link via email after creating the account via Graph API, which, when the user opens from their inbox, they can use it to set a new password at AAD B2C, and are immediately logged in to the app once completed (or you can do other things in the journey if you like).
This uses the id_token_hint concept demonstrated here.
I am developing an app in flutter that uses Azure AD B2C phone factor as signin/signup, and that part of it Works fine.
But as i have to submit my app to the app store and google play, i need to create some kind of static "guest" login for the testers to use, so that they dont need to user their own phone number and verify it that way through.
But i cant find Any solution to this.
Has anyone had the same issue or are using azure adb2c phone factor as login and found a way to solve the problem?
As its the only way of logging into the app, it is crucial to get working before i can get the app reviewed.
Thanks.
Currently phone factor mock out is not possibile. You can build your own to allow TOTP (Phone App) and Fido2 authenticators.
Please raise user voice feedback. This will help the product team evaluates such feature.
Using Azure AD B2C with 'Email' specified for the user id.
I've tested the 'Sign up' and 'Sign up v2' user flows in Azure AD B2C. Both of these require the user to verify their email address by sending/entering a verification code. I've enabled MFA for both of these flows, so the mobile number needs to get verified as well.
The product guys have asked if its possible for email verification to be done asynchronously e.g. an email getting sent to the user, but they can verify this (e.g. via a hyperlink in the email) in their own time without having to enter a verification code during the registration process. Is this possible?
FYI. I think the reasoning from the product guys is that MFA via SMS to their mobile is enough. Multiple verifications (i.e. for email AND mobile) is a bit too much in terms of the UX...
One potential solution.
It's possible to disable email verification:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-disable-ev
Can then do and then do external orchestration to send async email. When they click on the link, we can update the verification status via MS Graph API. Don't love this solution, but it's an option...
In normal Azure AD authentication we will authenticate to Azure AD using a valid AD username and password. But consider a situation,
In our current situation there is no user present. Instead of that we have only a physical device like (iPhone / Android) Phone present.
So my doubt is, without a valid username & password is it possible to authenticate to Azure AD by using a Device ID or IME Number.
In my use case, I am creating a retail mobile application in which a sales man and a shop present, for salesman we have a username and password. But for the shop the retail outlet, our client will give a physical device; So by using the ID or configuring it in Azure is it possible to bypass the login.
So my doubt is, without a valid username & password is it possible to
authenticate to Azure AD by using a Device ID or IME Number.
No, it's not possible to achieve this.
Why:
For Native Application, Azure AD use OIDC/OAuth 2.0 for authorization and authentication. This also needs to user sign in AAD with their credentails:
For your scenario:
I understand what do you want to approach. But it's not possible. Although AAD is very powerful, but it cannot leave out User Identity. Even Intune is a device management service and can mange mobile devices, but it also needs to enroll devices with a user identity.
One method which can leave users sign in is Oauth client_credentials flow, but it's for service to service call. It's not for Native Application and even this flow cannot use device ID.
So, what I suggest is :
Though use Device ID to authentication is a easy way to do authorization, but AAD doesn't support this. If you feel it's trouble to let user login your app with user credentials, you can try to use AAD B2C. With AAD B2C, the user can use social account to sign-up and sign-in your application.
Hope this helps!
Within the InfoQ or IBM CodeRally pages, is there a way to check / reconfirm the account details entered during registration process? Having used Google OAUTH, can one also provide twitter OAUTH details?
The only way to confirm which social media account is linked to a username is to try and login with them.
You cannot link more than one OAuth login to the same username, but one OAuth login can be linked to as many usernames as you like. If you want to use a different OAuth to the one you registered with you will need to go back to InfoQ's page and register again with a different username and your preferred social media account login.