We created Sign Up and Sign In userflow for our B2C application to authenticate users.
Everything is working fine. But I want to categorize signed in users and signed up users.
I checked the logs but there is no much difference. How to identify who are new users and who are existing users?
PS: Userflow is Sign Up and Sign In with username
EDIT: I am unable to get new flag in token claims even after adding application claim
There is a User is new (newUser) claim available within the Sign-up or sign-in policy that you can enable:
This will add the "newUser" flag to your token and it is true when the user sign up for the first time.
Related
Azure B2C User Flow SignUp/SignIn with Email/Number.
Requirements:
SignUp with Email/Phone:
while signing up when user click for registration its shows already email/phone number exist but we are looking when user have already have email then it automatically move to login flow.
SignIn with Email/Phone:
while user click on the signin if user not exist then it automatically navigate to the signup page so user dont need to manuly go for signup
Forget Password with Email/Phone:
With the Email/Phone number signin/signup flow there is missing the reset password policy to change password and there is only showing the change phone number option.we need to reset the user password
There is missing the Cenel icon on the phone number signup flow.
I did reproduce your scenario and found that there is currently no prebuild option or system in user flow of Azure AD B2C that when user try to sign and if it has not already signup will redirect to signup page and vice versa.
Azure AD B2C offers various sign-up and sign-in options for users of your applications:
I did Configure my Azure AD B2C local accounts to allow sign-up and sign-in with using email address. There are also other ways with username, phone number, or a combination of methods.
For Forget Password with Email/Phone enable the self-server password under the properties of your created user flow.
Please follow this GIF for apply for Forget Password with email and attribute which I have set for my userflow.
I have shown the demo how my user flow is working please check this GIF as well.
I have redirected my webapp to https://vikashgaurav.com/portfolio/ after successful signing.
Reference : https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications?tabs=app-reg-ga
https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-sign-up-and-sign-in-policy?pivots=b2c-user-flow
My scenario is a public website, with authenticated access that is managed by AzureAdB2C, and the authentication is not embedded but on a subdomain style. In the authentication form I see that there's the option for password reset (for someone who forgets it) but my question is when the user is already authenticated and so outside Azure context, how can he ask for a password change?
Is there any endpoint or so (that would receive the email linked to the account)?
Thank you
Still not clear because you mention "fire the change/reset password flow?". Which is it or is it both?
If reset, you can use a custom policy. Just put the link to the policy on your page.
There are a number of password reset flows that may be of interest.
For change password, see here. Again, just put the policy link on the page.
Unsure if you would have to login again.
You can Configure password change using custom policies in Azure Active Directory B2C.
In Azure Active Directory B2C (Azure AD B2C), you can enable users who are signed in with a local account to change their password without having to prove their identity through email verification. The password change flow involves following steps:
The user signs in to their local account. If the session is still active, Azure AD B2C authorizes the user and skips to the next step.
The user verifies the Old password, and then creates and confirms the New password.
If the question is to reset the password because the user forgot it but is still logged in, I can imagine logging out the user and redirecting them to the login page where they can choose the reset password option.
EDIT:
The Azure AD B2C article Set up self-service password reset for your customers states that
This article applies to self-service password reset used in the context of the standard Sign in user flow, which uses Local Account SignIn as the identity provider. If you need fully customizable password reset user flows invoked from your app, see this article.
Somehow resetting your password with a password reset flow / custom policy while you're logged in and don't 'need' your current password feels weird.
I am looking for powershell script to create local account users in b2c along with authentication method as email for SSPR. Could some one please advise?
That is not how AAD B2C works (although AAD does). In AAD B2C, the User Flow, or User Journey (Custom Policy), dictate what and how the user will reset the password. The default payload to create a B2C user is sufficient for a user to be compatible with a journey that forces the user to validate their email for password reset.
This is because such a journey simply reads their sign in email address and enforces they verify it.
https://learn.microsoft.com/en-us/graph/api/user-post-users?view=graph-rest-1.0&tabs=http#example-2-create-a-user-with-social-and-local-account-identities
I have created a built in sign in user flow for users to sign in.
I am creating users thru power shell script where i have used ForceChangePasswordNextLogin to true. I was expecting users will be shown password change page when they login for the first time, but i always get "Password Expired" error.
Could anyone provide some inputs on this ?
While creating local accounts in B2C via Graph API/powershell, the forceChangePasswordNextSignIn property must be set to false. This is documented here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/manage-user-accounts-graph-api#password-profile-property. This generates a temporary password, which is marked as expired and requires the user to provide a new password. Since, in Azure AD B2C there is a different mechanism for resetting password (i.e. by using Password Reset User flows/Custom Policies), users don't get the option to reset the password and only get The password has expired. message. In B2C, administrator accounts cannot be used to reset password or set forceChangePasswordNextSignIn = true for consumer accounts.
As of now, the only possible way to require users to reset their passwords at first logon is by using custom policy: https://github.com/azure-ad-b2c/samples/tree/master/policies/force-password-reset-first-logon.
My B2C policies are used by a mobile application and having long refresh token expiry date. My requirement is, how we can update the privacy policy and user should accept it to continue using the mobile app without him having to log out and login again.
We can fore users to check a box to accept the "terms of use" when the user signs up or sign in. But if the user already signed in, he must login again to trigger the check.
Here is an sample regaring sign up and sign in with 'Terms of Use' prompt.