We are considering starting with the built-in user flows for our application in B2C. We want to benefit from the standard flows to register users, have a forgotten-password workflow in place, have MFA, etc.
However, as the business requirements for our platform might (and will) change over time, it could be that the standard user flows are not enough and we might need to switch to custom policies over time.
Therefore, we'd like to know if it is possible to have a migration (export/import?) from the standard user flows as configured at that moment to the XML-based custom policies.
In the Azure Portal, go into your B2C directory, select your user flow, and click the Download button at the top; it will download an XML file that contains the 'as is' definition of your user flow. You could later use that for recreating the user flow, though there is no direct "import" option.
After investigating what Azure AD B2C can do, I'm not sure if it can do everything we need it to do through custom policies; we would have to make some compromises. I was thinking of still using it purely for authentication actions against our users: sign in or sign up (local & social media accounts), reset password, etc.
However, we also want to collect more details about the user that they either provide at sign up or at a later date, and I'm finding the ability to edit profiles quite lacking.
Therefore I was thinking instead to create a bespoke .NET Core or Framework application which will act as a 'preference centre' that the user goes through. We will have much greater customisation of this, as we will not be limited to what Microsoft allow through custom policies. The user would either be passed through this application after signing in and before reaching one of our applications, or they can get to it from a link on our applications. All the data that is stored for the user will still be held in the Users section in our Azure AD B2C. Then the application will use the Graph API to query and update the data for the user.
Is this a sensible approach? Or can you recommend something else?
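As an added illustration of the Graph API part of this design (my own example, not code from the question or from any answer on this page): a small Python module a preference centre could use to read and update a B2C user's profile through Microsoft Graph. The tenant, client id, secret and the `b2c-extensions-app` application id are placeholders, and the allow-list of editable attributes is constructed for the example. The point it makes is that the app holds an application permission that can write any user in the tenant, so the server side must decide which attributes a signed-in user may change and must only ever address that user's own object id (taken from the caller's token, never from a form field).

```python
import json
import re
import urllib.parse
import urllib.request
import uuid

GRAPH = "https://graph.microsoft.com/v1.0"
LOGIN = "https://login.microsoftonline.com"

# B2C stores custom attributes on the user object as
# extension_<b2c-extensions-app application id without hyphens>_<AttributeName>.
def extension_attribute_name(extensions_app_id: str, attribute: str) -> str:
    app_id = extensions_app_id.replace("-", "")
    if not re.fullmatch(r"[0-9a-fA-F]{32}", app_id):
        raise ValueError("extensions app id must be a GUID")
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9]*", attribute):
        raise ValueError("attribute name must be alphanumeric")
    return f"extension_{app_id}_{attribute}"

# Constructed allow-list: the built-in Graph properties and the custom attributes
# a user may edit about themselves. Anything else is refused server-side, because
# the app's Graph permission could otherwise write any property of any user.
EDITABLE_BUILTIN = {"displayName", "givenName", "surname"}
EDITABLE_CUSTOM = {"Notifications", "Newsletter"}

def build_profile_patch(updates: dict, extensions_app_id: str) -> dict:
    """Translate preference-centre form input into a Graph PATCH body."""
    body = {}
    for name, value in updates.items():
        if name in EDITABLE_BUILTIN:
            body[name] = str(value)
        elif name in EDITABLE_CUSTOM:
            body[extension_attribute_name(extensions_app_id, name)] = value
        else:
            raise PermissionError(f"attribute {name!r} is not editable here")
    return body

def validate_object_id(object_id: str) -> str:
    """Object id to address: take it from the signed-in user's 'oid' claim and
    insist it is a GUID so nothing else can end up in the request path."""
    return str(uuid.UUID(object_id))  # raises ValueError for anything but a GUID

def get_graph_token(tenant: str, client_id: str, client_secret: str) -> str:
    """Client-credentials token for Microsoft Graph (placeholder tenant/app values)."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    with urllib.request.urlopen(f"{LOGIN}/{tenant}/oauth2/v2.0/token", form) as resp:
        return json.load(resp)["access_token"]

def _graph(token: str, method: str, path: str, body: dict = None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{GRAPH}{path}", method=method, data=data)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None  # PATCH answers 204 with no body

def read_profile(token: str, object_id: str, extensions_app_id: str) -> dict:
    fields = sorted(EDITABLE_BUILTIN) + [
        extension_attribute_name(extensions_app_id, a) for a in sorted(EDITABLE_CUSTOM)]
    path = f"/users/{validate_object_id(object_id)}?$select={','.join(fields)}"
    return _graph(token, "GET", path)

def update_profile(token: str, object_id: str, extensions_app_id: str, updates: dict) -> None:
    _graph(token, "PATCH", f"/users/{validate_object_id(object_id)}",
           build_profile_patch(updates, extensions_app_id))

if __name__ == "__main__":
    # Placeholders: your tenant, the preference centre's app registration, and the
    # application id of the b2c-extensions-app listed under App registrations.
    tenant, client_id, secret = "contoso.onmicrosoft.com", "<client-id>", "<client-secret>"
    ext_app = "00000000-0000-0000-0000-000000000000"
    token = get_graph_token(tenant, client_id, secret)
    print(read_profile(token, "00000000-0000-0000-0000-000000000001", ext_app))
```

The Graph permission needed for this is `User.ReadWrite.All` granted to the preference centre's app registration as an application permission, which is exactly why the allow-list and the object-id check belong in the app rather than being left to Graph.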
We have our own login page to authenticate users against the Azure B2C directory. What is the right approach to achieve it?
I am not sure if this custom validation would also require policies to be created. Would you be able to point me in the right direction?
If you have designed a custom login page, you need to implement it through UI customization in Azure Active Directory B2C.
Generally speaking, you need to use custom policies to do it completely.
Besides, client-side JavaScript code in User Flow or Custom policies can be used to design the UI. You can see if it meets your needs.
See more options here.
I want to integrate Multi-Factor Authentication (MFA) through Azure Active Directory (AD). I checked its documentation and some code samples, and then I learned that Azure AD B2C has some features which suit my requirement.
NOTE - I only need the MFA feature from Azure AD B2C.
I tried this sample code provided in official docs, https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-tutorials-spa
But I have some queries:
1) Is there any service in Azure B2C which can directly provide an MFA facility to integrate, without needing to register users in Azure AD?
2) In Azure B2C, can I control the user flow with information from my website, so that the email and phone number used during the user flow are those of my website? (I am asking about this because according to my plan I am going to integrate it after the login process in my website.)
3) There are 3 types of account in Azure B2C (Work account, Guest user, Consumer user). Which user type is most suitable? (I only need MFA for the user, and will need to manage users via Graph or any official API.)
4) From where can I decide which type of user will be registered? The code which I have tried doesn't mention the user type. (Actually I want to know whether there is any param or option in the user flow which can decide the type of user that will be registered through this flow.)
Any help or suggestions will be helpful for me.
Thanks in advance.
1. Is there any service in Azure B2C which can directly provide an MFA facility to integrate, without needing to register users in Azure AD?
Yes, you can restrict new users to sign in and sign up using MFA. For that you need to enable MFA. It's global MFA for all.
See the screen shot below.
Note: You can also implement MFA for each individual user.
See the screen shot below for Individual MFA
Once you implement MFA you would be prompted to verify your phone number like below.
Note: For testing the MFA user flow you need a native application in the application drop-down.
See the screen shot below.
2. In Azure B2C, can I control the user flow with information from my website, so that the email and phone number used during the user flow are those of my website? (I am asking about this because according to my plan I am going to integrate it after the login process in my website.)
Yes, you can customize your user flow. You can add a new user flow according to your needs.
To do that, choose All services in the top-left corner of the Azure portal, and then search for and select Azure AD B2C.
Then in the left menu, select User flows, and then select New user flow.
See the screen shot below:
3. There are 3 types of account in Azure B2C (Work account, Guest user, Consumer user). Which user type is most suitable? (I only need MFA for the user, and will need to manage users via Graph or any official API.)
In short, the Work account has more privileges in a B2C tenant, as the official document says, since a consumer account cannot access some resources on the portal. For accessing the Microsoft Graph API, a Guest user has some restrictions even on the Azure portal.
Note: As per your requirement I would suggest you go with a Work account, which has some benefits when you access Microsoft APIs.
Though the account type mostly depends on your business needs, a Work account is more useful comparing all aspects.
Let's say you want to add some users who are already registered with some other organization, but you need to add them to your particular application's privileges. Then you need to add the user with Guest privileges.
4. From where can I decide which type of user will be registered?
Though the question is a bit confusing; as I said earlier, it would depend on your business needs. A Work account is usually best for tenant users. So when you feel a new user needs to be added within your tenant, go with a Work account. Once you specify your need it would definitely be easier for you to decide which kind of user you need to add. There is no such reference which can explain this well up to now.
Note: You could try adding all the user types to check how the user accounts behave using the portal and accessing resources.
I'm using Azure AD B2C for my ASP.NET project. I want to use Multi-Factor Authentication. Normally, after the sign-up, the user is redirected to the page to verify his phone number. I want to change this flow: I want to enable multi-factor if the user chooses SMS in a custom dropdown attribute 'Notifications'; the other options are Email/No.
How can I redirect to this Multi-Factor page/Enable Multi-Factor depending on a value of a custom attribute.
Well, fortunately, Azure B2C is quite a flexible tool and does exactly what you're asking for. You're free to define custom policies, attributes and user flows (this one is in preview state though). For your case, if you're the one who manages the tenant, go to the B2C instance and select the 'User flows (preview)' blade. Create a User attribute beforehand. Configure the flow as necessary. Complete the configuration by running the user flow. More on the issue can be found in a quite exhausting MS article here.
We are looking into Azure AD B2C as a general identity management solution for our SaaS services.
One scenario we need to support is around distribution of pre-paid (stored value) payment cards, sold in stores or offered by other 3rd parties to customers. The customer gets the card with a PIN or one time registration code, and with that they can sign up to the cardholder portal, a web application / native app that allows them to view card history, balances and so on.
The sign up process needs to eventually identify the card as a custom claim, but also needs to validate the supplied code right there and then. The user needs to be able to go to the cardholder portal, click 'sign up' and be presented with input fields for the basic info plus the PIN/ reg code. On submit, the PIN/reg code needs to be validated.
Can Azure AD B2C support this type of scenario? Can the UI be completely custom? Are there any pricing implications to this? Also, is there any way of having the native version of the app have a completely native version of the UI?
I believe you can configure this type of validation for new users signing up using Azure AD B2C Custom Policies. Custom policies allow you to define your own policy rather than using the built-in set. Specifically for your case, you'll be able to validate user data given at sign up with your own API.
Fair warning, custom policies can be complex to configure properly.
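As an added example of the "validate user data given at sign up with your own API" step (my own code, not the answer's and not Microsoft's): the custom policy's sign-up step calls a REST endpoint with the collected claims, and an endpoint like the one below answers 200 with the card id as an output claim when the PIN/registration code checks out, or the 409 `userMessage` JSON shape B2C's REST technical profile documentation describes so that the error is shown on the sign-up page. The card inventory, the hashing key and the basic-auth credentials are constructed for the example. The defensive details it demonstrates: codes are stored only as keyed hashes, comparisons are constant-time, unknown and already-used codes get the same message so the inventory cannot be enumerated, and the endpoint verifies the caller's credentials before doing anything.

```python
import base64
import hashlib
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed secrets for the example; load these from a secret store in production.
CODE_HASH_KEY = b"constructed-hmac-key-for-registration-codes"
API_USER, API_PASSWORD = "b2c-policy", "constructed-basic-auth-password"

def hash_code(code: str) -> str:
    """Keyed hash of a PIN/registration code; the clear-text code is never stored."""
    normalised = code.strip().upper().replace("-", "").replace(" ", "")
    return hmac.new(CODE_HASH_KEY, normalised.encode(), hashlib.sha256).hexdigest()

# Constructed card inventory, keyed by hashed code, as the card issuer's DB would hold it.
CARDS = {
    hash_code("ABCD-1234"): {"cardId": "card-0001", "used": False},
    hash_code("WXYZ-9876"): {"cardId": "card-0002", "used": True},
}

def b2c_error(message: str, status: int = 409) -> tuple:
    """Error body B2C expects from a REST technical profile on validation failure."""
    return status, {"version": "1.0.0", "status": status, "userMessage": message}

def validate_signup(payload: dict, cards: dict = CARDS) -> tuple:
    """Check the registration code sent as an input claim; return (http_status, json_body)."""
    code = payload.get("registrationCode")
    if not isinstance(code, str) or not code.strip():
        return b2c_error("Please enter the registration code printed on your card.")
    digest = hash_code(code)
    # Compare against every stored hash in constant time so response timing
    # does not reveal which codes exist.
    match = None
    for stored, card in cards.items():
        if hmac.compare_digest(stored, digest):
            match = card
    if match is None or match["used"]:
        # One message for unknown and already-used codes: nothing to enumerate.
        return b2c_error("The registration code is invalid or has already been used.")
    # Do not mark the code as used here: B2C runs validation before it creates the
    # account, so consuming it now would burn the code if sign-up fails afterwards.
    return 200, {"cardId": match["cardId"]}

def basic_auth_ok(header: str) -> bool:
    """Verify the basic-auth credentials configured on the policy's technical profile."""
    if not header.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(header[6:], validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    return (hmac.compare_digest(user.encode(), API_USER.encode())
            and hmac.compare_digest(password.encode(), API_PASSWORD.encode()))

def basic_auth_header(user: str, password: str) -> str:
    """Build the Authorization header value a client (or a test) would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

class ValidationHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        if not basic_auth_ok(self.headers.get("Authorization", "")):
            self._reply(*b2c_error("Unauthorized.", 401))
            return
        length = int(self.headers.get("Content-Length", "0"))
        try:
            payload = json.loads(self.rfile.read(length) or b"{}")
        except json.JSONDecodeError:
            self._reply(*b2c_error("Malformed request.", 400))
            return
        self._reply(*validate_signup(payload if isinstance(payload, dict) else {}))

    def _reply(self, status: int, body: dict):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

if __name__ == "__main__":
    # Plain HTTP for local testing only; B2C calls HTTPS endpoints, so put TLS in front.
    HTTPServer(("127.0.0.1", 8080), ValidationHandler).serve_forever()
```

Locally you can exercise it with a POST of `{"registrationCode": "ABCD-1234"}` and the header produced by `basic_auth_header("b2c-policy", "constructed-basic-auth-password")`. Consuming the code (marking it used and tying it to the new account) belongs in a step that runs after B2C has created the user, not in this validation call.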