Azure Active Directory requiring password instead of code - azure

I'm trying to authenticate a user and I made an Azure Active Directory.
It was logging in with a code but now it uses a password. I want it to use a code for login; how do I change it to this setting?

Related

Azure Active Directory B2C new user invite to set their initial password

In short: how to set up Azure B2C to pre-create users and invite them to set their initial password (rather than reset it).
We have a public-facing website that an organisation can pay for and it gives them access to their own area. We add one or more users' email addresses to our database to grant them a login. Privileged users at the organisation can invite other users to grant them access to their organisation's area.
We wish to move our authentication, session and password management from a home grown solution to Azure AD B2C.
A new user currently receives a friendly invitation email with a hyperlink that contains a token that gives them permission to set their password.
We could create a custom policy to handle this but I really don't want to go down that route due to their complexity and shelf life.
The only way that I've found "out of the box" is to create the user in Azure AD (no problem with that), set a temporary password and email them an invite asking them to "reset" their password. The reset part is very unclean, as they are not resetting their password; they are setting their initial password, and this will be confusing.
Also note that we do not want the user to be able to change their email to something like a hotmail account, as the admin must be in charge of this to ensure they use their work email.
All help appreciated.
Andy
• In your scenario, I would suggest you configure an application registration in Azure AD B2C and configure user flows in it for resetting the password for every user logging in it. Also, while registering an application in Azure AD B2C, you can select the option for ‘Accounts in this organizational directory only (Default Directory only - Single tenant)’ and integrate it with your website in the frontend API such that the user flow to reset the password after verifying the email address comes up for every user.
For the above configuration, kindly refer to the documentation link below for more details, as it describes the configuration for registering users of a single tenant/organization:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-single-tenant?pivots=b2c-user-flow
Also, refer to the documentation link below for resetting the initial temporary password using the user flow section, as setting up a user flow is a very simple process, as described there:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-password-reset-policy?pivots=b2c-user-flow

Sign up works/password reset works but cannot sign in again once either are completed

Quite new to B2C and have set up custom policies, which did seem to be working OK.
Since adding the reset password functionality: https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-password-reset-policy?pivots=b2c-custom-policy
I have found that local user accounts can sign up and it will sign them in, but will not let them log in again.
The same happens for resetting the password. It all goes through, the user can log in, and then on the next login it doesn't accept the creds.
B2C audit logs show the password reset as a success... not sure what I am missing?
EDIT: I checked on another tenant I was testing on, which I had not set up the password reset on yet, and have the same issue with local user account creation.
The only piece that is different from the examples is that I have a multi-tenant Azure AD IdP set up.
Any help will be much appreciated
Sounds like you did not complete the setup for the proxyief and ief app registrations correctly. https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy#register-identity-experience-framework-applications
Delete your proxyief and ief app registrations, then use my tool to reprovision them: https://aka.ms/iefsetup
After reprovisioning, test after a few minutes.
It will overwrite your custom policy files, so download them back and set up the AAD multi-tenant technical profile again afterwards.
Application IDs need to be added to the technical profile in the TrustFrameworkExtensions file for non-interactive logins.
Application IDs for both app registrations mentioned.
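The answer's last two lines are the step that most often goes wrong after reprovisioning: the login-NonInteractive technical profile still carries the starter pack's placeholder strings instead of the two app registrations' application IDs. As an added example (not code from the thread or from the iefsetup tool), this Python check parses a constructed, trimmed TrustFrameworkExtensions fragment and reports any of the four values that is not a GUID or that disagrees with its partner; the GUIDs in the sample are placeholders.

```python
"""Pre-upload check for the login-NonInteractive technical profile in a B2C
TrustFrameworkExtensions policy.

Added example, not code from the thread above. The policy text is a constructed
fragment shaped like the starter pack file; the GUIDs are placeholders.
"""
import re
import xml.etree.ElementTree as ET

NS = {"cpim": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}
GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Constructed sample: IdTokenAudience/resource_id were replaced with the
# IdentityExperienceFramework app ID, but client_id still holds the placeholder.
SAMPLE_POLICY = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
  PolicySchemaVersion="0.3.0.0" TenantId="contoso.onmicrosoft.com"
  PolicyId="B2C_1A_TrustFrameworkExtensions"
  PublicPolicyUri="http://contoso.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions">
  <ClaimsProviders>
    <ClaimsProvider>
      <DisplayName>Local Account SignIn</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="login-NonInteractive">
          <Metadata>
            <Item Key="client_id">ProxyIdentityExperienceFrameworkAppId</Item>
            <Item Key="IdTokenAudience">11111111-2222-3333-4444-555555555555</Item>
          </Metadata>
          <InputClaims>
            <InputClaim ClaimTypeReferenceId="client_id" DefaultValue="ProxyIdentityExperienceFrameworkAppId" />
            <InputClaim ClaimTypeReferenceId="resource_id" PartnerClaimType="resource" DefaultValue="11111111-2222-3333-4444-555555555555" />
          </InputClaims>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>
</TrustFrameworkPolicy>
"""


def find_non_interactive_values(policy_xml: str) -> dict:
    """Collect the Metadata items and InputClaim defaults of login-NonInteractive."""
    root = ET.fromstring(policy_xml)
    tp = root.find(".//cpim:TechnicalProfile[@Id='login-NonInteractive']", NS)
    if tp is None:
        return {}
    values = {}
    for item in tp.findall("cpim:Metadata/cpim:Item", NS):
        values["metadata:" + item.get("Key", "")] = (item.text or "").strip()
    for claim in tp.findall("cpim:InputClaims/cpim:InputClaim", NS):
        values["input:" + claim.get("ClaimTypeReferenceId", "")] = claim.get("DefaultValue", "")
    return values


def check_ief_app_ids(policy_xml: str) -> list:
    """Return a list of problems; an empty list means all four values are GUIDs and
    the Metadata items agree with the matching InputClaim defaults."""
    values = find_non_interactive_values(policy_xml)
    if not values:
        return ["login-NonInteractive technical profile not found"]
    problems = []
    for key in ("metadata:client_id", "metadata:IdTokenAudience",
                "input:client_id", "input:resource_id"):
        value = values.get(key, "")
        if not GUID.match(value):
            problems.append(f"{key} is not an application ID GUID: {value!r}")
    if values.get("metadata:client_id") != values.get("input:client_id"):
        problems.append("client_id Metadata item and client_id InputClaim default differ")
    if values.get("metadata:IdTokenAudience") != values.get("input:resource_id"):
        problems.append("IdTokenAudience Metadata item and resource_id InputClaim default differ")
    return problems


if __name__ == "__main__":
    for problem in check_ief_app_ids(SAMPLE_POLICY) or ["no problems found"]:
        print(problem)
```

Run it against the real file before uploading: the client_id values must be the ProxyIdentityExperienceFramework application ID and IdTokenAudience/resource_id the IdentityExperienceFramework application ID, which is exactly what reprovisioning the two registrations changes.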

Changing the password of the logged in user via the Azure AD B2C Graph API

I'm trying to use the Graph API to change the password of the currently logged in user on a B2C tenant.
The request is being posted to:
https://graph.windows.net/me/changePassword?api-version=1.6
The JSON being provided is in the following format:
{"currentPassword":"[currentpassword]","newPassword":"[newpassword]"}
Unfortunately I keep on getting the following error and I don't know why (or rather I don't know why it would have problems using the 'me' alias). I have also tried including the tenant name with regards to where I'm posting the request but this makes no difference.
Resource not found for the segment 'me'.
I have managed to change the password by resetting it. The issue with that however is that the password can be changed without providing the current password. Ideally I would like to get the user to have to enter this as part of the process of updating the password. It turns out that the missing 'me' issue is probably down to missing permissions.
I've tried adding the 'Access directory as the signed in user' permission as a delegated permission to the app. I get to this page:
Note that I also had to set the sign-in URL to http://localhost/testapp/ and the app ID URI to https://patrickscorp.onmicrosoft.com/testapp, as the classic portal refuses to save changes if these two settings are not set.
Under 'permissions to other applications' I clicked on 'Add application' and then selected 'Windows Azure Active Directory'. I then made sure that the 'Access directory as signed in user' was selected.
However saving just results in the following error appearing:
Clicking 'details' doesn't help - it just says if the problems persist to contact support.
If I have to go down the reset route then is there a way of taking a password provided by the user and validating it?
Calls to the Azure AD Graph require the tenant name in the path, like so:
https://graph.windows.net/mytenant.onmicrosoft.com/me/changePassword?api-version=1.6
This is in contrast with the Microsoft Graph which doesn't require it as it infers it from the user token and is called like so:
https://graph.microsoft.com/v1.0/me/changePassword
However it is important to note that at this time the Azure AD Graph is recommended for Azure AD B2C.
EDIT:
As per the Azure AD Graph Reference for Change Password:
Call the changePassword action for the signed-in user to change their own password.
Note: This action can only be called on the signed-in user.
If you want to change some other user's password, you'll need to use the Reset Password:
https://graph.windows.net/mytenant.onmicrosoft.com/users/{user_id}?api-version=1.6
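As an added example (not code from the question or the answer), the following Python builds the requests this answer distinguishes, without sending them: the tenant-qualified Azure AD Graph changePassword call for the signed-in user, its Microsoft Graph counterpart, and the administrative PATCH /users/{id} reset, plus the pre-created local account with a temporary password that the earlier "invite to set initial password" question asks about. The tenant name, user id, email and passwords are placeholders; the B2C local-account body follows the Azure AD Graph 1.6 shape (creationType/signInNames), and whether B2C enforces forceChangePasswordNextLogin at sign-in is assumed to depend on the user flow's force-password-reset setting.

```python
"""Build Azure AD Graph (graph.windows.net, api-version 1.6) password requests as
(method, url, body) tuples without sending them.

Added example, not code from any post in this thread. Tenant names, user ids,
emails and passwords are constructed placeholders.
"""
from urllib.parse import quote

AAD_GRAPH = "https://graph.windows.net"
MS_GRAPH = "https://graph.microsoft.com/v1.0"
API_VERSION = "api-version=1.6"


def aad_graph_url(tenant: str, resource: str) -> str:
    # Azure AD Graph needs the tenant as the first path segment; without it the
    # service answers "Resource not found for the segment 'me'".
    return f"{AAD_GRAPH}/{quote(tenant)}/{resource}?{API_VERSION}"


def change_own_password(tenant: str, current_password: str, new_password: str):
    """changePassword for the signed-in user: needs a delegated token and the
    current password, so it is the right call for self-service."""
    body = {"currentPassword": current_password, "newPassword": new_password}
    return "POST", aad_graph_url(tenant, "me/changePassword"), body


def change_own_password_ms_graph(current_password: str, new_password: str):
    """Same action on Microsoft Graph, which infers the tenant from the token."""
    body = {"currentPassword": current_password, "newPassword": new_password}
    return "POST", f"{MS_GRAPH}/me/changePassword", body


def reset_user_password(tenant: str, user_id: str, new_password: str,
                        force_change: bool = True):
    """Administrative reset via PATCH /users/{id}: no current password is checked,
    which is why self-service should not be built on it. With force_change the
    new password is temporary and must be changed at the next login."""
    body = {"passwordProfile": {"password": new_password,
                                "forceChangePasswordNextLogin": force_change}}
    return "PATCH", aad_graph_url(tenant, f"users/{quote(user_id)}"), body


def create_invited_local_account(tenant: str, email: str, display_name: str,
                                 temp_password: str):
    """Pre-create a B2C local account for invite-style onboarding: the admin fixes
    the sign-in email, the user only ever sets the password. Assumption: B2C only
    enforces forceChangePasswordNextLogin when the user flow has force password
    reset enabled."""
    body = {
        "accountEnabled": True,
        "creationType": "LocalAccount",
        "displayName": display_name,
        "signInNames": [{"type": "emailAddress", "value": email}],
        "passwordProfile": {"password": temp_password,
                            "forceChangePasswordNextLogin": True},
        "passwordPolicies": "DisablePasswordExpiration",
    }
    return "POST", aad_graph_url(tenant, "users"), body


def has_tenant_segment(url: str) -> bool:
    """Pre-flight check for Azure AD Graph URLs: the first path segment must be
    the tenant, not 'me' or 'users'."""
    if not url.startswith(AAD_GRAPH + "/"):
        return False
    first = url[len(AAD_GRAPH) + 1:].split("?", 1)[0].split("/", 1)[0]
    return first not in ("", "me", "users")


if __name__ == "__main__":
    # Constructed placeholders only; nothing is sent.
    for req in (change_own_password("mytenant.onmicrosoft.com", "old-pw", "new-pw"),
                reset_user_password("mytenant.onmicrosoft.com", "0f1e2d3c", "new-pw"),
                create_invited_local_account("mytenant.onmicrosoft.com",
                                             "alice@example.com", "Alice", "Temp-pw")):
        print(req[0], req[1], "tenant ok:", has_tenant_segment(req[1]))
```

Sending these needs a delegated token for changePassword (the permission the question was trying to grant) and an admin token for the reset and create calls; the bodies are what the question already posts, only the path differs.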

How to reset Azure AD User's temporary password?

I created an Active Directory in Azure. I created a new user (as global admin) with a *#*.onmicrosoft.com login. The user gets assigned a temporary password that has to be changed on first login.
The user is created so that I can use it with Azure AD Connect to connect the on-premise domain with Azure. Until the password is reset, it is considered expired.
Where can I log in with that user to reset the password?
Please login into Azure Portal as that user. As a part of the login process, the user will be asked to reset the password because the user is logging in for the first time.

Failed to retrieve Azure auth token. Account must be added to the directory

I have an Active Directory object in Azure that has a native client application.
The application has all the necessary permissions to be accessed by the Service Management API.
In the AD directory, I have 2 users added. One is the account I was logged in as when I created the directory object. This account was added automatically when the directory was created. The other is one that I manually added after creating the directory object.
So, in the example below, Account 2 was the account I was logged in as when creating the directory. Account 1 I added manually.
When I try to retrieve an access token from the oauth2 endpoint with Account 2 credentials, I get the error:
AADSTS50034: To sign into this application the account must be added to the REDACTED directory.
The account is clearly added to the directory, however.
Furthermore, when I use the credentials for Account 1, I am able to successfully authenticate.
The only things I'm changing in my script are the username and password. The client ID and tenant ID remain the same.
Why am I getting the error above when the account I am using is clearly a user of the directory?
I found the answer in a different thread.
If I'm understanding it correctly, it seems like automated sign-in can only be done from an account sourced from Azure Active Directory, and not from a Microsoft account.
Link to answer
You can log in with account2 also. You need to provide the directory name in the sign-in context as the input. Accordingly, configure your "Startup.Auth.cs" in App_Start.
Account1 has the directory name or the custom domain name in the username, with the help of which the Azure log-in gets you signed in. But with account2, you have a Microsoft account directory where your application is not registered.
Hence, you get the error.
Use this link for a better understanding. This sample code uses sign-in for an Azure AD user as well as a Microsoft account user, as in your case.
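Both answers come down to the same diagnosis: the account that fails is not a cloud-native user of the tenant, so a username/password token request against that tenant's endpoint is rejected with AADSTS50034. As an added example (not code from the question or either answer), this Python pulls the AADSTS code out of a token error response and adds a pre-flight check that the username's domain is actually verified in the tenant. The error body is constructed from the message quoted in the question; the `error`, `error_description` and `error_codes` field names are assumed to match the shape of Azure AD error responses, and the tenant domains and usernames are placeholders.

```python
"""Diagnose a failed username/password token request to
login.microsoftonline.com/<tenant>/oauth2/token.

Added example, not code from the thread above. The error response is constructed
from the message quoted in the question; field names are an assumption about the
shape of Azure AD error responses. Domains and usernames are placeholders.
"""
import json
import re

AADSTS = re.compile(r"AADSTS(\d+)")

# Constructed sample of what the questioner's script got back for "Account 2".
SAMPLE_ERROR_RESPONSE = json.dumps({
    "error": "invalid_grant",
    "error_description": "AADSTS50034: To sign into this application the account "
                         "must be added to the REDACTED directory.",
    "error_codes": [50034],
})

# Only the code this thread is about; extend with others as you meet them.
KNOWN_CODES = {
    50034: "account is not a cloud-native user of this tenant (for example a personal "
           "Microsoft account or a guest); the username/password grant cannot sign it in",
}


def explain_token_error(response_body: str) -> dict:
    """Return the OAuth error, the leading AADSTS code and a hint for it."""
    data = json.loads(response_body)
    codes = [int(c) for c in data.get("error_codes") or []]
    match = AADSTS.search(data.get("error_description", ""))
    if match and int(match.group(1)) not in codes:
        # Some responses only carry the code inside the description text.
        codes.insert(0, int(match.group(1)))
    code = codes[0] if codes else None
    return {
        "error": data.get("error"),
        "code": code,
        "hint": KNOWN_CODES.get(code, "look up the AADSTS code from the description"),
    }


def upn_matches_tenant(username: str, verified_domains) -> bool:
    """Pre-flight check before a scripted sign-in: the UPN suffix must be a domain
    verified in the tenant. An external or Microsoft account shows up in the
    tenant as user_live.com#EXT#@tenant..., and its real sign-in name
    (user@live.com) is not a tenant domain, so the request ends in 50034."""
    if "#EXT#" in username:
        return False
    _, _, suffix = username.rpartition("@")
    return bool(suffix) and suffix.lower() in {d.lower() for d in verified_domains}


if __name__ == "__main__":
    print(explain_token_error(SAMPLE_ERROR_RESPONSE))
    tenant_domains = ["contoso.onmicrosoft.com"]  # constructed placeholder
    for user in ("account1@contoso.onmicrosoft.com", "account2@outlook.com"):
        print(user, "can use scripted sign-in:", upn_matches_tenant(user, tenant_domains))
```

Run the pre-flight check over the service accounts a script uses before it ever contacts the endpoint; it turns the opaque 50034 into a plain "this account is not sourced from the tenant", which is the conclusion the questioner reached by hand.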
