How to tune PasswordReset custom policy - azure-ad-b2c

I am a newbie in Azure AD B2C custom policies. Currently I am trying to understand whether it is possible to redefine the LocalAccount PasswordReset custom policy from the starter pack in the way shown in the attached picture (Desired journey).
Requirements are:
1st screen: exclude the separate SendCode button, making the Continue button responsible for both sending the code and moving to the next screen if the code was sent;
2nd screen: lock the email, provide a VerifyCode field, with the Continue button responsible for both verifying the code and moving to the next screen if the code was verified;
3rd screen: the standard screen with newPassword, reenterPassword and a Continue button, as in the starter pack.
I really hope you can help

Yes, you can surely create the password reset setup as you desire in the diagram attached in your post. For this purpose, you will have to edit the 'TrustFrameworkExtensions.xml' file with the one given in the link below:
https://github.com/azure-ad-b2c/samples/commit/7669af06637550739e845b7ad42211a3a412658d
In the link above, the 'SplitEmailVerificationAndSignup_TrustFrameworkExtensions.xml' file must be uploaded and used in the Azure AD B2C Identity Experience Framework custom policies list. In this file, you will have to edit the 'TechnicalProfile' section with ID 'LocalAccountSignUpWithReadOnlyEmail'. In that, you will have to remove the 'OutputClaim' for 'objectId', 'displayName', 'givenName', 'surName', 'newUser' and 'authenticationSource' from the said 'TechnicalProfile'. Otherwise, leave all other details the same, then upload the policy and try testing the user flow. It will give you the same result screen as expected by you.
Also, ensure that the 'SplitEmailVerificationandSignup.xml' file is also uploaded so that the references from the other policy files are resolved correctly.
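As an added illustration (not the sample repository's own file), this is roughly what the technical profile looks like after the OutputClaim removals described above. It assumes the starter pack's usual SelfAsserted profile layout; the display name, content definition id and validation profile reference are placeholders for whatever the sample file already contains.

```xml
<!-- Constructed illustration of the edited profile; not copied from the sample repository. -->
<TechnicalProfile Id="LocalAccountSignUpWithReadOnlyEmail">
  <!-- Any display name; keep the one from the sample file. -->
  <DisplayName>Email signup</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <!-- Keep the metadata items the sample file already has; this content definition id is an assumed placeholder. -->
    <Item Key="ContentDefinitionReferenceId">api.localaccountsignup</Item>
  </Metadata>
  <InputClaims>
    <!-- Pre-fills the e-mail collected on the previous screen (claim name assumed). -->
    <InputClaim ClaimTypeReferenceId="email" />
  </InputClaims>
  <OutputClaims>
    <!-- Removed per the answer above: objectId, displayName, givenName, surName, newUser, authenticationSource.
         Only the claims needed for the third screen remain. -->
    <OutputClaim ClaimTypeReferenceId="email" />
    <OutputClaim ClaimTypeReferenceId="newPassword" Required="true" />
    <OutputClaim ClaimTypeReferenceId="reenterPassword" Required="true" />
  </OutputClaims>
  <ValidationTechnicalProfiles>
    <!-- Leave whatever validation profile the sample file references here unchanged. -->
    <ValidationTechnicalProfile ReferenceId="REPLACE-WITH-THE-SAMPLE-FILES-EXISTING-REFERENCE" />
  </ValidationTechnicalProfiles>
</TechnicalProfile>
```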

Related

How to add a link to offer an alternate route in Azure B2C custom policy

I've followed one of the provided samples to add TOTP multi-factor authentication supported by a phone app:
https://github.com/azure-ad-b2c/samples/tree/master/policies/custom-mfa-totp
I'm therefore able to offer users the ability to enter a TOTP code:
One of the things I'm considering is ensuring users still have access to their accounts if something goes wrong during the TOTP MFA process which we're using by default. I'd therefore like to be able to add an extra link to this page to send users through an alternative MFA route without successfully completing this one in case they encounter issues: "send a code via email instead".
As far as I can tell, the B2C screens expect users to only go forward through clicking continue. The best alternative instead of a link I can think of is a checkbox which sets a boolean claim to enable an email MFA OrchestrationStep. I find this a little less user-friendly than a simple link though as it adds an unnecessary extra click.
Ideal user flow:
Login --> Display TOTP MFA screen --> Enter MFA code OR click link to go to email MFA screen
Any help's appreciated!
This sample demonstrates how to use a display control to provide multiple options (Email or MFA) for a user to continue:
https://github.com/azure-ad-b2c/samples/tree/master/policies/pwd-reset-via-email-or-phone
You could use the same idea here, except instead of invoking the MFA technical profiles as part of the sample's display control, you can invoke the call to the REST API technical profile to verify the code.
You will need to use some CSS/JS to make the page look nice so users can toggle what option they want to use.

Azure B2C EditProfile custom policy without Signing In first

Right now the ProfileEdit.xml file that comes with active-directory-b2c-custom-policy-starterpack asks the user to sign in before actually letting them get to the Edit Profile page.
The use case I'm trying to accomplish is a little bit different. The user is already signed in to the app and there's a button Edit Profile that when clicked will take the user to the Edit Profile page. That is, there should be no Sign in again.
My app allows the user to sign in using Facebook and Local Account sign-in. The custom ProfileEdit B2C policy should know which one the user used to log in and just redirect the user to the ProfileEdit policy directly.
I tried messing with the ProfileEdit Technical Profile, but the modifications I made didn't work.
Can anyone more experienced with Azure B2C custom policies let me know how to achieve this?
This is normal: imagine someone got to the profile edit link and bookmarked it, then logged out, then launched profile edit. You need them to log in, otherwise things break.
So this is actually working perfectly already; you will get Single Sign-On, such that once you have used the Sign In journey, the Profile Edit journey will skip the sign-in step.
You can test it like this:
1. Open a new browser, and use the sign in journey, login and complete.
2. Open a new tab, and paste the Profile Edit link, remove the prompt=login query parameter.
3. Execute the link, you are taken straight to modifying your profile page, rather than seeing a sign in page.

Azure AD B2C - Change application in Sign-Up/Sign-In policy

I have an existing Sign-Up/Sign-In policy and I want to change the Application that it is associated with. When I select the new Application that I want in the drop-down, the change does not get saved (i.e. it reverts back to what it was previously). I don't see a save button either. I've tried editing the policy and hitting the save button in that window, as well as pressing the Run now button, but no luck. Am I overlooking something?
The B2C Policy run screen does not save your last known run profile. This page is for testing your policy, and as such will reset all application, domain, reply URL etc. settings each time.
Policies can be run against all applications.
The run now screenshot you have demonstrates this.

Using enter key to signin a user when using custom policy in Azure AD B2C

In the default sign-in policy, an Enter keypress triggers the actual sign-in action. However, when I create my own custom policy (using the selfAsserted form as a basis), it doesn't work. With the custom policy, the user needs to either click the Continue button or use Tab to move focus onto the button and then press Enter. Everything else works just as I'd like it to, but this seems like such an inconvenience.
Any idea why this might happen? Has someone else encountered this and found a solution?
This would be easy to fix manually if it were possible to include custom JavaScript code in the "template" HTML file that Azure AD B2C injects the policy-compliant form into. However, this doesn't seem to be possible yet either (as stated here).

Azure AD B2C Custom Edit profile page

I'm working with Azure B2C from an MVC (4.6) WebApp. I've followed this guide to make it work and it's all good:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-web-dotnet
However, regarding the Edit Profile policy, I need custom values coming from another system for a specific user profile property (i.e. Favorite Categories, coming from a custom Categories table). I don't want to add all the possible categories to the user profile property settings in the Azure portal, because the values can change frequently. So, a couple of questions:
1- Is there a way to tell the Azure AD B2C Edit Profile policy what values to use for a specific user profile property? (I don't think so)
2- Can I call the Edit Profile policy endpoint to update the user profile? That way, I'd have a custom page with the user profile properties, and I would update the user from code. I've "fiddled" the MS page, and it's doing a POST to a specific endpoint, but I'm not able to make it work from code. I've also tried a bunch of different things.
The only approach that seems like it will work is to call the Graph API from code, following this article (but it requires registering another app from PowerShell, and also executing the action with an app token instead of as the currently logged-in user):
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet
Any help would be very much appreciated.
Thanks a lot.
1- Is there a way to tell the Azure AD B2C Edit Profile policy what values to use for a specific user profile property? (I don't think so)
No. All users use the policy you configure in the portal. We can create multiple profile edit policies and choose the right policy based on your business logic with custom code.
2- Can I call the Edit Profile policy endpoint to update the user profile? That way, I'd have a custom page with the user profile properties, and I would update the user from code. I've "fiddled" the MS page, and it's doing a POST to a specific endpoint, but I'm not able to make it work from code. I've also tried a bunch of different things.
No. It is impossible. As you mentioned, if you want to update the user's profile programmatically, the Azure AD Graph API is recommended.
You are not able to use JS, but you are able to customize with CSS
(enable CORS for the MS login domain on your web app, etc.).
See the MSDN docs; all of this is described there.
You are able to add custom properties in AD B2C for user sign-up, so it should be possible for edit profile too:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-ui-customization