Azure AD B2C detecting Social signups on the reset password page - azure

I need to check emails being entered on our "reset password" to see if the user used a Social IDP to sign up. I would then be able to inform the user that they cannot reset the password for that type of account through Azure.
At the moment it only tells them that we cannot find their account, I can change the messaging here but it's not sufficient in this case.

If you use a social IDP then:
<OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
So look at the "authenticationSource".

Related

Store "email" in contact info during registration - Azure AD B2C Custom policy

I've a custom policy for sign up & sign in and, in the last step, I ask the user to enter the email, where I send a verification code and verify the code (following one of the examples provided by Microsoft). However, I'd like to store, in the "contact info" the email that the person entered.
I tried multiple ways using "PersistedClaims", but it doesn't seem to work.
<PersistedClaims>
<PersistedClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email"/>
</PersistedClaims>
I got no error when I load the policy, but when I sign up, I still don't see the email in the Contact Info inside the user's profile in Azure AD B2C.
I believe that I'm using the wrong claim, but I couldn't figure out what it the "Contact info -> Email" claim.
Please, could someone tell me which claim and how to store it?
Thank you
Change “email” to “mail”.
Change “signInName.emailAddress” to “signInName” (if this is during sign up)

Azure B2C Azure Active Dicrectory retrieve email in token using policies

I have an Azure B2C tenant I'm setting up using policies and I'm facing the following problem. One of my social providers is configured as an Azure Active Directory but, when getting the token, the email is not included.
I have other providers like Google or LinkedIn where I've been able to collect the email using these OutputClaims inside the TechnicalProfile of each ClaimProvider.
Google
<OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email" />
LinkedIn
<OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="elements[0].handle~.emailAddress" />
I'm wondering if there is a similar approach to what I need but the Azure Active Directory provide offers an email's PartnerClaimType.
I checked the doc for this kind of provider but found nothing. I checked as well the optional claims set and the email is mentioned but got no clue how to make it work.
Thank's for your time!
Try
<OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="unique_name" />
https://learn.microsoft.com/en-us/azure/active-directory/develop/id-tokens#claims-in-an-id_token

Azure AD B2C - include mobile phone number used for MFA in id token

I'm using Azure AD B2C.
I've created a Sign up v2 user flow with multifactor authentication enabled. When I run the user flow and go through the sign up process including MFA via SMS to my specified mobile phone number, I'm returned to the reply URL that I've configured - jwt.ms.
The id token has return claims including my email address as well as other attributes that I've configured to return, but nothing regarding the mobile phone number used for MFA. There doesn't appear to be a way to configure the user flow to include this in the return claims. Does anyone know if this is possible and if so, how to do it?
Cheers.
The phone number is read from and written to the strongAuthenticationPhoneNumber property of the user object.
Currently, this property is not available to a built-in policy (i.e. a user flow), but it is available to a custom policy.
If you use the custom policy starter pack for MFA, then you can add the strongAuthenticationPhoneNumber claim, as an outgoing claim in the ID token, as follows:
<RelyingParty>
<DefaultUserJourney ReferenceId="SignUpOrSignIn" />
<TechnicalProfile Id="PolicyProfile">
<DisplayName>PolicyProfile</DisplayName>
<Protocol Name="OpenIdConnect" />
<OutputClaims>
...
<OutputClaim ClaimTypeReferenceId="strongAuthenticationPhoneNumber" PartnerClaimType="phone_number" />
</OutputClaims>
<SubjectNamingInfo ClaimType="sub" />
</TechnicalProfile>
</RelyingParty>

How do i include email in the redirect to AZURE AD B2C

I have set up an Azure B2C tenant and used custom policies to add azure ad as an IDP so that users can sign up with their domain accounts. I can build a custom page where ask them for their email and then redirect them to the proper policy(one for work domain accounts and another for personal emails), so that they do not have to make the choice between work and personal emails. The problem is that I do not want to make the user enter the email once again. Is there a way/option to do this? I basically want to achieve something similar to what the common endpoint of Azure AD does for all accounts.
For a custom policy, if you add the "login_hint" query string parameter to the OpenID Connect authentication request, then you can default the login field to this login hint by adding the "DefaultValue" attribute to the "signInName" input claim for the "SelfAsserted-LocalAccountSignin-Email" technical profile as follows:
<TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
<DisplayName>Local Account Signin</DisplayName>
...
<InputClaims>
<InputClaim ClaimTypeReferenceId="signInName" DefaultValue="{OIDC:LoginHint}" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="signInName" Required="true" />
...
</OutputClaims>
...
</TechnicalProfile>
The "DefaultValue" attribute references a claims resolver that sets the "signInName" claim type to the "login_hint" parameter of the OpenID Connect authentication request.
See the Set up direct sign-in using Azure Active Directory B2C article for more information about passing the "login_hint" query string parameter.

Azure AD B2C Add Claims to id_token in custom policy

I have created custom policies for social and local accounts based on the example from the Active Directory B2C custom policy starter pack for social and local accounts. I have enabled the login with Microsoft and Google and tested that both work, I have also enabled logging in with a local account.
When I log in with google I get the following claims
exp,nbf,ver,iss,sub,aud,acr,nonce,iat,auth_time,email,given_name,family_name,name,idp,at_hash
When I log into a custom Azure AD tenant the set of claims is missing 'email', but the email is listed in the 'name' claim
exp,nbf,ver,iss,sub,aud,acr,nonce,iat,auth_time,given_name,family_name, name,idp,at_hash
When I log in as a local account the set of claims is missing 'email' and there is no email listed in any of the fields.
exp,nbf,ver,iss,sub,aud,acr,nonce,iat,auth_time,given_name, family_name,name,at_hash
Finally, when I look at the list of users in the B2C admin, these are all different user entries...even though the email address is the same. So I have 2 questions,
How do I get a consistent set of claims in the id_token
How do I link all these accounts together at registration time (Same UPN)
I believe these may be related, which is why I am asking them together.
You probably want to see the policies, but I assure you they are exactly the same as the policies in the starter pack, all I've done is change the tenant names and added google and azure in the trust framework extensions file.
For the Azure AD email claim, add the following <OutputClaim /> to the Azure AD OpenID Connect technical profile:
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="unique_name" />
For the local account email claim, add the following <OutputClaim /> to the AAD-UserReadUsingObjectId technical profile:
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="signInNames.emailAddress" />

Resources