I used this documentation to override a forgot password link in singInOrSignup custom policy, and it works perfectly :
https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-password-reset-policy?pivots=b2c-custom-policy
How can I please do the same things for Sign up now link to redirect to another custom policy that I created before?
That doc never sent the user to another policy for password reset. It just sends the user to a technical profile within the same policy. You can’t send the user to another policy through configuration of the custom policy.
You can rewrite the link using JavaScript using page customisation. Send the user to myapp.com/signup, do not link directly to another B2C policy,
https://learn.microsoft.com/en-us/azure/active-directory-b2c/customize-ui-with-html?pivots=b2c-custom-policy
https://learn.microsoft.com/en-us/azure/active-directory-b2c/javascript-and-page-layout?pivots=b2c-custom-policy
Related
I have a B2C tenant setup using the oob sign-up/sign-in user flow working fine. I have also implemented a custom policy to allow the user to change their password when they are already signed in to our application according to this article.
When testing, if I directly navigate to the custom policy endpoint, it first prompts me to sign-in and then takes me to the password change form which works fine. However, in our case since the user is already signed in to our application, we would like to bypass the sign-in form and take the user directly to the password change form. According to this article I can remove the prompt=login in the url and it should bypass the sign-in form if the user is already signed in.
To test this, I first login to my app using the signup/signin user flow and then invoke the custom policy url in the same browser tab session without the prompt=login. It does take me directly to the password change form, however, I get the following error when I try to change the password:
Invalid username or password
I have confirmed that I am entering the correct current password. How can I troubleshoot this and where might the issue be?
Thanks,
Param
This is typical of incorrect setup of custom policies.
Delete the two app registrations: ProxyIEF and IEF apps.
Run the tool to set it up for you: https://aka.ms/iefsetup.
Test sign in works with the custom policy.
Then follow the document you linked again to setup the password change flow. You can download the polices back from the Portal to work with.
In Azure AD B2C when a user clicks the "Forgot/Reset" Password, B2C redirects the user back to the Relying Party (web app), with the following error:
AADB2C90118: The user has forgotten their password.
Correlation ID: 124dd908-e181-408f-a363-ecbd46aa9d8e
The Web App (RP), should read the error code and react by redirecting the user back to B2C specifying the PasswordReset policy to be used. This is by design and it's documented in the official AAD B2C docs.
In our case, we have many web apps sharing the same Custom Policy (SUSI and PasswordResest), to offer a common login experience.
I would like to pick/configure the PasswordReset policy directly into our Custom Policy for sign-in. I'd like to avoid the user getting redirected back to the applications and then the apps deciding what PasswordReset Policy to use.
Is this possible to achieve in B2C?
As far as I know it is not. The only proper way to handle is doing it via the application, as you already described and also according to the docs: https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-password-reset-policy?pivots=b2c-custom-policy
However, depending on your implementation and overall landscape of your identity setup, you may try using a "trick" - create a custom UI HTML template which will include an URL to the password reset policy of your choosing (static URL in the template) and hide (or disable if you use custom policies) the original "Forgot passoword" link which returns back to the app to handle. Attach that template to the policy - https://learn.microsoft.com/en-us/azure/active-directory-b2c/customize-ui-with-html?pivots=b2c-custom-policy
This might not work or be suitable for every setup though. You may get an unexpected behaviour in the app if you open a policy and then the flow ends in a different one. I myself consider that a rather bad practice and discourage people from using it where I work. But if you really need to have something like that you may consider it.
Yes, it is possible.
"By default when you create a sign-up or sign-in policy (with local accounts), you see a Forgot password? link on the first page of the experience. Clicking this link doesn't automatically trigger a password reset policy. Instead, the error code AADB2C90118 is returned to your app. Your app needs to handle this error code by invoking a specific password reset policy.
This policy demonstrates how to embed the password reset flow a part of the sign-up or sign-in policy. So, Azure AD B2C will not return the AADB2C90118 error message".
Starting from March 2021, the "Self Service Password Reset" is the recommended option. The previous method described in my original post is not considered legacy.
Self Service Password Reset Official Documentation: https://learn.microsoft.com/en-gb/azure/active-directory-b2c/add-password-reset-policy?pivots=b2c-custom-policy
Essentially, what I asked above not only is possible now, but it's also the recommended approach.
I have a B2C directory and I have setup the branding for this directory. Apart from this, I have also added a sign in, sign up and a reset policy with custom templates. So far no issues. When I issue a challenge for the sign in policy the page is rendered based on the branding configuration. When I attempt to enter an invalid password, the error template is used.
Now, if the email address is known previously for the current user, I add a login_hint to the authentication properties, so that the user need not enter it in again. The email address gets populated in the email text box as expected, but the branding configuration is not used anymore!
Is this a bug?
PS: I added a sign up or sign in policy and I am currently using this policy to work around this, but would be good to know why this is not working (i.e. the sign in policy)!
Is this a bug?
Sounds like it but only the B2C product team could confirm this.
I added a sign up or sign in policy and I am currently using this policy to work around this, but would be good to know why this is not working (i.e. the sign in policy)!
The B2C is in the process of deploying version 2s of their policies. Can you try the Sign-in v2 Policy?
I have an asp.net web application that authenticates via Azure AD B2C tenant. I have a sign-up-sign-in policy [login is using username instead of email] with MFA turned on. I have also setup Custom UI login page [unified.html] and MFA page [phonefactor.html] in a storage blob that the policy points to. I am able to authenticate the user via the custom login page and login with MFA. The issue is when I create a new user and force the user to change the password at their first login, instead of redirecting the user to the change password screen, I am getting an invalid username and password message. When I use the Sign-In policy instead of sign-up-sign-in, the redirection to change the password works for the new user. But the sign-in policy does not have the option to specify Custom UI for login page. Am I missing anything here and how can I make this work with the sign-up-sign-in policy.
Also is there any way to get the "Password" hint like the "Username" hint in the company branding ... Password hint is not available
forceChangePasswordNextLogin only works on the sign-in policy which does not support UI customization.
In order to achieve similar functionality in the unified sign-up/sign-in policy, you'll need to implement this functionality yourself.
One option to achieve similar (albeit not quite the same) functionality is by leveraging the Password Reset policy. You would be creating new users up-front and ensuring you configure their email. You then direct them straight to the Password Reset policy for their account activation. They'll receive an email with a code which once provided, will let them provide set their password.
There's already two outstanding feature asks in the Azure AD B2C Feedback Forum that you can support:
Support Force Password Reset
Fully Customizable Sign-In Page
UPDATE
For the DIY approach:
Create the users by setting up an Azure AD app for your back-end API as outlined here:
https://learn.microsoft.com/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet
Have your back-end API call the Graph API like this app does to create the users: https://github.com/AzureADQuickStarts/B2C-GraphAPI-DotNet.git
Send the users directly to the reset password URL /authorize/ url..
I'm building a webapp that uses Azure AD B2C authentication. I'd like to implement a feature such that any new user signing up always lands at a specific controller action. How should I configure my policies to ensure this. For example /account/newuser should be invoked everytime a new signup policy is executed.
Also, if I have the [Authorize] attribute set for an action and a new user lands there, how can i ensure that the sign up, not the sign in policy is executed?
There is a built-in claim "newUser" that you can select in the 'Signup'/'sign-up or sign-in' policy that is made exactly for this scenario.
This claim will be returned only once after the user sign-up. You can inspect the claim once the user get redirected to your application and if this claim exists with a value of "true" then redirect your user to the specific controller.
In your Azure B2C directory, select your sign-up policy --> Edit --> Application Claims then check the "User is new" as in the image below: