LocalAccounts only guide? - azure-ad-b2c

I have tried following this guide for setting up custom policies: Tutorial: Create user flows and custom policies in Azure Active Directory B2C.
But with the LocalAccounts only sample files. When running the custom policies it fails with a very generic error message.
Sorry, but we're having trouble signing you in.
We track these errors automatically, but if the problem persists feel free to contact us. In the meantime, please try again.
What I would really love is either:
A guide for setting up LocalAccount custom policies with SendGrid integration or
A SendGrid integration for the UserFlows (kept simple, supply API key and template ids)

You should enable application insights logging to better understand what's going on: https://learn.microsoft.com/en-us/azure/active-directory-b2c/troubleshoot-with-application-insights?pivots=b2c-custom-policy
About SendGrid, there is a tutorial for it: https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-email-sendgrid?pivots=b2c-custom-policy. You can't use SendGrid with User Flows, only with Custom Policies.

In the pre-requisites of that doc, you can use my IEF Setup Tool, which automates the article. If you select the "Remove facebook" option, you will deploy the Local+Social+MFA starter pack with the LocalAccount journey. This keeps all dependencies available if you change your mind later on.
Then you can test the policy from the Azure Portal:
Create an app registration with https://jwt.ms as the reply URL and implicit flow enabled.
Test the policy.
Custom email providers don't work for User Flows; you require Custom Policies.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-email-sendgrid?pivots=b2c-custom-policy

Related

AADB2C trigger password change from SPA with custom policies

I'm looking into implementing the add password change policy for my SPA. It all seems straight-forward, but I would like to trigger the password change popup from my React code which is using the msal-browser library. In the mentioned tutorial, in the Run the policy section, there is no indication on how to trigger this from the application. Any ideas?
You can configure the authentication in a React SPA by using an Azure AD B2C policy as mentioned here.
In this sample, you can configure the password change policy in similar way as profile edit.

Azure AD B2C - Configure PasswordReset policy directly into the Custom Policy for Sign-Up/Sign-in

In Azure AD B2C when a user clicks the "Forgot/Reset" Password, B2C redirects the user back to the Relying Party (web app), with the following error:
AADB2C90118: The user has forgotten their password.
Correlation ID: 124dd908-e181-408f-a363-ecbd46aa9d8e
The Web App (RP), should read the error code and react by redirecting the user back to B2C specifying the PasswordReset policy to be used. This is by design and it's documented in the official AAD B2C docs.
In our case, we have many web apps sharing the same Custom Policy (SUSI and PasswordReset), to offer a common login experience.
I would like to pick/configure the PasswordReset policy directly into our Custom Policy for sign-in. I'd like to avoid the user getting redirected back to the applications and then the apps deciding what PasswordReset Policy to use.
Is this possible to achieve in B2C?
As far as I know it is not. The only proper way to handle is doing it via the application, as you already described and also according to the docs: https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-password-reset-policy?pivots=b2c-custom-policy
However, depending on your implementation and overall landscape of your identity setup, you may try using a "trick" - create a custom UI HTML template which will include a URL to the password reset policy of your choosing (static URL in the template) and hide (or disable if you use custom policies) the original "Forgot password" link which returns back to the app to handle. Attach that template to the policy - https://learn.microsoft.com/en-us/azure/active-directory-b2c/customize-ui-with-html?pivots=b2c-custom-policy
This might not work or be suitable for every setup though. You may get an unexpected behaviour in the app if you open a policy and then the flow ends in a different one. I myself consider that a rather bad practice and discourage people from using it where I work. But if you really need to have something like that you may consider it.
Yes, it is possible.
"By default when you create a sign-up or sign-in policy (with local accounts), you see a Forgot password? link on the first page of the experience. Clicking this link doesn't automatically trigger a password reset policy. Instead, the error code AADB2C90118 is returned to your app. Your app needs to handle this error code by invoking a specific password reset policy.
This policy demonstrates how to embed the password reset flow a part of the sign-up or sign-in policy. So, Azure AD B2C will not return the AADB2C90118 error message".
Starting from March 2021, the "Self Service Password Reset" is the recommended option. The previous method described in my original post is not considered legacy.
Self Service Password Reset Official Documentation: https://learn.microsoft.com/en-gb/azure/active-directory-b2c/add-password-reset-policy?pivots=b2c-custom-policy
Essentially, what I asked above not only is possible now, but it's also the recommended approach.
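The relying-party side of the three threads above (testing a policy against jwt.ms with an implicit-flow app registration, triggering a second policy such as password change from an SPA, and reacting to AADB2C90118 when sign-in does not embed password reset), as an added example that is not code from any of the posts or from the Microsoft samples. The tenant name `contosob2c`, the client id and the policy names are placeholders; the sample redirect URL is constructed from the error text quoted in the question.

```javascript
// Added example (not from the original posts): the relying-party side of running an
// Azure AD B2C custom policy. Tenant name, client id and policy names are placeholders.
const B2C = {
  tenant: "contosob2c",                               // assumed: <tenant>.onmicrosoft.com
  clientId: "00000000-0000-0000-0000-000000000000",   // placeholder app registration id
  policies: {
    signUpSignIn: "B2C_1A_signup_signin",
    passwordReset: "B2C_1A_PasswordReset",
    passwordChange: "B2C_1A_PasswordChange",
  },
};

// Authority for one policy: the value a React app passes to msal-browser's
// loginRedirect({ authority }) to run that policy (password change, profile edit, ...).
function b2cAuthority(policy, cfg = B2C) {
  return `https://${cfg.tenant}.b2clogin.com/${cfg.tenant}.onmicrosoft.com/${policy}`;
}

// Authorize URL for testing a policy against https://jwt.ms from an app registration
// that has jwt.ms as reply URL and implicit flow enabled (response_type=id_token).
// Production SPAs should use the authorization code flow with PKCE instead.
function buildTestAuthorizeUrl(policy, cfg = B2C) {
  const params = new URLSearchParams({
    client_id: cfg.clientId,
    nonce: "defaultNonce",
    redirect_uri: "https://jwt.ms",
    scope: "openid",
    response_type: "id_token",
    prompt: "login",
  });
  return `${b2cAuthority(policy, cfg)}/oauth2/v2.0/authorize?${params}`;
}

// Pull the AADB2C error code and correlation id out of an error_description (or out
// of msal-browser's error.errorMessage, which carries the same text).
function extractB2cCode(text) {
  const code = (text.match(/\b(AADB2C\d+)\b/) || [])[1] || null;
  const correlationId = (text.match(/Correlation ID:\s*([0-9a-f-]{36})/i) || [])[1] || null;
  return { code, correlationId };
}

// Parse the URL B2C redirected to. Errors come back as error / error_description in
// the query (code flow) or the fragment (implicit flow).
function parseB2cError(redirectedUrl) {
  const url = new URL(redirectedUrl);
  const params = new URLSearchParams(url.search);
  for (const [k, v] of new URLSearchParams(url.hash.replace(/^#/, ""))) params.append(k, v);
  const error = params.get("error");
  const description = params.get("error_description");
  if (!error || !description) return null;
  return { error, description, ...extractB2cCode(description) };
}

// AADB2C90118 means the user clicked "Forgot your password?" in a sign-up/sign-in
// policy that does not embed password reset; the app must start the reset policy
// itself. Anything else is a real failure: keep the correlation id, it is the key
// for looking the request up in Application Insights.
function nextStepFor(errorInfo, cfg = B2C) {
  if (!errorInfo) return { action: "none" };
  if (errorInfo.code === "AADB2C90118") {
    return { action: "redirect", authority: b2cAuthority(cfg.policies.passwordReset, cfg) };
  }
  return { action: "fail", code: errorInfo.code, correlationId: errorInfo.correlationId };
}

// Constructed sample of what jwt.ms receives when the forgot-password link is clicked.
const SAMPLE_REDIRECT =
  "https://jwt.ms/#error=access_denied&error_description=AADB2C90118%3A+The+user+has+forgotten+their+password." +
  "%0D%0ACorrelation+ID%3A+124dd908-e181-408f-a363-ecbd46aa9d8e";
```

In a React app using msal-browser the same decision is made in the `catch` of `loginRedirect`/`handleRedirectPromise`: feed `extractB2cCode(error.errorMessage)` to `nextStepFor` and, on `redirect`, call `loginRedirect({ authority })` with the returned authority. With the self-service password reset variant of the sign-up/sign-in policy the AADB2C90118 branch is never hit, which is exactly what the second answer above describes.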

Can't make Azure Conditional Access working

What I am testing
In order to force MFA, I created a very simple Azure conditional access policy:
User and group: all users
Grant: requires MFA
What I get
But this rule never applied.
What I did
I tested both from the WhatIf tool and by running Connect-AzAccount.
When testing I discovered that if I apply:
Cloud apps or action: Office 365 (or whatever)
This time whatIf is triggered.
My question
Could anybody explain this behavior to me? What should I do?
Thanks
After reading your question, I started testing MFA in my tenant. I followed this document and it finally worked, and I hope it helps you.
I created a test tenant for this scenario, and in Azure AD I needed to disable Security defaults first; this doc shows the operation.
And according to your description, it seems that your configuration didn't work; I assume that you may have missed some steps. When adding a Conditional Access policy, you need to add a policy name, then choose the affected scope (users and groups), select Cloud apps or actions (e.g. choose Microsoft Azure Management so the policy applies to sign-in events to the Azure portal), and you need to check the box for Require multi-factor authentication under Access controls -> Grant.
Here's my configuration. And when I signed in to the Azure portal with the test user, it asked me to use my phone to prove myself.
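The same policy expressed as the JSON body that Microsoft Graph's `/identity/conditionalAccess/policies` endpoint accepts, with a small lint that catches the gap from the question (users and grant set, no cloud apps assigned, so the policy never matches a sign-in). This is an added example, not code from the thread or from Microsoft; the display name and the break-glass account id are placeholders, and the emergency-access exclusion is a practitioner caveat of mine, not something the answer above states.

```javascript
// Added example (not from the original posts): build a Conditional Access policy in
// the shape Microsoft Graph expects, and lint it before creating it. Names and ids
// are placeholders.
function buildMfaPolicy({ displayName, includeApplications, excludeUsers = [], state = "enabledForReportingButNotEnforced" }) {
  return {
    displayName,
    state, // "enabled" | "disabled" | "enabledForReportingButNotEnforced"
    conditions: {
      users: { includeUsers: ["All"], excludeUsers },
      // "All", or one or more app ids (e.g. the Microsoft Azure Management app for
      // portal / Connect-AzAccount sign-ins). Empty = the policy is never evaluated.
      applications: { includeApplications },
    },
    grantControls: { operator: "OR", builtInControls: ["mfa"] },
  };
}

function findPolicyGaps(policy) {
  const gaps = [];
  const users = (policy.conditions && policy.conditions.users) || {};
  const apps = (policy.conditions && policy.conditions.applications) || {};
  const count = (xs) => (Array.isArray(xs) ? xs.length : 0);

  if (count(users.includeUsers) + count(users.includeGroups) + count(users.includeRoles) === 0) {
    gaps.push("no users, groups or roles assigned: the policy never matches a sign-in");
  }
  // The gap from the question: "all users" + "require MFA" but no target. Without an
  // application or user-action assignment the policy is not evaluated, so WhatIf and
  // real sign-ins (Connect-AzAccount, the portal) both report that no policy applied.
  if (count(apps.includeApplications) + count(apps.includeUserActions) === 0) {
    gaps.push("no cloud apps or user actions assigned: the policy never matches a sign-in");
  }
  const grant = policy.grantControls || {};
  if (count(grant.builtInControls) === 0 && !grant.authenticationStrength) {
    gaps.push("no grant control: nothing is required at sign-in");
  }
  // Practitioner caveat (not from the thread): a policy on All users with no excluded
  // emergency-access account locks every admin out if the MFA method breaks.
  if ((users.includeUsers || []).includes("All") && count(users.excludeUsers) === 0) {
    gaps.push("All users included with no emergency-access account excluded");
  }
  if (policy.state !== "enabled") {
    gaps.push(`state is ${policy.state}: the policy is not enforced`);
  }
  return gaps;
}

// Create the policy (needs network and a Graph token with Policy.ReadWrite.ConditionalAccess;
// Security defaults must already be disabled, as the answer above notes).
async function createPolicy(accessToken, policy) {
  const gaps = findPolicyGaps(policy);
  if (gaps.length) throw new Error("refusing to create policy: " + gaps.join("; "));
  const res = await fetch("https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies", {
    method: "POST",
    headers: { Authorization: `Bearer ${accessToken}`, "Content-Type": "application/json" },
    body: JSON.stringify(policy),
  });
  if (!res.ok) throw new Error(`Graph returned ${res.status}: ${await res.text()}`);
  return res.json();
}

// The policy from the question (no cloud apps) next to a corrected one.
const POLICY_AS_ASKED = buildMfaPolicy({ displayName: "Require MFA", includeApplications: [] });
const POLICY_FIXED = buildMfaPolicy({
  displayName: "Require MFA",
  includeApplications: ["All"],
  excludeUsers: ["<break-glass-account-object-id>"], // placeholder
  state: "enabled",
});
```

Run `findPolicyGaps(POLICY_AS_ASKED)` and the first complaint is the missing application assignment, which is why WhatIf only started matching once "Office 365" or "Microsoft Azure Management" was selected in the question. Start new policies in report-only mode, check the sign-in logs, then flip `state` to `enabled`.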

Using SendGrid and B2C Custom Policy to send customised email

I am trying to combine Azure B2C and SendGrid to send a custom verification code email using SendGrid.
After performing the steps mentioned in the reference link below, I am getting an error saying
Basic credentials specified for 'SendOtp' are invalid. Check that the credentials are correct and that access has been granted by the resource.
reference link
https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-email-sendgrid
Stuck for the entire day. Any help would be appreciated.
Thanks in advance.
This may not be exactly the answer to this situation, but other times when I had the same message, it was exactly what the error said - wrong creds (username/password/token)
Azure SendGrid setup incorrect
Azure requires you to setup the SaaS solution called "Twilio SendGrid".
Did you follow the guide and did you set this up correctly?
Azure creates a SendGrid account from the portal itself, and only when that is configured correctly, it'll make a valid connection.
Wrong permissions on API key
Also make sure your SendGrid API key has the correct permissions to execute the actions you wish.
Not defining policy key
Last but not least, make sure your policy key with the SendGrid API key is defined in the Identity Experience Framework, near your custom policies.
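A way to test the three points in the answer above (credentials, key permissions, policy key contents) outside B2C: rebuild the request that the `SendOtp` RESTful technical profile sends to SendGrid and send it yourself. This is an added example, not code from the posts or from the Microsoft tutorial. The request shape (bearer authentication with the `B2C_1A_SendGridSecret` policy key, `personalizations` / `dynamic_template_data` / `template_id` / `from`) follows my reading of the linked tutorial; the API key, template id and addresses are placeholders.

```javascript
// Added example (not from the original posts): reproduce, outside B2C, the call the
// SendOtp RESTful technical profile makes, so the API key, template and sender can be
// checked in isolation. Key, template id and addresses are placeholders.
const SENDGRID_MAIL_SEND = "https://api.sendgrid.com/v3/mail/send";

// Body shape per the linked tutorial's GenerateSendGridRequestBody transformation:
// personalizations.0.to.0.email, personalizations.0.dynamic_template_data.otp / .email,
// template_id and from.email.
function buildSendGridOtpRequest({ apiKey, templateId, fromEmail, toEmail, otp }) {
  // The tutorial's SendOtp profile uses AuthenticationType=Bearer with the policy key
  // B2C_1A_SendGridSecret. "Basic credentials specified for 'SendOtp' are invalid"
  // points at the profile's auth settings or at the value stored in that policy key.
  if (typeof apiKey !== "string" || !apiKey.startsWith("SG.")) {
    throw new Error("SendGrid API keys start with 'SG.'; check the value stored in the policy key");
  }
  if (!otp) throw new Error("otp is the one-time code B2C generates; supply a sample value");
  return {
    method: "POST",
    url: SENDGRID_MAIL_SEND,
    headers: { Authorization: `Bearer ${apiKey}`, "Content-Type": "application/json" },
    body: JSON.stringify({
      personalizations: [{ to: [{ email: toEmail }], dynamic_template_data: { otp, email: toEmail } }],
      template_id: templateId,
      from: { email: fromEmail },
    }),
  };
}

// Map SendGrid's status to the three causes listed in the answer.
function explainSendGridStatus(status) {
  switch (status) {
    case 202: return "unauthorized is not the problem: key, template and sender are valid";
    case 401: return "unauthorized: the API key is wrong, revoked, or not sent as 'Bearer <key>'";
    case 403: return "forbidden: the key lacks the Mail Send permission or the sender is not verified";
    default:  return `unexpected status ${status}: read the errors[] array in the response body`;
  }
}

// Send it (needs network; uses the global fetch available in Node 18+).
async function sendOtpEmail(args) {
  const req = buildSendGridOtpRequest(args);
  const res = await fetch(req.url, { method: req.method, headers: req.headers, body: req.body });
  return { status: res.status, verdict: explainSendGridStatus(res.status), body: await res.text() };
}

// Constructed sample input; replace with a real key (keep it out of source control) to run.
const SAMPLE_OTP_ARGS = {
  apiKey: "SG.placeholder",               // placeholder
  templateId: "d-00000000000000000000000000000000", // placeholder dynamic template id
  fromEmail: "noreply@example.com",
  toEmail: "user@example.com",
  otp: "123456",
};
```

If `sendOtpEmail(SAMPLE_OTP_ARGS)` with a real key returns 202 but the B2C journey still fails, the problem is on the policy side: the technical profile's authentication type, or a `B2C_1A_SendGridSecret` policy key that does not hold the same key you just tested.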

User.ReadWrite Permissions in Azure AD

I'm developing an application that incorporates the Skype for Business Online Web SDK. I've noticed that it is not possible to access information about the signed in user's Skype account/profile (via Skype's mePerson object).
The only way that I see to do this now is by having yourself as a contact and accessing information about that account/profile, via the Skype person object. This doesn't seem possible to me as it isn't feasible to set a requirement upon every client using my application to have themselves added as a contact on Skype for Business.
This issue is related to the one posted here, on the GitHub Skype Web SDK Samples page: https://github.com/OfficeDev/skype-web-sdk-samples/issues/1
My question: Are there plans to add the User.ReadWrite Permissions in Azure AD for an application extending Skype for Business? Or, is there a known workaround to retrieve the signed in user's profile/account information, which includes status, activity, or avatar/avatarUrl?
I've also posted this on the Microsoft Azure forums:
https://social.msdn.microsoft.com/Forums/azure/en-US/27d6ebdc-f023-4829-96dd-eefb9e1aaeaf/userreadwrite-permissions-in-azure-ad?forum=SkypeWebSDK
However, I've had no response so I'm also posting here in hopes of anybody having any input. Thank you in advance.
As you might have noticed from the issue link in GitHub, the permissions for the information you're trying to grab have been turned on in Azure AD.
You can plug in your Azure AD settings into the Interactive Web SDK to see it in action: https://ucwa.skype.com/websdk
Before you sign in, you'll need to do the following in the Azure AD management console:
Update your app to use the permissions in the image
Change your app's reply URL to this: https://ucwa.skype.com/websdk
Make sure you turn on OAuth implicit flow by modifying your app's manifest. Steps here https://msdn.microsoft.com/en-us/library/office/mt622687%28v=office.16%29.aspx?f=255&MSPPError=-2147217396 under "Configure your app for OAuth implicit grant flow"
Paste your app's Azure client ID into the "Client id" field on https://ucwa.skype.com/websdk
After you sign in, you'll notice one of the examples in the left hand navigation will let you view the signed-in user's presence, ID, etc.
I've also created a forked version of the Web SDK samples that you can easily update with your own Azure AD settings and deploy to your localhost. You might find this more useful for playing around than the hosted Interactive Web SDK.
https://github.com/tamhinsf/skype-web-sdk-samples
