Used build in policy to do signin and signup and username as login. As there is no build in policy to retrieve username so created additional custom policy for login singup and username retrieve , which is working , the problem is the username retrieve only works for username that are created through custom policy user flow and doesn't retrieve username that are created from build in userflow. any help will be appreciated.
You cannot combine both built in and custom policies. Built in policies are configurable from UI And these are predefined policies. You can combine two custom policies.
#rbrayb Thank you for sharing thread link the comment section.
You may refer this thread as well for some reference on combining custom policies.
Related
Currently our team is struggling with propper architecture of Azure B2C solution for our multi tenant app.
Here is what we want to achieve. We want to enable users from certain Azure AD to authenticate. This is nicely described here with restricting tenants we want to enable.
We just want to enrich this solution with google authentication. We do not want to enable all users to be able to sign up. Is there a possibility to create google federated user programatically? We basically recieve list of emails from customer company and we create accounts in tenant). As far as I know there is no possiblity to achieve this using ms graph API when I don't have issuerUserId of user.
Do we have any possible solutions for this type of scenario? Like invitation email or so? Or maybe B2C is not a propper solution in this case.
Thanks in advance
A solution would be create the allowed users in b2c as a local account in graph api with accountEnabled as false and some generated password. Since the accountEnabled is false, user will not be able to sign in or reset the password as the default set of custom policies verify that attribute.
In the federated flow in custom policy,
Let the user complete federation.
Read the account using email address received.
If a local account exists, then link the federated account (Write alternateSecurityId to the account using objectId).
If a matching local account cannot be found, block the user by showing a selfAsserted page saying you are not allowed to sign up/in to this application.
You could also have some custom boolean extension attribute set to the local account to have an extra validation and update it's value once user completes the signup.
I have a B2C tenant setup using the oob sign-up/sign-in user flow working fine. I have also implemented a custom policy to allow the user to change their password when they are already signed in to our application according to this article.
When testing, if I directly navigate to the custom policy endpoint, it first prompts me to sign-in and then takes me to the password change form which works fine. However, in our case since the user is already signed in to our application, we would like to bypass the sign-in form and take the user directly to the password change form. According to this article I can remove the prompt=login in the url and it should bypass the sign-in form if the user is already signed in.
To test this, I first login to my app using the signup/signin user flow and then invoke the custom policy url in the same browser tab session without the prompt=login. It does take me directly to the password change form, however, I get the following error when I try to change the password:
Invalid username or password
I have confirmed that I am entering the correct current password. How can I troubleshoot this and where might the issue be?
Thanks,
Param
This is typical of incorrect setup of custom policies.
Delete the two app registrations: ProxyIEF and IEF apps.
Run the tool to set it up for you: https://aka.ms/iefsetup.
Test sign in works with the custom policy.
Then follow the document you linked again to setup the password change flow. You can download the polices back from the Portal to work with.
I used this documentation to override a forgot password link in singInOrSignup custom policy, and it works perfectly :
https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-password-reset-policy?pivots=b2c-custom-policy
How can I please do the same things for Sign up now link to redirect to another custom policy that I created before?
That doc never sent the user to another policy for password reset. It just sends the user to a technical profile within the same policy. You can’t send the user to another policy through configuration of the custom policy.
You can rewrite the link using JavaScript using page customisation. Send the user to myapp.com/signup, do not link directly to another B2C policy,
https://learn.microsoft.com/en-us/azure/active-directory-b2c/customize-ui-with-html?pivots=b2c-custom-policy
https://learn.microsoft.com/en-us/azure/active-directory-b2c/javascript-and-page-layout?pivots=b2c-custom-policy
I am in the process of setting up Azure AD B2C and including an API connector in the profile creation. I use the policy Sign up and sign in from the user flows. Now I want to add a user attribute I created myself. This should not be visible under User attributes (the user should not fill this field himself) but should be filled by the API and returned under Application Claims and in the token. Is this possible with the user flows? Or is this currently only possible with the Custom policies under Identity Experience Framework?
Thanks for your answers
The way to do this with Azure AD B2C user flows would be to use JavaScript to hide the field so that is not visible to the user even though it is selected as an attribute in the user flow.
A similar approach is user to enable captcha while signing up as well in this sample - https://github.com/Azure-Samples/active-directory-b2c-dotnet-sign-up-user-flow-captcha.
Here is the official documentation for using JavaScript in user flows - https://learn.microsoft.com/en-us/azure/active-directory-b2c/javascript-and-page-layout.
I have an asp.net web application that authenticates via Azure AD B2C tenant. I have a sign-up-sign-in policy [login is using username instead of email] with MFA turned on. I have also setup Custom UI login page [unified.html] and MFA page [phonefactor.html] in a storage blob that the policy points to. I am able to authenticate the user via the custom login page and login with MFA. The issue is when I create a new user and force the user to change the password at their first login, instead of redirecting the user to the change password screen, I am getting an invalid username and password message. When I use the Sign-In policy instead of sign-up-sign-in, the redirection to change the password works for the new user. But the sign-in policy does not have the option to specify Custom UI for login page. Am I missing anything here and how can I make this work with the sign-up-sign-in policy.
Also is there any way to get the "Password" hint like the "Username" hint in the company branding ... Password hint is not available
forceChangePasswordNextLogin only works on the sign-in policy which does not support UI customization.
In order to achieve similar functionality in the unified sign-up/sign-in policy, you'll need to implement this functionality yourself.
One option to achieve similar (albeit not quite the same) functionality is by leveraging the Password Reset policy. You would be creating new users up-front and ensuring you configure their email. You then direct them straight to the Password Reset policy for their account activation. They'll receive an email with a code which once provided, will let them provide set their password.
There's already two outstanding feature asks in the Azure AD B2C Feedback Forum that you can support:
Support Force Password Reset
Fully Customizable Sign-In Page
UPDATE
For the DIY approach:
Create the users by setting up an Azure AD app for your back-end API as outlined here:
https://learn.microsoft.com/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet
Have your back-end API call the Graph API like this app does to create the users: https://github.com/AzureADQuickStarts/B2C-GraphAPI-DotNet.git
Send the users directly to the reset password URL /authorize/ url..