Azure B2C User Flow SignUp/SignIn with Email/Number.
Requirements:
SignUp with Email/Phone:
while signing up when user click for registration its shows already email/phone number exist but we are looking when user have already have email then it automatically move to login flow.
SignIn with Email/Phone:
while user click on the signin if user not exist then it automatically navigate to the signup page so user dont need to manuly go for signup
Forget Password with Email/Phone:
With the Email/Phone number signin/signup flow there is missing the reset password policy to change password and there is only showing the change phone number option.we need to reset the user password
There is missing the Cenel icon on the phone number signup flow.
I did reproduce your scenario and found that there is currently no prebuild option or system in user flow of Azure AD B2C that when user try to sign and if it has not already signup will redirect to signup page and vice versa.
Azure AD B2C offers various sign-up and sign-in options for users of your applications:
I did Configure my Azure AD B2C local accounts to allow sign-up and sign-in with using email address. There are also other ways with username, phone number, or a combination of methods.
For Forget Password with Email/Phone enable the self-server password under the properties of your created user flow.
Please follow this GIF for apply for Forget Password with email and attribute which I have set for my userflow.
I have shown the demo how my user flow is working please check this GIF as well.
I have redirected my webapp to https://vikashgaurav.com/portfolio/ after successful signing.
Reference : https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications?tabs=app-reg-ga
https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-sign-up-and-sign-in-policy?pivots=b2c-user-flow
Related
I have web application and created User Signin_signup user flow for user sign up process, but while user signup email verification code is asking for next process.
I want to disable the Email verification while user Signup on Azure AD B2C Tenant.
Refer this.
Basically:
Select User flows.
Select the user flow for which you want to disable email verification.
Select Page layouts.
Select Local account sign-up page.
Under User attributes, select Email Address.
In the Requires Verification drop-down, select No.
Select Save. Email verification is now disabled for this user flow.
I tried to reproduce the same in my environment to disable the email verification
*In order to disable the email verification while user signup process, follow the below steps.
Azure Portal > Azure AD B2C > User Flows > B2C_1_SigninSignup > Page layouts > Local account sign up page.
once update the changes, try to create a user account, like below.
Azure Portal > Azure AD B2C > User Flows > B2C_1_SigninSignup > Run User Flow
Email verification is disabled while user signup process.
I am implementing a passwordless signin experience for local B2C account users with MFA credentials through Azure B2C custom policies. I am using AzureMfaProtocolProvider with a custom attribute stored phone number as an sms MFA option, and OneTimePasswordProtocolProvider with a custom attribute stored email as an email MFA option. When I initiate a login, the first step us username retrieval. The username is used to read the mfa options from AD and then presented to the user as options. Once they select an option, a code is sent and they must successfully validate the code from one of the MFA options to issue a token to the application. This works great, however I noticed that Active Directory does not store and log a "sign in" in the signin logs (https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-all-sign-ins). Per the document, MFA challenges should generate a signin log but it seems that MFA challenges with these protocol providers (AzureMfaProtocolProvider/ OneTimePasswordProtocolProvider) are not sufficient.
I am concerned that we will miss inherent Active Directory risk tracking without "sign ins" being generated. I am also operating with a business requirement to see those logs generated for auditing purposes.
As a work around, I am adding a psuedo password to user accounts on creation and then faking a login with the "login-NonInteractive" technical profile, which validates the credentials in AD using OIDC. This successfully generates a signin log but it seems hacky. My question is what is the recommended approach to generate a signin log in Azure AD with a passwordless solution?
what is the recommended approach to generate a signin log in Azure AD with a passwordless solution
For this scenario, you can implement magic link in this web application user can click login button and then user is redirected to identity provider in azure ad b2c.
Now in custom policy page user can select the magic link option to authenticate and user has to provide the email address and continue azure ad b2c will send a request to magic link web application and then this web api responsible to generating the magic link which we sent to the user mailbox.
For more information in detail, please refer below links:
samples/policies/sign-in-with-magic-link at master · azure-ad-b2c/samples · GitHub
https://github.com/azure-ad-b2c/samples#multi-factor-authentication-enhancements
I am struggling to get my head around how to implement a custom policy for the following flow:
User lands on the login page and that login page only contains an email input.
User enters email address and clicks continue
if user has already registered
Redirected to their selected login provider (Google, Microsoft Account or Local Account)
if user has not registered before
Check google provider if a user account exists for that email address
if Google account exists
Redirect to Google login
Check Microsoft provider if a user account exists for that email address
if Microsoft account exists
Redirect to Microsoft login
else
Redirect to registration screen
User completes registration screen
User is automatically logged in
The user
I've investigated whether this can in fact be done and I've found a "digital workspace for visual collaboration" (a.k.a Mural.co) that does in fact implement a similar flow, so this has to be possible. See the pictures below.
I'm, however, unable to find information on
how to query the social providers for account existence
how to go about creating this complex type of flow in Azure AD B2C custom policies.
Any pointers in the right direction would be greatly appreciated
Not possible. Nobody would allow you to probe a social IdP for an email. Data protection etc.
Reference our samples and wiki
Your sign up would be from our default sign up journey.
Your sign in flow could work like this:
Request for email
Read the directory to see if an email exists
If email exists, send the user to the IdP they used to sign up. You can do that by looking at the “issuers” registered on the userIdentity object,
If email doesn’t exist, send the user to the combined sign in and sign up page (technical profile) where they can sign in with social or sign up with a local account. Hide the sign in elements with CSS.
I have created an Azure app. After granted by user(once in lifetime
), it fetches the users outlook mailbox data with help of accessToken. The Microsoft account is part of my org which uses SSO. So, if i am pre logged in via SSO in browser, how can I get rid of the un-neccesary login screen, which comes pre-populated with my email id, and I only have to click to choose the user account.
How could i remove that login screen from this flow?
You can specify login_hint=user#domain.com with the username in the authorization URL to tell AAD which account the user could use. If they are already signed-in, it won't prompt the user to select the account.
I have an asp.net web application that authenticates via Azure AD B2C tenant. I have a sign-up-sign-in policy [login is using username instead of email] with MFA turned on. I have also setup Custom UI login page [unified.html] and MFA page [phonefactor.html] in a storage blob that the policy points to. I am able to authenticate the user via the custom login page and login with MFA. The issue is when I create a new user and force the user to change the password at their first login, instead of redirecting the user to the change password screen, I am getting an invalid username and password message. When I use the Sign-In policy instead of sign-up-sign-in, the redirection to change the password works for the new user. But the sign-in policy does not have the option to specify Custom UI for login page. Am I missing anything here and how can I make this work with the sign-up-sign-in policy.
Also is there any way to get the "Password" hint like the "Username" hint in the company branding ... Password hint is not available
forceChangePasswordNextLogin only works on the sign-in policy which does not support UI customization.
In order to achieve similar functionality in the unified sign-up/sign-in policy, you'll need to implement this functionality yourself.
One option to achieve similar (albeit not quite the same) functionality is by leveraging the Password Reset policy. You would be creating new users up-front and ensuring you configure their email. You then direct them straight to the Password Reset policy for their account activation. They'll receive an email with a code which once provided, will let them provide set their password.
There's already two outstanding feature asks in the Azure AD B2C Feedback Forum that you can support:
Support Force Password Reset
Fully Customizable Sign-In Page
UPDATE
For the DIY approach:
Create the users by setting up an Azure AD app for your back-end API as outlined here:
https://learn.microsoft.com/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet
Have your back-end API call the Graph API like this app does to create the users: https://github.com/AzureADQuickStarts/B2C-GraphAPI-DotNet.git
Send the users directly to the reset password URL /authorize/ url..