I would like to create logical tenants of users with B2C by appending an account number to their username. So the user might conceive of their username as Bob, but I would be appending their account number to it (e.g. Bob1234). Are there any known hooks to transform the username entered by the user before authenticating?
You need to use a custom policy. https://aka.ms/ief
Before writing, reading and verifying credentials, use a claims transform to append the account number to the username:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/string-transformations#formatstringmultipleclaims
Related
I need to configure a SignIn (no SignUp) custom policy on an AAD B2C tenant, but I'm lacking the experience of the IEF to design/develop and test it properly. The policy should read (logically) as follows:
Present UI to user to enter email only (using a self-asserted TP?)
Use custom logic to determine whether the user represents a local account or to any of the known clients of ours. A single client could have multiple possible domains to be authenticated in the same IdP. The only option I know for doing this step is an external REST service, but this is something I would like to avoid if there is any other option to include custom login running inside the custom policy engine, using C#, JS, or event a simple dictionary from email domain to IdP domain.
Depending on the IdP automatically selected in step 2, branch to different journeys where the user will be sign-in
For local-account sign-in journey, the user will need to use MFA if he/she belongs to admin group. Only email, DisplayName, FirstName, LastName and UserId are needed as final claims.
For other IdPs I would have to add ClaimProviders and sub-journeys to allow for signing the users in
Finally the JWT Token should be issued to the relying party.
No storing back to AAD storage is required because there is no sign-up process. User are created from the application and invited (if local account) or already exist in their corresponding IdPs.
The wording you should look into is "home realm discovery".
There is a custom policy example on GitHub. However this example requires the application to provide the email hint. You need to extend it in a way that captures the email in a self-asserted step.
For scenarios where you need to implement a sign in journey, where the user is automatically directed to their federated identity provider based off of their email domain. And for users who arrive with an unknown domain, they are redirected to a default identity provider.
In this example, users who enter an email with the suffix contoso.com, they will be redirected directly to their federated identity provider to sign in. In this case that is Azure AD (SAML2).
Users who enter an email with the suffix facebook.com, they will be redirected directly to their federated identity provider to sign in. In this case that is Facebook (OAuth).
Where a user comes from an unknown email suffix, they will be redirected directly to a default identity provider, in this case that is Azure AD (OpenId).
This is another sample.
It first asks for the domain and then redirects to the appropriate IDP.
To add IDP, refer to this.
For MFA, start with the MFA starter pack.
Currently our team is struggling with propper architecture of Azure B2C solution for our multi tenant app.
Here is what we want to achieve. We want to enable users from certain Azure AD to authenticate. This is nicely described here with restricting tenants we want to enable.
We just want to enrich this solution with google authentication. We do not want to enable all users to be able to sign up. Is there a possibility to create google federated user programatically? We basically recieve list of emails from customer company and we create accounts in tenant). As far as I know there is no possiblity to achieve this using ms graph API when I don't have issuerUserId of user.
Do we have any possible solutions for this type of scenario? Like invitation email or so? Or maybe B2C is not a propper solution in this case.
Thanks in advance
A solution would be create the allowed users in b2c as a local account in graph api with accountEnabled as false and some generated password. Since the accountEnabled is false, user will not be able to sign in or reset the password as the default set of custom policies verify that attribute.
In the federated flow in custom policy,
Let the user complete federation.
Read the account using email address received.
If a local account exists, then link the federated account (Write alternateSecurityId to the account using objectId).
If a matching local account cannot be found, block the user by showing a selfAsserted page saying you are not allowed to sign up/in to this application.
You could also have some custom boolean extension attribute set to the local account to have an extra validation and update it's value once user completes the signup.
I need to create multiple user account in Azure AD B2C with unique usernames but same email address. The user logins with the username.
Scenario
I have an e-commerce b2b site.
A user reseller has an account on the b2b site with unique username and an email address.
The same user has another different account on the same b2b site with a different (unique) username but he has the same email address.
So you have:
account1: username is Username1 and email is matt#pippo.com
account2: username is Username2 and email is matt#pippo.com
For the password reset you need both the username and the email.
Is this scenario supported on Azure AD B2C?
Suggestions are welcome. Thanks in advance.
There is a method theoretically. This requires you to set up different account types for this email address. For example, if you have a gmail account, you can directly register to B2C as a local account, or you can configure gmail as a Identity providers, if you log in with gmail, this achieves two identical mailboxes but different account names.
However, this method is not recommended. This is equivalent to two completely different account types. If you require both account1 and account2 to be local accounts, then obviously this method will not work. Therefore, in summary, I don’t think you can create two different user accounts with the same email address.
This username sample already accomplished this:
https://github.com/azure-ad-b2c/samples/tree/master/policies/username-signup-or-signin
The username, or login identifier, is stored in the signInNames.username attribute. This has a uniqueness constraint.
The email is stored in the strongAuthenticationEmailAddress attribute, which does not have a uniqueness constraint. You could swap it for an extension attribute too.
We have a scenario where we need to integrate Azure B2C with one of our existing system, where the email is not a mandatory user field, we have only the mobile number of the user as a mandatory field. I am looking for ways to integrate azure B2C where i can give a username and an initial password for the first time, instead of email. And all the password reset scenarios will have to go through OTP or email, where it will be a users choice to give email to reset the password.
We are able to create the user through Graph API initially, but
stuck with creating a user-flow where it will ask the username and password instead of email and password.
You can choose Username as local account types when configuring identity providers for Azure AD B2C in the Azure portal. In your Azure AD B2C tenant, select Identity providers, select Local account, and then select Username.
Then you need to select Local Account again in your user flow.
I would like to use Azure B2C Active Directory and source users under local account as email (joe#some-email.com) and also as username (for example - joe123).
Within the portal, under local accounts in B2C, you can select either email or username and I cannot find a way to add both types of local accounts, appears it’s mutually exclusive between email type or username type.
Wanted to confirm, if there a way to configure B2C that works with both types of sign-ins where a user can provide any valid email no matter what the domain is and at the same time allow users to sign-in by just providing a username.
In case they are exclusive, is there a preferred solution that would allow both type of sign-in to coexist.
No, you cannot use both of them, as if local account set to use email then that email goes to username field inside user account. There is also email claim in user account profile. But if let's say you select local account with email and also select that claim again email will be asked once and only go to username field. Also email uniqueness will be checked only if it is used for sign-in. If you use username for local account sign-in then multiple users can be registered with same valid email