Getting user attribute in sign in flow in Azure B2C - azure

When I read the documentation from Microsoft for Azure B2C, it mentions that we can collect user attributes during the sign-up flow.
I have a requirement where I need to get an input from the user during the sign-in flow. Other than the username and password entered during sign-in, I need the user to enter another field.
Is there an option to do the above in the sign-in flow?

You need to use a custom policy.
It will allow you to add any extra pages and/or logic to any journey.
Samples: https://github.com/azure-ad-b2c/samples

Another way of collecting user input (e.g. an additional field in the sign-up form) during sign-up without using custom policies is as follows:
In Azure B2C, set up an additional User Attribute of type String.
In the specific sign-in flow, require this User Attribute to be collected.
If needed, you can customize the wording and default values used in the form by supplying a language override in the specific flow.

Related

Azure B2C Custom Policy , Add Custom User Attribute in Output Claims

I have created a custom policy for interactive login in Azure AD B2C.
The sign-in / sign-up works fine.
However, now I have added a custom user attribute in my B2C through the portal and also updated my custom policy for the "extension_UserRole" custom attribute.
However, it is not showing in sign-in or in the JWT. Below is my custom policy:
https://github.com/menikhilmittal/policyb2c
Please suggest changes.
Input claims are used to pre-populate fields.
You need to give the extension attribute a value (CopyClaim from another attribute?) and have it as an output in both read and write.
If it is an output in sign-up, e.g., it will create a text box that you can populate.
Have you also used both email and login hint to populate it?
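Putting that answer into policy XML, as an added example (this is not the policy from the repository linked above): declare extension_UserRole as a claim type, make it an OutputClaim of the sign-up page so a text box is rendered, persist it in the write profile, return it from the read profiles used on the sign-in path, and list it in the relying party so it reaches the JWT. The technical profile ids are the starter-pack names; the two GUIDs on AAD-Common are placeholders for the tenant's own b2c-extensions-app values.

```xml
<!-- Added example: TrustFrameworkExtensions.xml fragments for surfacing extension_UserRole.
     In the policy the attribute is referenced as extension_<Name>; the directory stores it
     as extension_<b2c-extensions-app client id without dashes>_<Name>. -->
<BuildingBlocks>
  <ClaimsSchema>
    <ClaimType Id="extension_UserRole">
      <DisplayName>User role</DisplayName>
      <DataType>string</DataType>
      <UserHelpText>Your role in the organisation</UserHelpText>
      <UserInputType>TextBox</UserInputType>
    </ClaimType>
  </ClaimsSchema>
</BuildingBlocks>
<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>Azure Active Directory</DisplayName>
    <TechnicalProfiles>
      <!-- Extension attributes can only be read or written once AAD-Common carries the
           b2c-extensions-app identifiers (placeholder GUIDs below). -->
      <TechnicalProfile Id="AAD-Common">
        <Metadata>
          <Item Key="ApplicationObjectId">00000000-0000-0000-0000-000000000000</Item>
          <Item Key="ClientId">00000000-0000-0000-0000-000000000000</Item>
        </Metadata>
      </TechnicalProfile>
      <!-- Write path (sign-up): persist the value the user typed. -->
      <TechnicalProfile Id="AAD-UserWriteUsingLogonEmail">
        <PersistedClaims>
          <PersistedClaim ClaimTypeReferenceId="extension_UserRole" />
        </PersistedClaims>
      </TechnicalProfile>
      <!-- Read path (sign-in): return it from the directory so it is in the claims bag
           when the token is built. SignUpOrSignIn reads by objectId after a local sign-in. -->
      <TechnicalProfile Id="AAD-UserReadUsingObjectId">
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="extension_UserRole" />
        </OutputClaims>
      </TechnicalProfile>
      <TechnicalProfile Id="AAD-UserReadUsingEmailAddress">
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="extension_UserRole" />
        </OutputClaims>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
  <ClaimsProvider>
    <DisplayName>Local Account</DisplayName>
    <TechnicalProfiles>
      <!-- An OutputClaim on the sign-up page renders a text box; an InputClaim would
           only pre-populate an existing value and collects nothing. -->
      <TechnicalProfile Id="LocalAccountSignUpWithLogonEmail">
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="extension_UserRole" Required="true" />
        </OutputClaims>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>

<!-- SignUpOrSignin.xml (relying party file): the claim must also be listed here,
     otherwise it sits in the claims bag but is never emitted in the JWT. -->
<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="OpenIdConnect" />
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
      <OutputClaim ClaimTypeReferenceId="email" />
      <OutputClaim ClaimTypeReferenceId="extension_UserRole" PartnerClaimType="role" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="sub" />
  </TechnicalProfile>
</RelyingParty>
```

Upload the extensions file before the relying-party file. If the claim is still absent from the token for an existing user, that user simply has no value stored yet: the read profiles return nothing for an attribute that was never written, and the relying party omits empty claims.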

Additional user input in B2C signin custom policy

I want to, during the sign in flow, ask the user for additional input, which would be used as an inputClaim in one of the next steps of the user journey in a custom policy. The value does not need to be persisted. Ideally, it would be done in the sign-in window, but also could be collected from a separate window.
I am able to modify the sign-up window in this way, though not the sign-in one. I looked it up in https://learn.microsoft.com/en-us/azure/active-directory-b2c/customize-ui-with-html?pivots=b2c-custom-policy, but this again describes only the sign-up scenario.
There is a similar question asked by Zzehan-jurangpathy here: Getting user attribute in sign in flow in Azure B2C, though with no answer that would actually be helpful.
You can't modify the standard sign-in flow. It just allows username and password.
You can add an extra page by adding a self-asserted technical profile e.g. here.

B2c Custom policy for sign in

I'm looking to create a custom policy for the following scenario:
User is created in the tenant by a job that has custom attributes for users: case reference and NI number (I know how to do this).
User gets a sign-in page. There is no sign-up page.
The sign-in page has email, case ref and NI number that the user is required to enter.
Sign-in validation validates case ref and NI number against what is held in the B2C tenant.
Looking at Microsoft's docs is baffling... whoever thought getting devs to edit and create the XML policy files was a good idea beggars belief.
Is it actually possible to validate against the info in the tenant through some sort of technical validation profile or something?
Create a self-asserted page with case ref, NI number etc. as output claims, i.e. they will appear on the form.
Add this page to the user journey after sign-in ("login-NonInteractive").
Read the user attributes ("AAD-UserReadUsingxxx").
You can compare the claims in the journey. Maybe easier to call a REST API to validate the information.
If good, send the JWT (the standard "SendClaims"). If not, display an error.
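A worked version of this answer, which also covers the "add a self-asserted page" advice in the two answers further up, as an added example rather than anything posted in the thread: the page is a self-asserted technical profile whose OutputClaims are the form fields; the values a provisioning job stored on the user are read back after sign-in by the starter-pack AAD-UserReadUsingObjectId profile; and the comparison is done in-policy with the AssertStringClaimsAreEqual transformation run from a validation technical profile, so a mismatch is shown as an error on the same page and the JWT is only issued in the final step. The ids enteredCaseRef, enteredNINumber, extension_CaseRef, extension_NINumber, SelfAsserted-CaseCheck, ClaimsTransformation-AssertCaseDetails and SignInWithCaseCheck are assumptions made for this example; every other id is a starter-pack name.

```xml
<!-- Added example (not from the thread): TrustFrameworkExtensions.xml fragments. After a
     local-account sign-in, a page asks for case reference and NI number and both are checked
     against extension_CaseRef / extension_NINumber stored on the user by a provisioning job.
     AAD-Common must already carry the b2c-extensions-app ApplicationObjectId and ClientId. -->
<BuildingBlocks>
  <ClaimsSchema>
    <!-- Stored values: read back from the directory, never rendered. -->
    <ClaimType Id="extension_CaseRef"><DisplayName>Stored case reference</DisplayName><DataType>string</DataType></ClaimType>
    <ClaimType Id="extension_NINumber"><DisplayName>Stored NI number</DisplayName><DataType>string</DataType></ClaimType>
    <!-- Typed values: separate ids so they cannot overwrite the stored ones; never persisted. -->
    <ClaimType Id="enteredCaseRef"><DisplayName>Case reference</DisplayName><DataType>string</DataType><UserInputType>TextBox</UserInputType></ClaimType>
    <ClaimType Id="enteredNINumber"><DisplayName>National Insurance number</DisplayName><DataType>string</DataType><UserInputType>TextBox</UserInputType></ClaimType>
  </ClaimsSchema>
  <ClaimsTransformations>
    <!-- AssertStringClaimsAreEqual throws when the pair differs; the user-facing message
         is set on the technical profile that runs it. -->
    <ClaimsTransformation Id="AssertCaseRefMatches" TransformationMethod="AssertStringClaimsAreEqual">
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="enteredCaseRef" TransformationClaimType="inputClaim1" />
        <InputClaim ClaimTypeReferenceId="extension_CaseRef" TransformationClaimType="inputClaim2" />
      </InputClaims>
      <InputParameters><InputParameter Id="stringComparison" DataType="string" Value="ordinalIgnoreCase" /></InputParameters>
    </ClaimsTransformation>
    <ClaimsTransformation Id="AssertNINumberMatches" TransformationMethod="AssertStringClaimsAreEqual">
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="enteredNINumber" TransformationClaimType="inputClaim1" />
        <InputClaim ClaimTypeReferenceId="extension_NINumber" TransformationClaimType="inputClaim2" />
      </InputClaims>
      <InputParameters><InputParameter Id="stringComparison" DataType="string" Value="ordinalIgnoreCase" /></InputParameters>
    </ClaimsTransformation>
  </ClaimsTransformations>
</BuildingBlocks>
<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>Azure Active Directory</DisplayName>
    <TechnicalProfiles>
      <!-- Starter-pack read profile, extended to return the stored values after sign-in. -->
      <TechnicalProfile Id="AAD-UserReadUsingObjectId">
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="extension_CaseRef" />
          <OutputClaim ClaimTypeReferenceId="extension_NINumber" />
        </OutputClaims>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
  <ClaimsProvider>
    <DisplayName>Case check</DisplayName>
    <TechnicalProfiles>
      <!-- No sign-up in this journey, so hide the "Sign up now" link on the sign-in page. -->
      <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
        <Metadata><Item Key="setting.showSignupLink">false</Item></Metadata>
      </TechnicalProfile>
      <!-- Runs both assertions; a failure is rendered as a validation error on the page. -->
      <TechnicalProfile Id="ClaimsTransformation-AssertCaseDetails">
        <DisplayName>Check case details against the directory</DisplayName>
        <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
        <Metadata><Item Key="UserMessageIfClaimsTransformationStringsAreNotEqual">The details you entered do not match our records.</Item></Metadata>
        <OutputClaims><OutputClaim ClaimTypeReferenceId="enteredCaseRef" /></OutputClaims>
        <OutputClaimsTransformations>
          <OutputClaimsTransformation ReferenceId="AssertCaseRefMatches" />
          <OutputClaimsTransformation ReferenceId="AssertNINumberMatches" />
        </OutputClaimsTransformations>
      </TechnicalProfile>
      <!-- The extra page: OutputClaims are the form fields, the validation profile is the check. -->
      <TechnicalProfile Id="SelfAsserted-CaseCheck">
        <DisplayName>Confirm your case details</DisplayName>
        <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
        <Metadata><Item Key="ContentDefinitionReferenceId">api.selfasserted</Item></Metadata>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="enteredCaseRef" Required="true" />
          <OutputClaim ClaimTypeReferenceId="enteredNINumber" Required="true" />
        </OutputClaims>
        <ValidationTechnicalProfiles><ValidationTechnicalProfile ReferenceId="ClaimsTransformation-AssertCaseDetails" /></ValidationTechnicalProfiles>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>
<UserJourneys>
  <!-- Sign-in only; the JWT is issued in the last step, so a failed check never reaches it. -->
  <UserJourney Id="SignInWithCaseCheck">
    <OrchestrationSteps>
      <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
        <ClaimsProviderSelections><ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" /></ClaimsProviderSelections>
        <ClaimsExchanges><ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" /></ClaimsExchanges>
      </OrchestrationStep>
      <OrchestrationStep Order="2" Type="ClaimsExchange">
        <ClaimsExchanges><ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" /></ClaimsExchanges>
      </OrchestrationStep>
      <OrchestrationStep Order="3" Type="ClaimsExchange">
        <ClaimsExchanges><ClaimsExchange Id="CaseCheckExchange" TechnicalProfileReferenceId="SelfAsserted-CaseCheck" /></ClaimsExchanges>
      </OrchestrationStep>
      <OrchestrationStep Order="4" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
    </OrchestrationSteps>
    <ClientDefinition ReferenceId="DefaultWeb" />
  </UserJourney>
</UserJourneys>
```

Point the relying-party file's DefaultUserJourney at SignInWithCaseCheck. The typed values are kept in their own claim types and never persisted, so a wrong guess cannot overwrite what the job stored, and the user only reaches the page after proving the password, so the page does not become an oracle for guessing case references of other accounts. If the comparison needs rules a string transformation cannot express, the validation technical profile can be swapped for a RESTful one, as the answer suggests.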

Is there a way to define the Display Name in the Sign up and Sign in user flow in Azure AD B2C?

Is there a way to define the Display Name (label) and User Input type for the Sign up and Sign in user flow in Azure AD B2C out of the box?
We have several custom attributes for which we need to set a user-friendly display name. However, the recommended Sign up and sign in policy doesn't seem to support this out of the box. The Sign up only policy has a UI to define the Display Name (in Label). We can use two separate policies, Sign up and Sign in, but the latter doesn't support selecting templates.
Currently there is no direct UI for the Sign up and sign in policy or the Sign in policy. You need to customize the label manually by editing the file.
Reference:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/user-flow-language-customization
https://learn.microsoft.com/en-us/azure/active-directory-b2c/customize-ui-overview

Custom Azure B2C Password Reset Flow via Username

I set up a password reset flow using Azure B2C and local Azure accounts that uses the user's email address and a verification code. However, my client would like to have a password reset email sent to the user based on the user name, not the email address. The user email would be looked up behind the scenes and an email sent that would include a link to the password reset page, as shown in the flow below.
After reading a gazillion articles on custom Azure B2C policies, I'm struggling to convince myself that it is possible to do what the client is asking for using Azure B2C.
In the sample password reset flow shown below, some of the areas I'm struggling with include:
Is it possible to create custom pages in the password reset flow such as the page in Step 4 that displays the user's masked email address, or the information page in Step 7?
Is there built-in functionality to look-up a user's email address and Active Directory Object ID based on their user name or would I have to call out to a custom Azure Function and use the Graph API to do this?
Is it possible to create and send a custom email that includes a hyperlink to the password reset page that includes the user's Active Directory Object ID as a query string parameter so the password reset page knows which user's password is being reset?
At the moment, it seems like it would be easier to create a completely custom ASP.NET MVC app to handle the requirements than it would be to use Azure B2C custom policies, but that isn't really a path I want to go down.
Is it possible to create custom pages in the password reset flow?
Yes, you can create your own custom password reset user flow using Azure Active Directory B2C.
In your case, if you want to figure out your custom page, you could refer here.
Is there built-in functionality to look-up a user's email address and Active Directory Object ID based on their user name or would I have to call out to a custom Azure Function and use the Graph API to do this?
Using the Microsoft Graph REST API you could fetch your user information.
In your case you could use:
List users
Get a user
To access user information you could also refer here, in great detail.
Is it possible to create and send a custom email that includes a hyperlink to the password reset page that includes the user's Active Directory Object ID as a query string parameter so the password reset page knows which user's password is being reset?
You can use the company branding feature to customize the content of verification emails for resetting passwords.
Note: For better clarity you could check the Azure AD B2C: Frequently asked questions (FAQ) before the final workaround, which will definitely guide you to define the ultimate go-ahead.
Update
As per the Microsoft document, right now you cannot create exactly according to your sample. See the screenshot; there are important remarks.
Thank you.
This GitHub project covers the case you describe. Still needs a lot of understanding about custom flows to get it working.
https://github.com/yoelhor/aadb2c-verification-link
