Nordic characters å, ø and æ not detected by azure b2c custom policy - azure

I am using migration to create users in azure b2c from the legacy database. I have some users with nordic characters å, ø, and æ in their username. I was able to create the users in azure b2c and when I search for users with graph API I see the username has those characters in it.
I have created a custom policy for logging in. It works for all the users with a regular English alphabet username. But, when trying to log in a user with nordic characters, it says account not detected. Somehow the username with nordic characters didn't match with the input provided.
For example, if the username is pål in azure b2c, correct input of username pål and password won't work but username pal would work.
How can I allow nordic username input to log in with custom policy?

Did you try using the latest version of the HTML Page Layout? As mentioned here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/page-layout#self-asserted-page-selfasserted version 2.1.2 fixed the localization encoding issue for languages.
Always use latest layout version in your policies.

Related

Can't reset B2C account password create via the Graph API

Hoping someone can shed some light on the following matter;
I got an Angular & .Net core Web API application that uses Azure B2C to authenticate users.
User accounts are created by the users themselves via the signin/signup custom policy, or an administrator can create accounts via the app using the Graph API.
Due to the requirements, the app uses usernames (as opposed to email addresses) to log into the application. So far I've managed to get everything working except for the following scenario:
When an account is created via the Graph API, the owner of that account cannot reset the account's password. The error is "An account could not be found for the provided user ID".
This isn't the case for accounts that get created via the custom signup policy, so I did some comparison and found that for those accounts that get created via the Graph API, the Email is missing (which can be found under User -> Authentication Methods). I looked at populating that field, but it appears the "Mail" attribute is 'read only' (not sure if that's the right attribute anyway).
At the moment I'm having to manually set the email via Azure so those accounts' passwords can be reset by their owner if necessary. This is obviously not ideal and I wanted to see if there is anyone that might have gotten around this issue, or at least get confirmation that this is indeed a limitation of the Graph API.
Thanks in advance for your help
So I managed to get this working using the approach outlined by Jas Suri. These are the steps that I went through:
Created a custom attribute in my B2C tenant to hold the account email address
Included the custom attribute claim type (extension_emailAddress) as well as the strongAuthenticationEmailAddress in the TrustFrameworkBase.xml
Updated my apps's custom policies to include the technical profile for local account discovery. I basically just copied the necessary bits and pieces from here
Updated the local account discovery to perform the comparison against the extension_emailAddress instead of strongAuthenticationEmailAddress.
Added an extra step to the Sign up user journey so that the value in strongAuthenticationEmailAddress is copied to extension_emailAddress
Updated my Web API / Graph API "create user" function so that it sets the extension_appidguid_emailAddress
That's it. Now it doesn't matter how the account gets created, the email address will be stored in the extension attribute and the password reset will be able to find the account using that attribute.
Happy to provide more details if anyone comes across this.
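As an added illustration of steps 1, 2 and 5 above (example XML, not the poster's own policy files): the TrustFrameworkExtensions fragments that declare the extension claim, copy the verified email into it, and persist it when the local account is written. The transformation Id and the write technical profile Id (AAD-UserWriteUsingLogonName) are assumptions; use whichever write profile your sign-up journey actually calls.

```xml
<!-- Added example, not the poster's policy. Ids below are assumed. -->
<BuildingBlocks>
  <ClaimsSchema>
    <!-- Step 1: in the policy the custom attribute is referenced as extension_emailAddress;
         Graph API exposes the same attribute as extension_<b2c-extensions-app-id-without-dashes>_emailAddress -->
    <ClaimType Id="extension_emailAddress">
      <DisplayName>Email Address (extension attribute)</DisplayName>
      <DataType>string</DataType>
      <UserInputType>TextBox</UserInputType>
    </ClaimType>
  </ClaimsSchema>
  <ClaimsTransformations>
    <!-- Step 5: copy the verified email into the extension attribute -->
    <ClaimsTransformation Id="CopyStrongAuthEmailToExtension" TransformationMethod="CopyClaim">
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="strongAuthenticationEmailAddress" TransformationClaimType="inputClaim" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="extension_emailAddress" TransformationClaimType="outputClaim" />
      </OutputClaims>
    </ClaimsTransformation>
  </ClaimsTransformations>
</BuildingBlocks>
<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>Azure Active Directory</DisplayName>
    <TechnicalProfiles>
      <!-- Partial override of the base write profile (assumed Id); B2C merges it with the
           base definition, so only the additions are listed here. Reading/writing an
           extension attribute also requires AAD-Common to carry the b2c-extensions-app
           ClientId and ApplicationObjectId metadata. -->
      <TechnicalProfile Id="AAD-UserWriteUsingLogonName">
        <InputClaimsTransformations>
          <!-- Runs before the write, so the copied value is in the claims bag -->
          <InputClaimsTransformation ReferenceId="CopyStrongAuthEmailToExtension" />
        </InputClaimsTransformations>
        <PersistedClaims>
          <!-- Stored on the user object; password reset can then look the account up by it -->
          <PersistedClaim ClaimTypeReferenceId="extension_emailAddress" />
        </PersistedClaims>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>
```

Accounts created through Graph API set the same attribute under its extension_<app-id>_emailAddress name, so both creation paths end up with a value in the field the reset journey reads.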
The problem is as you’ve identified, the Sign Up policy uses the strongAuthEmail attribute to store the verified email for a username based account. The Password reset policy will use this to verify the user owns the username. When creating the user with graph api, you can’t populate this field, it’s not exposed. The only option is to use a custom policy which stores this secure email in an extension attribute, and your graph api created users can then also target the same attribute to allow the stars to align.
Mail attribute is not the same as the Email under Authentication Methods, and currently there is no such graph api to set the Email value under Authentication Methods.
By the way, there is no need to create Azure AD B2C user for a user as users can sign up themselves.

Not Able to provide language support in b2c Custom policies using localization

I am using custom policies to enable mobile number authentication in my mobile app.
I have used custom UI files to manage the UI of the policies using blob storage as given in the following link:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-ui-customization-custom
Now I want to give support for the Chinese language for the sign-in, sign-up and password reset policies. For that I am following the Microsoft document:
https://learn.microsoft.com/bs-latn-ba/azure/active-directory-b2c/localization#set-up-localization
along with some reference document I found on git:
https://github.com/Azure-Samples/active-directory-b2c-advanced-policies/blob/master/Migration-JIT-sample/B2C_1A_Demo_Base.xml
FYI,
I have used this MS link to get started with custom policies:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-get-started-custom
but I wanted mobile authentication instead of email, so I made changes as given in this stackoverflow link:
Can Azure-AD B2C use a mobile telephone number as a username?
I am following the exact steps given in the document, but when I run the policy it gives me the error:
One of the request inputs is out of range.
After following the steps it generates a URL like this:
https://smarthomestgdev.blob.core.windows.net/en/b2cpagelayout/signup.html
The URL is correct but it does not render any sign-up page and gives a blank page.
Can anyone help me solve the issue?

Custom Azure B2C Password Reset Flow via Username

I set up a password reset flow using Azure B2C and local Azure accounts that uses the user's email address and verification code. However, my client would like to have a password reset email sent to the user based on the user name, not email address. The user email would be looked up behind the scenes and an email sent that would include a link to the password reset page as shown in the flow below.
After reading a gazillion articles on custom Azure B2C policies, I'm struggling to convince myself if it is possible to do what the client is asking for using Azure B2C.
In the sample password reset flow shown below, some of the areas I'm struggling with include:
Is it possible to create custom pages in the password reset flow such as the page in Step 4 that displays the user's masked email address, or the information page in Step 7?
Is there built-in functionality to look-up a user's email address and Active Directory Object ID based on their user name or would I have to call out to a custom Azure Function and use the Graph API to do this?
Is it possible to create and send a custom email that includes a hyperlink to the password reset page that includes the user's Active Directory Object ID as a query string parameter so the password reset page knows which user's password is being reset?
At the moment, it seems like it would be easier to create a completely custom ASP.NET MVC app to handle the requirements than it would be to use Azure B2C custom policies, but that isn't really a path I want to go down.
Is it possible to create custom pages in the password reset flow?
Yes, you can create your own custom password reset user flow using Azure Active Directory B2C.
In your case, if you want to figure out your custom page you could refer here.
Is there built-in functionality to look-up a user's email address and Active Directory Object ID based on their user name or would I have to call out to a custom Azure Function and use the Graph API to do this?
Using the Microsoft Graph REST API you could fetch your user information.
In your case you could use
List users
Get a user
To access user information you could also refer here in great detail.
Is it possible to create and send a custom email that includes a hyperlink to the password reset page that includes the user's Active Directory Object ID as a query string parameter so the password reset page knows which user's password is being reset?
You can use the company branding feature to customize the content of verification emails for resetting password.
Note: For better clarity you could check the Azure AD B2C: Frequently asked questions (FAQ) before the final workaround, which will definitely guide you to define the ultimate go-ahead.
Update
As per the Microsoft document, right now you cannot create it exactly according to your sample. See the screenshot; there are important remarks.
Thank you.
This GitHub project covers the case you describe. Still needs a lot of understanding about custom flows to get it working.
https://github.com/yoelhor/aadb2c-verification-link

Use MFA Hardware Token with Identity Framework Experience

I am currently using Phone Based MFA with Custom Flows created using Identity Framework Experience. How would I extend this to use Hardware Tokens, or app-based authenticators like Google or Microsoft Authenticator?
You could extend your MFA using Hardware OATH tokens in Azure MFA, as Microsoft previews Hardware OATH Tokens with Azure Multi-Factor Authentication.
Requirements:
The following are the pre-requirements to complete this configuration:
Azure AD Premium P1 or P2 license
Token2 hardware token(s)
A CSV file for your token device(s). You will receive an email with the CSV once you confirm the delivery.
Devices For CSV
As I don't have a device right now, I am using a virtual device emulator (refer here).
You have to create a secret with this device. The secret is required for upload to Azure AD and is required in the form of a CSV file with six columns.
The secret would look like this below:
This CSV file must contain following information:
upn,serial number,secret key,timeinterval,manufacturer,model
This should match the Azure portal information like below:
Ensure each UPN in the first column matches the device you are issuing to the user and upload the CSV file to Azure AD.
This is done from Azure Portal > Azure Active Directory left menu > MFA (in Security area) > OAUTH tokens (in settings area)
Upload CSV
Once you have created your CSV file from the emulator given above, you have to upload your file on the Azure portal.
CSV format
upn,serial number,secret key,timeinterval,manufacturer,model
gulnara@token2.onmicrosoft.com,60234567,1234567890abcdef1234567890abcdef,30,Token2,c101
Note: Make sure you include the header row in your CSV file as shown above. Also, please do not edit the CSV file in Excel; use a text editor (Notepad) instead.
Click Upload and browse for your CSV file. As long as there are no errors it will upload fine. Errors are displayed in the notifications area. Once the upload is complete click Refresh to see the imported hardware tokens. Tokens assigned to users that do not exist will appear after the user is created, if the user is created within 30 days.
Then you just need to activate the hardware token by clicking Activate.
See the screen shot below
Once you have activated it, the verification code will soon be prompted like below:
Once the OATH token is activated and set as the default MFA method, users can use it to log in, like below:
Please note that the login page will still ask for an "authenticator app" code, but the OTP generated by the hardware token will for sure be accepted without any issues.
Now enter the code from the hardware token or your emulator. The token changes every 30 seconds and is valid for a short while either side of the time it is displayed for on the device.
See the screen shot:
For large organizations, they can also set up additional MFA methods in addition to the hardware tokens. This will ensure users can still log in in case the hardware token is lost or damaged. Additional MFA factors, such as SMS or mobile app, can be configured by users themselves on this page, like below:
If you need more information you could refer here
Microsoft reference check here
Hardware token device information refer here

Azure AD B2C - Custom UI for resetpassword.html

I would like to disable or modify the regex check for the username in the custom "forgot your password" page in B2C. I am using the standard template resetpassword.html ... I have usernames that begin with an underscore in my web application.
I am getting the following validation message when trying to change the password for users with usernames beginning with an underscore
"The username you provided is not valid. It must begin with an alphabet or number and can contain alphabets, numbers and the following symbols: _ -"
For all other usernames that do not begin with an underscore, I have no issues resetting the password via the custom resetpassword.html page.
BTW my password reset policy's custom UI for forgot password points to this resetpassword.html
Any help would be appreciated
You can change the default behavior with custom policies. Please check the azure documentation here