B2C verification emails do not deliver - azure-ad-b2c

I have a situation where the verification emails sent from a B2C tenant at sign-up do not deliver to users with email addresses for certain domains like free.fr, neuf.fr, laposte.net, club-internet.fr, etc.
Could the use of a third-party email provider address this issue?

Related

How to configure SMTP for Azure AD B2C custom emails?

I want to send customized email for SSO via AD B2C. I see that the documentation covers sending custom email via third party providers or via the SSPR technical profile. I'm trying to use the SSPR technical profile.
However, there is no reference as to how the email is sent to the customer. It doesn't explain how SMTP is configured for AD B2C to be able to send an email from our customized email address. Can someone point out how SMTP is configured for Azure AD B2C?
The documentation for third party emails also doesn't cover how we set the SMTP configuration.
There is no SMTP.
The SSPR Technical profile uses Azure to send emails. It's all done in the back end.
Similarly, for third parties.

Does Azure B2C identity provider return verified email address?

I have a web site that is using AAD B2C username/password authentication and stores the customer profile in a proprietary database.
We want to add additional identity providers to allow social sign-in as described in
https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-identity-provider.
We are not sure whether we can trust the provider that the logged-in user owns the email address returned by the provider.
For example, assume that we have in our database ValidCustomer#gmail.com account.
A hacker knows the email address and creates a new account ValidCustomer#gmail.com in Facebook. The account will exist in Facebook, but will not be verified, because the hacker doesn't have access to the Gmail account.
Then the hacker will try to login to our site via Facebook.
Will Facebook (or other identity provider) return back unverified email address as claim for authenticated user?
If yes, can we use any claim returned by the identity provider to understand whether the email address is verified or not?
Is there any general claim/rule in the B2C AAD protocol to check whether the email address is verified, or do we have to review each provider's policy individually?
Is it possible that today the provider guarantees a verified email address, but tomorrow will change their policy and will not verify the email address?
By default B2C will trust the claims sent by the identity provider. You would need custom policies to add a verification step for the email address. Sadly each provider is unique in these things. There is no standard claim for "email is verified".
But why is this important for you?
As long as you identify the user in your application by their object ID (and not the email), they will be separate users.
Even if the attacker manages to sign up through a social identity provider with the same email address, a new user entity is created in B2C, and will have a different object ID, thus not matching a user on your app side.
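The answer above recommends identifying users by object ID rather than email. The following is an added example (not code from the question or the answer) showing what that looks like in an application's user store: two constructed B2C claim sets share the same email, one from a local account and one from a Facebook sign-up, and the store keys on the `oid` claim, so they resolve to two different application users. The claim names `oid`, `sub`, `email`, `emails` and `idp` are standard B2C token claims; the rule that only local-account emails count as verified is this example's own policy assumption, not a B2C guarantee.

```python
"""Added example: resolve application users by the B2C object id (`oid`),
never by the email claim. Claim sets and the in-memory store are constructed
for illustration; a real app would receive claims from a validated ID token."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed claims: a local account that verified its email at sign-up.
LOCAL_CLAIMS = {
    "oid": "11111111-1111-1111-1111-111111111111",
    "emails": ["ValidCustomer@gmail.com"],
    "name": "Valid Customer",
}

# Constructed claims: a federated sign-up with the same email but its own oid.
FACEBOOK_CLAIMS = {
    "oid": "22222222-2222-2222-2222-222222222222",
    "email": "ValidCustomer@gmail.com",
    "idp": "facebook.com",
    "name": "Someone Else",
}


def email_from_claims(claims: dict) -> str:
    """B2C user flows emit `emails` (a list); custom policies often emit `email`."""
    if claims.get("email"):
        return claims["email"]
    emails = claims.get("emails") or []
    return emails[0] if emails else ""


def email_is_trusted(claims: dict) -> bool:
    """Assumption for this example: only local-account emails (no `idp` claim)
    were verified by B2C itself; federated emails are taken as unverified unless
    a custom policy adds its own verification step."""
    return "idp" not in claims


@dataclass
class AppUser:
    oid: str
    email: str
    idp: str
    email_verified: bool


@dataclass
class UserStore:
    by_oid: Dict[str, AppUser] = field(default_factory=dict)

    def resolve(self, claims: dict) -> AppUser:
        """Return the app user for a set of validated B2C claims, creating the
        record on first sign-in. `oid` (falling back to `sub`) is the only key."""
        oid = claims.get("oid") or claims.get("sub")
        if not oid:
            raise ValueError("token lacks an oid/sub claim; refuse to sign in")
        user = self.by_oid.get(oid)
        if user is None:
            user = AppUser(
                oid=oid,
                email=email_from_claims(claims),
                idp=claims.get("idp", "local"),
                email_verified=email_is_trusted(claims),
            )
            self.by_oid[oid] = user
        return user

    def users_with_email(self, email: str) -> List[AppUser]:
        """Diagnostic only: shows why email cannot be the identity key, since
        several distinct accounts may legitimately carry the same address."""
        return [u for u in self.by_oid.values() if u.email.lower() == email.lower()]


if __name__ == "__main__":
    store = UserStore()
    local = store.resolve(LOCAL_CLAIMS)
    social = store.resolve(FACEBOOK_CLAIMS)
    print(local.oid != social.oid, [u.idp for u in store.users_with_email("ValidCustomer@gmail.com")])
```

Anything in the application that links records to an account (orders, profile data, authorization decisions) should reference `AppUser.oid`; the `email_verified` flag is what the app would consult before, for instance, sending account-recovery mail to a federated user's address.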

Azure AD B2C - asynchronous email verification

Using Azure AD B2C with 'Email' specified for the user id.
I've tested the 'Sign up' and 'Sign up v2' user flows in Azure AD B2C. Both of these require the user to verify their email address by sending/entering a verification code. I've enabled MFA for both of these flows, so the mobile number needs to get verified as well.
The product guys have asked if it's possible for email verification to be done asynchronously, e.g. an email getting sent to the user, but they can verify this (e.g. via a hyperlink in the email) in their own time without having to enter a verification code during the registration process. Is this possible?
FYI. I think the reasoning from the product guys is that MFA via SMS to their mobile is enough. Multiple verifications (i.e. for email AND mobile) are a bit too much in terms of the UX...
One potential solution.
It's possible to disable email verification:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-disable-ev
Can then do external orchestration to send an async email. When they click on the link, we can update the verification status via the MS Graph API. Don't love this solution, but it's an option...
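The orchestration sketched in the answer needs a link that cannot be forged or replayed indefinitely, since clicking it is what flips the verification status. The following is an added example (not code from the answer) of the token half of that flow: the back end issues an HMAC-signed, expiring token bound to the user's object id and email, and the click handler validates it before invoking a `mark_verified` callback. The secret, object id, and the callback are placeholders; the Microsoft Graph update that the answer mentions would live inside that callback and is not implemented here.

```python
"""Added example: signed, expiring email-verification link for an asynchronous
verification step outside the B2C sign-up flow. Secret and identifiers are
constructed placeholders; the directory update is left to a caller-supplied callback."""
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Callable, Optional


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, oid: str, email: str, ttl_s: int = 24 * 3600,
                now: Optional[float] = None) -> str:
    """Build `<payload>.<signature>`; payload carries oid, email and an expiry."""
    issued = time.time() if now is None else now
    payload = {"oid": oid, "email": email, "exp": int(issued + ttl_s)}
    body = _b64u(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64u(sig)}"


def build_link(base_url: str, token: str) -> str:
    """Placeholder URL shape; the real endpoint belongs to the app, not to B2C."""
    return f"{base_url}?token={token}"


def verify_token(secret: bytes, token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if the signature is valid and the token is unexpired, else None.
    Signature is checked before the payload is parsed, with a constant-time compare."""
    try:
        body, sig_text = token.split(".", 1)
        presented = _b64u_decode(sig_text)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        return None
    try:
        payload = json.loads(_b64u_decode(body))
    except (ValueError, binascii.Error):
        return None
    current = time.time() if now is None else now
    if not isinstance(payload, dict) or payload.get("exp", 0) < current:
        return None
    return payload


def confirm_link(secret: bytes, token: str, mark_verified: Callable[[str, str], None],
                 now: Optional[float] = None) -> bool:
    """Click handler: only a valid, unexpired token reaches the directory update."""
    payload = verify_token(secret, token, now)
    if payload is None:
        return False
    mark_verified(payload["oid"], payload["email"])   # e.g. a Graph PATCH, not shown
    return True


if __name__ == "__main__":
    secret = b"placeholder-secret-rotate-me"
    tok = issue_token(secret, "00000000-0000-0000-0000-000000000000", "user@example.com", ttl_s=3600)
    print(build_link("https://app.example.invalid/verify-email", tok))
    print(confirm_link(secret, tok, lambda oid, email: print("verified", oid, email)))
```

The token carries no secret on its own, so it is safe to put in a URL; what protects the flow is the server-side secret, the expiry, and the fact that the update is keyed on the `oid` inside the signed payload rather than on anything the clicker supplies.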

Check if Azure Active Directory B2C verification code was sent via email

I'm using an Azure AD B2C policy where I'm requiring users to verify their email addresses with a verification code.
Is there a way to check the activity on whether or not this verification code email was sent to the user that is signing up?
There are no diagnostics around the verification code email. The verification code email should be sent every time as per your policy. You can request a feature for diagnostics or something like that in the Azure AD B2C feedback forum.
In some cases, emails will get routed to the user's spam mail or the company might be filtering out the emails completely. If you're seeing users from a given company consistently not receive the email, you should get some confirmation from Microsoft that the email was sent by opening a support ticket.

Azure AD B2C Password reset policy with alternate email address

I created a password reset policy and I am using username for the identity provider for local account.
The password reset screen asks for username and email address.
What if I know someone's username but use a different email to receive the verification code? Then I will be able to access someone else's account.
I saw it used to have a check box for password reset to use "Alternate Email Address", which is much more secure than allowing the user to input one. But I can't find how to use "Alternate Email Address" in the password reset policy.
Does anyone know where to set it?
What if I know someone's username but use a different email to receive the verification code? Then I will be able to access someone else's account.
Both the username and the email address must match the entries on the account. If a user uses a different email address, they will be shown an error message indicating that the account could not be found. Email verification is done before the account is looked up to minimize the chance of a malicious user trying out different email addresses for an account.
Alternate email address is not supported in Azure AD B2C because an alternate email address is not collected when the user signs up.
The admin UI that you have pasted in your question is for the enterprise directory and does not apply to Azure AD B2C. Azure AD B2C policies can only be configured using the Azure AD B2C settings blades in the Azure Portal.