Azure B2C magic link email customization - azure-ad-b2c

I have added the magic link feature in my sign-in/sign-up flow. I have changed the RESTful provider to send email from a custom email provider. How do I generate the magic link for Confirm Account to be passed in the template?

What do you mean by template?
Are you using custom policies?
If so, refer to this.
You have a choice of symmetric (secret key) or asymmetric (certificate).
There are two "magic link" samples plus a sign-in one.

Related

Azure AD B2C Validate Claim value inside custom policy

Is there a way in B2C custom policies to validate claims by comparing them?
Let's say we need to validate the user's postal code to reset a password. Can we do:
insertedPostalCode == actualPostalCode (compare two claims)?
Of course, this is after reading the user from B2C using an email or some other sign-in name.
You can absolutely do this.
I'm going to assume you're using B2C custom policies.
Use a claims transformation, either AssertStringClaimsAreEqual or CompareClaims, in a technical profile that can be added as a validation step in the self-asserted page you are using to collect this postal code from the user.
Here are the Microsoft docs that should point you in the right direction.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/string-transformations#assertstringclaimsareequal
https://learn.microsoft.com/en-us/azure/active-directory-b2c/string-transformations#compareclaims

How to write an Azure B2C custom policy that triggers when a new user is added

I have a project, implemented using React JS and Azure B2C. For sign-in and password reset, I used Azure built-in user flows. What I want is that when I add a user with the 'Create Azure AD B2C user' option, the user gets an email (an invite). As far as I know, B2C doesn't have this function yet. I found out that this might be solved by a custom policy, but I don't know how. Can anyone help me with this? Thanks in advance.
This type of process would not be handled by the B2C flows. A user creation task cannot be tied to an email being sent out from our service. You would rather follow something like this:
https://github.com/azure-ad-b2c/samples/tree/master/policies/invite
You would create the user via the portal or Graph API. Then generate a link and send it via a mail provider to the user's email address, containing the link to complete the registration, e.g. providing their password.
Agree with #Jas.
Have a look here to see something similar for the invite flow.
Note that you should use "id_token_hint" rather than the older "client_assertion".

Azure AD B2C - Email verification/approval after sign-up

Would like users to sign up without email verification (there is an option to disable this in the B2C GUI), and an email should be sent with a link that users can click to activate the account. Doesn't look to be possible out of the box. Is there a way to accomplish this while also making sure that the email activation is secure and not prone to brute force attack?
There is some example code here.
The repository also contains a good write-up "Implementing an invitation flow" which will help.
The security requirement is achieved by using a signed JWT to transfer the claims.
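The three threads above (the magic-link sample pointer in the first question, the "use id_token_hint" note in the invite answer, and the "signed JWT" remark just above) all rest on the same mechanism: the service that sends the e-mail mints a short-lived signed JWT, embeds it in the link as the id_token_hint parameter of the B2C authorize request, and the policy validates the signature before it trusts the e-mail claim inside. The Python below is an added example written for this page, not code from the Microsoft samples repository; the tenant name, policy id, client id, issuer, redirect URI and shared secret are placeholders. It uses the symmetric (shared-secret, HS256) option mentioned in the first answer; the asymmetric choice would replace the HMAC with an RS256 signature over the same signing input, with the certificate uploaded as a B2C policy key. The verify function is what the consuming side has to do (B2C does it for you in the id_token_hint technical profile); it is written out to make the brute-force question concrete: the link carries a 256-bit MAC that has to be exactly right, the algorithm is pinned, and the token is only accepted inside its nbf..exp window, so there is nothing to enumerate.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed values, constructed for this example (none come from the original posts).
TENANT = "contoso"                                    # B2C tenant name
POLICY = "B2C_1A_signup_signin_magiclink"             # custom policy id
CLIENT_ID = "11111111-2222-3333-4444-555555555555"    # B2C app registration; used as the JWT audience
ISSUER = "https://app.example.com"                    # your own service, the issuer of the hint
REDIRECT_URI = "https://app.example.com/signin-oidc"  # redirect URI registered on that app
SIGNING_KEY = b"0123456789abcdef0123456789abcdef"     # 256-bit shared secret, also stored as a B2C policy key
LINK_TTL_SECONDS = 600                                # how long an e-mailed link stays valid


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWS compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: bytes, key: bytes) -> bytes:
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def create_id_token_hint(email: str, key: bytes = SIGNING_KEY,
                         now: Optional[int] = None, ttl: int = LINK_TTL_SECONDS) -> str:
    """Build the HS256-signed JWT that the policy's id_token_hint technical profile validates."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": ISSUER,
        "aud": CLIENT_ID,
        "sub": email,
        "email": email,                    # the claim the policy reads to pre-fill / confirm the account
        "iat": now,
        "nbf": now,
        "exp": now + ttl,                  # bounds the window in which a leaked link is useful
        "jti": secrets.token_urlsafe(16),  # unique per link, so a backend can refuse replays
    }
    segments = [_b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)]
    signing_input = ".".join(segments).encode("ascii")
    return ".".join(segments + [_b64url(_sign(signing_input, key))])


def build_magic_link(email: str, key: bytes = SIGNING_KEY,
                     now: Optional[int] = None, ttl: int = LINK_TTL_SECONDS) -> str:
    """The URL that goes into the e-mail template: B2C authorize endpoint plus the signed hint."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "id_token",
        "response_mode": "form_post",
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "nonce": secrets.token_urlsafe(16),
        "id_token_hint": create_id_token_hint(email, key, now, ttl),
    }
    return (f"https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com/{POLICY}"
            f"/oauth2/v2.0/authorize?{urlencode(params)}")


def hint_from_link(link: str) -> str:
    """Pull the id_token_hint back out of a link (what B2C receives when the user clicks)."""
    return parse_qs(urlsplit(link).query)["id_token_hint"][0]


def verify_id_token_hint(token: str, key: bytes = SIGNING_KEY,
                         now: Optional[int] = None) -> Optional[dict]:
    """Checks the consuming side performs before trusting the e-mail claim.
    Returns the payload, or None on any failure (no hint about which check failed)."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":   # never let the token choose the algorithm ("none", key confusion)
            return None
        expected = _sign(f"{header_b64}.{payload_b64}".encode("ascii"), key)
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        payload = json.loads(_b64url_decode(payload_b64))
        if payload.get("iss") != ISSUER or payload.get("aud") != CLIENT_ID:
            return None
        if not (int(payload["nbf"]) <= now < int(payload["exp"])):
            return None
        return payload
    except (ValueError, KeyError, TypeError, AttributeError):
        return None


if __name__ == "__main__":
    link = build_magic_link("alice@example.com")
    print(link)
    print(verify_id_token_hint(hint_from_link(link)))
```

The e-mail template only needs the string returned by build_magic_link; the jti and exp claims are what let you treat a link as single-use and short-lived, and the pinned algorithm plus constant-time comparison are the two details that most home-grown verifiers get wrong.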

Azure B2C Sign In Policy Customization - login_hint

I have a B2C directory and I have setup the branding for this directory. Apart from this, I have also added a sign in, sign up and a reset policy with custom templates. So far no issues. When I issue a challenge for the sign in policy the page is rendered based on the branding configuration. When I attempt to enter an invalid password, the error template is used.
Now, if the email address is known previously for the current user, I add a login_hint to the authentication properties, so that the user need not enter it in again. The email address gets populated in the email text box as expected, but the branding configuration is not used anymore!
Is this a bug?
PS: I added a sign up or sign in policy and I am currently using this policy to work around this, but would be good to know why this is not working (i.e. the sign in policy)!
Is this a bug?
Sounds like it but only the B2C product team could confirm this.
I added a sign up or sign in policy and I am currently using this policy to work around this, but would be good to know why this is not working (i.e. the sign in policy)!
The B2C team is in the process of deploying version 2 of their policies. Can you try the Sign-in v2 policy?

Azure B2C signIn policy - lack of functionality

I have a system where users are created in the back office by admins (users with a special role). Password resetting for users is also the admin's responsibility. This functionality is implemented using the Graph API.
Users log in to their accounts using usernames (local account ID).
For this purpose I use a B2C tenant with the "sign-in" policy. The problem is that there is a password reset link => "Can’t access your account". By clicking on this link, users get Microsoft's out-of-the-box password reset process. I would like to delete this link to disable some extra actions, but I have found no way to do this.
1. Is it possible to delete the "Can’t access your account" link in the B2C sign-in policy?
The B2C sign-in policy is not fully customizable. The Microsoft site says that to fully customize it I need to use the "sign-up or sign-in policy". But it looks like I cannot use a local account ID in the "sign-up or sign-in policy".
2. Is it possible to use a fully customizable UI without providing sign-up functionality to users? I mean, is it possible to use the sign-up or sign-in policy as a sign-in-only policy with usernames (not emails)?
You can use a local account in the sign-up or sign-in policy.
The fully customizable experience is within the sign-up or sign-in policy.
Everything is thoroughly described in the docs here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-ui-customization
There is even an excellent example here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-ui-customization-helper-tool
Using the sign-up or sign-in policy you can not only remove the password reset link but also disable password reset from the policy itself.
With the basic Azure B2C I don't think you can control this. Azure B2C is just rolling out the ability to create custom sign-in journeys, which will allow you to change everything, call extra REST APIs, and implement alternative IdPs.
In the last few days my UI has changed and they have just released documentation on custom journeys, so that is a good place to start.
As an alternative, and I don't know if it's possible, you could try using a custom UI theme on the sign-in policy and then use JavaScript to hide the link.
