We are using Azure AD B2C with Custom Policies. We noticed that Email-verification on Signup is pretty hard to do for the majority of users from a usability perspective. Hence, we would like to implement the following flow:
Step 1: Provide user data (Email, First Name, Last Name, Paswword + Confirm Password) and user can click next
Step 2: User sees a text that an email was send to him with a verification code. User should have the capability:
to enter the code and continue or
resend the code
On clicking continue, the user is redirected to the target app if code is correct.
Is this flow possible? If yes, can someone give a concrete example on how it needs to be setup as custom policy?
Thanks a lot in advance for your help!
There is a sample here that demonstrates the concepts you are looking for
https://github.com/azure-ad-b2c/samples/tree/master/policies/split-email-verification-and-signup
Related
I am newbie in azure ad b2c custom policies. Currently I am trying to understand is it possible to redefine LocalAccount PasswordReset custom policy from starterpack in the way as on the picture:Desired journey
Requirements are
1st screen: exclude separate SendCode button making Continue button responsible for both: sending code and moving to the next screen if the code was sent;
2nd screen: lock email, provide VerifyCode field, Continue button responsible for both: verifying the code and moving to the next screen if the code was verified;
3rd screen: standard screen with newPassword, reenterPassword and Continue button as in the starterpack
I really hope you can help
• Yes, you can surely create the password reset setup as you desire in the diagram attached in your post. For this purpose, you will have to edit the ‘Trustframeworkextensions.xml’ file with that given in the link as below: -
https://github.com/azure-ad-b2c/samples/commit/7669af06637550739e845b7ad42211a3a412658d
In the link above, the ‘SplitEmailVerificationAndSignup_TrustFrameworkExtensions.xml’ file must be uploaded and used in the Azure AD B2C Identity Experience Framework custom policies list. In this file, you will have to edit the ‘Technical Profile’ section with ID ‘LocalAccountSignUpWithReadOnlyEmail’. In that, you will have to remove the ‘OutputClaim’ for ‘objectId’, ‘displayName’, ‘givenName’, ‘surName’, ‘newUser’ and ‘authenticationSource’ from the said ‘TechnicalProfile’. Else, let all other details be the same and then upload the policy and try testing the user flow. It will give you the same result screen as expected by you.
Also, ensure that the ‘SplitEmailVerificationandSignup.xml’ file is also uploaded such that the references for other policy files are found correctly.
I've followed one of the provided samples to add TOTP multi factor authentication supported by a phone app:
https://github.com/azure-ad-b2c/samples/tree/master/policies/custom-mfa-totp
I'm therefore able to offer users the ability to enter a TOTP code:
One of the things I'm considering is ensuring users still have access to their accounts if something goes wrong during the TOTP MFA process which we're using by default. I'd therefore like to be able to add an extra link to this page to send users through an alternative MFA route without successfully completing this one in case they encounter issues: "send a code via email instead".
As far as I can tell, the B2C screens expect users to only go forward through clicking continue. The best alternative instead of a link I can think of is a checkbox which sets a boolean claim to enable an email MFA OrchestrationStep. I find this a little less user-friendly than a simple link though as it adds an unnecessary extra click.
Ideal user flow:
Login --> Display TOTP MFA screen --> Enter MFA code OR click link to go to email MFA screen
Any help's appreciated!
This sample demonstrates how to use a display control to provide multiple options (Email or MFA) for a user to continue:
https://github.com/azure-ad-b2c/samples/tree/master/policies/pwd-reset-via-email-or-phone
You could use the same idea here, except instead of invoking the MFA technical profiles as part of the samples display control, you can invoke the call to the REST API technical profile to verify the code.
You will need to use some CSS/JS to make the page look nice so users can toggle what option they want to use.
I maintain an app where we use Azure AD B2C to authenticate.
The flow is this:
Users are invited by email
They click a link to sign up using a B2C signin/signup flow
They fill in their info, including email address
They are redirected to our app
Now, what bothers me is that the users have to enter in their email address, even though we already know it. We just invited them using their email address.
It has been suggested that we could send people to a password reset page instead. But that doesn't seem ideal either, since they then have to verify their email address, even though we just verified it. After all, they started the flow by getting an email.
In many cases the users mis-type their email address when they are asked for it. That creates a lot of new issues, because we now have two different email addresses for the same users.
Similar question already answered # How to pass email suggestion to Azure AD B2C SignUp page. Answer https://stackoverflow.com/a/56503578/341185 describes how to send invitations.
Alternate approach using Javascript in custom policies
You can use custom policies along with Javascript to show email of the user in email address text box.
Approach:
While sending invitation link, send an extra query parameter like &email_hint=azureb2ccustomer#b2clogin.com and follow below steps to show this email_hint value in email address text box
Steps:
Enabling Javascript in custom policies https://learn.microsoft.com/en-us/azure/active-directory-b2c/javascript-samples
Change page contract to allow custom policies to run javascript https://learn.microsoft.com/en-us/azure/active-directory-b2c/page-contract
Update SignupOrSignin user journey to directly take to SignUp page https://stackoverflow.com/a/56503494/341185
Update your blob HTML page to read query parameters and put the value inside email textbox
var urlParams = new URLSearchParams(window.location.search);
document.getElementById("email").value = urlParams.get('email_hint');
Click here for example request
Add your comments if you still require any other kind of approach than described above to fit into your business model.
If you want to use custom policies, you can use the flow for password reset that has:
&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer
&client_assertion=JWT
This puts the email address in a JWT so the user does not have to enter it.
I setup a password reset flow using Azure B2C and local Azure accounts that uses the user's email address and verification code. However, my client would like to have a password reset email sent to the user based on the user name, not email address. The user email would be looked-up behind the scenes and an email sent that would include a link to the password reset page as shown in the flow below.
After reading a gazillion articles on custom Azure B2C policies, I'm struggling to convince myself if it is possible to do what the client is asking for using Azure B2C.
In the sample password reset flow shown below, some of the areas I'm struggling with include:
Is it possible to create custom pages in the password reset flow such as the page in Step 4 that displays the user's masked email address, or the information page in Step 7?
Is there built-in functionality to look-up a user's email address and Active Directory Object ID based on their user name or would I have to call out to a custom Azure Function and use the Graph API to do this?
Is it possible to create and send a custom email that includes a hyperlink to the password reset page that includes the user's Active Directory Object ID as a query string parameter so the password reset page knows which user's password is being reset?
At the moment, it seems like it would be easier to create a completely custom ASP.NET MVC app to handle the requirements than it would be to use Azure B2C custom policies, but that isn't really a path I want to go down.
Is it possible to create custom pages in the password reset flow?
Yes you can create your own custom password reset user flow using azure active
directory B2C
In your case if you want to figure out your custom page you could
refer here
Is there built-in functionality to look-up a user's email address and
Active Directory Object ID based on their user name or would I have
to call out to a custom Azure Function and use the Graph API to do
this?
Using Microsoft Graph REST API you could fetch your user
information.
In your case you could use
List users
Get a user
To access user information you could also refer here in a great
details
Is it possible to create and send a custom email that includes a
hyperlink to the password reset page that includes the user's Active
Directory Object ID as a query string parameter so the password reset
page knows which user's password is being reset?
You can use the company branding feature to customize the
content of verification emails for resetting password.
Note : For better clarity you could check the Azure AD B2C: Frequently asked
questions (FAQ) before final work around Which definitely guide you to
define ultimate go ahead.
Update
As per Microsoft document right now you cannot create according to your sample exactly. See the screen shot there is and important remarks.
Thank you.
This GitHub project covers the case you describe. Still needs a lot of understanding about custom flows to get it working.
https://github.com/yoelhor/aadb2c-verification-link
I need some help with this sample:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-rest-api-step-custom
I need to do the same but with signin policy, i need to validate the email with sql database and change a status column in database, and/or block access if the email is doesn't exist.
do you have some example for that?
Thanks
P.D: Excuse my english
The example you are pointing to is more useful for just retrieving additional claims for a user but not for validating the input. Since you are validating the email address, this example is more relevant:
Walkthrough: Integrate REST API claims exchanges in your Azure AD B2C user journey as validation on user input
This is what I would suggest:
Host your database behind a Rest API so it can be called to validate the email address
Create a technical profile using Web.TPEngine.Providers.RestfulProvider that calls into your Rest API (see the example I linked above)
Add a ValidationTechnicalProfile to the SelfAssertedAttributeProvider technical profile that collects the email so it will validate it and show an error if validation fails
By adding validation such as this, the user will be blocked with an error message and will have the opportunity to fix the input (e.g. typos) and try again. You can also get additional claims about that email address from the Rest API by adding them in the OutputClaims of both the technical profiles.
You will need to determine whether this is the right place to change the flag in the DB or if that ought to be a separate operation. The reason is that if the user goes to the next step in the user journey and then abandons it and comes back later, what would their experience be.
If you want it as a separate step later in the user journey, then you would create it using the example you provided (i.e. as a separate step after all the required steps have executed in the user journey).
The steps will be very similar except you will need to modify a different UserJourney and RelyingParty.
Update <UserJourney Id="SignUpOrSignIn"> as described in step 4.
Update SignUpOrSignin.xml as described in step 5.