Azure AD B2C API connectors User Attributes - azure

I am in the process of setting up Azure AD B2C and including an API connector in the profile creation. I use the policy Sign up and sign in from the user flows. Now I want to add a user attribute I created myself. This should not be visible under User attributes (the user should not fill this field himself) but should be filled by the API and returned under Application Claims and in the token. Is this possible with the user flows? Or is this currently only possible with the Custom policies under Identity Experience Framework?
Thanks for your answers

The way to do this with Azure AD B2C user flows would be to use JavaScript to hide the field so that it is not visible to the user even though it is selected as an attribute in the user flow.
A similar approach is used to enable a captcha during sign-up in this sample - https://github.com/Azure-Samples/active-directory-b2c-dotnet-sign-up-user-flow-captcha.
Here is the official documentation for using JavaScript in user flows - https://learn.microsoft.com/en-us/azure/active-directory-b2c/javascript-and-page-layout.
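The hiding step described in that answer, as an added example that is neither the answer's nor the captcha sample's code. It assumes B2C renders each attribute input with an id equal to the claim name (custom attributes as `extension_<Name>`) inside a container element with the class `attrEntry`; the attribute name `extension_LoyaltyTier` is constructed for illustration. The function takes the document as a parameter so it can be exercised outside a browser. Hiding the field is purely cosmetic: a user can still submit a value with developer tools, so the API connector's own response, not the form field, has to supply the attribute value that ends up on the user object and in the token.

```javascript
// Added example (not from the answer or the linked sample): hide a sign-up
// attribute that the API connector will populate so the form never shows it.
// Assumption: B2C page layouts render each attribute input with id = claim
// name and wrap it in an element with class "attrEntry"; adjust the selectors
// if your page layout differs.

const HIDDEN_ATTRIBUTES = ["extension_LoyaltyTier"]; // constructed claim name

// Return the element to hide for an input: the nearest ancestor with class
// "attrEntry" (label + input + error text), or the input itself if none.
function containerFor(input) {
  let node = input;
  while (node) {
    if (node.classList && node.classList.contains("attrEntry")) return node;
    node = node.parentElement;
  }
  return input;
}

// Hide every listed attribute that exists on the page; returns the names hidden.
function hideAttributeFields(doc, names) {
  const hidden = [];
  for (const name of names) {
    const input = doc.getElementById(name);
    if (!input) continue; // attribute not on this page (e.g. profile edit)
    containerFor(input).style.display = "none";
    input.setAttribute("aria-hidden", "true");
    hidden.push(name);
  }
  return hidden;
}

// In the browser, run once the B2C form has rendered (the custom script may be
// loaded after DOMContentLoaded has already fired, so check readyState).
if (typeof document !== "undefined") {
  const run = () => hideAttributeFields(document, HIDDEN_ATTRIBUTES);
  if (document.readyState === "loading") {
    document.addEventListener("DOMContentLoaded", run);
  } else {
    run();
  }
}
```

Serve this script from a host listed under the user flow's allowed JavaScript origins (per the page-layout documentation linked above) and keep the attribute's real value under the control of the API connector.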

Related

Azure AD B2C Multiple Dynamic User Flows

Does anybody know if and how I can use two (or more) user flows for user Sign Up from the same client application in Azure AD B2C? I want to be able to delegate to a different sign-up flow based on the type of user selected via the web application. One button "User Sign Up" and one button "Company Sign Up". How can I achieve the above functionality?
Supporting more than one Azure AD B2C user flow in a web app is pretty common. Keep in mind sign-in, sign-up, profile edit and more are all different user flows and are usually present in the same web app. In the same vein you can add any other flows that you want.
For implementation samples take a look at the Azure Active Directory B2C code samples.

B2C API connector is not called

I have integrated an API connector on an Azure B2C Sign Up User Flow to enrich the token with a custom attribute from a REST API call. Works great! When the user logs in, the custom attribute is correctly present in the token.
Then, I enabled Self-service password reset, following the documentation. And now, if during the Sign Up journey the user clicks on the "Forgot your password?" link and changes his password, at the end he gets signed up (and the password has been changed) but the API connector has not been called and the custom attribute is not present in the token.
Did I miss something or is this scenario not supported by User flows?
Thanks for your help
As per docs:
There are three places in a user flow where you can enable an API connector:
After federating with an identity provider during sign-up - applies to sign-ups experiences only
Before creating the user - applies to sign-ups experiences only
Before sending the token (preview) - applies to sign-ups and sign-ins
When you click on "Forgot your password?", this takes you to a different flow.
Not sign-up or sign-in.

Azure B2C include application permissions as claims in the Token

My application uses Azure B2C and sign-in flows to log in. I was able to add a couple of custom user attributes and embed them in the token.
Now I want to implement UI permissions on the app. (say I want to give read permissions to a view but hide edit/delete buttons on that view based on permissions).
Is this possible to implement such claims (e.g. my_view_read: boolean, my_view_write: boolean) on B2C? Do I have to embed them as user attributes to include in the token?
Yes, you can definitely do this in B2C by using Custom Claims. You can refer to this detailed article by Daniel: https://daniel-krzyczkowski.github.io/Azure-AD-B2C-Series-Custom-Policies-With-Custom-Claims/ on how to create such claims in custom policies.
Once you add these claims in your token, you can read them in your client application and set the views in it based on the permissions set for the user through these claims.
Please note that you will also have to set the values of these custom attributes using Graph API / SISU page.
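The client-side step from that answer (reading the permission claims out of the token and deciding what the view shows), as an added example that is not the answer's or the linked article's code. The claim names `my_view_read` and `my_view_write` come from the question; the sample token and subject value are constructed, and the code assumes the attributes were created with the Boolean type so they arrive as JSON booleans. The browser only decodes the payload here, it does not verify the signature: that is fine for choosing which buttons to render, but it is not authorization, so every edit/delete request must still be checked server-side against a signature-validated token, since anything in the browser can be altered by the user.

```javascript
// Added example (not from the answer or the linked article): gate UI elements
// on boolean permission claims carried in the B2C ID token.

// base64url decode (JWT segments are base64url without padding).
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

// Return the JSON payload of a compact JWT (header.payload.signature).
// No signature check: the server, not this code, is the authorization point.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Strict boolean check: a missing claim, or a string "true", means denied.
// (Assumption: the custom attribute was created with type Boolean.)
function claimIsTrue(claims, name) {
  return claims[name] === true;
}

// Map "<view>_read" / "<view>_write" claims to what the view may render.
function viewPermissions(token, view) {
  const claims = decodeJwtPayload(token);
  const canRead = claimIsTrue(claims, `${view}_read`);
  const canWrite = claimIsTrue(claims, `${view}_write`);
  return {
    showView: canRead || canWrite,
    showEditDelete: canWrite, // hide edit/delete buttons without write permission
  };
}

// Build a constructed, unsigned token purely for demonstration.
function makeSampleToken(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(payload)}.`;
}

const SAMPLE_TOKEN = makeSampleToken({
  sub: "00000000-0000-0000-0000-000000000000", // constructed subject id
  my_view_read: true,
  my_view_write: false,
});

// Example use: viewPermissions(SAMPLE_TOKEN, "my_view")
// -> { showView: true, showEditDelete: false }
```

In a real client the token comes from the authentication library's result rather than `makeSampleToken`; the decoding and gating logic is the same.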

Azure B2C Userflow v2.0(SignUp and SignIn) - unable to find Userinfo endpoint

We created an application in Azure B2C to use the OIDC implicit Grant flow. We have configured the Userflow policy (SignIn and SignUp) to customize the homepage layout and to get the custom claims in response. We are using Azure B2C as External Identity Provider (IdP) in our application. When the user clicks the Login Button in our application we redirect the user to Azure B2C for Authentication and we are able to get the Access Token in response. But we are facing a constraint in getting the User Profile through the UserInfo endpoint. We have tried out both the Graph API endpoint and the Azure B2C OIDC userinfo endpoint but neither of them is compatible with the Userflow policy.
I believe the workaround suggested is applicable only if we need to grab some extra input from the user (during sign-up) or input validation and then pass that claim to the application. It will unnecessarily require using the "Identity Experience Framework" feature, which is ideally required for custom login/signup journeys and is not available under the free license.
What I understand from your requirement is that you need to pass built-in Azure AD attributes to the application, which should be doable by selecting extra claims from the "User Flow" signup-SignIn policy. Is there no alternative to call the "userinfo" endpoint out of the box? Any Microsoft expert here, please clarify.
As of now, Azure AD B2C does not support the UserInfo endpoint through User-flow policy.
Right now, it is being supported only through Custom Policies.
You can vote for this feature on Azure AD User Voice.
A workaround is that you could integrate a Rest API to retrieve the extra claims.
See reference here.

Multi-Factor Authentication Sign-Up Redirection

I'm using Azure AD B2C for my ASP.NET project. I want to use Multi-Factor authentication. Normally, after the sign-up, the user is redirected to the page to verify his phone number. I want to change this flow: I want to enable multi-factor if the user chooses SMS in a custom dropdown attribute 'Notifications'; the other options are Email/No.
How can I redirect to this Multi-Factor page / enable Multi-Factor depending on the value of a custom attribute?
Well, fortunately, Azure B2C is quite a flexible tool and does exactly what you're asking for. You're free to define custom policies, attributes and user flows (this one is in preview state though). For your case, if you're the one who manages the tenant, go to the B2C instance and select the 'User flows (preview)' blade. Create a User attribute beforehand. Configure the flow as necessary. Complete the configuration by running the user flow. More on the issue can be found in the quite exhaustive MS article here.