We have a requirement wherein we need to send SMS using AAD B2C. We are not using AAD B2C pages. We understand that by using custom policies we can use the SMS feature but how to return the control to the application after SMS generation and validation is done by AAD B2C. The UI is rendered by application.
Please help.
AAD B2C does not provide capabilities to use SMS via an API. You must use the AAD B2C pages to perform MFA or Email verification.
How to log in with MFA to an Azure AD B2C app using the login URL (given below) provided by Microsoft?
Do we have any URL to validate users login with MFA Azure AD B2C?
https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token
That URL is only part of the flow.
The whole flow is here.
The easiest way to achieve this is to use one of the MSAL libraries.
MFA is not part of the OpenID Connect flow.
You have to add it.
In my project, this is a fundamental part of the project. Windows Hello for Business and MS Authenticator are secure and easy to use; the goal here is to enable this in Azure B2C SUSI to increase safety and provide a fast way to sign in for users.
The point is, is there a way to do that in B2C? Replace the normal password with a passwordless way of authentication.
There is a possibility to achieve multi-factor authentication using the Authenticator app. It is documented and a sample is provided here: Azure AD B2C: TOTP multi-factor authentication
With Azure Active Directory (Azure AD) B2C, you can integrate TOTP-based Multi-Factor Authentication so that you can add a second layer of security to sign-up and sign-in experiences in your consumer-facing applications. This requires using custom policy and custom REST API endpoint. If you already created sign-up and sign-in policies, you can still enable Multi-Factor Authentication.
Below is the user auth flow using TOTP:
At this time, MS does not support primary Auth using Authenticator for B2C. You can request this via the Azure AD B2C forum in feedback.azure.com
SMS and Phone verification are the options available as of now.
We created an application in Azure B2C to use the OIDC implicit grant flow. We have configured the user flow policy (sign-in and sign-up) to customize the homepage layout and to get the custom claims in the response. We are using Azure B2C as an external Identity Provider (IdP) in our application. When the user clicks the Login button in our application we redirect the user to Azure B2C for authentication and we are able to get the access token in the response. But we are facing a constraint in getting the user profile through the UserInfo endpoint. We have tried both the Graph API endpoint and the Azure B2C OIDC userinfo endpoint, but neither of them is compatible with the user flow policy.
I believe the workaround suggested is applicable only if we need to grab some extra input from the user (during sign-up) or do input validation and then pass that claim to the application. It will unnecessarily require using the "Identity Experience Framework" feature, which is ideally required for a custom login/signup journey and is not available under the free license.
What I understand from your requirement is that you need to pass built-in Azure AD attributes to the application, which should be doable by selecting extra claims in the "User Flow" sign-up/sign-in policy. Isn't there any alternative to call the "userinfo" endpoint out of the box? Any Microsoft expert here, please clarify.
As of now, Azure AD B2C does not support the UserInfo endpoint through User-flow policy.
Right now, it is being supported only through Custom Policies.
You can vote for this feature on Azure AD User Voice.
A workaround is that you could integrate a Rest API to retrieve the extra claims.
See reference here.
Is it possible to combine Azure AD B2C and Azure MFA so users can use push notifications and TOTP codes in the MS Authenticator app? If so, how?
Apart from enabling MFA that uses SMS and voice calls, which is supported and doesn't require any additional development, you can integrate TOTP-based multi-factor authentication with Azure AD B2C.
This involves additional development:
Custom policy to support TOTP flow.
Simple web-client (for presenting a page with QR code and reading user's input).
Two custom REST API endpoints (for generating secret key, QR code and validating TOTP code).
Sign-in flow with TOTP MFA:
For more details, please refer to Microsoft Azure AD B2C: TOTP multi-factor authentication sample implementation Github project.
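The "validating TOTP code" endpoint from the list above, as an added example that is not part of the original answer or of Microsoft's sample project: it generates the base32 secret, builds the otpauth URI a QR code would encode, and verifies a submitted code per RFC 6238 with a one-step clock-drift window and rejection of reused steps. The function names and the in-memory `used_steps` set are assumptions; a real endpoint would persist the secret and the consumed steps per user.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote


def generate_secret(nbytes: int = 20) -> str:
    """Random shared secret, base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def otpauth_uri(secret_b32: str, account: str, issuer: str) -> str:
    """otpauth:// URI the QR-code endpoint would render (RFC 6238 defaults)."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits=6&period=30")


def totp_code(secret_b32: str, timestep: int, digits: int = 6) -> str:
    """HOTP (RFC 4226) over the 30-second step counter, i.e. TOTP (RFC 6238)."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", timestep), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def validate_totp(secret_b32: str, submitted: str, now: float,
                  used_steps: set, window: int = 1, period: int = 30) -> bool:
    """Accept the current step or +/- `window` steps (clock drift); refuse replay."""
    if not (submitted.isdigit() and len(submitted) == 6):
        return False
    current = int(now // period)
    for step in range(current - window, current + window + 1):
        if step in used_steps:                   # each step's code is single-use
            continue
        if hmac.compare_digest(totp_code(secret_b32, step), submitted):
            used_steps.add(step)
            return True
    return False
```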
Azure AD B2C supports MFA out of the box using voice calls and SMS.
Authenticator or TOTP is not currently supported but in the backlog.
I did not try AD B2C, but technically it seems possible; refer to the links.
- https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks
- https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods#microsoft-authenticator-app
If you properly set up Azure AD B2C, you can add a new account in the Microsoft Authenticator app > Add account > (your AD URL and code).
I’ve used AD with MS Authenticator App in my company and it worked well. So, Azure AD B2C could provide it also.
I would like to have the administrator of my app create users in Azure AD B2C and then have Azure AD B2C send a passwordless link to the user via email or pass me the link so that I can send it via email. Is this possible via the existing service or API?
This article helps explain the concept using Auth0:
https://auth0.com/docs/connections/passwordless/regular-web-app-email-link
I asked Swaroop Krishnamurthy (#swaroop_kmurthy) this same question via Twitter and received this response from him on 9/8/2016, "#keithdholloway this is on our roadmap but a bit further out than the near term."
No.
There is no support for this; the developer must use an AD B2C policy for authentication, always via a WebView.
I went to a meetup yesterday about Azure AD B2C Custom Policies. I asked the speaker if he knew if they could handle passwordless login, like entering your email address on an MFD then getting a popup on your mobile app to approve/deny but he wasn't sure. Later on he sent me Azure Active Directory B2C: Custom CIAM User Journeys - Multi factor authentication enhancements. From this it looks like Azure AD B2C: TOTP multi-factor authentication may have some useful examples.