I need to create a custom policy to record the number of failed sign-in requests for a user. After 5 failed sign-ins in a row, the account needs to be disabled.
My approach was to use a B2C user attribute to record the number of sign-in failures, but I cannot find a way to increment the user attribute. How would I do this using custom policies?
What you want to achieve is available out of the box.
Please use https://learn.microsoft.com/en-us/azure/active-directory-b2c/threat-management#manage-password-protection-settings to automatically lock the account when a wrong password is entered.
I am using azure b2c for IAM, in which I am using built-in user flows for signup. I have a few questions.
I want to gather users' date of birth to understand the Legal Age Group Classification. User Attributes doesn't show the DOB in the list, and if I add it as a custom attribute then it won't be validated unless I use custom policies.
I want to gather the username from the user and want to make sure it is unique as well.
I tried to create a custom attribute for DOB but it can't be validated in a built-in policy. I want to resolve both problems using a built-in policy only; a custom policy is the last thing I want to try.
I did refer to the Microsoft docs but they were not useful.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/manage-user-access#gather-date-of-birth-and-countryregion-data
I tried to reproduce the same issue in my environment and got the results below.
I have azure b2c for IAM, in which I used the built-in user flow.
I have added the DOB attribute in the user attributes as shown below.
Created the user flow for the particular attribute.
Make sure to set the Return claim; only then will it be reflected.
After running the user flow I am able to see the user's date of birth.
Note:
Make sure to set the retain policy; only then can we fetch the DOB details.
Is it possible to direct a user to a user flow along with a value that we want to set on a custom attribute? We don't want the user to be able to edit this field; it is ok if they see it.
I would like to have a custom app where the user will fill out some info, the app will validate their info against an internal database and return a value we would like to store in a custom attribute (an internal username).
I would then like to send the user off to a sign-up user flow where they can either create a local account or create an account with an external IDP, and the custom attribute would be pre-populated for them and not editable.
To pre-populate the claim, set it as an input field on the form.
To make it non-editable, copy it to a readonly claim and display the readonly claim as an output.
To pass the data, make the whole flow a sign-up flow.
You can call a REST API in the flow to validate the data. Store the return value in an extension attribute.
Then ask the user if they want to federate with an external IDP.
If so, do the federation and add the value to the social account.
If not, create a local account and add the value.
You would have to create an external account beforehand.
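One way to wire the "copy to a readonly claim and display it" step from the answer above, as an added example rather than code from the thread. It assumes the starter-pack profile names LocalAccountSignUpWithLogonEmail, AAD-UserWriteUsingLogonEmail and AAD-Common, the hypothetical claims extension_InternalUsername and readOnlyInternalUsername, and that the value is already in the claims bag when the sign-up page renders (for example, returned by an earlier validation step).

```xml
<!-- Added example, not code from the thread. Fragments for TrustFrameworkExtensions.xml;
     extension_InternalUsername and readOnlyInternalUsername are assumed claim names, and the
     value is expected to be in the claims bag already (e.g. set by an earlier step). -->
<BuildingBlocks>
  <ClaimsSchema>
    <ClaimType Id="extension_InternalUsername">
      <DisplayName>Internal username</DisplayName>
      <DataType>string</DataType>
    </ClaimType>
    <ClaimType Id="readOnlyInternalUsername">
      <DisplayName>Internal username</DisplayName>
      <DataType>string</DataType>
      <UserInputType>Readonly</UserInputType>   <!-- rendered, but the user cannot change it -->
    </ClaimType>
  </ClaimsSchema>
  <ClaimsTransformations>
    <ClaimsTransformation Id="CopyInternalUsernameToReadOnly" TransformationMethod="CopyClaim">
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="extension_InternalUsername" TransformationClaimType="inputClaim" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="readOnlyInternalUsername" TransformationClaimType="outputClaim" />
      </OutputClaims>
    </ClaimsTransformation>
  </ClaimsTransformations>
</BuildingBlocks>
<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>Local Account</DisplayName>
    <TechnicalProfiles>
      <!-- Overrides the starter-pack sign-up page: the copy runs before the page renders,
           so the read-only field shows the value; the user can only edit the other fields. -->
      <TechnicalProfile Id="LocalAccountSignUpWithLogonEmail">
        <InputClaimsTransformations>
          <InputClaimsTransformation ReferenceId="CopyInternalUsernameToReadOnly" />
        </InputClaimsTransformations>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="readOnlyInternalUsername" />
        </OutputClaims>
      </TechnicalProfile>
      <!-- Persist the original claim on the account, not the read-only copy -->
      <TechnicalProfile Id="AAD-UserWriteUsingLogonEmail">
        <PersistedClaims>
          <PersistedClaim ClaimTypeReferenceId="extension_InternalUsername" />
        </PersistedClaims>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>
```

For the extension attribute to be written, AAD-Common must carry the ClientId and ApplicationObjectId metadata of the tenant's b2c-extensions-app.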
I figured out you can send back custom errors from a REST API. What I am ending up doing is gathering the data from the user, sending it to a custom API for validation, then if it validates properly, the API returns the custom attribute.
If the validation fails I can return errors to B2C that will be shown on the sign-up page.
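The validation call with the custom-error contract described in the comment above, as an added example (not code from the thread or from Microsoft's starter pack). Assumed names: REST-ValidateProfile, SelfAsserted-CollectProfileData, the ServiceUrl, the policy key B2C_1A_RestApiBearerToken, and the claims email and extension_InternalUsername.

```xml
<!-- Added example, not code from the thread. A RESTful technical profile used as the
     validation step of the page that collects the user's data. Assumed names: REST-ValidateProfile,
     SelfAsserted-CollectProfileData, the ServiceUrl, the policy key B2C_1A_RestApiBearerToken
     and the claims email / extension_InternalUsername. -->
<ClaimsProvider>
  <DisplayName>Internal database</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="REST-ValidateProfile">
      <DisplayName>Validate user data against the internal database</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="ServiceUrl">https://api.example.com/b2c/validate</Item>
        <Item Key="SendClaimsIn">Body</Item>
        <!-- the endpoint must authenticate its caller; the bearer token is stored as a policy key -->
        <Item Key="AuthenticationType">Bearer</Item>
        <Item Key="AllowInsecureAuthInProduction">false</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="BearerAuthenticationToken" StorageReferenceId="B2C_1A_RestApiBearerToken" />
      </CryptographicKeys>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="email" />   <!-- posted as JSON: {"email": "..."} -->
      </InputClaims>
      <OutputClaims>
        <!-- success: HTTP 200 with {"internalUsername": "jdoe42"} fills extension_InternalUsername.
             failure: HTTP 409 with {"version": "1.0.0", "status": 409, "userMessage": "No matching record."}
             keeps the user on the page and shows userMessage as the error text. -->
        <OutputClaim ClaimTypeReferenceId="extension_InternalUsername" PartnerClaimType="internalUsername" />
      </OutputClaims>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
    </TechnicalProfile>
    <!-- The collection page: submitting it runs the REST call before the journey moves on -->
    <TechnicalProfile Id="SelfAsserted-CollectProfileData">
      <DisplayName>Tell us about yourself</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item>
      </Metadata>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="email" Required="true" />
        <!-- returned by the validation profile, so it is stored in the claims bag, not rendered as a field -->
        <OutputClaim ClaimTypeReferenceId="extension_InternalUsername" />
      </OutputClaims>
      <ValidationTechnicalProfiles>
        <ValidationTechnicalProfile ReferenceId="REST-ValidateProfile" />
      </ValidationTechnicalProfiles>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
```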
I am implementing an MFA custom policy with an Email or Phone option. I want to restrict users from logging in if their phone number is not registered. In my current implementation it shows a screen to input a new number if one is not registered yet; I wanted to restrict the user from adding a new mobile number if none is found.
I tried playing with orchestration steps but I am not able to find the correct output claim to check whether the user is already registered or not.
You can't really check per se; AAD B2C has a built-in uniqueness checker if you write to the identifier field, signInNames. You can store the phone number in signInNames.phoneNumber, and then your uniqueness check is handled by the policy itself when you try to write the value. That prevents any user enrolling a phone number that already exists on another account.
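The uniqueness-on-write the answer above relies on, as an added example (not code from the thread) modelled on the phone sign-up technical profile pattern. It assumes the hypothetical profile name AAD-UserWriteUsingLogonPhoneNumber, the starter pack's AAD-Common base profile, and a phoneNumber claim.

```xml
<!-- Added example, not code from the thread: an AAD technical profile that creates the
     account keyed on the phone number. Profile and claim names are assumed; AAD-Common is
     the starter pack's base profile. -->
<TechnicalProfile Id="AAD-UserWriteUsingLogonPhoneNumber">
  <Metadata>
    <Item Key="Operation">Write</Item>
    <!-- the directory refuses the write when signInNames.phoneNumber already exists on
         another account, so uniqueness is enforced by the write itself, not by a lookup -->
    <Item Key="RaiseErrorIfClaimsPrincipalAlreadyExists">true</Item>
    <Item Key="UserMessageIfClaimsPrincipalAlreadyExists">This phone number is already registered.</Item>
  </Metadata>
  <IncludeInSso>false</IncludeInSso>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="phoneNumber" PartnerClaimType="signInNames.phoneNumber" Required="true" />
  </InputClaims>
  <PersistedClaims>
    <PersistedClaim ClaimTypeReferenceId="phoneNumber" PartnerClaimType="signInNames.phoneNumber" />
    <PersistedClaim ClaimTypeReferenceId="displayName" DefaultValue="unknown" />
  </PersistedClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="objectId" />
    <OutputClaim ClaimTypeReferenceId="newUser" PartnerClaimType="newClaimsPrincipalCreated" />
  </OutputClaims>
  <IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>
```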
After users have signed up I want to set some information and receive it in the token when they sign in.
In order to do that I am using custom attributes and setting the value using the Graph API.
The way I add the custom attributes is as described here:
1. In your Azure AD B2C tenant, select User flows.
2. Select your policy (for example, "B2C_1_SignupSignin") to open it.
3. Select User attributes and then select the custom attribute (for example, "ShoeSize"). Click Save.
4. Select Application claims and then select the custom attribute.
5. Click Save.
Those attributes should not be a concern of the user, so I am not doing step number 3, and this is where the problem comes in.
I am able to set/get the value of the custom attribute using Graph API but the attribute is not present in the token. If I do the step number 3 then the custom attribute appears in the token.
Is there any workaround to achieve having the custom attributes in the token without having them in the sign up screen?
The link above also says:
"The custom attribute is now available in the list of User attributes and for use in your user flows. A custom attribute is only created the first time it is used in any user flow, and not when you add it to the list of User attributes."
Which I believe is the reason why I can't see the attribute in the token, but I thought that after setting it with the Graph API and being able to read it, it would be in the token.
It's not true.
Based on my test, if we don't do step number 3 but do step number 4, the custom attribute won't appear in the sign-up page but can still be included in the token.
Please make sure that you have updated the custom attribute for the signed-in user, and use the same user to sign in with the user flow where you didn't do step number 3 but did step number 4.
Kindly check it.
I have an azure ADB2C tenant where I'm using built-in, sign-in sign-up policies.
I want to be able to provide users with a custom unique field during sign-up.
I am able to add a custom attribute. Is there a way I can add a unique constraint on it, such that every user has a unique value for this field when they sign up, or they are prompted to re-enter the value?
Any help will be appreciated. Thank you
You could create a custom attribute by using the built-in sign-up policy, but a B2C custom attribute only supports three data types: string, boolean (true or false), and int.
And as far as I know, these three data types cannot ensure the value is unique for each user. For the details, please read here.