ADB2C Password Reset Fails - azure-ad-b2c

We use ADB2C custom policies with MFA enabled. Currently our password reset is failing. When a user tries to reset their password we get the "Account could not be found for the Provided UserID" error.
If I manually copy the Alternate email field to the Email field on the portal and try to reset my password it works. My hypothesis is that something in the custom policy chain is causing the email claim to not persist correctly on sign up? (Alternate email seems to persist fine)
In our custom policy I do see the following in the extensions policy:
<PersistedClaim ClaimTypeReferenceId="email" PartnerClaimType="strongAuthenticationEmailAddress" />
in the UserWriteUsingLogonName technical profile, which is what's invoked by the Self Asserted 'LocalAccountSignUpWithLogonName' technical profile (corresponds to a user signing up).
This is a snippet of the TrustFrameWorkExtensions File
Here are snippets from the TrustFrameworkBase file.
Here is the self-asserted technical profile for Sign In and Sign Up
We use the default password reset B2C_1_PasswordReset

Related

Azure B2C: Email address not available as application claim and also missing in claims result

I am configuring an Azure B2C instance and created a signupsignin userflow. Selecting "Display Name" and "Email Address" as User attributes I expected that it was possible to add those two attributes also as Application claims but "Email Address" is not a default option, only "Email Addresses". Even with that option on, when testing the userflow I can't see the "Email address" included as a claim. How do I have to configure Azure B2C using userflow (not custom policy) and getting the email address back?
I tried to reproduce the same in my environment and got the below results:
In my B2C tenant, I created one Sign up and sign in user flow by enabling emails in return claim as below:
I created one B2C application and selected it while running user flow like below:
When I ran the user flow, it displayed sign in screen with email address as below:
If the user signs in successfully, they will get a code in their address bar along with the redirect URI, like this:
I used the above code to generate token via Postman like below:
POST https://tenant.b2clogin.com/tenant.onmicrosoft.com/B2C_1_SignUpSignIn/oauth2/v2.0/token
client_id: AppID
grant_type: authorization_code
scope: openid
client_secret: client_secret
code: // copy the code you got above
redirect_uri: https://jwt.ms
Response:
When I decoded this token, I got emails claim successfully like below:
If you are not using the Email sign-up method, make sure to update the user's profile by adding an email before running the user flow, like below:

ADB2C Password Reset page localization

We are using custom policies with ADB2C and are passing ui_locales in the signup_signin url for the localization. However, B2C doesn't propagate this to the Self Service Password Reset flow. We set it up following the instructions here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-password-reset-policy?pivots=b2c-custom-policy#self-service-password-reset-recommended
Is there a way to propagate ui_locales to Password Reset form in Custom Policies? The url for Password Reset is out of our control and is constructed by B2C itself.
• Yes, you can surely configure the page localization option for the ‘Password Reset’ policy page by configuring the ‘Azure AD B2C Embedded Password Reset’ flow wherein the default ‘Password Reset’ flow policy gives out the error code ‘AADB2C90118’ when a specific password reset policy is not invoked through the custom policy.
• Thus, to use the ‘Azure AD B2C Embedded Password Reset’ flow policy in your Azure AD B2C Custom policy, kindly follow the below link for more details wherein the ‘B2C_1A_Demo_SignUp_SignIn_SSPR’ custom policy is used instead of the default ‘SigninOrSignUp’ starter policy: -
https://github.com/azure-ad-b2c/samples/tree/master/policies/embedded-password-reset/policy
If you use the above specified custom policy, then ensure to include the below 'Localization' element in the 'TrustFrameworkExtensions.xml' file such that supported languages are made available in the custom policy accordingly: -
<Localization Enabled="true">
<SupportedLanguages DefaultLanguage="en" MergeBehavior="ReplaceAll">
<SupportedLanguage>en</SupportedLanguage>
<SupportedLanguage>es</SupportedLanguage>
</SupportedLanguages>
</Localization>
• Once the above localization code is in the 'TrustFrameworkExtensions.xml' file, ensure that the option shown in the image below appears, so that 'Reset Password' can be translated and displayed as shown; when a language is selected, it is used for display and for resetting the password.
To know more about this, please refer to the link below for more details: -
AD B2C - ui_locales not propagated from SignIn to PasswordReset
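The Localization element above only declares which languages the policy accepts; the reset page still needs a string table per language and a content definition that references it. The following is an added example (not code from the answer above or from the linked sample). It assumes the reset page is rendered by the starter pack's api.localaccountpasswordreset content definition and that both fragments go into the BuildingBlocks section of TrustFrameworkExtensions.xml; the LocalizedResources ids and the Spanish strings are illustrative.

```xml
<!-- Added example, not from the original answer or the linked sample.
     Assumes the reset page uses the starter pack's "api.localaccountpasswordreset"
     content definition; the LocalizedResources ids and the Spanish strings are illustrative. -->
<BuildingBlocks>
  <ContentDefinitions>
    <ContentDefinition Id="api.localaccountpasswordreset">
      <!-- Point the reset page at one string table per supported language -->
      <LocalizedResourcesReferences MergeBehavior="Prepend">
        <LocalizedResourcesReference Language="en" LocalizedResourcesReferenceId="api.localaccountpasswordreset.en" />
        <LocalizedResourcesReference Language="es" LocalizedResourcesReferenceId="api.localaccountpasswordreset.es" />
      </LocalizedResourcesReferences>
    </ContentDefinition>
  </ContentDefinitions>

  <Localization Enabled="true">
    <!-- A ui_locales value that is not in this list falls back to DefaultLanguage -->
    <SupportedLanguages DefaultLanguage="en" MergeBehavior="ReplaceAll">
      <SupportedLanguage>en</SupportedLanguage>
      <SupportedLanguage>es</SupportedLanguage>
    </SupportedLanguages>

    <LocalizedResources Id="api.localaccountpasswordreset.en">
      <LocalizedStrings>
        <LocalizedString ElementType="UxElement" StringId="heading">Reset your password</LocalizedString>
        <LocalizedString ElementType="ClaimType" ElementId="email" StringId="DisplayName">Email address</LocalizedString>
        <LocalizedString ElementType="UxElement" StringId="button_continue">Continue</LocalizedString>
        <!-- The lookup failure message shown by the reset flow can be localized as well -->
        <LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfClaimsPrincipalDoesNotExist">An account could not be found for the provided user ID.</LocalizedString>
      </LocalizedStrings>
    </LocalizedResources>

    <LocalizedResources Id="api.localaccountpasswordreset.es">
      <LocalizedStrings>
        <LocalizedString ElementType="UxElement" StringId="heading">Restablezca su contraseña</LocalizedString>
        <LocalizedString ElementType="ClaimType" ElementId="email" StringId="DisplayName">Correo electrónico</LocalizedString>
        <LocalizedString ElementType="UxElement" StringId="button_continue">Continuar</LocalizedString>
        <LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfClaimsPrincipalDoesNotExist">No se encontró una cuenta para el ID de usuario proporcionado.</LocalizedString>
      </LocalizedStrings>
    </LocalizedResources>
  </Localization>
</BuildingBlocks>
```

Because the embedded sample keeps password reset inside the same user journey as sign-in, the ui_locales value from the original authorize request is still in effect when the reset pages render, and the string tables above are what it selects between. Keep the lookup-failure text as generic as your requirements allow: a reset page that says precisely "no such account" is an account-enumeration oracle for anyone who can type email addresses into it.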

Azure B2c how to prevent user to login till admin approve

I have created a custom claim "is approved" and set it to false when users sign up.
What I need to do is to prevent users from logging in based on this attribute and show an error message "your account is under review please try again once the account is approved".
How can I accomplish this using a B2C custom policy?
Also, I tried to set "accountEnabled" to false, but on signup I always get the "account is locked" error message.
In the technical profile for sign in, after calling login-NonInteractive, you can try reading the user using the object id. So read the flag "is approved". If it's set to false, write a claim transformation technical profile to assert the "is approved" value and throw an error.
Claim Transformation - Boolean Assert
Use Claim Transformation technical profile in validation technical profile
One way is to use the “Paragraph” user input type that gets triggered by a precondition.
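The assertion-based approach from the first answer, written out as an added example (not the answerer's own code). It assumes the starter pack profile ids login-NonInteractive, AAD-UserReadUsingObjectId and SelfAsserted-LocalAccountSignin-Email, a custom attribute stored as extension_isApproved (a hypothetical name; the extension-app wiring for custom attributes in AAD-Common is assumed to be in place), and that the sign-up profile already writes it as false. All fragments go into TrustFrameworkExtensions.xml.

```xml
<!-- Added example, not code from the answer above. Assumes the starter pack profile ids,
     a hypothetical custom attribute extension_isApproved written as false at sign-up,
     and an AAD-Common profile already configured for extension attributes. -->
<BuildingBlocks>
  <ClaimsSchema>
    <ClaimType Id="extension_isApproved">
      <DisplayName>Account approved by an administrator</DisplayName>
      <DataType>boolean</DataType>
    </ClaimType>
  </ClaimsSchema>
  <ClaimsTransformations>
    <!-- Fails unless extension_isApproved is exactly true -->
    <ClaimsTransformation Id="AssertAccountIsApproved" TransformationMethod="AssertBooleanClaimIsEqualToValue">
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="extension_isApproved" TransformationClaimType="inputClaim" />
      </InputClaims>
      <InputParameters>
        <InputParameter Id="valueToCompareTo" DataType="boolean" Value="true" />
      </InputParameters>
    </ClaimsTransformation>
  </ClaimsTransformations>
</BuildingBlocks>

<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>Azure Active Directory</DisplayName>
    <TechnicalProfiles>
      <!-- Extend the base read profile so the flag is returned with the user.
           DefaultValue="false" means a user with no attribute at all is treated as unapproved. -->
      <TechnicalProfile Id="AAD-UserReadUsingObjectId">
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="extension_isApproved" DefaultValue="false" />
        </OutputClaims>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>

  <ClaimsProvider>
    <DisplayName>Account approval check</DisplayName>
    <TechnicalProfiles>
      <TechnicalProfile Id="AssertAccountIsApproved">
        <DisplayName>Assert that the account has been approved</DisplayName>
        <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
        <Metadata>
          <!-- Surfaced on the sign-in page when the assertion fails -->
          <Item Key="UserMessageIfClaimsTransformationBooleanValueIsNotEqual">Your account is under review. Please try again once the account is approved.</Item>
        </Metadata>
        <OutputClaimsTransformations>
          <OutputClaimsTransformation ReferenceId="AssertAccountIsApproved" />
        </OutputClaimsTransformations>
        <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>

  <ClaimsProvider>
    <DisplayName>Local Account</DisplayName>
    <TechnicalProfiles>
      <!-- Validation profiles run in order: verify the password, read the user, then gate.
           Because the gate runs after login-NonInteractive, an unapproved user is never
           issued a session, and a wrong password still fails before the flag is checked. -->
      <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
        <ValidationTechnicalProfiles>
          <ValidationTechnicalProfile ReferenceId="login-NonInteractive" />
          <ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingObjectId" />
          <ValidationTechnicalProfile ReferenceId="AssertAccountIsApproved" />
        </ValidationTechnicalProfiles>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>
```

The flag is only checked on this local-account sign-in path. If the same tenant also signs users in through a federated provider, the same AAD-UserReadUsingObjectId and AssertAccountIsApproved steps have to be placed in that journey too, otherwise the approval gate is bypassable by choosing the other button.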

Azure AD B2C: custom policy local account signin/signup fails

I try to build an invitation flow using custom policies.
My approach was to combine the invitation part of the WingTipGamesB2C policies with the custom policy starter pack.
The invitation seems to work fine; when using the invitation link and providing the user data (display name, password), the user is created in the Azure AD.
But I am not able to login with this user; the sign in dialog shows "Invalid username or password." (while with a wrong password "Your password is incorrect" is shown).
Using the builtin signin policy, the login works as expected.
b2crecorder shows the following log:
SelfAssertedMessageValidationHandler
The message was received from null
Validation via SelfAssertedAttributeProvider
Additional validation is required...
OperativeTechnicalProfile is login-NonInteractive
Mapping default value 'undefined' to policy 'client_id'
Mapping default value 'undefined' to policy 'resource_id'
Mapping 'username' partner claim type to 'signInName' policy claim type
Mapping default value 'undefined' to policy 'grant_type'
Mapping default value 'undefined' to policy 'scope'
Mapping default value 'undefined' to policy 'nca'
Using validation endpoint at: https://login.microsoftonline.com/foo.onmicrosoft.com/oauth2/token
Orchestration Step: 1
RA: 0
Protocol selected by the caller: OAUTH2
Communications with the caller handled by: OAuth2ProtocolProvider
IC: True
OAuth2 Message: MSG(c693a69c-4a15-4ef5-b85d-a9a6a3f3298f) Message Detail
ValidationRequest:
ValidationResponse:
Exception:
Exception of type 'Web.TPEngine.Providers.BadArgumentRetryNeededException' was thrown.
This looks like the same error as in this question, but it should be a different problem, as the cause there was the "forceChangePasswordNextLogin" flag, while the users that are created by the invitation should not have this flag.
I checked that the IdentityExperienceFramework and ProxyIdentityExperienceFramework apps are correctly created and permissions are granted. They are also referenced as documented in the TrustFrameworkExtensions.xml.
How can I fix this? What can I do to further debug this problem? I used both Application Insights and the b2crecorder without getting enough information about the failure.
Additional information:
* The custom signup also does not work
* Signing up/in via 3rd party IDP (Google) works
I just found out what my problem was: in the login-NonInteractive technical profile, I had replaced the strange-looking <Item Key="ProviderName">https://sts.windows.net/</Item> with a nicer-looking name, assuming that it was just some irrelevant string (e.g. for the Google IdP, I could use <Item Key="ProviderName">Google</Item> ...).
Well, it seems to be important. When restoring the original providername, signin works perfectly.
Just answering my own question here, as I hope this will save somebody else's time.

Azure AD B2C with custom policies: Unable to authenticate user with temporary password

I have configured Azure AD B2C with custom policies but I am unable to authenticate with a new user created in the Azure portal. The user has a temporary password. Azure AD B2C returns the error text Invalid username or password, even though the username and password is correct.
I have confirmed that it is possible to login with the new user and temporary password in Azure AD B2C using non custom policies. After logging in, the user gets prompted to change their password.
The problem can be reproduced using the custom policies described in this guide:
Get started with custom policies.
Additional information:
I have configured the b2crecorder https://b2crecorder.azurewebsites.net/stream?id=<guid> in the UserJourneyRecorderEndpoint. Which gives access to more information through https://b2crecorder.azurewebsites.net/trace_102.html?id=<guid>
The problem results in the following logging:
SelfAssertedMessageValidationHandler
The message was received from null
Validation via SelfAssertedAttributeProvider
Additional validation is required...
OperativeTechnicalProfile is login-NonInteractive
Mapping 'username' partner claim type to 'signInName' policy claim type
Mapping default value 'undefined' to policy 'grant_type'
Mapping default value 'undefined' to policy 'scope'
Mapping default value 'undefined' to policy 'nca'
Mapping default value 'undefined' to policy 'client_id'
Mapping default value 'undefined' to policy 'resource_id'
Using validation endpoint at: https://login.microsoftonline.com/xxxx.onmicrosoft.com/oauth2/token
Orchestration Step: 1
RA: 0
Protocol selected by the caller: OAUTH2
Communications with the caller handled by: OAuth2ProtocolProvider
IC: True
OAuth2 Message: MSG(d56987e9-be2e-46fc-a7a4-23e317f8f174) Message Detail
ValidationRequest:
ValidationResponse:
Exception:
Exception of type 'Web.TPEngine.Providers.BadArgumentRetryNeededException' was thrown.
The most common reason for this is that Grant Permissions has not been executed.
On the "ProxyIdentityExperienceFramework application" -> after selecting the checkbox for Access IdentityExperienceFramework -> clicking on Select and hitting Done, you must also complete the next step:
Select Grant Permissions, and then confirm by selecting Yes.
Edit:
Sorry, after reading your situation carefully, neither a "sign-up or sign-in policy" nor a "custom policy" supports the Azure Active Directory forceChangePasswordNextLogin flag. (forceChangePasswordNextLogin will only work with a "sign-up policy".) There is a feature request tracking this here.
Since this is the first SO article that pops up on this question, I'll add that another possibility to check when hitting this problem is to make sure the Proxy app type is Native, not Web.
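The two threads above end in the same exception (BadArgumentRetryNeededException from login-NonInteractive) with different root causes: a renamed ProviderName item in one, and the ProxyIdentityExperienceFramework / IdentityExperienceFramework app setup in the other. The profile below is an added example, not code from either thread; it is modelled on the starter pack's login-NonInteractive profile and annotates the items those threads point at. The two all-zero GUIDs are placeholders for your own app (client) IDs, and the exact metadata in your TrustFrameworkBase.xml may differ.

```xml
<!-- Added example, not from either thread above. Modelled on the custom-policy starter
     pack's login-NonInteractive profile; the two GUIDs are placeholders and must be replaced
     with the app (client) IDs of ProxyIdentityExperienceFramework and IdentityExperienceFramework. -->
<ClaimsProvider>
  <DisplayName>Local Account SignIn</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="login-NonInteractive">
      <DisplayName>Local Account SignIn</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <Metadata>
        <!-- Keep this value exactly as the starter pack ships it. The first thread above
             reports that changing it to a friendlier string breaks sign-in with
             BadArgumentRetryNeededException / "Invalid username or password." -->
        <Item Key="ProviderName">https://sts.windows.net/</Item>
        <Item Key="METADATA">https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration</Item>
        <!-- This is the "Using validation endpoint at:" URL in the b2crecorder trace -->
        <Item Key="authorization_endpoint">https://login.microsoftonline.com/{tenant}/oauth2/token</Item>
        <Item Key="response_types">id_token</Item>
        <Item Key="response_mode">query</Item>
        <Item Key="scope">email openid</Item>
        <Item Key="UsePolicyInRedirectUri">false</Item>
        <Item Key="HttpBinding">POST</Item>
        <!-- client_id is the ProxyIdentityExperienceFramework app (registered as a native/public
             client); IdTokenAudience is the IdentityExperienceFramework app. The proxy app needs
             admin-consented permission to the IEF app ("Grant permissions"), or the token request
             fails with the same exception shown in the second thread. -->
        <Item Key="client_id">00000000-0000-0000-0000-000000000001</Item>
        <Item Key="IdTokenAudience">00000000-0000-0000-0000-000000000002</Item>
        <Item Key="UserMessageIfClaimsPrincipalDoesNotExist">We can't seem to find your account</Item>
        <Item Key="UserMessageIfInvalidPassword">Your password is incorrect</Item>
      </Metadata>
      <InputClaims>
        <!-- These are the "Mapping ... to policy ..." lines in the trace -->
        <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="username" Required="true" />
        <InputClaim ClaimTypeReferenceId="password" Required="true" />
        <InputClaim ClaimTypeReferenceId="grant_type" DefaultValue="password" />
        <InputClaim ClaimTypeReferenceId="scope" DefaultValue="openid" />
        <InputClaim ClaimTypeReferenceId="nca" PartnerClaimType="nca" DefaultValue="1" />
        <InputClaim ClaimTypeReferenceId="client_id" DefaultValue="00000000-0000-0000-0000-000000000001" />
        <InputClaim ClaimTypeReferenceId="resource_id" PartnerClaimType="resource" DefaultValue="00000000-0000-0000-0000-000000000002" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="oid" />
        <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid" />
        <OutputClaim ClaimTypeReferenceId="userPrincipalName" PartnerClaimType="upn" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="localAccountAuthentication" />
      </OutputClaims>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
```

When this profile throws BadArgumentRetryNeededException, the b2crecorder trace shows the request and response as empty, so the profile itself is the place to check: the ProviderName value, that client_id and IdTokenAudience point at the right two apps, that the proxy app is registered as Native rather than Web, and that admin consent was granted. A user created in the portal with a temporary password is the remaining case the thread identifies, and no change to this profile fixes that one.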
