We have a .net core Web api which is using Azure AD B2C for Authentication and Authorization.
By default Azure trims any space the user enters before or after the password in the blue login page.
There is a requirement from our clients that they don't want the space to be trimmed (meaning if the user enters extra space before or after the password, they should be shown "Password is wrong").
I wanted to know if there is any way to achieve this in custom policy.
Using the custom policies you can achieve this. Azure AD B2C supports configuration options to control the complexity of passwords that customers can use. You can define password complexity by using the DisallowedWhitespace predicate element:
<Predicate Id="DisallowedWhitespace" Method="MatchesRegex" HelpText="The password must not begin or end with a whitespace character.">
  <Parameters>
    <Parameter Id="RegularExpression">(^\S.*\S$)|(^\S+$)|(^$)</Parameter>
  </Parameters>
</Predicate>
Please refer to the document.
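To see exactly which passwords the predicate's regular expression accepts and rejects, here is an added check (not part of the answer above) that evaluates the same pattern with Python's re module; the pattern uses only constructs whose meaning is identical in the .NET engine that Azure AD B2C uses, and the sample passwords are constructed.

```python
import re

# The DisallowedWhitespace predicate's regular expression from the answer above.
# ^, $, \S, ., * and + behave the same in .NET and in Python's re module.
DISALLOWED_WHITESPACE = re.compile(r"(^\S.*\S$)|(^\S+$)|(^$)")


def password_allowed(password: str) -> bool:
    """True when the predicate accepts the password (no leading/trailing whitespace)."""
    return DISALLOWED_WHITESPACE.search(password) is not None


def classify(candidates):
    """Map each candidate password to the predicate's verdict, for bulk review."""
    return {pw: password_allowed(pw) for pw in candidates}


# Constructed sample inputs (not from the page); repr() makes the whitespace visible.
SAMPLES = [
    "P@ssw0rd!",      # no surrounding whitespace: accepted
    " P@ssw0rd!",     # leading space: rejected
    "P@ssw0rd! ",     # trailing space: rejected
    "\tP@ssw0rd!",    # a leading tab is whitespace too: rejected
    "pass word",      # internal space is not covered by this predicate: accepted
    "x",              # single non-whitespace character: accepted via (^\S+$)
    "",               # empty string: accepted via (^$), so a length predicate is still needed
    "P@ssw0rd!\n",    # trailing newline: accepted, because $ also matches before a final \n
]

if __name__ == "__main__":
    for pw, ok in classify(SAMPLES).items():
        print(f"{pw!r:>16} -> {'accepted' if ok else 'rejected'}")
```

The last two samples show why this predicate is combined with the starter pack's length and character-set predicates rather than used on its own.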
I need to configure a SignIn (no SignUp) custom policy on an AAD B2C tenant, but I'm lacking the experience of the IEF to design/develop and test it properly. The policy should read (logically) as follows:
Present UI to user to enter email only (using a self-asserted TP?)
Use custom logic to determine whether the user represents a local account or to any of the known clients of ours. A single client could have multiple possible domains to be authenticated in the same IdP. The only option I know for doing this step is an external REST service, but this is something I would like to avoid if there is any other option to include custom login running inside the custom policy engine, using C#, JS, or event a simple dictionary from email domain to IdP domain.
Depending on the IdP automatically selected in step 2, branch to different journeys where the user will be signed in.
For local-account sign-in journey, the user will need to use MFA if he/she belongs to admin group. Only email, DisplayName, FirstName, LastName and UserId are needed as final claims.
For other IdPs I would have to add ClaimProviders and sub-journeys to allow for signing the users in.
Finally the JWT Token should be issued to the relying party.
No storing back to AAD storage is required because there is no sign-up process. Users are created from the application and invited (if local account) or already exist in their corresponding IdPs.
The wording you should look into is "home realm discovery".
There is a custom policy example on GitHub. However this example requires the application to provide the email hint. You need to extend it in a way that captures the email in a self-asserted step.
It is for scenarios where you need to implement a sign-in journey in which the user is automatically directed to their federated identity provider based on their email domain, and users who arrive with an unknown domain are redirected to a default identity provider.
In this example, users who enter an email with the suffix contoso.com will be redirected directly to their federated identity provider to sign in. In this case that is Azure AD (SAML2).
Users who enter an email with the suffix facebook.com will be redirected directly to their federated identity provider to sign in. In this case that is Facebook (OAuth).
Where a user comes from an unknown email suffix, they will be redirected directly to a default identity provider, in this case Azure AD (OpenId).
This is another sample.
It first asks for the domain and then redirects to the appropriate IDP.
To add IDP, refer to this.
For MFA, start with the MFA starter pack.
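The domain-to-IdP routing the answer describes, written out as an added Python model (not the GitHub sample's policy XML, where the same logic lives in claims transformations): the contoso.com and facebook.com rows restate the answer, contoso.co.uk is a constructed extra domain to show one client owning several domains, and the email parsing rejects inputs that are not a single user@domain address.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IdpRoute:
    name: str       # identity provider as named in the answer above
    protocol: str   # protocol the sample uses for that provider


# Domain-to-IdP table. contoso.co.uk is constructed (not from the page).
ROUTES = {
    "contoso.com": IdpRoute("Azure AD", "SAML2"),
    "contoso.co.uk": IdpRoute("Azure AD", "SAML2"),
    "facebook.com": IdpRoute("Facebook", "OAuth"),
}
# Unknown domains fall through to the default provider named in the answer.
DEFAULT_ROUTE = IdpRoute("Azure AD", "OpenId")


def email_domain(email: str) -> str:
    """Return the domain of a user@domain address; reject anything else."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local:
        raise ValueError(f"not a single user@domain address: {email!r}")
    # Lower-case and drop a trailing dot so 'CONTOSO.COM.' still matches 'contoso.com'.
    return domain.lower().rstrip(".")


def select_idp(email: str) -> IdpRoute:
    """Home realm discovery: pick the IdP by email domain, else the default."""
    return ROUTES.get(email_domain(email), DEFAULT_ROUTE)


if __name__ == "__main__":
    for addr in ["alice@contoso.com", "bob@CONTOSO.CO.UK", "carol@facebook.com", "dave@example.org"]:
        route = select_idp(addr)
        print(f"{addr:>22} -> {route.name} ({route.protocol})")
```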
I have set up a custom b2c policy in order for users (specific clients of ours) in specific Azure AD tenants to log into a Portal without having to explicitly sign up first (they can log into the Portal via b2c using their whitelisted AD account).
I wanted to make this happen using basic userflows but as far as I know AD multi tenancy is only possible with custom policies, but that's a separate issue entirely.
What I want to do now is to take the user's attributes as they are set in their AD client (phone number, etc) and add those to the claimsbag in the sign up userjourney so that they will persist in the b2c tenant as well (and in turn map those again to the client contact in the Portal).
I have read up on enriching tokens a lot, as well as using custom attributes but so far I have not been able to find how to actually get the already existing data from the user's AD account and transfer that to the b2c account as it is created on sign up.
Maybe I need to use the Graph API to do this but I have no experience in using APIs to retrieve that data from a user (would need rights and consent as well of course) and more importantly, I don't know (yet) how I would implement/call an API in a userjourney.
If anyone can guide me in the right direction that would be very much appreciated!
If it turns out I can give specific white listed AD users (from different AD tenants) access to sign up to my b2c tenant and import data like (mobile) phone numbers from those users' AD accounts then that would of course be absolutely fantastic.
In terms of code: I am using the XML files (and thus also the user journey) from the local and social starter pack, removing the social login options from the Extensions file, adding only a multi tenant AD claimsprovider (as instructed by MS docs), and removing only some output claims in the self asserted social technical profile in order to hide the data that I am able to import and persist from the user during sign up (name, username, and alternate email (which is also the userprincipalname for some reason)).
As per this, you configure the optional claims that you want to pass from Azure AD.
Then as per this, you map these claims to the B2C equivalent.
e.g.
<OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
<OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" />
<OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
On the Azure AD side, you selected "family_name" and "given_name".
On the B2C side, the right-hand side of the mapping is the Azure AD name. The left-hand side is the B2C name.
So "family_name" maps to "surName" in B2C, and you can now use this claim in your user journey.
I have an asp.net web application that authenticates via an Azure AD B2C tenant. I have a sign-up-sign-in policy [login is using username instead of email] with MFA turned on. I have also set up a Custom UI login page [unified.html] and MFA page [phonefactor.html] in a storage blob that the policy points to. I am able to authenticate the user via the custom login page and log in with MFA. The issue is when I create a new user and force the user to change the password at their first login: instead of redirecting the user to the change password screen, I am getting an invalid username and password message. When I use the Sign-In policy instead of sign-up-sign-in, the redirection to change the password works for the new user. But the sign-in policy does not have the option to specify a Custom UI for the login page. Am I missing anything here, and how can I make this work with the sign-up-sign-in policy?
Also, is there any way to get the "Password" hint like the "Username" hint in the company branding? The Password hint is not available.
forceChangePasswordNextLogin only works on the sign-in policy which does not support UI customization.
In order to achieve similar functionality in the unified sign-up/sign-in policy, you'll need to implement this functionality yourself.
One option to achieve similar (albeit not quite the same) functionality is by leveraging the Password Reset policy. You would be creating new users up-front and ensuring you configure their email. You then direct them straight to the Password Reset policy for their account activation. They'll receive an email with a code which, once provided, will let them set their password.
There are already two outstanding feature asks in the Azure AD B2C Feedback Forum that you can support:
Support Force Password Reset
Fully Customizable Sign-In Page
UPDATE
For the DIY approach:
Create the users by setting up an Azure AD app for your back-end API as outlined here:
https://learn.microsoft.com/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet
Have your back-end API call the Graph API like this app does to create the users: https://github.com/AzureADQuickStarts/B2C-GraphAPI-DotNet.git
Send the users directly to the password reset policy's /authorize/ URL.
I have a web application that authenticates with my B2C tenant with MFA turned on at the Sign-In Policy level [at this point MFA is disabled at User Level] and the policy is configured to use "username" to login. The application works fine and the user is able to login ... What I am trying to accomplish is to have MFA at user level meaning only certain users will be able to use MFA while others will be able to login without MFA.
The problem that I am facing is that when I turn on MFA at User Level and turn off MFA at Sign-In Policy level, after the first password authentication screen the redirect to the multi-factor authentication screen, where it asks the user where to send the code, is failing. Instead it is going back to the first password authentication screen and seems to be in a loop. When both MFAs are turned off, it works fine with the password authentication and the user is able to log in to the application. When both are turned on, it's the same behavior where it goes back to the first password screen in a loop. Am I missing something here, or is it even possible to do this?
[Screenshot: MFA at user level]
Azure AD B2C does not have out-of-the-box support for user-level MFA.
The UI you referenced is from enterprise Azure AD, and while it shows up for Azure AD B2C as well, as you've noticed, it won't work.
The best approximation to what you are looking for is having two policies, one with MFA and one without MFA. You would have to implement your own mapping table and route users through the appropriate policy.
I have used the Azure AD B2C sign-in and sign-up policy for the user login and signup process with Multi-Factor Authentication. I have also set up a password reset policy.
Everything is working fine with Phone factor (MFA).
Now the client wants to add security questions while signing up a user and resetting a password.
I have enabled security questions and selected 5 questions; however, they are not visible while signing up a user or resetting a password.
I am not able to understand what the exact problem is.
Based on the official documentation, Azure AD B2C only supports using a verified email address as a recovery method.
Currently, we only support using a verified email address as a recovery method. We will add additional recovery methods (verified phone number, security questions, etc.) in the future.
In addition, Azure AD B2C only supports phone call and text message verification for Multi-Factor Authentication (MFA).
Azure Active Directory (Azure AD) B2C integrates directly with Azure Multi-Factor Authentication so that you can add a second layer of security to sign-up and sign-in experiences in your consumer-facing applications. And you can do this without writing a single line of code. Currently we support phone call and text message verification.
For more information about MFA and password reset for Azure AD B2C, please refer to the following links:
Azure Active Directory B2C: Set up self-service password reset for your consumers
Azure Active Directory B2C: Enable Multi-Factor Authentication in your consumer-facing applications