I have a requirement to take new User attributes for users already authenticated in Azure AD B2C. Is there any way i can force the user to provide the new attributes before logging in next time.
Assuming you are using custom policy, at the time of user sign-in, check if the desired user attribute value is not null. If it is, then you can ask them to provide the values for missing user attributes. You can also build more sophisticated logic but this should get you started.
Related
I have a web application that uses Azure AD B2C, with custom policies, for security. When I look at the user accounts in the Azure AD B2C portal, I can see an editable Employee Id field. This field would be very handy to store an internal company employee Id, but I would like to include this field as an output claim in the auth token.
I've read the various documentation about the user profile attributes that are available through the portal, etc (https://learn.microsoft.com/en-us/azure/active-directory-b2c/user-profile-attributes), but EmployeeId is not listed there.
Based on the documentation, I'm assuming EmployeeId is not available to custom policies, but I thought I would ask the question, anyway, to see if anyone has worked out a way to include the property as an output claim in the JWT auth token?
• Yes, you can surely include the ‘employeeId’ attribute claim in the Azure AD B2C custom policy as below to be included as an output claim in the authentication token. For that purpose, you will have to define the employee Id as a claim with the proper ‘DisplayName, DataType, UserHelpText, UserInputType’ wherein you will have to modify the ‘TrustFrameworkExtensions.xml’ as below: -
Then, add the claim to the user interface in the local account signup technical profile as below since you want the ‘employeeId’ attribute to be included as a field in the output claim under ‘LocalAccountSignupwithLogonEmail’: -
Once done, then use the ‘PersistedClaims’ to write data to the user profile and ‘OutputClaims’ to read data from the user profile within the respective Active Directory technical profiles as above. Then, include a claim in the token in the ‘SignuporSignin.xml’ file and that output claim will be added in the token after a successful user journey and then modify the technical profile element within the relying party section to add the ‘employeeId’ as an output claim as below: -
Once the above things are done, then you surely can upload the custom policy and test it through your web app for the ‘employeeID’ attribute.
For more information regarding this, kindly refer to the below links for more information: -
https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-user-input?pivots=b2c-custom-policy
Custom policies Azure AD B2C issue with read the value Employee ID of user of Azure AD
To solve this, I ended up adding a REST API call, in the custom policy, that extracted EmployeeId via Graph API. Great suggestion by #juunas.
This works well, although it would be good if EmployeeId could be exposed as a claim without the REST call as I feel this adds a point of failure to the whole Sign Up/Sign In flow.
But it works.
I'm building a web app (SPA) that is a case management system. Each user (mainly external to organisation) has a case on the system. I've been told by an architect we should be able to use Azure AD B2C to allow the users to login on this so I've been investigating this.
From what I can see I will get a token back from B2C saying the user is authenticated. What I don't understand is what use is that? Ok the user is authenticated but I have no idea who they are i.e. I will need to identify their case ref somehow so I can bring back their details...
If i was doing this in the old days when they login they'd be checked against a user table then their ID would be used to get their case details .. a token and data object would be returned from an api.. job done
I don't see how this would work in Azure AD B2C... am i missing something?
The JWT that is returned contains a configurable set of claims.
You can use these to identify the user. Typically, this would be email or UPN.
In your case, you need a userID. If this isn't one of the supported attributes, you can use an extension attribute to store it.
B2C can also call an API (if you use custom policies) so you could call an API to get the userID from e.g. a table and then return it as an extension attribute in the JWT.
I have created Azure B2C Sign-In and Sing-Up policy as Built-In policy. Where i need to collect User First Name, Last Name and Country information.
Above built-in policy support below two identity provider login..
We need Country attribute information only when local User sign-up very first time. But as we have made Country as mandatory attribute, so it is coming for Azure AD user as well when they login very first time and we don't want to collect any country information for Azure AD users login.
How can we handle this scenario that within Single Built-In policy handle mandatory attribute differently.
Not able to get any thought though whether this will work using custom policy or not. Because User needs to login either sign-in/Up over login page by using above two Identity Providers.
I am in the process of setting up Azure AD B2C and including an API connector in the profile creation. I use the policy Sign up and sign in from the user flows. Now I want to add a user attribute I created myself. This should not be visible under User attributes (the user should not fill this field himself) but should be filled by the API and returned under Application Claims and in the token. Is this possible with the user flows? Or is this currently only possible with the Custom policies under Identity Experience Framework?
Thanks for your answers
The way to do this with Azure AD B2C user flows would be to use JavaScript to hide the field so that is not visible to the user even though it is selected as an attribute in the user flow.
A similar approach is user to enable captcha while signing up as well in this sample - https://github.com/Azure-Samples/active-directory-b2c-dotnet-sign-up-user-flow-captcha.
Here is the official documentation for using JavaScript in user flows - https://learn.microsoft.com/en-us/azure/active-directory-b2c/javascript-and-page-layout.
Is it possible using Graph API or similar to automatically add users to a security group in Azure B2C?
The background is that during an Azure B2C user journey for signup/sign the user will access an application after successful authentication. But I would like to role assign based on the security group the user is a member of.
Therefore if a new user signs up, they could be defaulted to lets say "DefaultUsersGroup" and this will be present in their token thus giving them default access to the app. Otherwise if an existing user signs in, this will perform some logic to determine the group the user should be a member of and then grant them access dependant on their membership.
Thank you.
You can do this by introducing your own REST API/s during your user journey. Your API should then call MS Graph API to do the Group+Role assignment, and on sign in, the Role resolution based on group membership.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-rest-api-claims-exchange
This sample may also help
https://github.com/azure-ad-b2c/samples/tree/master/policies/relying-party-rbac