I have a signup policy set up to redirect to my web app, and my web app reads the claims to collect information about a user. Two users in my application were having sign-up difficulty. When there's a signup error my application writes all the claims to a log. The claims of these two users did not match the Output claims of my sign-up policy; they were missing a lot of claims. After some investigating in Azure I noticed in the Audit Logs of those two users there was:
Add User
Issue token(sign-up policy)
Issue token(sign-up policy again)
For both users this second token issue happened 30-45 seconds after the initial issue. Every other account I check only has the first two (Add and issue once). It's not possible for the user to sign up twice, so why would it issue a second token? When I look at the error log the claim "iat" is from the second token. What would trigger a second issuance? Or what might stop the first token from reaching my application?
Thank you in advance.
We are using Azure Active Directory B2C to authenticate users into our app, and we use a user flow to let the user enter their credentials. After receiving the access token from Azure we generate an app token that contains app-related information.
We recently added the keep me signed in feature, but it seems that there is no way to know in the response if the user has checked it or not? Even the returned access token still expires after 60 minutes. This causes a problem for us since our app logs out the user automatically after the token times out, but if the user chooses to stay signed in we want to stop this behavior. So how can we tell if the user checked the keep me signed in box?
I've read a lot in Microsoft docs and searched a lot with no luck to find a way!
The one thing I found was a KMSI attribute, but it can only be added in custom policies, which is kinda hard to do now. Is there a way to get such an indicator from the user flow?
You can get the KMSI Boolean in the token using custom policies and claims resolvers.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/claim-resolver-overview
However, this shouldn’t be needed in your scenario. When access token expires, the refresh token is used to redeem a new access token. If the refresh token is expired, then the B2C cookie is used to perform single sign on via the B2C login page.
The user is only logged out if all of the above are expired/invalidated.
More to read here: What does KMSI in Azure B2C actually DO?
Quite new to B2C and have set up custom policies which did seem to be working ok.
Since adding the reset password functionality: https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-password-reset-policy?pivots=b2c-custom-policy
I have found that local user accounts can sign up and it will sign them in but will not let them log in again.
Same happens for resetting the password. It all goes through, the user can log in, and then on the next login it doesn't accept the creds.
B2C audit logs shows the password reset as a success... not sure what I am missing?
EDIT: I checked on another tenant I was testing on where I had not set up the password reset yet, and I have the same issue with local user account creation.
The only piece that is different from the examples is that I have a multi-tenant Azure AD IdP set up.
Any help will be much appreciated
Sounds like you did not complete the setup for the proxyief and ief app registrations correctly. https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy#register-identity-experience-framework-applications
Delete your proxyief and ief app registrations, then use my tool to reprovision them: https://aka.ms/iefsetup
After reprovisioning, test after a few minutes.
It will overwrite your custom policy files, so download them back and set up the AAD multi-tenant technical profile again afterwards.
Application IDs needed to be added to the technical profile of the TrustFrameworkExtensions file for non-interactive logins.
Application ID's for both app registrations mentioned.
About the sample "https://github.com/azure-ad-b2c/samples/tree/master/policies/impersonation".
Someone who has already used it, can you comment on how you handled the authentication logs? I noticed in the B2C Logs both the user who is "Impersonated" and the user who is "Impersonator", I did not find any records that indicate that there was an "impersonation" process.
The Token generated in this process is for the "Impersonator" user, and has information about him, is it possible to bring information about the "Impersonated" user?
There will be nothing official in the logs generated by AAD B2C for this impersonation, and AAD B2C does not know the context of your AAD B2C policy. It can only understand that a token is issued for a particular user, not a custom process that allowed it.
What you can do is use App Insights to inject your own custom events to create logs.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/analytics-with-application-insights?pivots=b2c-custom-policy
We have a scenario where a logged-in user (SFA, authentication has been done by Azure policies) needs to do some high-value transactions.
To allow this, we need to throw an additional authentication challenge. (MFA)
If the user access was successful we need to enrich the token somehow to read in on the client-side.
Tried to use scopes for this scenario, but as they are set per application I couldn't make it happen. Any thoughts on how it can be implemented in Azure B2C?
Thanks
The usual approach is for the application to look at the "acr" claim. This claim tells the app which B2C Auth policy the user has last arrived with. Therefore, in your app implement this logic:
User clicks high risk item
App checks current token "acr" claim
If acr != "B2C_1_MFA", then redirect the user to authenticate via a sign in/up policy that has MFA enabled
You need to create a sign in/up policy with MFA enabled and the above logic to get this to work. The App only needs to know about the policy name to know if the authentication challenges have been satisfied.
If the user has already logged in when this B2C policy is executed, the built-in Single Sign On will skip the user having to enter their credentials again, and instead they will just need to complete the MFA step.
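The "acr" check and policy switch described in this answer, written out as an added example in C# for an ASP.NET Core app (this is not code from the answer or from Microsoft). It assumes the OpenID Connect middleware has already validated the token's signature, issuer and audience, so the claims on User can be trusted; the default sign-in policy name B2C_1_SignUpSignIn, the "policy" item key and the controller route are hypothetical. Since a user flow can be configured to emit the policy name as "tfp" instead of "acr", the check accepts either claim.

```csharp
// Added example, not the answer's own code. Assumes ASP.NET Core with the OIDC
// middleware configured for B2C and the token already validated by it.
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Mvc;

public static class B2cStepUp
{
    public const string PolicyItemKey = "policy";            // hypothetical key in AuthenticationProperties.Items
    public const string SignInPolicy = "B2C_1_SignUpSignIn";  // hypothetical default policy of the app
    public const string MfaPolicy = "B2C_1_MFA";              // the MFA-enabled policy from the answer

    // True only if the validated token was issued by the MFA policy. B2C puts the
    // policy name in "acr" by default or in "tfp" if the user flow is configured so;
    // policy names are compared case-insensitively.
    public static bool SatisfiedMfaPolicy(ClaimsPrincipal user)
    {
        var policy = user.FindFirst("acr")?.Value ?? user.FindFirst("tfp")?.Value;
        return policy != null
            && string.Equals(policy, MfaPolicy, StringComparison.OrdinalIgnoreCase);
    }

    // Hook for OpenIdConnectOptions.Events.OnRedirectToIdentityProvider. B2C selects
    // the policy from the authorize URL path (.../<policy>/oauth2/v2.0/authorize),
    // so swap the default policy for the one requested in the challenge.
    public static Task OnRedirectToIdentityProvider(RedirectContext ctx)
    {
        if (ctx.Properties.Items.TryGetValue(PolicyItemKey, out var requested) && requested != null)
        {
            ctx.ProtocolMessage.IssuerAddress = ctx.ProtocolMessage.IssuerAddress
                .Replace(SignInPolicy, requested, StringComparison.OrdinalIgnoreCase);
        }
        return Task.CompletedTask;
    }
}

public class HighRiskController : Controller
{
    // Step 1 of the answer: the user clicks the high-risk item.
    [HttpGet("/high-risk")]
    public IActionResult HighRisk()
    {
        // Step 2 and 3: check "acr"; if it is not the MFA policy, re-authenticate
        // against that policy. B2C SSO skips the credential prompt, so the user
        // only sees the MFA step, and is sent back here afterwards.
        if (!B2cStepUp.SatisfiedMfaPolicy(User))
        {
            var props = new AuthenticationProperties { RedirectUri = "/high-risk" };
            props.Items[B2cStepUp.PolicyItemKey] = B2cStepUp.MfaPolicy;
            return Challenge(props, OpenIdConnectDefaults.AuthenticationScheme);
        }
        return View();
    }
}
```

Wire the hook in Startup with `options.Events.OnRedirectToIdentityProvider = B2cStepUp.OnRedirectToIdentityProvider;` on the OpenIdConnectOptions. The decision is made on the server from a validated token, never from a client-side flag, so a client cannot claim the MFA step was completed.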
As you probably know, I am creating a multi-tenant Azure application, which is using the B2B functionality.
I am testing the B2B functionality and after some research I got a working sample.
Small summary: User authenticates against the common authority, the first token is acquired via the common authority with the authorization code, and from then on, every time I need a service client, I try to obtain those tokens from the 'current tenant's' authority.
When I request 'Me', it only works against the home tenant. When I request Me with a trusted tenant, I get an error that my user identifier does not exist in the directory. Probably because the user does not actually exist in the trusted tenant.
When I request Users, it works fine. I can get both, home tenant users and trusted tenant users.
Is this normal behaviour?
Is this something I need to handle programmatically, or would this be solved by using the AD graph?
(So when I know I need user info, just query the home tenant?)
Or is this a bug?
Any thoughts on this would be greatly appreciated!
Guests added to a directory via the B2B Collaboration feature will not work correctly on multi-tenant apps or the Microsoft Graph if you're using the common endpoint.
The common endpoint will always authenticate the user against his/her home tenant, not against any tenant where (s)he is a guest.
In order to successfully query /me for a guest, you'll need to have them sign in through the tenant-specific endpoint for the tenant where they're a guest.
See my answer to this other post for a more in-depth explanation / context:
Can users from an unmanaged Azure AD directory, sign into an Azure AD multi-tenant application which resides in a different directory?
I have noticed that when you want to switch between tenants, you need to re-authorize against the current tenant.
I got it working this way:
1. First sign-in needs to be done against the common endpoint.
2. Every time I need a token for certain resource, I try to get the token silently.
=> This can throw 2 different AdalSilentTokenAcquisitionExceptions
Nothing found in cache, also no refresh token found
=> In this case, I redirect the user to the login page again.
When you switch between tenants, and it is the first time you want to log in using a tenant where you've been trusted, you can get an error like: User or admin should be given consent for this application. Although the admin from his home tenant has added the application in the directory for the home tenant. Anyone who knows why this consent is needed? So tenant A and tenant B admins have both given consent. Why does a trusted user from B in A still need to consent some way?
I was able to trigger the consent flow by redirecting the user to the authorization request URL.
So when I got an AdalSilentTokenAcquisitionException and the error code was "failed_to_acquire_token_silently", I had to redirect the user to the URL generated by the authContext (authenticationContext.GetAuthorizationRequestUrlAsync). When the cache had been cleared, no refresh token was found, so I then redirected the user to sign in again.
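The per-tenant silent acquisition with a fallback to the interactive URL that this answer describes, as an added example using the ADAL.NET v3 API (not the poster's own code). Only the ADAL types and the AdalError.FailedToAcquireTokenSilently constant are real; TenantTokenBroker, TokenOutcome, the client id and redirect URI are hypothetical placeholders. ADAL.NET is out of support and MSAL.NET is its replacement, so the pattern is shown here as the poster used it, not as a recommendation to start new work on ADAL.

```csharp
// Added example, not the poster's code. Requires the Microsoft.IdentityModel.Clients.ActiveDirectory package.
using System;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// Either a usable access token or the URL the user must be redirected to.
public sealed class TokenOutcome
{
    public string AccessToken { get; set; }
    public Uri RedirectTo { get; set; }
    public bool NeedsInteraction => RedirectTo != null;
}

public static class TenantTokenBroker
{
    const string ClientId = "<app-client-id>";                              // placeholder
    static readonly Uri RedirectUri = new Uri("https://localhost/signin-oidc"); // placeholder

    // Step 2 of the answer: after the first sign-in via /common, every later token
    // is requested from the authority of the tenant currently in use, because a
    // guest's tokens for tenant B can only come from tenant B's authority.
    public static async Task<TokenOutcome> AcquireForTenantAsync(
        string tenantId, string resource, UserIdentifier userId, TokenCache cache)
    {
        var authority = $"https://login.microsoftonline.com/{tenantId}";
        var context = new AuthenticationContext(authority, cache);

        try
        {
            // Uses the cached access token or redeems the cached refresh token; never shows UI.
            var result = await context.AcquireTokenSilentAsync(resource, ClientId, userId);
            return new TokenOutcome { AccessToken = result.AccessToken };
        }
        catch (AdalSilentTokenAcquisitionException ex)
            when (ex.ErrorCode == AdalError.FailedToAcquireTokenSilently)
        {
            // Nothing in the cache (no token, no refresh token) or consent for this
            // tenant is still missing: build the authorize URL for this tenant so the
            // caller can redirect the user. The tenant's consent prompt runs in that
            // flow when it is required.
            Uri url = await context.GetAuthorizationRequestUrlAsync(
                resource, ClientId, RedirectUri, userId, null);
            return new TokenOutcome { RedirectTo = url };
        }
    }
}
```

A caller in a web app checks NeedsInteraction and issues the redirect itself; keeping the TokenCache per signed-in user (rather than one shared process-wide cache) is what makes the silent lookup return that user's tokens and not another user's.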