Azure AD B2C password reset not working in Sign in v2 flow - azure-ad-b2c

The temporary password from the Azure portal when you manually reset a user password does not seem to work on the "Sign in v2" user flow; it does, however, work on the "Sign in" user flow.
I assume this is a bug since the v2 flow is still in preview.
Both user flows are under the same domain.
Is this a known issue? I was not able to find any information in the fast-developing Azure world.

The password reset through Azure Portal against a B2C Local Account is not supported for any flow, except the old Sign In flow. This is referred to as ForceChangePassword.

Related

What is the recommended approach for generating Azure AD Signin logs with passwordless azure B2C signin custom policy?

I am implementing a passwordless signin experience for local B2C account users with MFA credentials through Azure B2C custom policies. I am using AzureMfaProtocolProvider with a custom attribute stored phone number as an SMS MFA option, and OneTimePasswordProtocolProvider with a custom attribute stored email as an email MFA option. When I initiate a login, the first step is username retrieval. The username is used to read the MFA options from AD, and they are then presented to the user as options. Once they select an option, a code is sent and they must successfully validate the code from one of the MFA options to issue a token to the application. This works great; however, I noticed that Active Directory does not store and log a "sign in" in the signin logs (https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-all-sign-ins). Per the document, MFA challenges should generate a signin log, but it seems that MFA challenges with these protocol providers (AzureMfaProtocolProvider/OneTimePasswordProtocolProvider) are not sufficient.
I am concerned that we will miss inherent Active Directory risk tracking without "sign ins" being generated. I am also operating with a business requirement to see those logs generated for auditing purposes.
As a workaround, I am adding a pseudo password to user accounts on creation and then faking a login with the "login-NonInteractive" technical profile, which validates the credentials in AD using OIDC. This successfully generates a signin log, but it seems hacky. My question is: what is the recommended approach to generate a signin log in Azure AD with a passwordless solution?
what is the recommended approach to generate a signin log in Azure AD with a passwordless solution
For this scenario, you can implement a magic link: in the web application the user clicks the login button and is then redirected to the identity provider in Azure AD B2C.
Now, on the custom policy page, the user can select the magic link option to authenticate; the user has to provide the email address and continue. Azure AD B2C will send a request to the magic link web application, and this web API is responsible for generating the magic link that is sent to the user's mailbox.
For more information in detail, please refer to the links below:
samples/policies/sign-in-with-magic-link at master · azure-ad-b2c/samples · GitHub
https://github.com/azure-ad-b2c/samples#multi-factor-authentication-enhancements

Azure b2c cannot enable sspr

We are using the signup/signin built-in user flow and want to combine the "forgot password" part into this flow through SSPR: https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-password-reset-policy?pivots=b2c-user-flow#self-service-password-reset-recommended
However, the SSPR button cannot be clicked in the user flow properties, and a line at the bottom says "sspr currently unavailable to support combind local account". Am I using the wrong account, or does APIM need some configuration?
I have searched a while and there is no similar case. Has anyone encountered the same problem?
Please check whether the causes are among the following:
Note: In a sign-up and sign-in journey, a user can reset their own password by using the Forgot your password link. This ability to reset passwords only applies to local accounts in Azure Active Directory B2C (Azure AD B2C), i.e., you can only reset your password if you signed up using an email address or a username with a password for sign-in.
In the case of Azure AD, users of SSPR require one of the following licenses: Azure AD Premium P1 or P2, Microsoft 365 Business, or Office 365. If you have a hybrid environment, you also need password writeback into your on-premises AD. In this case, you'll need Azure AD Premium P1 or P2 or Microsoft 365 Business.
You may not be able to see the password reset menu option if you don't have an Azure AD license assigned to the administrator performing the operation.
Please check out below references:
Troubleshoot self-service password reset - Azure Active Directory | Microsoft Docs
Frequently asked questions (FAQ) for Azure Active Directory B2C | Microsoft Docs
Azure AD B2C Password Reset - Stack Overflow

Can I use "Resource Owner Password Grant" flow with Azure AD B2C

I need to be able to get an identity/access token to a backend API for a native client, where the native client must use native UI to collect username and password.
I want to use Azure AD B2C but I cannot get clear, explicit info if the Resource Owner Password Grant flow is supported. Is it possible to get a token from Azure AD B2C by programmatically posting username and password somewhere?
Azure AD B2C does not support the "Resource Owner" password grant yet.
You can support this feature ask and get updates on its progress by voting for it in the Azure AD B2C feedback forum: Add support for Resource Owner Password Credentials flow in Azure AD B2C.
Is it possible to get a token from Azure AD B2C by programmatically posting username and password somewhere?
You can use the Azure AD Client Credential Flow to obtain a token. See this SO Post.
ROPC might be the right OAuth Flow for you, but before you start using it, you might want to check out this blog post:
Why the Resource Owner Password Credentials Grant Type is not Authentication nor Suitable for Modern Applications.
Resource Owner Password Credential flow is now supported in Azure AD B2C.
Do note however that confidential client flow, where the application secret is verified, is not supported.
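As an added illustration (not code from the question or the answers above), the following Python sketch builds the public-client ROPC token request against a B2C policy and runs the claim checks a client should apply to the returned id_token. The tenant name, policy name and client id are constructed placeholders, and the sample token is constructed and unsigned, so signature verification against the policy's JWKS endpoint is assumed to happen separately.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Constructed placeholders: substitute your own tenant, ROPC policy and app id.
TENANT = "contoso"
POLICY = "B2C_1_ropc"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"


def build_ropc_request(tenant, policy, client_id, username, password):
    """Return (url, form_body) for a B2C ROPC token request.

    Only the public-client form is built: no client_secret is included,
    since B2C's ROPC does not support the confidential-client variant.
    """
    url = (f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/"
           f"{policy}/oauth2/v2.0/token")
    form = {
        "grant_type": "password",
        "username": username,
        "password": password,
        "client_id": client_id,
        "scope": f"openid {client_id} offline_access",
        "response_type": "token id_token",
    }
    return url, urlencode(form)


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims):
    """Constructed sample only: a JWT with an empty signature segment."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}."


def check_id_token_claims(id_token, tenant, policy, client_id, now=None):
    """Return a list of problems with the token's iss/aud/tfp/exp claims.

    This only parses the payload; the signature must be verified separately.
    """
    now = time.time() if now is None else now
    parts = id_token.split(".")
    if len(parts) != 3:
        return ["token is not a three-part JWT"]
    claims = json.loads(_b64url_decode(parts[1]))
    problems = []
    iss = claims.get("iss", "")
    if not (iss.startswith(f"https://{tenant}.b2clogin.com/") and iss.endswith("/v2.0/")):
        problems.append("issuer is not this tenant's b2clogin.com v2.0 issuer")
    if claims.get("aud") != client_id:
        problems.append("audience is not this application")
    if claims.get("tfp", claims.get("acr")) != policy:  # tfp for user flows, acr for some custom policies
        problems.append("token was not issued by the expected policy")
    if claims.get("exp", 0) <= now:
        problems.append("token has expired")
    return problems
```

The form body is sent as a POST with Content-Type application/x-www-form-urlencoded; the id_token in the JSON response is then passed to check_id_token_claims after its signature has been verified.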

Azure AD B2C Simple Username authentication

I am having an issue authenticating users for an external, non-cloud ASP.NET application that is going to be secured via our B2C tenant using a simple username (i.e. not an email address).
I have imported the usernames to B2C using the Graph API and set the SignInName type to be "userName" on each account. The Azure AD B2C Identity Provider is set to "Username" and I have created a sign-in policy where the identity provider is set to "Local Account SignIn" and tied it to my B2C application. If I click the "Run Now" button on the policy, it takes me to the Azure login screen and I can enter one of the imported usernames/passwords and it authenticates and routes me to the application URL. This is the desired behavior.
HOWEVER, when I execute my external app I get transferred to the Azure B2C login screen as expected, but it requires me to enter either a valid email address or telephone number. It will not allow the local B2C username. It seems something is disconnected in the sign-in policy for the application.
Can anyone offer a suggestion why the login page will not accept the simple username?
I guess this is a bit late? Perhaps others are looking for this.
Azure AD B2C can use email OR localAccount for authentication. You need to set the "identity providers" to localAccounts:
Note: in order to create local accounts you need to set "creationType": "LocalAccount" in the JSON to create local account users.

How can we show Azure AD security questions?

I have used the Azure AD B2C sign-in and sign-up policy for the user login and signup process with Multi-Factor Authentication. I have also set a password reset policy.
Everything is working fine with Phone factor (MFA).
Now client wants to add security questions while signing up a user and password resetting.
I have enabled security question and selected 5 questions; however, it's not visible while signing up a user and password resetting.
I am not able to understand what is the exact problem.
Based on the official documentation, Azure AD B2C only supports using a verified email address as a recovery method.
Currently, we only support using a verified email address as a recovery method. We will add additional recovery methods (verified phone number, security questions, etc.) in the future.
In addition, Azure AD B2C only supports phone call and text message verification for Multi-Factor Authentication (MFA).
Azure Active Directory (Azure AD) B2C integrates directly with Azure Multi-Factor Authentication so that you can add a second layer of security to sign-up and sign-in experiences in your consumer-facing applications. And you can do this without writing a single line of code. Currently we support phone call and text message verification.
For more information about MFA and password reset for Azure AD B2C, please refer to the following links.
Azure Active Directory B2C: Set up self-service password reset for your consumers
Azure Active Directory B2C: Enable Multi-Factor Authentication in your consumer-facing applications