strongAuthenticationEmail and strongAuthenticationPhoneNumber attributes in Azure AD B2C - azure-ad-b2c

I would like to store both an email address and a phone number for MFA in Azure AD B2C and found the properties above. However, when writing one of the attributes, the other one seems to be getting purged. Unfortunately, I found very little information about MFA attributes in AAD. Any idea on how to handle this?

These two attributes are protected attributes and are inaccessible with Graph API, hence the lack of public docs. With AAD B2C, you will write to these attributes within a User Flow when the user signs up with a Username (strongAuthenticationEmail) or enrols for MFA (strongAuthenticationPhoneNumber). But they cannot be read or written by you through Graph API.
If you use Custom Policies, you have full control over where you store the data. In the case where you need to feed in/prepopulate these attributes, or require an Admin pane to manage them outside of the B2C Policy execution, simply use an extension attribute instead and configure the Custom Policy to R/W from the extension attribute, rather than the mentioned protected attributes.
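As an added illustration of the extension-attribute approach described in this answer (this is example policy XML written for this page, not code from the answer or from Microsoft's starter pack), the fragments below route the phone number a user verifies during MFA enrolment into an extension attribute and read it back at sign-in. The claim name extension_mfaPhoneNumber and the claims-transformation Id are chosen for the example; the technical profile Ids are the usual starter-pack names; the two zeroed GUIDs are placeholders for the object id and application (client) id of the tenant's b2c-extensions-app.

```xml
<!-- Added example: fragments for TrustFrameworkExtensions.xml.
     extension_mfaPhoneNumber, CopyExtensionPhoneToMfaPhone and the GUIDs are
     placeholders chosen for this example; the other Ids are starter-pack names. -->
<BuildingBlocks>
  <ClaimsSchema>
    <!-- Our own attribute: readable and writable through Graph API, unlike the
         protected strongAuthenticationPhoneNumber attribute -->
    <ClaimType Id="extension_mfaPhoneNumber">
      <DisplayName>MFA phone number</DisplayName>
      <DataType>string</DataType>
      <UserHelpText>Phone number used for multi-factor verification</UserHelpText>
    </ClaimType>
  </ClaimsSchema>
  <ClaimsTransformations>
    <!-- Copy the stored value into the claim the phone-factor profile expects -->
    <ClaimsTransformation Id="CopyExtensionPhoneToMfaPhone" TransformationMethod="CopyClaim">
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="extension_mfaPhoneNumber" TransformationClaimType="inputClaim" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="strongAuthenticationPhoneNumber" TransformationClaimType="outputClaim" />
      </OutputClaims>
    </ClaimsTransformation>
  </ClaimsTransformations>
</BuildingBlocks>

<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>Azure Active Directory</DisplayName>
    <TechnicalProfiles>
      <!-- Extension attributes live on the b2c-extensions-app, so the AAD profiles
           need its ids. PLACEHOLDER GUIDs: replace with your tenant's values. -->
      <TechnicalProfile Id="AAD-Common">
        <Metadata>
          <Item Key="ApplicationObjectId">00000000-0000-0000-0000-000000000000</Item>
          <Item Key="ClientId">00000000-0000-0000-0000-000000000000</Item>
        </Metadata>
      </TechnicalProfile>

      <!-- Sign-in: read the stored number so the journey can offer it for verification -->
      <TechnicalProfile Id="AAD-UserReadUsingObjectId">
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="extension_mfaPhoneNumber" />
        </OutputClaims>
      </TechnicalProfile>

      <!-- MFA enrolment: persist the number the user just verified, but into our
           attribute rather than strongAuthenticationPhoneNumber -->
      <TechnicalProfile Id="AAD-UserWritePhoneNumberUsingObjectId">
        <PersistedClaims>
          <PersistedClaim ClaimTypeReferenceId="Verified.strongAuthenticationPhoneNumber"
                          PartnerClaimType="extension_mfaPhoneNumber" />
        </PersistedClaims>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>

  <ClaimsProvider>
    <DisplayName>PhoneFactor</DisplayName>
    <TechnicalProfiles>
      <!-- Before verification, feed the extension attribute value into the claim
           the phone-factor provider reads -->
      <TechnicalProfile Id="PhoneFactor-InputOrVerify">
        <InputClaimsTransformations>
          <InputClaimsTransformation ReferenceId="CopyExtensionPhoneToMfaPhone" />
        </InputClaimsTransformations>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>
```

Two points worth checking when adapting this: technical profiles in the extensions file merge with the same-Id profiles in the base file, so the base policy's existing persisted claim to strongAuthenticationPhoneNumber still runs unless it is removed there; and because extension_mfaPhoneNumber is an ordinary extension attribute, an admin tool can read or set it through Graph API on the user object, which is exactly what the protected attributes do not allow.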

Related

Azure AD B2C Custom Policies - Include EmployeId claim

I have a web application that uses Azure AD B2C, with custom policies, for security. When I look at the user accounts in the Azure AD B2C portal, I can see an editable Employee Id field. This field would be very handy to store an internal company employee Id, but I would like to include this field as an output claim in the auth token.
I've read the various documentation about the user profile attributes that are available through the portal, etc (https://learn.microsoft.com/en-us/azure/active-directory-b2c/user-profile-attributes), but EmployeeId is not listed there.
Based on the documentation, I'm assuming EmployeeId is not available to custom policies, but I thought I would ask the question, anyway, to see if anyone has worked out a way to include the property as an output claim in the JWT auth token?
• Yes, you can surely include the ‘employeeId’ attribute claim in the Azure AD B2C custom policy as below to be included as an output claim in the authentication token. For that purpose, you will have to define the employee Id as a claim with the proper ‘DisplayName, DataType, UserHelpText, UserInputType’ wherein you will have to modify the ‘TrustFrameworkExtensions.xml’ as below: -
Then, add the claim to the user interface in the local account signup technical profile as below since you want the ‘employeeId’ attribute to be included as a field in the output claim under ‘LocalAccountSignupwithLogonEmail’: -
Once done, then use the ‘PersistedClaims’ to write data to the user profile and ‘OutputClaims’ to read data from the user profile within the respective Active Directory technical profiles as above. Then, include a claim in the token in the ‘SignuporSignin.xml’ file and that output claim will be added in the token after a successful user journey and then modify the technical profile element within the relying party section to add the ‘employeeId’ as an output claim as below: -
Once the above things are done, then you surely can upload the custom policy and test it through your web app for the ‘employeeID’ attribute.
For more information regarding this, kindly refer to the links below: -
https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-user-input?pivots=b2c-custom-policy
Custom policies Azure AD B2C issue with read the value Employee ID of user of Azure AD
To solve this, I ended up adding a REST API call, in the custom policy, that extracted EmployeeId via Graph API. Great suggestion by #juunas.
This works well, although it would be good if EmployeeId could be exposed as a claim without the REST call as I feel this adds a point of failure to the whole Sign Up/Sign In flow.
But it works.

B2C Built-In Policy, how to handle mandatory parameter differently for different Identity Provider (Local/Azure AD) Sign-in

I have created an Azure B2C Sign-In and Sign-Up policy as a Built-In policy, where I need to collect User First Name, Last Name and Country information.
The above built-in policy supports the two identity provider logins below:
We need the Country attribute information only when a local user signs up for the very first time. But as we have made Country a mandatory attribute, it is coming up for Azure AD users as well when they log in for the very first time, and we don't want to collect any country information for Azure AD user logins.
How can we handle this scenario, i.e. handle a mandatory attribute differently within a single Built-In policy?
I am not able to work out whether this will work using a custom policy or not, because users need to log in (either sign-in or sign-up) over the login page by using the above two Identity Providers.

Adding custom scopes programmatically to Azure B2C

I'm evaluating Azure B2C but can't work out whether it will be fit for the following scenario:
We have a single UI and a single Web API. The API has two scopes defined: read and write.
The UI has two types of users: standard and admin. When a user logs in and gets an access token they both get a read scope but only an admin user should get write.
From what I've read Azure B2C doesn't support group based application, but is it possible to hook in to the token generation (e.g. a Function) and add a custom scope programmatically? I was thinking that if I can call a Function then this could check something to see if they should have the write scope added.
Thanks
Scope or scp claims cannot be manipulated in B2C. However, you can use custom policies and add (in a base policy) and output (in your relying party policy) a roles claim type so that your web API can do role-based authorization (.NET Core sample here). You can fill the roles values from the output claims provided by any technical profile, which in turn can rely on any configured IdP (AAD or even REST APIs).

Custom policy with custom user attribute missing from JWT

Our solution requires a custom user attribute to be available for Graph API post/get operations and to be exposed with claims in the JWT for user sign-in.
I have configured a custom policy for Local Account.
The template files were downloaded from and the only change made is to add a new custom user attribute that is available for Azure AD read/write, persistent storage, and claims output.
I added the policy files to a public repo here:
https://github.com/frode/azure-ad-b2c/tree/master/LocalAccountSignIn
The extension_tenantId attribute becomes available for Graph API operations, setting value and retrieving it works fine, however the attribute is never exposed in the JWTs claims section as we intended.
Can User flows and custom policies be used together, or is the problem that we have defined a user flow with the same name as the custom policy?
/Frode
Was able to spot the issue in our configuration today.
src/Policies/LocalAccount/TrustFrameworkExtensions.xml was missing the IdentityExperienceFramework app registration & GUID value.
Regards
Frode
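For readers hitting the same symptom, the piece that was missing is the login-NonInteractive override in TrustFrameworkExtensions.xml, which is what lets the local-account sign-in step talk to the IdentityExperienceFramework application. The fragment below is an added example written for this page (not taken from Frode's repository or from Microsoft's starter pack as published); the two PLACEHOLDER values stand for the application (client) IDs of the IdentityExperienceFramework and ProxyIdentityExperienceFramework app registrations in the tenant.

```xml
<!-- Added example: the login-NonInteractive override that must exist in
     TrustFrameworkExtensions.xml. Replace the PLACEHOLDER values with the
     application (client) IDs from the tenant's App registrations blade. -->
<ClaimsProvider>
  <DisplayName>Local Account SignIn</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="login-NonInteractive">
      <Metadata>
        <!-- client_id: the ProxyIdentityExperienceFramework app registration -->
        <Item Key="client_id">ProxyIdentityExperienceFrameworkAppId-PLACEHOLDER</Item>
        <!-- IdTokenAudience: the IdentityExperienceFramework app registration -->
        <Item Key="IdTokenAudience">IdentityExperienceFrameworkAppId-PLACEHOLDER</Item>
      </Metadata>
      <InputClaims>
        <!-- The same two IDs are also passed as default input claims -->
        <InputClaim ClaimTypeReferenceId="client_id"
                    DefaultValue="ProxyIdentityExperienceFrameworkAppId-PLACEHOLDER" />
        <InputClaim ClaimTypeReferenceId="resource_id" PartnerClaimType="resource"
                    DefaultValue="IdentityExperienceFrameworkAppId-PLACEHOLDER" />
      </InputClaims>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
```

A quick check after uploading: run the policy from the portal with Application Insights or the "Run now" test and confirm the local-account sign-in completes before looking for the custom claim; if this profile's IDs are wrong or absent, the journey does not get as far as the AAD read step that emits extension attributes into the token.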

Custom role claim in Azure B2C Custom Policy

Is there any way to add a custom role attribute (that the user cannot edit) to a B2C custom policy?
I have found this and this resource that show how to add a custom attribute, but it seems they add attributes that the user can edit. I wish to have a custom role or admin attribute that only administrators of my app in Azure can edit inside the Azure B2C interface. I also want the attribute included in the jwt access token that is brought down when users log in.
I am specifically looking to define application roles which can be assigned and edited through the B2C interface and not classic Azure AD. I am under the impression that this can be done through custom policies though I may be mistaken.
It depends a lot on how you plan to assign roles to users in your system.
This answer summarizes three approaches you can potentially take. If you can enhance your question with what kind of roles are you looking for and how do you plan to assign them, you can get better responses.
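The roles-claim technique from the scopes answer earlier on this page, and the admin-only role attribute asked for here, can both be met with one pattern: an extension attribute that no user-facing technical profile ever lists as an input or persisted claim, read by the AAD read profile and emitted by the relying party policy under the claim name roles. The fragments below are an added example written for this page (not code from either answer or from Microsoft's starter pack); extension_appRole and the default value "user" are chosen for the example, the technical profile Ids are starter-pack names, and AAD-Common must separately carry the b2c-extensions-app ids (not repeated here).

```xml
<!-- Added example. extension_appRole is a placeholder attribute name chosen for
     this example; AAD-Common must also carry the b2c-extensions-app
     ApplicationObjectId and ClientId (omitted here). -->

<!-- TrustFrameworkExtensions.xml -->
<BuildingBlocks>
  <ClaimsSchema>
    <ClaimType Id="extension_appRole">
      <DisplayName>Application role</DisplayName>
      <DataType>string</DataType>
      <!-- No UserInputType on purpose: the claim is never rendered on a
           self-asserted (sign-up / profile-edit) page -->
    </ClaimType>
  </ClaimsSchema>
</BuildingBlocks>

<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>Azure Active Directory</DisplayName>
    <TechnicalProfiles>
      <!-- Read-only path: the role is fetched from the directory after the user
           has authenticated. Users who have no role assigned get "user". -->
      <TechnicalProfile Id="AAD-UserReadUsingObjectId">
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="extension_appRole" DefaultValue="user" />
        </OutputClaims>
      </TechnicalProfile>
      <!-- Deliberately NOT added to AAD-UserWriteUsingLogonEmail,
           AAD-UserWriteProfileUsingObjectId, LocalAccountSignUpWithLogonEmail or
           SelfAsserted-ProfileUpdate, so no step the user drives can set it. -->
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>

<!-- SignUpOrSignin.xml (relying party policy) -->
<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="OpenIdConnect" />
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
      <!-- Surface the attribute as the "roles" claim the API authorizes on -->
      <OutputClaim ClaimTypeReferenceId="extension_appRole" PartnerClaimType="roles" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="sub" />
  </TechnicalProfile>
</RelyingParty>
```

With this wiring the only way the value changes is through Graph API on the user object (the attribute appears there as extension_<extensions-app-id-without-dashes>_appRole), so whoever holds that Graph permission is the effective administrator of roles; the API consuming the token should still treat roles as authorization input from a trusted issuer and verify the token's signature, issuer and audience before honouring it.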
