Is there any way to change the content of the SMS that user receives to his/her phone for verification code to login as a MFA in Azure AD B2C custom policies?
Related
I'm interested in whether I can configure both methods of 2FA for my app in B2C? So that a user can then choose how he wants to sign in: with MFA via SMS or via authenticator app
I'm writing an app that authenticates with Azure B2C.
For each user that I want to authenticate, do I need to add them as a guest user in my B2C portal?
Or is there a setting that will allow my app to authenticate anyone, without having to add them as a guest user in the portal?
Adding them as guests won't allow them to authenticate.
Please see the Overview of user accounts in Azure Active Directory B2C.
A consumer account can be used for B2C authentication, but a guest account is different from a consumer account.
You can sign up external users to B2C to enable them to log in. This is exactly what B2C should do.
If you don't want to sign them up to B2C as the local account, you can Add an identity provider to your Azure Active Directory B2C tenant.
Select the corresponding idp, for example, if your external user is AAD user, you need to Set up sign-in for a specific Azure Active Directory organization; if your external user is Google account, you should Set up sign-up and sign-in with a Google account.
After you configure this, there will be an additional sign-in button for those IdPs. Your external users can sign in directly without signing up.
Just to amplify #AllenWu:
If you create a guest user on B2C, you are creating an admin user of that portal.
You are not creating a user.
B2C can handle millions of customers so you don't want any help desk involvement.
So B2C has user self-service registration, self-service password reset etc.
Once they have done that, the user can sign in.
Working on a situation where the B2C user registration does not use the B2C sign-up flow. Here the users sign up/register on the organization's website, an Azure Function running on the organization's Azure tenant picks up on the registration and then sends the user a notification email. The user clicks on a "Confirm your account" link in the email; this action enables the account and redirects the user to the organization's B2C app to sign in. It was observed for a few days that signing into the B2C app after the account had been enabled experienced delays, but it was random and is no longer occurring.
Is there any idea what might have caused this, please?
We have a requirement wherein we need to send SMS using AAD B2C. We are not using AAD B2C pages. We understand that by using custom policies we can use the SMS feature, but how do we return control to the application after SMS generation and validation is done by AAD B2C? The UI is rendered by the application.
Please help.
AAD B2C does not provide capabilities to use SMS via an API. You must use the AAD B2C pages to perform MFA or Email verification.
I have set up Azure B2C as an IdP to an application that uses SAML 2.0 for federation. Currently, the user journey takes the user to the sign-in page where they can sign in with a B2C local account. The problem is I have federated users in the B2C tenant as well and these will of course have no passwords in B2C.
When the service provider redirects the user to B2C (IdP) to authenticate, is it possible to have a ClaimsProviderSelection (button) for Azure AD (or any social IdP) on the sign-in page so that the user can authenticate with a federated Azure AD account or a social provider account instead of just a B2C local account? My thought is this "double federation" is not possible/supported.
What are my options?
I think I've misunderstood the issue, but if you just add social providers and/or AAD and configure your user journey for those providers, they will appear as selectable IdPs. See here - https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-add-identity-providers
Unless you mean 'account linking', which is fully supported. See https://github.com/Azure-Samples/active-directory-b2c-advanced-policies/tree/master/account-linking.
The problem I had was figuring out how to link a policy I had created for sign-in using Azure AD as IdP with another I created for SAML.
I was able to resolve this by creating a custom policy sign-up/sign-in user flow (call this SignUpOrSignInPolicyA) with Azure AD federation (I had initially only used the built-in sign-in and sign-up flow with the Azure AD IdP). Then in the custom policy for the sign-up/sign-in user flow that uses SAML (call this SignUpOrSignInPolicyB), I added a user journey from the previous policy and also referenced it in the RelyingParty tags. Something like this:
<UserJourneys>
  <!-- Journey copied from SignUpOrSignInPolicyA; it includes the Azure AD claims provider -->
  <UserJourney Id="SignUpOrSignInPolicyA">
    ...
  </UserJourney>
</UserJourneys>
<RelyingParty>
  <!-- ReferenceId must match the UserJourney Id above exactly -->
  <DefaultUserJourney ReferenceId="SignUpOrSignInPolicyA" />
  ...
</RelyingParty>
So after being redirected from the SAML app to B2C for authentication, I am now able to use Azure AD federation instead of just a local account.
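For context, here is an added example (not the poster's own policy) of what a complete SAML relying-party file following this pattern looks like: the RelyingParty points its DefaultUserJourney at the Azure AD federation journey, which is assumed to be defined in the inherited TrustFrameworkExtensions file. The tenant name, policy IDs, journey Id and claim names are placeholders.

```xml
<!-- Added example, not from the original post. Placeholders: yourtenant,
     B2C_1A_signup_signin_saml, B2C_1A_TrustFrameworkExtensions, SignUpOrSignInPolicyA. -->
<TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
  PolicySchemaVersion="0.3.0.0"
  TenantId="yourtenant.onmicrosoft.com"
  PolicyId="B2C_1A_signup_signin_saml"
  PublicPolicyUri="http://yourtenant.onmicrosoft.com/B2C_1A_signup_signin_saml">

  <!-- Inherit the extensions file where the Azure AD claims provider and the
       SignUpOrSignInPolicyA journey are assumed to be defined. -->
  <BasePolicy>
    <TenantId>yourtenant.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>
  </BasePolicy>

  <RelyingParty>
    <!-- Must match the UserJourney Id exactly, otherwise policy upload fails. -->
    <DefaultUserJourney ReferenceId="SignUpOrSignInPolicyA" />
    <TechnicalProfile Id="PolicyProfile">
      <DisplayName>PolicyProfile</DisplayName>
      <!-- SAML2 here (instead of OpenIdConnect) is what makes this an IdP for a SAML SP -->
      <Protocol Name="SAML2" />
      <Metadata>
        <!-- Entity ID the SAML service provider is configured to trust -->
        <Item Key="IssuerUri">https://yourtenant.b2clogin.com/yourtenant.onmicrosoft.com/B2C_1A_signup_signin_saml</Item>
      </Metadata>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="displayName" />
        <OutputClaim ClaimTypeReferenceId="email" />
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
        <!-- Lets the SP see whether the user came in via a local account or Azure AD -->
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="localAccount" />
      </OutputClaims>
      <!-- Use the immutable objectId, not email, as the SAML subject -->
      <SubjectNamingInfo ClaimType="objectId" ExcludeAsClaim="true" />
    </TechnicalProfile>
  </RelyingParty>
</TrustFrameworkPolicy>
```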