We have a scenario where we need to integrate Azure B2C with one of our existing system, where the email is not a mandatory user field, we have only the mobile number of the user as a mandatory field. I am looking for ways to integrate azure B2C where i can give a username and an initial password for the first time, instead of email. And all the password reset scenarios will have to go through OTP or email, where it will be a users choice to give email to reset the password.
We are able to create the user through Graph API initially, but
stuck with creating a user-flow where it will ask the username and password instead of email and password.
You can choose Username as local account types when configuring identity providers for Azure AD B2C in the Azure portal. In your Azure AD B2C tenant, select Identity providers, select Local account, and then select Username.
Then you need to select Local Account again in your user flow.
Related
I am setting up a new Azure AD B2C directory with standard sign-in user policy. I plan to have the user accounts created by an administrator so sign-up policy is not required. My issue is that I want to return the email address created for a user account however when I test the user flow the email address is the only claim that's missing. Is there are reason for this and a way around it?
Test user account with email address populated.
IDP settings
User flow application claims settings
Claims return when testing user flow
B2C built-in user flow mainly collects the email addresses from 2 positions of the local account.
One is otherMails (Microsoft Grpah) / Alternate email(Azure Portal).
The other is the identity whose signInType is emailAddress (Microsoft Graph).
So if your local account is signed up with "User ID" option, there is no identity whose signInType is emailAddress. And if the otherMails (Microsoft Grpah) / Alternate email is also not set, there won't be any emails claim in the token.
Please update the properties I mentioned (otherMails / Alternate email or use email address to sign up / add an identity whose signInType is emailAddress using Microsoft Graph) to make them be included in the token.
I'm writing an app that authenticates with Azure B2C.
For each user that I want to authenticate, do I need to add them as a guest user in my B2C portal?
Or is there a setting that will allow my app to authenticate anyone, without having to add them as a guest user in the portal?
Adding them as guests won't allow them to authenticate.
Please see the Overview of user accounts in Azure Active Directory B2C.
Consumer account can be used for B2C authentication. But Guest account is different from Consumer account.
You can sign up external users to B2C to enable them to log in. This is exactly what B2C should do.
If you don't want to sign them up to B2C as the local account, you can Add an identity provider to your Azure Active Directory B2C tenant.
Select the corresponding idp, for example, if your external user is AAD user, you need to Set up sign-in for a specific Azure Active Directory organization; if your external user is Google account, you should Set up sign-up and sign-in with a Google account.
After you configure this, there will be additional sign-in button for those idps. You can sign in your external user directly without sign-up.
Just to amplify #AllenWu:
If you create a guest user on B2C, you are creating an admin. user of that portal.
You are not creating a user.
B2C can handle millions of customers so you don't want any help desk involvement.
So B2C has user self-service registration, self-service password reset etc.
Once they have done that, the user can sign in.
I have a requirement where we want the users to use their social accounts to login into our application (i.e. get an ID Token) through Azure B2C. I configured the Identity Provider and create a user flow for Sign in only. We don't want Users to Sign Up because that through Invitation only. When I use the "Invite User" to the live.com account and the user accepts the invitation and tries to login into the application, I get the below error.
AADB2C99002 User does not exist. Please sign up before you can sign in.
But the user is existing as a Guest User.
When I allow Sign up and the user actually does the Sign-up and then login in, it works.
Questions:
Why isn't the Guest User allowed to access the application? What needs to be done for the same to work?
If it's not possible, I don't want the user to be a "member" to avoid maintaining their credentials. I want the users to use their social accounts only.
As I don't have the requirement of self sign-up and the only invitation-based, how do I achieve my requirement?
Thanks,
Neel
Please see the Overview of user accounts in Azure Active Directory B2C.
Guest account - A guest account can only be a Microsoft account or an Azure Active Directory user that can be used to access applications
or manage tenants.
Consumer account - A consumer account is used by a user of the applications you've registered with Azure AD B2C. Consumer accounts
can be created by:
The user going through a sign-up user flow in an Azure AD B2C application
Using Microsoft Graph API
Using the Azure portal
Guest account is specifically distinguished from Consumer account. So Guest user can't sign into B2C application directly.
Your three questions are actually the same question: How to log in a social account without managing its credentials?
Please refer to Add an identity provider to your Azure Active Directory B2C tenant.
In order to let live.com account sign in, you need to Set up sign-in with a Microsoft account using Azure Active Directory B2C. Choose the policy type (User flow or Custom policy) you want to find the corresponding steps.
If you need your customers from other social idps such as Facebook, Google and so on, you can find the corresponding article on the left.
I am looking for powershell script to create local account users in b2c along with authentication method as email for SSPR. Could some one please advise?
That is not how AAD B2C works (although AAD does). In AAD B2C, the User Flow, or User Journey (Custom Policy), dictate what and how the user will reset the password. The default payload to create a B2C user is sufficient for a user to be compatible with a journey that forces the user to validate their email for password reset.
This is because such a journey simply reads their sign in email address and enforces they verify it.
https://learn.microsoft.com/en-us/graph/api/user-post-users?view=graph-rest-1.0&tabs=http#example-2-create-a-user-with-social-and-local-account-identities
I am having an issue authenticating users for a external, non-cloud ASP.NET application that is going to be secured via our B2C tenant using a simple username (i.e. not email address).
I have imported the usernames to B2C using the Graph API and set the SignInName type to be "userName" on each account. The Azure AD B2C Identity Provider is set to "Username" and I have created a sign-in policy where the identity provider is set to "Local Account SignIn" and tied it to my B2C application. If I click the "Run Now" button on the policy, it takes me to the Azure login screen and I can enter one of the imported usernames/passwords and it authenticates and routes me to the application URL. This is the desired behavior.
HOWEVER, if when I execute my external app I get transferred to the Azure B2C login screen as expected, but it requires me to enter either a valid email address or telephone number. It will not allow the local B2C username. Seems something is disconnected in the sign-in policy for the application.
Can anyone offer a suggestion why the login page will not accept the simple username?
I guees this is a bit late? perhas other are looking for this.
Azure AD B2C can be use email OR localAccount for authentication. You need to set the "identity providers" to localAccounts:
Note: in odrer to create local accounts you need to set "creationType": "LocalAccount" in the JSON to create local account users.