Would like users to sign-up without email verification(There is an option to disable this in B2C GUI) and an email should be sent with a link that users can click to activate the account. Doesn't look to be possible out of the box. Is there a way to accomplish this while also making sure that the email activation is secure and not prone to brute force attack?
These some example code here.
The repository also contains a good write-up "Implementing an invitation flow" which will help.
The security requirement is achieved by using a signed JWT to transfer the claims.
Related
We have below requirement:
We are creating B2C users (with random password) using Graph API from our Asp.Net Core Web API.
We want to send welcome email to the user along with some link so that user can directly launch the "Password Reset" page and then can login to his application after setting the password.
As per my research, Different Solutions and their cons:
User login and follow the forgot password journey from login but that's bit annoying for new users. How would they know that they have to follow forgot password journey on 1st login.
Implement "Forced to reset password on 1st Login" policy - but for this policy, user should know his initial password.
Using REST API - we can't use REST api in custom policy as we are creating user using Graph API.
Is there any better way to send email to user on creation(using graph API)?
Any help is much appreciated.
Thanks in advance,
Anu
You can send out an "invite" link via email after creating the account via Graph API, which, when the user opens from their inbox, they can use it to set a new password at AAD B2C, and are immediately logged in to the app once completed (or you can do other things in the journey if you like).
This uses the id_token_hint concept demonstrated here.
Using Azure AD B2C with 'Email' specified for the user id.
I've tested the 'Sign up' and 'Sign up v2' user flows in Azure AD B2C. Both of these require the user to verify their email address by sending/entering a verification code. I've enabled MFA for both of these flows, so the mobile number needs to get verified as well.
The product guys have asked if its possible for email verification to be done asynchronously e.g. an email getting sent to the user, but they can verify this (e.g. via a hyperlink in the email) in their own time without having to enter a verification code during the registration process. Is this possible?
FYI. I think the reasoning from the product guys is that MFA via SMS to their mobile is enough. Multiple verifications (i.e. for email AND mobile) is a bit too much in terms of the UX...
One potential solution.
It's possible to disable email verification:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-disable-ev
Can then do and then do external orchestration to send async email. When they click on the link, we can update the verification status via MS Graph API. Don't love this solution, but it's an option...
I am using Azure AD B2C as the authentication solution for a Dynamics CRM Portal application. So far, B2C allows customization of the sign-up experience, which i have done to customize the look and feel of the signup/signin page but I don't see any option to incorporate a CAPTCHA.
Is there any way of detecting and blocking robots during AD B2C Sign Up process ?
Other than reCAPTCHA, is there any other bot protection mechanism that can be used on the B2C Sign Up page ?
The email verification that, by default, is required during the sign-up process is meant to prevent bots from creating fake users.
As Javascript is not yet available using CAPTCHA would not be possible. Also the standard fallback for these services "iFrames" would also be stripped by the B2C UI. However it does use the standard AAD account lockout password policy
"After 10 unsuccessful sign-in attempts with the wrong password, the user is locked out for one minute. Further incorrect sign-in attempts lock out the user for increasing durations of time"
I would like to pre-register a limited number of users which can use my application.
This are the requirements:
Users should be able to reset their password on their own
No other users than the preregistered users can sign up
Ideally, the user can choose the login email address by himself (no #app.onmicrosoft.com login).
Now I'm having trouble to have all requirements fullfilled together.
I was able to preregister #app.onmicrosoft.com users in the Azure Portal. But since the user can't get emails on #app.onmicrosoft.com, a password-reset-policy would not make sense. I tried to specify alternate-email and a phonenumber in the user-profile, but unfortunately the password-reset-policy is not using it for verification.
Let's say I create a sign-up policy: This is nice - the user choose his own email. Password resetting would also work. However, I can't control who's signing up and getting valid access tokens. In the portal, under Enterprise Applications, I found my registered application (All Applications) where I can set an option "User assignment required?" to true. But this does not seem to work in the B2C context, right? I expected, that until I assign a user to this application, the user is not getting a token on sign-in, but this wasn't the case. Here I found a similar question about creating users. Any advice on creating users including passwords etc. using Microsoft Graph (since it's recommended to use it over Graph API)?
I also tried to invite users as guests. They have to create a microsoft account, resetting passwords would be solved through microsoft, but unfortunately, no redirect to microsoft login happens after entering the microsoft account email address.
Deleting the signup policy after initial registration is a bad option if more users have to be onboarded.
Ideally, I would like to preregister users as if they signed up by their own - but with no signup policy.
Any advice? What do I miss?
You can implement the activation/invitation scenario that is described here and implemented here.
This scenario activates/invites a new user by creating/pre-registering a local account in the Azure AD B2C directory through the Azure AD Graph and then sending a signed redemption link to the email address for this local account.
This redemption link directs the new user to the Password Reset policy.
Currently creating users in a B2C tenant with a "local account" is not supported in Microsoft Graph. For this you'll need to use Azure AD Graph for now (see creating a user with a local account). Please see this blog post for details and line item 12 in the table.
We hope to add this capability as soon as we can to Microsoft Graph.
Hope this helps,
I have a system where users are created in backoffice by admins(user with special role). Password reseting for users is also Admin's responsibility. This functionality is implemented using Graph API.
Users log in to their accounts using usernames(local account Id).
For this purposes I use B2C tenant with "sign-in" policy . The problem is that there is a password reset link => "Can’t access your account". By clicking on this link, users get Microsoft's out-of-the-box password reset process. I would like to delete this link to disable some extra actions, but I found no way for this.
1. Is it possible to delete "Can’t access your account" link in B2C sign-in policy?
B2C sign-in policy is not fully customizable. Microsoft site says that for the purposes of fully customize I need to use "sign-up or sign-in policy". But looks like I can not use local account id in "sign-up or sign-in policy".
2. Is it possible to use fully customizable UI without providing sign-up functionality to users? I mean is it possible to use sign-up or sign-in policy as a sign-in policy only with usernames(not emails)?
You can use a local account in sign-in-or-sign-up policy.
The fully customizable experience is within the sign-in or sign-up policy.
Everything is thoroughly described in the docu here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-ui-customization
There is even an excellent example here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-ui-customization-helper-tool
using the sign-in or sign-up policy you can not only remove the password reset link. But can also disable password reset from the policy itself.
With the basic Azure B2C I dont think you can control this, Azure B2C are just rolling out the ability to create custom sign in journeys which will allow you to change everything, call extra rest APIs , implement alternative IDP's
In the last few days my UI has changed and they have just released documentation on custom journeys so that is a good place to start
As an alternative and i dont know its possible you could try using a custom UI theme on the Signin policy and then use javascript to hide the link