I'm using Azure AD B2C and we've been presented with a preference/requirement from our product team to allow users to sign up/in using either an email address OR a mobile phone number as the user id.
Currently the built in flows only allow email or username as the user id. There's strong evidence to suggest that we could create a custom policy to allow for mobile phone number, but what I need is the ability to sign up/in using either email address OR mobile phone number.
It seems like I'm not the only one requesting this functionality. https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/15334314-phone-number-sign-up?page=2&per_page=20
Just wondering if there's a way to achieve this using custom policies, and if so; any demos/links that explain how to do this...
[Edit]
User journeys
Web app sign-up:
User enters email or mobile
MFA to email or mobile (whichever was entered)
Authenticate code sent to user
Set password.
IDP done
Back in app, might capture email or mobile (whichever was not captured in IDP) and update B2C via MS Graph API.
Native mobile app sign-up:
User enters mobile
MFA to mobile
Authenticate code
Set password.
IDP done
Back in app, might capture email and update B2C via MS Graph API
Web app sign-in:
Sign in using either (mobile or email) and password.
Native mobile app sign-up:
Sign in using mobile and password.
Use refresh token most of the time instead of explicit sign-in.
You are able to implement this with two custom policies:
A sign-up or sign-in policy that allows sign-up for a local account using a phone number and sign-in for a local account using an e-mail address or a phone number.
A linking policy that allows linking of an e-mail address to a local account that has been registered using a phone number.
I've published the following custom policy samples to this GitHub repository:
phone_sign_up_any_sign_in: Sign-up for a local account using a phone number. The end user is prompted for verification of the phone number. An e-mail address can be linked to the local account using the email_linking policy. Sign-in for a local account using an e-mail address or a phone number. If the e-mail address hasn't been verified, then the end user is prompted for verification of the e-mail address. If the phone number hasn't been verified, then the end user is prompted for verification of the phone number.
email_linking: Linking of an e-mail address to a local account that has been registered using a phone number. The end user is prompted for verification of the e-mail address.
Related
I am struggling to get my head around how to implement a custom policy for the following flow:
User lands on the login page and that login page only contains an email input.
User enters email address and clicks continue
if user has already registered
Redirected to their selected login provider (Google, Microsoft Account or Local Account)
if user has not registered before
Check google provider if a user account exists for that email address
if Google account exists
Redirect to Google login
Check Microsoft provider if a user account exists for that email address
if Microsoft account exists
Redirect to Microsoft login
else
Redirect to registration screen
User completes registration screen
User is automatically logged in
The user
I've investigated whether this can in fact be done and I've found a "digital workspace for visual collaboration" (a.k.a Mural.co) that does in fact implement a similar flow, so this has to be possible. See the pictures below.
I'm, however, unable to find information on
how to query the social providers for account existence
how to go about creating this complex type of flow in Azure AD B2C custom policies.
Any pointers in the right direction would be greatly appreciated
Not possible. Nobody would allow you to probe a social IdP for an email. Data protection etc.
Reference our samples and wiki
Your sign up would be from our default sign up journey.
Your sign in flow could work like this:
Request for email
Read the directory to see if an email exists
If email exists, send the user to the IdP they used to sign up. You can do that by looking at the “issuers” registered on the userIdentity object,
If email doesn’t exist, send the user to the combined sign in and sign up page (technical profile) where they can sign in with social or sign up with a local account. Hide the sign in elements with CSS.
Is there a way to create a link/URL that directs to the password reset policy, but skips the email verification part (directly to entering the new password), by implanting some kind of token to the URL?
e.g. https://mycompany.b2clogin.com/mycompany.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_password_reset&client_id=...&email=myemail#gmail.com&signature=....
(By verifying the signature field, the user flow will let me skip email verification, and use the email from the email field instead).
The reason I need it, is because as part of a migration process from an old system that doesn't use Azure B2C to a new system that does, we want to migrate users by creating an Azure AD B2C account for them via Graph API with an obscure password, and then send them an email that would direct them to the password reset policy.
Once they click on the link that was sent to their email, it would be redundant to ask them to insert and verify their email.
Is what I'm asking possible?
You are able to send claims, such as the e-mail address for an end user, to a custom policy using a signed token.
An example of this can be found in the Azure AD B2C samples.
Using Azure AD B2C with 'Email' specified for the user id.
I've tested the 'Sign up' and 'Sign up v2' user flows in Azure AD B2C. Both of these require the user to verify their email address by sending/entering a verification code. I've enabled MFA for both of these flows, so the mobile number needs to get verified as well.
The product guys have asked if its possible for email verification to be done asynchronously e.g. an email getting sent to the user, but they can verify this (e.g. via a hyperlink in the email) in their own time without having to enter a verification code during the registration process. Is this possible?
FYI. I think the reasoning from the product guys is that MFA via SMS to their mobile is enough. Multiple verifications (i.e. for email AND mobile) is a bit too much in terms of the UX...
One potential solution.
It's possible to disable email verification:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-disable-ev
Can then do and then do external orchestration to send async email. When they click on the link, we can update the verification status via MS Graph API. Don't love this solution, but it's an option...
I created a password reset policy and I am using username for the identity provider for local account.
The password reset screen asking for username and email address.
What if I know someone's username but to use a different email to receive the verification code then I will be able to access someone else's account.
I saw it used to have a check box for password reset to use "Alternate Email Address" which is much secure to allow the user input a one. But I can't find to use "Alternate Email address" in password reset policy.
Does anyone know where to set it?
What if I know someone's username but to use a different email to
receive the verification code then I will be able to access someone
else's account.
Both the username and the email address must match the entries on the account. If a user uses a different email address, they will be shown an error message indicating that the account could not be found. Email verification is done before the account is looked up to minimize the chance of a malicious user trying out different email addresses for an account.
Alternate email address is not supported in Azure AD B2C because an alternate email address is not collected when the user signs up.
The admin UI that you have pasted in your question is for the enterprise directory and does not apply to Azure AD B2C. Azure AD B2C policies can only be configured using the Azure AD B2C settings blades in the Azure Portal.
I want to know how to setup Microsoft Azure Active Directory (AAD) to support login with email & password on mobile app. The email could be any email (google, apple, custom domain, etc) and I will generate the 4 digits password for each user.
But when using AAD, I can only add microsoft account, and when I try to add 3rd email (via csv file), AAD generate another microsoft email base on the custom domain I've added and the 3rd email is consider as external email.
=> Can I use 3rd email to login?
=> Since the password for each user is generate by AAD, So I want to pre-set password with my own 4 digits number. Can I do that? Does AAD provide any method that I can change all password for users
Take a look at Azure Active Directory B2C. It supports SSO scenarios where users sign in with their non-microsoft social media accounts, or create custom logins.
The Set-MsolUserPassword PowerShell cmdlet can be used to set user passwords, but this will not work for Microsoft and social media accounts.