Using Azure AD B2C with 'Email' specified for the user id.
I've tested the 'Sign up' and 'Sign up v2' user flows in Azure AD B2C. Both of these require the user to verify their email address by sending/entering a verification code. I've enabled MFA for both of these flows, so the mobile number needs to get verified as well.
The product guys have asked if its possible for email verification to be done asynchronously e.g. an email getting sent to the user, but they can verify this (e.g. via a hyperlink in the email) in their own time without having to enter a verification code during the registration process. Is this possible?
FYI. I think the reasoning from the product guys is that MFA via SMS to their mobile is enough. Multiple verifications (i.e. for email AND mobile) is a bit too much in terms of the UX...
One potential solution.
It's possible to disable email verification:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-disable-ev
Can then do and then do external orchestration to send async email. When they click on the link, we can update the verification status via MS Graph API. Don't love this solution, but it's an option...
Related
I'm working on an integration with the DocuSign API. I want the users to log in to my app and then initiate the signing process from there. The users must not have a DocuSign account, they should be able to sign without log in to DocuSign. As I understand the JWT Grant flow is the best choice for this scenario by impersonating a system user and create envelopes and recipient view requests for the users who will sign. Please, correct me if I'm doing this wrong.
Many companies who offer electronic signature services also offer authentication services. For example OTP via email, SMS or some other eID. I would like that if the user could authenticate with DocuSign first before accessing my application. I haven't find a service like that at DocuSign. Is there a way to authenticate users without DocuSign accounts for my application with their service?
You first write:
The users must not have a DocuSign account
You later write:
I would like that if the user could authenticate with DocuSign first
before accessing my application
These two statement conflict. You can only authenticate if you have an account.
However, if what you mean is just get an SMS text there are two features you can use:
Send with SMS - sending the SMS as the means of obtaining a signature from user. User doesn't have to have an account with DocuSign.
SMS authentication - envelope is sent via email, SMS is used as a second factor auth. User doesn't have to have an account with DocuSign.
JWT or Auth Code Grant can either be used for the one user/account that does have the ability to send envelopes from DocuSign. Either one would work.
We have below requirement:
We are creating B2C users (with random password) using Graph API from our Asp.Net Core Web API.
We want to send welcome email to the user along with some link so that user can directly launch the "Password Reset" page and then can login to his application after setting the password.
As per my research, Different Solutions and their cons:
User login and follow the forgot password journey from login but that's bit annoying for new users. How would they know that they have to follow forgot password journey on 1st login.
Implement "Forced to reset password on 1st Login" policy - but for this policy, user should know his initial password.
Using REST API - we can't use REST api in custom policy as we are creating user using Graph API.
Is there any better way to send email to user on creation(using graph API)?
Any help is much appreciated.
Thanks in advance,
Anu
You can send out an "invite" link via email after creating the account via Graph API, which, when the user opens from their inbox, they can use it to set a new password at AAD B2C, and are immediately logged in to the app once completed (or you can do other things in the journey if you like).
This uses the id_token_hint concept demonstrated here.
I am struggling to get my head around how to implement a custom policy for the following flow:
User lands on the login page and that login page only contains an email input.
User enters email address and clicks continue
if user has already registered
Redirected to their selected login provider (Google, Microsoft Account or Local Account)
if user has not registered before
Check google provider if a user account exists for that email address
if Google account exists
Redirect to Google login
Check Microsoft provider if a user account exists for that email address
if Microsoft account exists
Redirect to Microsoft login
else
Redirect to registration screen
User completes registration screen
User is automatically logged in
The user
I've investigated whether this can in fact be done and I've found a "digital workspace for visual collaboration" (a.k.a Mural.co) that does in fact implement a similar flow, so this has to be possible. See the pictures below.
I'm, however, unable to find information on
how to query the social providers for account existence
how to go about creating this complex type of flow in Azure AD B2C custom policies.
Any pointers in the right direction would be greatly appreciated
Not possible. Nobody would allow you to probe a social IdP for an email. Data protection etc.
Reference our samples and wiki
Your sign up would be from our default sign up journey.
Your sign in flow could work like this:
Request for email
Read the directory to see if an email exists
If email exists, send the user to the IdP they used to sign up. You can do that by looking at the “issuers” registered on the userIdentity object,
If email doesn’t exist, send the user to the combined sign in and sign up page (technical profile) where they can sign in with social or sign up with a local account. Hide the sign in elements with CSS.
Is there a way to create a link/URL that directs to the password reset policy, but skips the email verification part (directly to entering the new password), by implanting some kind of token to the URL?
e.g. https://mycompany.b2clogin.com/mycompany.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_password_reset&client_id=...&email=myemail#gmail.com&signature=....
(By verifying the signature field, the user flow will let me skip email verification, and use the email from the email field instead).
The reason I need it, is because as part of a migration process from an old system that doesn't use Azure B2C to a new system that does, we want to migrate users by creating an Azure AD B2C account for them via Graph API with an obscure password, and then send them an email that would direct them to the password reset policy.
Once they click on the link that was sent to their email, it would be redundant to ask them to insert and verify their email.
Is what I'm asking possible?
You are able to send claims, such as the e-mail address for an end user, to a custom policy using a signed token.
An example of this can be found in the Azure AD B2C samples.
I'm using an Azure AD B2C policy where I'm requiring users to verify their email addresses with a verification code.
Is there a way to check the activity on whether or not this verification code email was sent to the user that is signing up?
There are no diagnostics around the verification code email. The verification code email should be sent every time as per your policy. You can request a feature for diagnostics or something like that in the Azure AD B2C feedback forum
In some cases, emails will get routed to the user's spam mail or the company might be filtering out the emails completely. If you're seeing users from a given company consistently not receive the email, you should get some confirmation from Microsoft that the email was sent by opening a support ticket.