I'm using Azure AD B2C for my ASP.NET project. I want to use Multi-Factor authentication. Normally, after the sign-up, the user is redirected to the page to verify his phone number. I want to change this flow, I want to enable multi-factor if the user choose in a custom dropdown attribute 'Notifications' SMS, the other options are Email/No.
How can I redirect to this Multi-Factor page/Enable Multi-Factor depending on a value of a custom attribute.
Well, fortunately, the Azure B2C is quite a flexible tool and does exactly what you're asking for. You're free to define custom policies, attributes and user flows (this one is in preview state though). For your case, if you're the one who manages the tenant, go to B2C instance and select 'User flows (preview)' blade. Create a User attribute beforehand. Configure the flow as necessary. Complete configuration by running the user flow. More on the issue can be found in quite exhausting MS article here.
Related
Does anybody know if and how can I use two (or more) user flows for user Sign Up from the same client application in Azure AD B2C? I want to be able to delegate to different signup flow based on the type of user that selected via the web application. One button "User Sign Up" and one button "Company Sign Up". How can I achieve the above functionality?
To support more than 1 Azure AD B2C user flow in a web app is pretty common. Keep in mind sign-in, sign-up, profile edit and more are all different user flows and are usually present in the same web app. In the same vein you can add any other flows that you want.
For implementation samples take a look to Azure Active Directory B2C code samples.
We are considering to start with the built-in user flows for our application in B2C. We want to benefit from the standard flows to register users, have forgotten password workflow in place, have MFA, etc...
However, as business requirements for our platform might (and will) change over time, it could be that the standard user flows are not enough and we might need to switch to custom policies over time.
Therefore, we'd like to know if it is possible to have a migration (export/import?) from the standard configured user flows at that moment, to the XML-based custom policies?
In the Azure Portal, go in to your B2C directory, select your user flow, and click the Download button at the top, it will download an XML file that contains the 'as is' definition of your user flow. You could later on use that for recreating the user flow, though there is no direct "import" option.
I am in the process of setting up Azure AD B2C and including an API connector in the profile creation. I use the policy Sign up and sign in from the user flows. Now I want to add a user attribute I created myself. This should not be visible under User attributes (the user should not fill this field himself) but should be filled by the API and returned under Application Claims and in the token. Is this possible with the user flows? Or is this currently only possible with the Custom policies under Identity Experience Framework?
Thanks for your answers
The way to do this with Azure AD B2C user flows would be to use JavaScript to hide the field so that is not visible to the user even though it is selected as an attribute in the user flow.
A similar approach is user to enable captcha while signing up as well in this sample - https://github.com/Azure-Samples/active-directory-b2c-dotnet-sign-up-user-flow-captcha.
Here is the official documentation for using JavaScript in user flows - https://learn.microsoft.com/en-us/azure/active-directory-b2c/javascript-and-page-layout.
I want to integrate Multi Factor Authentication (MFA) through Azure Active Directory (AD), I checked its documentation and some code samples, then I knew that Azure AD B2C have some of features which suits my requirement,
NOTE - I only need MFA feature from Azure AD B2C,
I tried this sample code provided in official docs, https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-tutorials-spa
But I have some of queries:
1) Is there any service in Azure B2C, which can directly provide MFA facility to integrate, without need to register users in Azure AD?
2) In Azure B2C, can I control user flow with information of my website? So that email and phone number will be of my website during user flow. (I am asking about this because according to my plan I am going to integrate it after login process in my website)
3) There are 3 types of account in Azure B2C, (Work account, Guest user, Consumer user), Which user type is most suitable? (I only need MFA for the user, and will require to manage users via Graph or any official API)
4) From where can I decide, which type of user will be registered? because the code which I have tried, doesn't mention about user type, (Actually I want to know that is there any param or option in user-flow, which can decide type of user, which will be registered through this flow)
Any help or suggestions will helpful for me,
Thanks in advance,
1. Is there any service in Azure B2C, which can directly provide MFA
facility to integrate, without need to register users in Azure AD?
Yes you can restrict new user to sign and sign up using MFA. For that need to enable MFA. Its global MFA for all.
See the screen shot below.
Note: You can also implement MFA for each individual user.
See the screen shot below for Individual MFA
Once you implement MFA you would be prompted to verify your phone
number like below
Note:
For Testing MFA Userflow need native application on application
drop down
See the screen shot below
2. In Azure B2C, can I control user flow with information of my
website? So that email and phone number will be of my website during
user flow. (I am asking about this because according to my plan I am
going to integrate it after login process in my website)
Yes you can customize your user flow. You can add new user flow according to yours.
To do that, Choose All services in the top-left corner of the Azure portal, and then search for and select Azure AD B2C
Then In the left menu, select User flows, and then select New user flow
See the screen shot below:
3. There are 3 types of account in Azure B2C, (Work account, Guest user, Consumer user), Which user type is most suitable? (I only need MFA for the user, and will require to manage users via Graph or any official API)
In short Work account has the more privileged in B2C tenant as the official document says. As consumer account cannot access some resource on portal. For accessing Microsoft Graph API Guest user has some restriction even on azure portal.
Note: As per your requirement I would suggest you to go with Work account which has some benefits while you would access Microsoft API
Though the account type mostly depend on your business needs but Work Account more useful comparing all aspect.
Let's say, If you want to add some user those who already registered some other organization but you need to add them in your particular application privilege. So need to add user as Guest privilege.
4. From where can I decide, which type of user will be registered?
Tough the question is bit confusing as I said earlier it would depend on your business needs. Work account usually best for tenant user. So when you feel within on your tenant if new user need to add so go with Work account. Once you specify your need it would definitely easier for you which kind of user you need to add. There is no such reference which can explain well upto to now.
Note: You could try adding all the user type to check how the user account behave using portal and accessing resources.
I have a system where users are created in backoffice by admins(user with special role). Password reseting for users is also Admin's responsibility. This functionality is implemented using Graph API.
Users log in to their accounts using usernames(local account Id).
For this purposes I use B2C tenant with "sign-in" policy . The problem is that there is a password reset link => "Can’t access your account". By clicking on this link, users get Microsoft's out-of-the-box password reset process. I would like to delete this link to disable some extra actions, but I found no way for this.
1. Is it possible to delete "Can’t access your account" link in B2C sign-in policy?
B2C sign-in policy is not fully customizable. Microsoft site says that for the purposes of fully customize I need to use "sign-up or sign-in policy". But looks like I can not use local account id in "sign-up or sign-in policy".
2. Is it possible to use fully customizable UI without providing sign-up functionality to users? I mean is it possible to use sign-up or sign-in policy as a sign-in policy only with usernames(not emails)?
You can use a local account in sign-in-or-sign-up policy.
The fully customizable experience is within the sign-in or sign-up policy.
Everything is thoroughly described in the docu here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-ui-customization
There is even an excellent example here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-ui-customization-helper-tool
using the sign-in or sign-up policy you can not only remove the password reset link. But can also disable password reset from the policy itself.
With the basic Azure B2C I dont think you can control this, Azure B2C are just rolling out the ability to create custom sign in journeys which will allow you to change everything, call extra rest APIs , implement alternative IDP's
In the last few days my UI has changed and they have just released documentation on custom journeys so that is a good place to start
As an alternative and i dont know its possible you could try using a custom UI theme on the Signin policy and then use javascript to hide the link