I have two sign-in policies residing in the same B2C tenant, one with MFA disabled and one with it enabled. I want the sign-in policy with MFA enabled to be used for step-up authentication i.e. if a user has already logged in with his username and password(via a policy), it should only prompt him for MFA not for his username and password once again.
The behavior I have observed is that sometimes the user is prompted to enter his credentials and sometimes he is only prompted to verify his phone number (roughly every alternate time). Is there something I can do to make sure the user is never prompted for username and password. (FYI both policies have the same Identity Providers, Claims and SSO/Token config)
Related
Azure B2C User Flow SignUp/SignIn with Email/Number.
Requirements:
SignUp with Email/Phone:
while signing up when user click for registration its shows already email/phone number exist but we are looking when user have already have email then it automatically move to login flow.
SignIn with Email/Phone:
while user click on the signin if user not exist then it automatically navigate to the signup page so user dont need to manuly go for signup
Forget Password with Email/Phone:
With the Email/Phone number signin/signup flow there is missing the reset password policy to change password and there is only showing the change phone number option.we need to reset the user password
There is missing the Cenel icon on the phone number signup flow.
I did reproduce your scenario and found that there is currently no prebuild option or system in user flow of Azure AD B2C that when user try to sign and if it has not already signup will redirect to signup page and vice versa.
Azure AD B2C offers various sign-up and sign-in options for users of your applications:
I did Configure my Azure AD B2C local accounts to allow sign-up and sign-in with using email address. There are also other ways with username, phone number, or a combination of methods.
For Forget Password with Email/Phone enable the self-server password under the properties of your created user flow.
Please follow this GIF for apply for Forget Password with email and attribute which I have set for my userflow.
I have shown the demo how my user flow is working please check this GIF as well.
I have redirected my webapp to https://vikashgaurav.com/portfolio/ after successful signing.
Reference : https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications?tabs=app-reg-ga
https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-sign-up-and-sign-in-policy?pivots=b2c-user-flow
My scenario is a public website, with authenticated access that is managed by AzureAdB2C, and the authentication is not embedded but on a subdomain style. In the authentication form I see that there's the option for password reset (for someone who forgets it) but my question is when the user is already authenticated and so outside Azure context, how can he ask for a password change?
Is there any endpoint or so (that would receive the email linked to the account)?
Thank you
Still not clear because you mention "fire the change/reset password flow?". Which is it or is it both?
If reset, you can use a custom policy. Just put the link to the policy on your page.
There are a number of password reset flows that may be of interest.
For change password, see here. Again, just put the policy link on the page.
Unsure if you would have to login again.
You can Configure password change using custom policies in Azure Active Directory B2C.
In Azure Active Directory B2C (Azure AD B2C), you can enable users who are signed in with a local account to change their password without having to prove their identity through email verification. The password change flow involves following steps:
The user signs in to their local account. If the session is still active, Azure AD B2C authorizes the user and skips to the next step.
The user verifies the Old password, and then creates and confirms the New password.
If the question is to reset the password because the user forgot it but is still logged in, I can imagine logging out the user and redirecting them to the login page where they can choose the reset password option.
EDIT:
The Azure AD B2C article Set up self-service password reset for your customers states that
This article applies to self-service password reset used in the context of the standard Sign in user flow, which uses Local Account SignIn as the identity provider. If you need fully customizable password reset user flows invoked from your app, see this article.
Somehow resetting your password with a password reset flow / custom policy while you're logged in and don't 'need' your current password feels weird.
I am looking for powershell script to create local account users in b2c along with authentication method as email for SSPR. Could some one please advise?
That is not how AAD B2C works (although AAD does). In AAD B2C, the User Flow, or User Journey (Custom Policy), dictate what and how the user will reset the password. The default payload to create a B2C user is sufficient for a user to be compatible with a journey that forces the user to validate their email for password reset.
This is because such a journey simply reads their sign in email address and enforces they verify it.
https://learn.microsoft.com/en-us/graph/api/user-post-users?view=graph-rest-1.0&tabs=http#example-2-create-a-user-with-social-and-local-account-identities
I have created a built in sign in user flow for users to sign in.
I am creating users thru power shell script where i have used ForceChangePasswordNextLogin to true. I was expecting users will be shown password change page when they login for the first time, but i always get "Password Expired" error.
Could anyone provide some inputs on this ?
While creating local accounts in B2C via Graph API/powershell, the forceChangePasswordNextSignIn property must be set to false. This is documented here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/manage-user-accounts-graph-api#password-profile-property. This generates a temporary password, which is marked as expired and requires the user to provide a new password. Since, in Azure AD B2C there is a different mechanism for resetting password (i.e. by using Password Reset User flows/Custom Policies), users don't get the option to reset the password and only get The password has expired. message. In B2C, administrator accounts cannot be used to reset password or set forceChangePasswordNextSignIn = true for consumer accounts.
As of now, the only possible way to require users to reset their passwords at first logon is by using custom policy: https://github.com/azure-ad-b2c/samples/tree/master/policies/force-password-reset-first-logon.
I have a web application that authenticates with my B2C tenant with MFA turned on at the Sign-In Policy level [at this point MFA is disabled at User Level] and the policy is configured to use "username" to login. The application works fine and the user is able to login ... What I am trying to accomplish is to have MFA at user level meaning only certain users will be able to use MFA while others will be able to login without MFA.
The problem that I am facing is, when I turn on MFA at User Level and turn off MFA at Sign-In Policy level
mfa at user level
after the first password authentication screen the redirect to multi factor authentication screen where it asks the user to send code to is failing. Instead it is going back to the first password authentication screen and seems to be in a loop. When both MFAs are turned off, it works fine with the password authentication and user is able to login to the application. When both are turned on, it’s the same behavior where it goes back to the first password screen in a loop. Am I missing something here, or is it even possible to do this
Azure AD B2C does not have out-of-the-box support for user-level MFA.
The UI you referenced is from enterprise Azure AD, and while it shows up for Azure AD B2C as well, as you've noticed, won't work.
The best approximation to what you are looking for is having two policies, one with MFA and one without MFA. You would have to implement your own mapping table and for users through the appropriate policy.