I'm implementing Azure AD B2C in my public facing app and with this approach, new user registration is essentially taking place "outside" of my app on Azure.
How can I enforce users agreeing to my terms and conditions? In other words, I'd like there to be a checkbox and it must be mandatory for users to check it to proceed with the registration process. If the user doesn't check the checkbox, registration should not take place.
I understand through UI customization I can change the appearance of the registration page and there can be a highlighted statement that reads:
By clicking Register, you're agreeing to our terms and conditions.
I think it would be better if there was a mandatory checkbox though. Is this doable with Azure AD B2C?
UPDATE:
In Step 5, I'm not seeing "Custom Attributes" -- here's the screen shot:
UPDATE 2:
Not allowing me to save after uploading json file for override.
You can create a custom attribute that prompts for the end-user agreement.
E.g. Create a custom attribute called AgreedToTermsAndConditions of type String.
For built-in policies
To display this custom attribute as a checkbox that must be checked during sign-up:
In the Azure portal, open Azure AD B2C and then select Sign-up or sign-in policies.
In Sign-up or sign-in policies, select the sign-up or sign-in policy.
For the selected policy, select Edit.
In Edit policy, select Sign-up attributes.
In Select sign-up attributes, select the custom attribute and then select OK.
In Edit policy, select Page UI customization.
In Page UI customization, select Local account sign-up page.
In Local account sign-up page, select the sign-up attribute.
In Edit attribute, select No for Optional and CheckboxMultiSelect for User input type and then select OK.
In Local account sign-up page, select OK.
Repeat steps 7-10 for Social account sign-up page.
In Page UI customization, select OK.
In Edit policy, select Save.
In Edit policy, select Language customization.
In Language customization, select Enable language customization if it isn't already enabled.
In Language customization, select the default language.
For the selected language, expand Local account sign-up page and upload a resource file such as the following example.
Repeat step 16 for Social account sign-up page.
Repeat steps 16-18 for other enabled languages.
An example of the resource file:
{
"LocalizedCollections": [
{
"ElementType": "ClaimType",
"ElementId": "extension_AgreedToTermsAndConditions",
"TargetCollection": "Restriction",
"Override": true,
"Items": [
{
"Name": "I agree to your terms and conditions",
"Value": "True"
}
]
}
]
}
(Phew!)
You can also set the item value to a date string (e.g. "2018-04-01") or a version string (e.g. "v1") if you are wanting to store the date or version of the terms and conditions.
For custom policies
Updated on 23 May 2018
The Manage user access in Azure AD B2C article describes how you can prompt for the end-user agreement during sign-up and, subsequently, during sign-in if the end user hasn't accepted the latest or new terms and conditions.
Related
This is mostly playing around at the moment but I'm attempting to use Azure AD B2C as the login provider / user store for a website I'm working on.
I want to limit what users can access based on a user level.
At the moment, in order to handle this I have a database entry for UserLevel that stores the users OID, and an enum for the user level (admin, moderator, user etc) and then for page / api access I've set up a requirement that checks the authenticated user is in the UserLevel repository, and that their level matches, or exceeds the required level.
What I'm wondering is if there are any major problems with doing things this way / is there a better way to handle this.
You can use Custom Attributes to save all your User properties - it will act like DB columns in B2C.
How to create?
Navigate to the directory that contains your B2C tenant.
Choose All services in the top-left corner of the Azure portal, search for and select Azure AD B2C.
Select User attributes, and then select Add.
Provide a Name for the custom attribute (for example, UserLevel)
Choose a Data Type as String (Note that only String, Boolean, and Int are available).
Optionally, enter a Description for informational purposes.
Click Create.
The custom attribute is now available in the list of User attributes and for use in your user flows.
How to use in your User Flows?
In your Azure AD B2C tenant, select User flows.
Select your policy (for example, "B2C_1_SignupSignin") to open it.
Select User attributes and then select the custom attribute (for example, UserLevel). Click Save.
Select Application claims and then select the custom attribute.
Click Save.
You should now see UserLevel in the list of attributes collected during the sign-up journey, and see it in the token sent back to your application - based on which you will be able to identify the access you want to give to that user (instead of making another DB call which will increase latency).
I have created a set of new User Attributes and used them in my new User flow (Policy) in Azure AD B2C.
These attributes are of data type "Boolean" but when I run the user flow I get a textbox input instead of a checkbox.
Usually, I get the possibility to change it on the portal but now I can not find where to do so now.
Have anything changed?
Once the custom user attribute is added, go to page layout. In my case the attribute to add is on the local account registration page, you select where you have added it or want to add it.
Below you will have appeared the user attributes that that part of the flow has (yours should appear). From there you change the type of ticket, you can also change if it is optional or mandatory ...
Go to Azure AD B2C > User flows (policies) > Your user flow > Page layouts.
The User attributes section of the Page layouts page allows you to change the user input type.
I've created Sign up v2 user flow in B2C with multifactor authentication enabled.
Is it possible to filter the list of countries on the MFA page. I only want to allow registrations in AU (+61) and NZ (+64), so ideally all the other country options can be removed.
This can be achieved using Language Customization.
Go to SignupV2 userflow and click on "Languages" at the bottom in left blade.
Enable Language customization
Click configured tab, and then click English. A pane will open on the right
download defaults for Multifactor authentication at the bottom,
modify json element with string Id "countryList" to your desired list. set override = true
upload the defaults back run the user flow.
Learn more here https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-language-customization
I'm using an Azure B2C tenant to store users. At present I have to go through the graph API to retrieve the user details from my MVC application.
The annoying thing however is that the most of the details I'm interested in are already contained within the list of claims within the ClaimsPrincipal.Current object (in this case name, job title and email), so for the most part this call isn't actually needed. Department is the only one not included by default and is the only reason I'm making the call. In addition going through the graph API seems to slow things down enormously when running the site on Azure.
Is there any way of including the department in the claims list contained within the ClaimsPrincipal.Current object so I can skip the call to the graph API entirely?
If I understand your question, it sounds like you are asking how to include additional claims in the ID token returned by Azure AD B2C. The claims returned are configured on a per-policy basis.
Navigate to the B2C features blade on the Azure portal.
Click All policies.
Click your sign-up policy to open it. Click Edit at the top of the blade.
Click Application claims and select the attribute. (for example "Department") Click OK.
Click Sign-up attributes and make sure "Department" is one of the attributes collected from the user.
Click Save at the top of the blade.
Click "Run now" on the policy to verify the consumer experience. You can use "http://jwt.ms" as the redirect URI to inspect the token returned by Azure AD B2C. You should now see "Department" in the list of attributes collected during consumer sign-up, and see it in the token sent back to your application.
I have been building an Azure B2C Test System and have customised the login page as per the guide here. Is there any way to change the order of the Elements so that the Local Sign-in option is on the top or bottom?
Also is there a way to make a profile edit policy use the Sign-Up/Sign-In login page style? e.g. 3rd Party Identity Providers at the top and a email\username and password button at the bottom.
Here is how it currently Looks:
Identity Provider Order
The order in which the buttons for different identity providers are shown in Azure AD B2C is based on the order in which they are saved. If you select multiple identity providers and then save, they will be added in a seemingly random order. However, if you add one (say Facebook), save your changes to the policy, and then add another (say Google) and save. They will be displayed in that order. This also applies for the Local Accounts button in the policies that show such button.
In the case of Sign-up/Sign-in, the section for local accounts will always be displayed at the bottom and there is currently no way to control this via Azure AD B2C.
You can leverage hacky CSS to do flip these two sections, but beware that this is a hack and can break if at any time the html elements change.
div#api { display: table }
.social { display: table-footer-group }
.localaccount { display: table-header-group }
You should probably request this as a first class feature via the Azure AD B2C UserVoice forum