Obtain email address of Foursquare developer account - foursquare

I have the client id/secret, but not the email address that was used to create the app in the developer portal. This is preventing me from verifying the account in order to address the recent rate limit policies. Is there something I can do to learn this email address and then use the reset password option?

Related

Does Azure B2C identity provider return verified email address?

I have a web site that is using AAD B2C username/password authentication and stores the customer profile in a proprietary database.
We want to add additional identity providers to allow social sign-in as described in
https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-identity-provider.
We are not sure whether we can trust the provider that the logged-in user owns the email address returned by the provider.
For example, assume that we have in our database ValidCustomer#gmail.com account.
A hacker knows the email address and creates a new account ValidCustomer#gmail.com in Facebook. The account will exist in Facebook, but will not be verified, because the hacker doesn’t have access to the Gmail account.
Then the hacker will try to log in to our site via Facebook.
Will Facebook (or another identity provider) return the unverified email address as a claim for the authenticated user?
If yes, can we use any claim returned by the identity provider to tell whether the email address is verified or not?
Is there any general claim/rule in the B2C AAD protocol to check whether the email address is verified, or do we have to review each provider's policy individually?
Is it possible that today the provider guarantees a verified email address, but tomorrow will change their policy and will not verify the email address?
By default B2C will trust the claims sent by the identity provider. You would need custom policies to add a verification step for the email address. Sadly each provider is unique in these things. There is no standard claim for "email is verified".
But why is this important for you?
As long as you identify the user in your application by their object ID (and not the email), they will be separate users.
Even if the attacker manages to sign up through a social identity provider with the same email address, a new user entity is created in B2C, and will have a different object ID, thus not matching a user on your app side.
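The answer's point about keying on the object ID rather than the email, as an added example that is not part of the original answer. The claims, the in-memory store and the function names are constructed, and the claim names `oid`, `emails` and `idp` are assumed to be what the policy emits.

```python
# Constructed, already-validated token claims. Assumption: the policy emits
# "oid" (B2C object ID), "emails" and, for social sign-ins, "idp".
LOCAL_SIGNIN = {"oid": "11111111-aaaa-4000-8000-000000000001",
                "emails": ["valid.customer@example.com"]}
SOCIAL_SIGNIN = {"oid": "22222222-bbbb-4000-8000-000000000002",
                 "emails": ["Valid.Customer@example.com"], "idp": "facebook.com"}


class ProfileStore:
    """Hypothetical in-memory stand-in for the site's customer database."""

    def __init__(self):
        self.profiles = []

    def create(self, oid, email):
        profile = {"id": len(self.profiles) + 1, "oid": oid, "email": email.lower()}
        self.profiles.append(profile)
        return profile

    def find(self, key, value):
        return next((p for p in self.profiles if p[key] == value), None)


def resolve_by_email(store, claims):
    """Risky: any sign-in carrying a matching email claim gets the existing profile."""
    email = claims["emails"][0].lower()
    return store.find("email", email) or store.create(claims["oid"], email)


def resolve_by_oid(store, claims):
    """Keyed on the object ID; the email is stored as an attribute, never as the key."""
    oid = claims.get("oid")
    if not oid:
        raise ValueError("token carries no object ID claim")
    return store.find("oid", oid) or store.create(oid, claims["emails"][0])


def same_profile(resolver):
    """Sign in locally, then socially with the same email; report whether they collide."""
    store = ProfileStore()
    first = resolver(store, LOCAL_SIGNIN)
    second = resolver(store, SOCIAL_SIGNIN)
    return first["id"] == second["id"]


if __name__ == "__main__":
    print("email key collides:", same_profile(resolve_by_email))
    print("oid key collides:  ", same_profile(resolve_by_oid))
```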

Azure AD B2C - sign up/in using email OR mobile

I'm using Azure AD B2C and we've been presented with a preference/requirement from our product team to allow users to sign up/in using either an email address OR a mobile phone number as the user id.
Currently the built in flows only allow email or username as the user id. There's strong evidence to suggest that we could create a custom policy to allow for mobile phone number, but what I need is the ability to sign up/in using either email address OR mobile phone number.
It seems like I'm not the only one requesting this functionality. https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/15334314-phone-number-sign-up?page=2&per_page=20
Just wondering if there's a way to achieve this using custom policies, and if so; any demos/links that explain how to do this...
[Edit]
User journeys

Web app sign-up:
- User enters email or mobile
- MFA to email or mobile (whichever was entered)
- Authenticate code sent to user
- Set password.
- IDP done
- Back in app, might capture email or mobile (whichever was not captured in IDP) and update B2C via MS Graph API.

Native mobile app sign-up:
- User enters mobile
- MFA to mobile
- Authenticate code
- Set password.
- IDP done
- Back in app, might capture email and update B2C via MS Graph API

Web app sign-in:
- Sign in using either (mobile or email) and password.

Native mobile app sign-up:
- Sign in using mobile and password.
- Use refresh token most of the time instead of explicit sign-in.
You are able to implement this with two custom policies:
- A sign-up or sign-in policy that allows sign-up for a local account using a phone number and sign-in for a local account using an e-mail address or a phone number.
- A linking policy that allows linking of an e-mail address to a local account that has been registered using a phone number.

I've published the following custom policy samples to this GitHub repository:
- phone_sign_up_any_sign_in: Sign-up for a local account using a phone number. The end user is prompted for verification of the phone number. An e-mail address can be linked to the local account using the email_linking policy. Sign-in for a local account using an e-mail address or a phone number. If the e-mail address hasn't been verified, then the end user is prompted for verification of the e-mail address. If the phone number hasn't been verified, then the end user is prompted for verification of the phone number.
- email_linking: Linking of an e-mail address to a local account that has been registered using a phone number. The end user is prompted for verification of the e-mail address.

Check if Azure Active Directory B2C verification code was sent via email

I'm using an Azure AD B2C policy where I'm requiring users to verify their email addresses with a verification code.
Is there a way to check the activity on whether or not this verification code email was sent to the user that is signing up?
There are no diagnostics around the verification code email. The verification code email should be sent every time as per your policy. You can request a feature for diagnostics or something like that in the Azure AD B2C feedback forum.
In some cases, emails will get routed to the user's spam mail or the company might be filtering out the emails completely. If you're seeing users from a given company consistently not receive the email, you should get some confirmation from Microsoft that the email was sent by opening a support ticket.

How to get email address from Azure AD B2C authentication?

I am trying to get Azure AD B2C to get the user's email address but I don't see anything in the token that provides it, even though my signin/signup policy makes a "claim" on the user's email address. How do I get the email address? More generally, is there any documentation other than the samples that explains how this service is intended to work?
Under application claims, check Email Addresses.
Here's some documentation about selecting claims/setup.

Azure AD B2C Password reset policy with alternate email address

I created a password reset policy and I am using username for the identity provider for local account.
The password reset screen is asking for username and email address.
What if I know someone's username but use a different email to receive the verification code? Then I will be able to access someone else's account.
I saw it used to have a check box for password reset to use "Alternate Email Address", which is much more secure, to allow the user to input one. But I can't find how to use "Alternate Email Address" in the password reset policy.
Does anyone know where to set it?
> What if I know someone's username but use a different email to receive the verification code? Then I will be able to access someone else's account.
Both the username and the email address must match the entries on the account. If a user uses a different email address, they will be shown an error message indicating that the account could not be found. Email verification is done before the account is looked up to minimize the chance of a malicious user trying out different email addresses for an account.
Alternate email address is not supported in Azure AD B2C because an alternate email address is not collected when the user signs up.
The admin UI that you have pasted in your question is for the enterprise directory and does not apply to Azure AD B2C. Azure AD B2C policies can only be configured using the Azure AD B2C settings blades in the Azure Portal.
