I am trying to get Azure AD B2C to get the users email address but I don't see anything in the token that provides it, even though my signin/signup policy makes a "claim" on the users email address. How do you do I get the email address? More generally, is there any documentation other than the samples that explains how this service is intended to work?
Under application claims, check Email Addresses.
Here's some documentation about selecting claims/setup.
Related
I wan to send customized email for SSO via AD B2C. I see that the documentation covers sending custom email via third party providers or via SSPR Technical profile. I'm trying to use the SSPR technical profile.
However, there is no reference as to how the email is sent to the customer. It doesn't explain how the SMTP is configured for AD B2C to be able to send an email from our customized email address. Can someone point of how SMTP is configured for Azure AD B2C.
The documentation for third party emails also don't cover how do we set SMTP configuration.
There is no SMTP.
The SSPR Technical profile uses Azure to send emails. It's all done in the back end.
Similarly, for third parties.
Is it possible to send verification email code to secondary email address (otherMails or alternate email attribute in azure AAD) via azure B2C custom policy?
Currently, customization of the email address is not supported. Azure AD B2C just supports basic customization of emails sent by Azure AD B2C.
You could vote for the feedback here. Please see this similar issue.
I have a custom policy that allows a handful of users the ability to authenticate as themselves but then enter an email address of another user they need to impersonate (for help desk calls, etc). The users in the AAD B2C directory are of two types -- 1) local users (third party partners) and 2) federated users from our internal, corporate AAD. Impersonating the local users is working. The solution is based off of sample github.com/azure-ad-b2c/samples/tree/master/policies/
What is not working is impersonating federated users. What I'd like to do is read the user based on otherMails (which will be unique among active users)but when I attempt to upload a custom policy with a step to Read the user from the B2C directory by the otherMails claim I get a validation message '.Input Claim 'otherMails' is not supported in Azure Active Directory Provider technical profile 'SelfAsserted-TargetEmailExchangeFederated' of policy 'B2C_1A_Impersonation'.
'otherMails' is defined in the base policy so it seems it is just not supported to 'Read' on. I get this same error message if I try the mailNickname attribute. I can successfully upload and run the policy searching by other attributes such as employeeId, or immutableId however these have other limitations (size, uniqueness) that don't make them viable to store email addresses in.
Is there a way to read a user profile by otherMails?
If not, is there another field I could use? (I tried adding an extended attribute, policy would run but the account would not be found).
Short of either of those, is there a way to read the account from our corporate AAD by email from the custom policy? (calling the graph api, etc?)
If it helps anyone, what I ended up doing was creating a custom api that wrapped the graph api to look up identities based on entered email and then called out to the api from the impersonation policy.
similar to:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-custom-rest-api-netfw
for reference:
Find a User by Email Address
I would like to pre-register a limited number of users which can use my application.
This are the requirements:
Users should be able to reset their password on their own
No other users than the preregistered users can sign up
Ideally, the user can choose the login email address by himself (no #app.onmicrosoft.com login).
Now I'm having trouble to have all requirements fullfilled together.
I was able to preregister #app.onmicrosoft.com users in the Azure Portal. But since the user can't get emails on #app.onmicrosoft.com, a password-reset-policy would not make sense. I tried to specify alternate-email and a phonenumber in the user-profile, but unfortunately the password-reset-policy is not using it for verification.
Let's say I create a sign-up policy: This is nice - the user choose his own email. Password resetting would also work. However, I can't control who's signing up and getting valid access tokens. In the portal, under Enterprise Applications, I found my registered application (All Applications) where I can set an option "User assignment required?" to true. But this does not seem to work in the B2C context, right? I expected, that until I assign a user to this application, the user is not getting a token on sign-in, but this wasn't the case. Here I found a similar question about creating users. Any advice on creating users including passwords etc. using Microsoft Graph (since it's recommended to use it over Graph API)?
I also tried to invite users as guests. They have to create a microsoft account, resetting passwords would be solved through microsoft, but unfortunately, no redirect to microsoft login happens after entering the microsoft account email address.
Deleting the signup policy after initial registration is a bad option if more users have to be onboarded.
Ideally, I would like to preregister users as if they signed up by their own - but with no signup policy.
Any advice? What do I miss?
You can implement the activation/invitation scenario that is described here and implemented here.
This scenario activates/invites a new user by creating/pre-registering a local account in the Azure AD B2C directory through the Azure AD Graph and then sending a signed redemption link to the email address for this local account.
This redemption link directs the new user to the Password Reset policy.
Currently creating users in a B2C tenant with a "local account" is not supported in Microsoft Graph. For this you'll need to use Azure AD Graph for now (see creating a user with a local account). Please see this blog post for details and line item 12 in the table.
We hope to add this capability as soon as we can to Microsoft Graph.
Hope this helps,
I created a password reset policy and I am using username for the identity provider for local account.
The password reset screen asking for username and email address.
What if I know someone's username but to use a different email to receive the verification code then I will be able to access someone else's account.
I saw it used to have a check box for password reset to use "Alternate Email Address" which is much secure to allow the user input a one. But I can't find to use "Alternate Email address" in password reset policy.
Does anyone know where to set it?
What if I know someone's username but to use a different email to
receive the verification code then I will be able to access someone
else's account.
Both the username and the email address must match the entries on the account. If a user uses a different email address, they will be shown an error message indicating that the account could not be found. Email verification is done before the account is looked up to minimize the chance of a malicious user trying out different email addresses for an account.
Alternate email address is not supported in Azure AD B2C because an alternate email address is not collected when the user signs up.
The admin UI that you have pasted in your question is for the enterprise directory and does not apply to Azure AD B2C. Azure AD B2C policies can only be configured using the Azure AD B2C settings blades in the Azure Portal.