Azure B2C Active Directory - azure

I would like to use Azure B2C Active Directory and source users under local accounts as email (joe#some-email.com) and also as username (for example, joe123).
Within the portal, under local accounts in B2C, you can select either email or username, and I cannot find a way to add both types of local accounts; it appears to be mutually exclusive between the email type and the username type.
I wanted to confirm whether there is a way to configure B2C that works with both types of sign-in, where a user can provide any valid email no matter what the domain is and at the same time allow users to sign in by just providing a username.
In case they are exclusive, is there a preferred solution that would allow both types of sign-in to coexist?

No, you cannot use both of them: if the local account is set to use email, then that email goes into the username field inside the user account. There is also an email claim in the user account profile, but if, let's say, you select local account with email and also select that email claim, the email will be asked for once and will only go to the username field. Also, email uniqueness is checked only if the email is used for sign-in. If you use username for local account sign-in, then multiple users can be registered with the same valid email.

Azure Active Directory B2C new user invite to set their initial password

In short: how to set up Azure B2C to pre-create users and invite them to set their initial password (rather than reset it).
We have a public-facing website that an organisation can pay for, and it gives them access to their own area. We add one or more users' email addresses to our database to grant them a login. Privileged users at the organisation can invite other users to grant them access to their organisation's area.
We wish to move our authentication, session and password management from a home grown solution to Azure AD B2C.
A new user currently receives a friendly invitation email with a hyperlink that contains a token that gives them permission to set their password.
We could create a custom policy to handle this but I really don't want to go down that route due to their complexity and shelf life.
The only way that I've found "out of the box" is to create the user in Azure AD (no problem with that), set a temporary password and email them an invite asking them to "reset" their password. The reset part is very unclean, as they are not resetting their password; they are setting their initial password, and this will be confusing.
Also note that we do not want the user to be able to change their email to something like a hotmail account, as the admin must be in charge of this to ensure they use their work email.
All help appreciated.
Andy
In your scenario, I would suggest you configure an application registration in Azure AD B2C and configure user flows in it for resetting the password for every user logging in to it. Also, while registering an application in Azure AD B2C, you can select the option for ‘Accounts in this organizational directory only (Default Directory only - Single tenant)’ and integrate it with your website in the frontend API such that the user flow to reset the password after verifying the email address comes up for every user.
For the above said configuration, kindly refer to the below documentation link for more details as it describes the configuration for registering users of a single tenant/organization: -
https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-single-tenant?pivots=b2c-user-flow
Also, refer to the below documentation link for resetting the initial temporary password using the user flow section as setting up a user flow is a very simple process as described below: -
https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-password-reset-policy?pivots=b2c-user-flow

How can I create multiple account in Azure AD B2C with unique username but allowing same email address?

I need to create multiple user accounts in Azure AD B2C with unique usernames but the same email address. The user logs in with the username.
Scenario
I have an e-commerce b2b site.
A user reseller has an account on the b2b site with unique username and an email address.
The same user has another different account on the same b2b site with a different (unique) username but he has the same email address.
So you have:
account1: username is Username1 and email is matt#pippo.com
account2: username is Username2 and email is matt#pippo.com
For the password reset you need both the username and the email.
Is this scenario supported on Azure AD B2C?
Suggestions are welcome. Thanks in advance.
There is a method, theoretically. This requires you to set up different account types for this email address. For example, if you have a Gmail account, you can directly register to B2C as a local account, or you can configure Gmail as an identity provider; if you log in with Gmail, this achieves two identical mailboxes but different account names.
However, this method is not recommended. This is equivalent to two completely different account types. If you require both account1 and account2 to be local accounts, then obviously this method will not work. Therefore, in summary, I don’t think you can create two different user accounts with the same email address.
This username sample already accomplishes this:
https://github.com/azure-ad-b2c/samples/tree/master/policies/username-signup-or-signin
The username, or login identifier, is stored in the signInNames.username attribute. This has a uniqueness constraint.
The email is stored in the strongAuthenticationEmailAddress attribute, which does not have a uniqueness constraint. You could swap it for an extension attribute too.

Azure B2C user flow without an email

We have a scenario where we need to integrate Azure B2C with one of our existing systems, where the email is not a mandatory user field; we have only the mobile number of the user as a mandatory field. I am looking for ways to integrate Azure B2C where I can give a username and an initial password for the first time, instead of an email. And all the password reset scenarios will have to go through OTP or email, where it will be the user's choice to give an email to reset the password.
We are able to create the user through the Graph API initially, but are stuck with creating a user flow that asks for the username and password instead of email and password.
You can choose Username as local account types when configuring identity providers for Azure AD B2C in the Azure portal. In your Azure AD B2C tenant, select Identity providers, select Local account, and then select Username.
Then you need to select Local Account again in your user flow.
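An added example, not code from any of the posters or from Microsoft's sample policy, covering the two posts above: how a username local account (the `signInNames.username` identifier) is expressed in a Microsoft Graph user object, and an in-memory model of the constraints the answers describe, namely a unique username, a shared email address, and a password reset that must match both. The tenant name, extension-app id, custom attribute name and sample users are constructed placeholders, and username uniqueness is modelled case-insensitively here as an assumption.

```python
from typing import Dict, List, Optional

# Constructed placeholders (assumptions): a B2C tenant and the application id of its
# b2c-extensions-app, which names custom attributes as extension_<id>_<name>.
TENANT = "contoso.onmicrosoft.com"
EXT_APP_ID = "00000000000000000000000000000000"
EMAIL_ATTR = f"extension_{EXT_APP_ID}_Email"  # stand-in for strongAuthenticationEmailAddress


def build_username_user(username: str, password: str, display_name: str,
                        email: Optional[str] = None) -> Dict:
    """Body for POST https://graph.microsoft.com/v1.0/users creating a B2C local
    account whose login identifier is a username rather than an email address."""
    body = {
        "displayName": display_name,
        "identities": [{"signInType": "userName", "issuer": TENANT,
                        "issuerAssignedId": username}],
        "passwordProfile": {"password": password, "forceChangePasswordNextSignIn": False},
        "passwordPolicies": "DisablePasswordExpiration",  # required for B2C local accounts
    }
    if email:
        body[EMAIL_ATTR] = email  # no uniqueness constraint on this attribute
    return body


class LocalDirectory:
    """In-memory model of the directory constraints: unique username, shared email allowed."""

    def __init__(self) -> None:
        self.users: List[Dict] = []

    def create(self, body: Dict) -> None:
        new_name = body["identities"][0]["issuerAssignedId"].lower()  # assumption: case-insensitive
        if any(u["identities"][0]["issuerAssignedId"].lower() == new_name for u in self.users):
            raise ValueError(f"signInNames.username '{new_name}' already exists")
        self.users.append(body)

    def reset_lookup(self, username: str, verified_email: str) -> Optional[Dict]:
        """Password reset: the username AND the already-verified email must both match
        the same account; anything else is reported as 'account not found'."""
        for u in self.users:
            if (u["identities"][0]["issuerAssignedId"].lower() == username.lower()
                    and u.get(EMAIL_ATTR, "").lower() == verified_email.lower()):
                return u
        return None


def demo() -> LocalDirectory:
    d = LocalDirectory()
    d.create(build_username_user("Username1", "P@ssw0rd-1", "Matt (account 1)", "matt@pippo.com"))
    d.create(build_username_user("Username2", "P@ssw0rd-2", "Matt (account 2)", "matt@pippo.com"))
    d.create(build_username_user("mobile-only", "P@ssw0rd-3", "Phone-only user, no email"))
    return d
```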

How to impersonate a federated user given an email address

I have a custom policy that allows a handful of users the ability to authenticate as themselves but then enter an email address of another user they need to impersonate (for help desk calls, etc). The users in the AAD B2C directory are of two types -- 1) local users (third party partners) and 2) federated users from our internal, corporate AAD. Impersonating the local users is working. The solution is based off of sample github.com/azure-ad-b2c/samples/tree/master/policies/
What is not working is impersonating federated users. What I'd like to do is read the user based on otherMails (which will be unique among active users), but when I attempt to upload a custom policy with a step to read the user from the B2C directory by the otherMails claim, I get a validation message: "Input Claim 'otherMails' is not supported in Azure Active Directory Provider technical profile 'SelfAsserted-TargetEmailExchangeFederated' of policy 'B2C_1A_Impersonation'."
'otherMails' is defined in the base policy so it seems it is just not supported to 'Read' on. I get this same error message if I try the mailNickname attribute. I can successfully upload and run the policy searching by other attributes such as employeeId, or immutableId however these have other limitations (size, uniqueness) that don't make them viable to store email addresses in.
Is there a way to read a user profile by otherMails?
If not, is there another field I could use? (I tried adding an extended attribute, policy would run but the account would not be found).
Short of either of those, is there a way to read the account from our corporate AAD by email from the custom policy? (calling the graph api, etc?)
If it helps anyone, what I ended up doing was creating a custom API that wrapped the Graph API to look up identities based on the entered email and then called out to that API from the impersonation policy.
Similar to:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-custom-rest-api-netfw
For reference:
Find a User by Email Address
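An added example, not the poster's own code, of the wrapper the answer above describes: the handler a custom REST API would run when the impersonation policy's REST technical profile calls it with the entered email, returning the claims B2C expects or the 409 "userMessage" body B2C renders as a validation error. The Basic-auth credential, the input claim name `targetEmail`, the sample users and the `fake_graph` stand-in for the Graph query are constructed assumptions; the `$filter` string is the shape a real call to `GET /v1.0/users` would send.

```python
import base64
from typing import Callable, Dict, List, Tuple

# Constructed placeholder (assumption): the Basic-auth credential configured on the
# REST technical profile, so only the B2C policy can drive this lookup.
API_USER, API_PASSWORD = "b2c-policy", "example-shared-secret"

GraphLookup = Callable[[str], List[Dict]]


def basic_auth_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def graph_filter_for_email(email: str) -> str:
    """OData filter a real implementation would send as
    GET https://graph.microsoft.com/v1.0/users?$filter=...  (single quotes doubled)."""
    return f"otherMails/any(m:m eq '{email.replace(chr(39), chr(39) * 2)}')"


def handle_impersonation_lookup(headers: Dict[str, str], body: Dict,
                                lookup: GraphLookup) -> Tuple[int, Dict]:
    """Returns (status, json). 200 carries output claims; 401/409 carry the error
    body format B2C understands (409 is shown to the user as a validation message)."""
    if headers.get("Authorization") != basic_auth_header(API_USER, API_PASSWORD):
        return 401, {"version": "1.0.0", "status": 401, "userMessage": "Unauthorized"}
    email = (body.get("targetEmail") or "").strip().lower()
    if "@" not in email:
        return 409, {"version": "1.0.0", "status": 409, "userMessage": "Enter a valid email address"}
    matches = lookup(graph_filter_for_email(email))
    if len(matches) != 1:  # not found or ambiguous: refuse rather than guess
        return 409, {"version": "1.0.0", "status": 409, "userMessage": "Account not found"}
    user = matches[0]
    # Return only the claims the policy needs to continue as the target user.
    return 200, {"objectId": user["id"], "displayName": user["displayName"]}


# Constructed sample directory standing in for Graph results.
SAMPLE_USERS = [
    {"id": "11111111-1111-1111-1111-111111111111", "displayName": "Federated Fran",
     "otherMails": ["fran@corp.example"]},
    {"id": "22222222-2222-2222-2222-222222222222", "displayName": "Local Lee",
     "otherMails": ["lee@partner.example"]},
]


def fake_graph(filter_expr: str) -> List[Dict]:
    """Evaluates only the filter shape produced above against SAMPLE_USERS."""
    wanted = filter_expr[filter_expr.index("'") + 1:filter_expr.rindex("'")].replace("''", "'")
    return [u for u in SAMPLE_USERS if wanted in [m.lower() for m in u["otherMails"]]]
```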

Azure AD B2C Password reset policy with alternate email address

I created a password reset policy and I am using username for the identity provider for local account.
The password reset screen is asking for username and email address.
What if I know someone's username but use a different email to receive the verification code? Then I will be able to access someone else's account.
I saw it used to have a check box for password reset to use "Alternate Email Address", which is much more secure than allowing the user to input one. But I can't find how to use "Alternate Email Address" in the password reset policy.
Does anyone know where to set it?
"What if I know someone's username but to use a different email to receive the verification code then I will be able to access someone else's account."
Both the username and the email address must match the entries on the account. If a user uses a different email address, they will be shown an error message indicating that the account could not be found. Email verification is done before the account is looked up to minimize the chance of a malicious user trying out different email addresses for an account.
Alternate email address is not supported in Azure AD B2C because an alternate email address is not collected when the user signs up.
The admin UI that you have pasted in your question is for the enterprise directory and does not apply to Azure AD B2C. Azure AD B2C policies can only be configured using the Azure AD B2C settings blades in the Azure Portal.
