Azure B2C signIn policy - lack of functionality - azure

I have a system where users are created in the back office by admins (users with a special role). Password resetting for users is also the admin's responsibility. This functionality is implemented using the Graph API.
Users log in to their accounts using usernames (local account ID).
For this purpose I use a B2C tenant with a "sign-in" policy. The problem is that there is a password reset link => "Can't access your account". By clicking on this link, users get Microsoft's out-of-the-box password reset process. I would like to delete this link to disable some extra actions, but I found no way to do this.
1. Is it possible to delete the "Can't access your account" link in the B2C sign-in policy?
The B2C sign-in policy is not fully customizable. The Microsoft site says that to fully customize it I need to use the "sign-up or sign-in policy". But it looks like I cannot use a local account ID in the "sign-up or sign-in policy".
2. Is it possible to use a fully customizable UI without providing sign-up functionality to users? I mean, is it possible to use the sign-up or sign-in policy as a sign-in-only policy with usernames (not emails)?

You can use a local account in the sign-in-or-sign-up policy.
The fully customizable experience is within the sign-in or sign-up policy.
Everything is thoroughly described in the docs here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-ui-customization
There is even an excellent example here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-ui-customization-helper-tool
Using the sign-in or sign-up policy you can not only remove the password reset link, but also disable password reset from the policy itself.

With the basic Azure B2C I don't think you can control this. Azure B2C is just rolling out the ability to create custom sign-in journeys, which will allow you to change everything, call extra REST APIs, and implement alternative IdPs.
In the last few days my UI has changed and they have just released documentation on custom journeys, so that is a good place to start.
As an alternative, and I don't know if it's possible, you could try using a custom UI theme on the sign-in policy and then use JavaScript to hide the link.

Related

Azure AD B2C - Configure PasswordReset policy directly into the Custom Policy for Sign-Up/Sign-in

In Azure AD B2C when a user clicks the "Forgot/Reset" Password, B2C redirects the user back to the Relying Party (web app), with the following error:
AADB2C90118: The user has forgotten their password.
Correlation ID: 124dd908-e181-408f-a363-ecbd46aa9d8e
The web app (RP) should read the error code and react by redirecting the user back to B2C, specifying the PasswordReset policy to be used. This is by design and it's documented in the official AAD B2C docs.
In our case, we have many web apps sharing the same custom policy (SUSI and PasswordReset) to offer a common login experience.
I would like to pick/configure the PasswordReset policy directly in our custom policy for sign-in. I'd like to avoid the user getting redirected back to the applications and then the apps deciding what PasswordReset policy to use.
Is this possible to achieve in B2C?
As far as I know it is not. The only proper way to handle it is via the application, as you already described and also according to the docs: https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-password-reset-policy?pivots=b2c-custom-policy
However, depending on your implementation and the overall landscape of your identity setup, you may try using a "trick": create a custom UI HTML template which includes a URL to the password reset policy of your choosing (static URL in the template) and hide (or disable, if you use custom policies) the original "Forgot password" link which returns to the app to handle. Attach that template to the policy: https://learn.microsoft.com/en-us/azure/active-directory-b2c/customize-ui-with-html?pivots=b2c-custom-policy
This might not work or be suitable for every setup though. You may get unexpected behaviour in the app if you open a policy and then the flow ends in a different one. I myself consider that a rather bad practice and discourage people from using it where I work. But if you really need to have something like that, you may consider it.
Yes, it is possible.
"By default when you create a sign-up or sign-in policy (with local accounts), you see a Forgot password? link on the first page of the experience. Clicking this link doesn't automatically trigger a password reset policy. Instead, the error code AADB2C90118 is returned to your app. Your app needs to handle this error code by invoking a specific password reset policy.
This policy demonstrates how to embed the password reset flow as a part of the sign-up or sign-in policy. So, Azure AD B2C will not return the AADB2C90118 error message."
Starting from March 2021, the "Self Service Password Reset" is the recommended option. The previous method described in my original post is not considered legacy.
Self Service Password Reset Official Documentation: https://learn.microsoft.com/en-gb/azure/active-directory-b2c/add-password-reset-policy?pivots=b2c-custom-policy
Essentially, what I asked above not only is possible now, but it's also the recommended approach.

Multi-Factor Authentication Sign-Up Redirection

I'm using Azure AD B2C for my ASP.NET project. I want to use multi-factor authentication. Normally, after the sign-up, the user is redirected to the page to verify his phone number. I want to change this flow: I want to enable multi-factor only if the user chooses SMS in a custom dropdown attribute 'Notifications'; the other options are Email/No.
How can I redirect to this multi-factor page / enable multi-factor depending on the value of a custom attribute?
Well, fortunately, the Azure B2C is quite a flexible tool and does exactly what you're asking for. You're free to define custom policies, attributes and user flows (this one is in preview state though). For your case, if you're the one who manages the tenant, go to B2C instance and select 'User flows (preview)' blade. Create a User attribute beforehand. Configure the flow as necessary. Complete configuration by running the user flow. More on the issue can be found in quite exhausting MS article here.

Bot protection or addition of CAPTCHA to sign up experience in Azure AD B2C

I am using Azure AD B2C as the authentication solution for a Dynamics CRM Portal application. So far, B2C allows customization of the sign-up experience, which I have done to customize the look and feel of the sign-up/sign-in page, but I don't see any option to incorporate a CAPTCHA.
Is there any way of detecting and blocking robots during the AD B2C sign-up process?
Other than reCAPTCHA, is there any other bot protection mechanism that can be used on the B2C sign-up page?
The email verification that, by default, is required during the sign-up process is meant to prevent bots from creating fake users.
As JavaScript is not yet available, using CAPTCHA would not be possible. Also the standard fallback for these services, iframes, would be stripped by the B2C UI. However, it does use the standard AAD account lockout password policy:
"After 10 unsuccessful sign-in attempts with the wrong password, the user is locked out for one minute. Further incorrect sign-in attempts lock out the user for increasing durations of time"

Azure AD B2C SignUp-SignIn policy with MFA turned on - Custom Login Page

I have an ASP.NET web application that authenticates via an Azure AD B2C tenant. I have a sign-up-sign-in policy [login is using username instead of email] with MFA turned on. I have also set up a custom UI login page [unified.html] and MFA page [phonefactor.html] in a storage blob that the policy points to. I am able to authenticate the user via the custom login page and log in with MFA. The issue is when I create a new user and force the user to change the password at their first login: instead of redirecting the user to the change password screen, I am getting an invalid username and password message. When I use the sign-in policy instead of sign-up-sign-in, the redirection to change the password works for the new user. But the sign-in policy does not have the option to specify a custom UI for the login page. Am I missing anything here, and how can I make this work with the sign-up-sign-in policy?
Also, is there any way to get a "Password" hint like the "Username" hint in the company branding? A password hint is not available.
forceChangePasswordNextLogin only works on the sign-in policy, which does not support UI customization.
In order to achieve similar functionality in the unified sign-up/sign-in policy, you'll need to implement this functionality yourself.
One option to achieve similar (albeit not quite the same) functionality is by leveraging the Password Reset policy. You would be creating new users up-front and ensuring you configure their email. You then direct them straight to the Password Reset policy for their account activation. They'll receive an email with a code which, once provided, will let them set their password.
There are already two outstanding feature asks in the Azure AD B2C Feedback Forum that you can support:
Support Force Password Reset
Fully Customizable Sign-In Page
UPDATE
For the DIY approach:
Create the users by setting up an Azure AD app for your back-end API as outlined here:
https://learn.microsoft.com/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet
Have your back-end API call the Graph API like this app does to create the users: https://github.com/AzureADQuickStarts/B2C-GraphAPI-DotNet.git
Send the users directly to the password reset policy's /authorize/ URL.

B2C: Redirect to "sign-up" flow of a "Sign-up or Sign-in" policy

Microsoft recently added the new "sign-up or sign-in" policy to Azure AD B2C.
https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-reference-policies/#create-a-sign-up-or-sign-in-policy
By default when we direct a user to that page it shows the sign-in workflow.
Sometimes I may want to take a user directly to the sign-up workflow instead.
I don't want to configure two policies (i.e. upload the same banners, templates, backgrounds, redirects, special messages etc) when the content is going to be exactly the same for both.
Is it possible to pass a parameter (or some otherworldly trickery) so that it shows the "sign-up" workflow instead?
Currently there isn't a query parameter or policy setting that will take the user straight to the local account sign-up pages in a SignUporSignIn policy. Today you would need a separate sign-up policy to direct them directly to sign up.
You can use hello.js for Azure B2C with some customization in initialization; it is built for external authentication with Google, Facebook, etc. You can also look into the sample from Microsoft, which works! Azure B2C
