Azure AD B2C: Change Local Email

I have two requirements that seem to conflict:
Use the email as the username.
Allow users to change their email.
The problem: if you configure the directory to use the email as the username then the edit profile policy does NOT show the email to allow you to change it.
Any solution I think of is a kludge and involves creating a whole new local account for the user.
Any ideas or suggestions?

You'll need to use the Azure AD Graph API to update the 'User' entity.

You can do this via Microsoft Graph now too.
Example:
PATCH https://graph.microsoft.com/v1.0/users/{UUID}
    {
        "identities": [
            {
                "signInType": "emailAddress",
                "issuer": "xxxx.onmicrosoft.com",
                "issuerAssignedId": "{new email address}"
            }
        ]
    }

The possibilities have changed and @pswillies's answer is not true anymore.
It is possible to change the sign-in name of local accounts where the sign-in name is an email address.
See this official sample: https://github.com/azure-ad-b2c/samples/tree/master/policies/change-sign-in-name
It is using custom policies.

Related

Validate organization email extension using MS Graph API

In my application, I have a list of users with their organization email-id. As per the requirement, I want to check that the user's email-id extension belongs to a valid Microsoft 365 account. For users who pass this check, I want to enable the SSO feature.
Example: If the user email-id is "user@company-domain.com" then I want to check that "@company-domain.com" is registered in MS 365.
I am not able to find any graph API to resolve this issue.
Any help would be appreciated.
What you should be able to use is the Organizations endpoint, e.g.
https://learn.microsoft.com/en-us/graph/api/organization-get?view=graph-rest-1.0&tabs=http
then use the verifiedDomains node:
    "verifiedDomains": [
        {
            "capabilities": "Email, OfficeCommunicationsOnline",
            "isDefault": true,
            "isInitial": true,
            "name": "Contoso.com",
            "type": "Managed"
        }
    ]
This is what you see in the Portal or enumerated in things like Azure AD Connect.
This will give you the verified domains for a particular org and your app will need permissions to query it.
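The check described in this answer, as an added example (not code from the question or the answer): it parses the verifiedDomains collection of an already fetched GET /v1.0/organization response, which here is a constructed sample, and decides whether an address's exact domain is verified for email in the tenant. Case-insensitive matching, malformed addresses and look-alike or sub-domains are handled explicitly.

```python
from __future__ import annotations
import json

# Constructed sample of a GET /v1.0/organization response (not real tenant data);
# the verifiedDomains shape matches the fragment quoted in the answer above.
SAMPLE_ORG_RESPONSE = json.dumps({"value": [{
    "id": "00000000-0000-0000-0000-000000000000",
    "verifiedDomains": [
        {"capabilities": "Email, OfficeCommunicationsOnline", "isDefault": True,
         "isInitial": True, "name": "Contoso.com", "type": "Managed"},
        {"capabilities": "OfficeCommunicationsOnline", "isDefault": False,
         "isInitial": False, "name": "voice.contoso.com", "type": "Managed"},
    ],
}]})


def verified_email_domains(org_response_json: str) -> set[str]:
    """Lower-cased names of verified domains whose capabilities include Email."""
    domains = set()
    for tenant in json.loads(org_response_json).get("value", []):
        for dom in tenant.get("verifiedDomains", []):
            caps = {c.strip().lower() for c in dom.get("capabilities", "").split(",")}
            if "email" in caps:
                domains.add(dom["name"].lower())
    return domains


def email_domain(email: str) -> str | None:
    """Domain part of an address, or None when the address is malformed."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local or " " in domain:
        return None
    return domain.lower().rstrip(".")


def is_sso_eligible(email: str, org_response_json: str) -> bool:
    """True only when the exact domain of the address is verified for email.
    Sub-domains and look-alike domains are rejected unless verified themselves."""
    domain = email_domain(email)
    return domain is not None and domain in verified_email_domains(org_response_json)
```

The app needs Organization.Read.All (or Directory.Read.All) to call the endpoint; the response is cached here as a string so the decision logic runs offline.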

Azure AD B2C - Can we sign-in using email-id instead of UPN - local accounts only custom policy?

I'm using Azure AD B2C Local Accounts sign-in only custom policies (i.e. no sign-up). I have the requirement to use email as the login-id instead of the UPN. I could not find any Microsoft guidelines for changing the custom policies for this requirement.
The only links I can see are https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-use-email-signin (Microsoft Preview) and https://github.com/azure-ad-b2c/samples/tree/master/policies/username-or-email, but they are not much help in terms of what I need to change in local-accounts-only custom policies to sign in using an alternative login email-id. Could someone shed some light on this, please?
When creating the user, add the corporate email into the identities collection.
https://learn.microsoft.com/en-us/graph/api/user-post-users?view=graph-rest-1.0&tabs=http#example-2-create-a-user-with-social-and-local-account-identities
    "identities": [
        {
            "signInType": "emailAddress",
            "issuer": "yourB2C.onmicrosoft.com",
            "issuerAssignedId": "username@<company domain name>.com"
        }
    ]

Azure AD Graph API - How you can get the IssuerAssignedId for Google and Facebook

I'm following the Microsoft tutorial Create a user (local or social account). So I'm trying to create a user from an HTTP call; for this I'm sending a payload similar to the tutorial's:
    {
        "accountEnabled": true,
        "creationType": "LocalAccount",
        "displayName": "Alex Wu",
        "passwordProfile": {
            "password": "Test1234",
            "forceChangePasswordNextLogin": false
        },
        "signInNames": [
            {
                "type": "userName",
                "value": "AlexW"
            },
            {
                "type": "emailAddress",
                "value": "alexw@gmail.com"
            }
        ],
        "userIdentities": [
            {
                "issuer": "google.com",
                "issuerUserId": "MATxTNg5MzYyMzMyMNY1Njc="
            }
        ]
    }
My question is how I can generate the issuerUserId, as it is necessary for the Google provider to recognize the user. I'm trying with a random value encoded with base64, but when I run the user flow the user is created again with a duplicate email. I suppose Google doesn't recognize the issuerUserId.
Update:
Based on Allen Wu's answer:
issuerUserId is a unique user identifier for the issuer. You can set any valid string (don't be duplicate) for it.
I created this issuerUserId with a valid string: 12345678909823456789
As before, I create the user successfully and the source shows as Google:
But when I want to log in to the account with the Google provider
The user is duplicated:
I assume that instead of launching the sign-in process, Azure/Google doesn't recognize the account's issuerUserId and launches the sign-up process; for that reason I think the issuerUserId might have to be created by Google.
Some notes:
I changed the emails to demo emails, but that is the current behavior.
I'm only using Google authentication; I don't use the email and password fields of the login, because the purpose of the app is only Social Authentication (Google specifically).
I'm using the Sign up and sign in (Recommended) user flow type.
If you have more thoughts about issuerUserId that can help me, let me know, I'll really appreciate it.
It's not true.
Based on my test, the user flow won't create a new user which has a duplicate email. (The previous user is created via AAD Graph.)
issuerUserId is a unique user identifier for the issuer. You can set any valid string (don't be duplicate) for it.
And Google / Facebook or any other social IdP won't verify it, because this user is created in B2C. It's a B2C local account. ("creationType": "LocalAccount")
Creating a B2C local account doesn't mean this user has been created in Google.
I guess that you added the Google IdP into the user flow and are trying to create a new user in Google rather than B2C.
You should click on "Sign up now" in the user flow to create the local account. Kindly check it.
Update:
As I have mentioned above, the user you created with Azure AD Graph is a B2C local account. You should use the default sign-in feature to log in to that user. B2C will verify your credential.
But when you click on "Google" to sign in, in fact Google will verify your credential and will associate your Google account with a new B2C account. It's not a local account.
So they are two different accounts. You can verify this by changing the password of the B2C local account. After changing the password, you still need to use the old password to sign in with the "Google" option. But you will need to use the new password to sign in with the first user (B2C local account).
You can use GET https://graph.windows.net/myorganization/users?api-version to get the two users and find that their issuerUserId values are different.

Azure Graph API can't create localaccount without domain in userPrincipalAccount

I am creating users using the Azure Graph API (using Microsoft.Graph;), and I am seeing issues when I try to add local account users. I want to be able to create an account where the user can log in with a username, such as "jimmy" and not have to specify a domain. I am able to do this with the Azure Portal, but not with Graph API.
When I add users through Graph API, the issue is with the userPrincipalName. I must include a userPrincipalName, and userPrincipalName must include a domain. Conversely, when I create a user account with Azure Portal, I do not specify a userPrincipalName, and the userPrincipalName is created automatically with the format being objectid@mydomain.onmicrosoft.com.
In summary, I want to be able to use the graph API to create a user who can log in as "Jimmy" as I can with the Azure Portal, but I am only able to create a user who can log in as jimmy@mydomain.onmicrosoft.com.
You could generate a GUID and set the UPN to "guid@domain.onmicrosoft.com"? If that's what the portal does, shouldn't it be fine for your app too? If you specify an identity for the user with the username type, they should be able to log in with that.
So you can set the user's identities to something like:
    {
        "identities": [
            {
                "signInType": "userName",
                "issuer": "mydomain.onmicrosoft.com",
                "issuerAssignedId": "jimmy"
            }
        ]
    }
And the UPN can be the generated one with the GUID.
Reference: https://learn.microsoft.com/en-us/graph/api/resources/objectidentity?view=graph-rest-1.0

When changing an Azure B2C email address, do I need to change the UPN as well?

In Azure B2C with the Graph API I can change the email address of an existing user with an HTTP PATCH command:
https://azure.microsoft.com/nl-nl/documentation/articles/active-directory-b2c-devquickstarts-graph-dotnet/
    "SignInNames": [
        {
            "type": "emailAddress",
            "value": "demo@domain.com"
        }
    ]
This works, and I can log in with the new email address.
But this leaves the UPN at the old value, do I need to set the UPN as well, or is there no harm in having the UPN stay at the old email address?
Yes, there is no need to update the UPN field.
Using the v1.0 version of the Microsoft Graph API, the body of the PATCH request to change the sign-in email address should be as follows:
    {
        "identities": [
            {
                "signInType": "emailAddress",
                "issuer": "yourTenantName.onmicrosoft.com",
                "issuerAssignedId": "newemail@email.com"
            }
        ]
    }
That is why (in my opinion) email address should never be the default. Instead choose username account option and email becomes a much easier field to deal with.
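The PATCH shown in this answer and in the Microsoft Graph answer to the first question above, as an added example (not code from any of the answers): it builds the /users/{id} request that swaps a local account's emailAddress identity. It assumes the caller already holds a bearer token with User.ReadWrite.All (placeholder ACCESS_TOKEN) and has read the user's current identities collection (a constructed sample here); other sign-in identities are carried over defensively, and the userPrincipalName identity is left out because, as the answer says, the UPN does not need to change.

```python
from __future__ import annotations
import json
import re
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
ACCESS_TOKEN = "<bearer token with User.ReadWrite.All>"  # placeholder, obtain via MSAL

# Constructed sample of a user's current 'identities' collection (not real data).
SAMPLE_IDENTITIES = [
    {"signInType": "userPrincipalName", "issuer": "contoso.onmicrosoft.com",
     "issuerAssignedId": "11111111-2222-3333-4444-555555555555@contoso.onmicrosoft.com"},
    {"signInType": "emailAddress", "issuer": "contoso.onmicrosoft.com",
     "issuerAssignedId": "old@example.com"},
    {"signInType": "federated", "issuer": "google.com",
     "issuerAssignedId": "constructed-google-subject-id"},
]


def build_email_change_patch(current_identities, issuer, new_email):
    """PATCH body that swaps the local emailAddress identity for the new address.
    Other sign-in identities (userName, federated) are carried over so the PATCH
    cannot silently drop them; the userPrincipalName identity is left out since
    the UPN stays as it is (assumption: it is not updated through this PATCH)."""
    if not EMAIL_RE.match(new_email):
        raise ValueError(f"not a valid email address: {new_email!r}")
    kept = [i for i in current_identities
            if i.get("signInType") not in ("emailAddress", "userPrincipalName")]
    kept.append({"signInType": "emailAddress", "issuer": issuer,
                 "issuerAssignedId": new_email.strip()})
    return {"identities": kept}


def build_change_request(user_id, current_identities, issuer, new_email, token):
    """Prepared PATCH /users/{id} request, returned unsent so it can be inspected."""
    body = json.dumps(build_email_change_patch(current_identities, issuer, new_email))
    return urllib.request.Request(
        f"{GRAPH}/users/{user_id}", data=body.encode(), method="PATCH",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})


def change_sign_in_email(user_id, current_identities, issuer, new_email, token):
    """Send the PATCH; Graph answers 204 No Content on success."""
    req = build_change_request(user_id, current_identities, issuer, new_email, token)
    with urllib.request.urlopen(req) as resp:
        return resp.status
```

Read the user with GET /users/{id}?$select=identities first so the collection passed in reflects the current state, and log the old and new issuerAssignedId values for audit.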
