Azure AD B2C Sign Up with Phone - azure-active-directory

In Azure AD B2C the sign-up process with phone expects an email ID during sign-up.
Our use case is that we just need to ask the user for a phone number only during sign-up. Is there a way that we can avoid asking the user for an email ID during the phone sign-up process?
Thanks,
SathKaal

Just moving the comment to an answer so that this post can be treated as resolved.
OTP (one-time password) should be the option for you. The sample which juunas mentioned is helpful.
And you can follow this official document Set up phone sign-up and sign-in with custom policies in Azure AD B2C, which allows you to use phone number to sign up and sign in in Azure Active Directory B2C.

Related

Azure AD B2C and AD Connect

I need to synchronize users from my on-prem AD to an AD B2C tenant.
Now, the docs clearly state this is not possible, but one of the workarounds offered in other questions (like this one: Can I Use ADConnect to migrate users to Azure B2C) is to create a regular Azure AD, sync the users to it, and then configure this Azure AD as an identity provider for the B2C.
This obviously works, however it will display a link on the sign-in page to log in using the Azure AD tenant (similar to what happens with the Facebook identity provider). What I'm looking for is a seamless experience, where the users sign in using the regular B2C pages, as if they're local users, and the users' profiles are retrieved from the Azure AD tenant.
How can that be achieved? How can I use the B2C sign in pages and get the users from the Azure AD tenant?
Thanks!
The easiest way is to use this sample.
"On the sign-in page, the user provides their sign-in email address and clicks continue. B2C checks the domain portion of the sign-in email address. If the domain name is contoso.com the user is redirected to Contoso.com Azure AD to complete the sign-in. Otherwise the user continues the sign-in with username and password. In both cases (AAD B2C local account and AAD account), the user does not need to retype the user name."
So no button clicking.
However, this creates the user as a "shadow" account in B2C. It's not a local account. If the user already has a local account, then you can link the two.
Otherwise, there are some migration samples.
Why do you need Azure B2C? If all users are in the AD, then just use AD as it was intended instead of trying to shoehorn them into something that it wasn't designed for. As you say, the added button to log in as an AD user is there for this very purpose. I use that and it works well: if you are an internal (B2B) user, go this way with your normal password; all other public users go through B2C via the username/password front and centre on the screen.
If you migrate users to B2C so they have both, that would be annoying as you would have no single sign on.

Set up phone sign-up and sign-in with custom policies in Azure AD B2C

I am working on Azure AD B2C phone sign-up and sign-in with custom policies. I followed the documentation and completed the flow and it's working fine as shown in the documentation.
But I want to remove that additional email address verification from the phone number sign-up flow. I have tried editing the custom policies, but I couldn't make it work. Please help me.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/media/phone-authentication/email-verification.png

Selected user account does not exist in tenant 'UserVoice, Inc.'

I'm trying to login and vote on https://feedback.azure.com/forums/915433-azure-sphere/suggestions/36196912-allow-for-transfering-device-ownership
While using my personal microsoft account, it says "Selected user account does not exist in tenant 'UserVoice, Inc.' and cannot access the application '91a42e81-999b-4cf1-aa36-bb33f25ff53b' in that tenant. The account needs to be added as an external user in the tenant first. "
As I understand, it's a problem on the UserVoice tenant and I have no access to it to add my email as a guest user.
You need to log in with an Azure Active Directory user account; a personal account is not allowed here.
The login endpoint is https://login.microsoftonline.com/common/oauth2/authorize?client_id=91a42e81-999b-4cf1-aa36-bb33f25ff53b&redirect_uri=https%3A%2F%2Ffeedback.azure.com%2Fauth%2Foidc%2Fcallback&response_type=code&scope=openid+email+profile+offline_access&state=98a2f664a4ff12e695a7d482dbf1f6a07a0901f95171d70f6cb779639b71e979&sso_reload=true
It is a multi-tenant application with v1.0 endpoint. So you can login with any Azure Active Directory tenant users. Only v2.0 endpoint supports personal accounts.
Azure Sphere does now support signing in with a personal account. (Though it did not at the time the question was asked and the first answer was given.)
If you are working with multi-tenant stuff you need to use the following endpoints.
Login URL: https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize
Token URL: https://login.microsoftonline.com/organizations/oauth2/v2.0/token
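The answers above turn on two things you can read straight off an authorize URL: whether it targets the v1.0 or v2.0 endpoint, and which tenant segment (`common`, `organizations`, `consumers`, or a specific tenant) it uses. The following is an added example, not code from the thread, that parses such a URL and reports which account types it can admit, using the feedback.azure.com URL quoted above and a constructed v2.0 URL (placeholder client_id) as inputs.

```python
"""Classify a Microsoft identity platform authorize URL by endpoint version
and tenant audience, applying the rules stated in the answers above."""
from urllib.parse import urlparse, parse_qs

# Sample inputs: the first is the login URL quoted in the thread (sso_reload dropped);
# the second is a constructed v2.0 /organizations URL with a placeholder client_id.
V1_URL = ("https://login.microsoftonline.com/common/oauth2/authorize"
          "?client_id=91a42e81-999b-4cf1-aa36-bb33f25ff53b"
          "&redirect_uri=https%3A%2F%2Ffeedback.azure.com%2Fauth%2Foidc%2Fcallback"
          "&response_type=code&scope=openid+email+profile+offline_access"
          "&state=98a2f664a4ff12e695a7d482dbf1f6a07a0901f95171d70f6cb779639b71e979")
V2_URL = ("https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize"
          "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
          "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcallback&scope=openid&state=abc")


def classify_authorize_url(url: str) -> dict:
    """Return endpoint version, tenant segment and the account types it admits."""
    parts = urlparse(url)
    segments = [s for s in parts.path.split("/") if s]
    if (parts.hostname != "login.microsoftonline.com" or len(segments) < 3
            or segments[1] != "oauth2"):
        raise ValueError("not a login.microsoftonline.com authorize URL")
    tenant = segments[0]
    version = "v2.0" if segments[2] == "v2.0" else "v1.0"
    query = parse_qs(parts.query)
    redirect_uri = query.get("redirect_uri", [""])[0]
    return {
        "version": version,
        "tenant": tenant,
        "client_id": query.get("client_id", [""])[0],
        # Work/school accounts from any tenant: /common or /organizations.
        "any_org_tenant": tenant in ("common", "organizations"),
        # /consumers is the only segment that excludes work/school accounts.
        "work_school_accounts": tenant != "consumers",
        # Personal (MSA) accounts need the v2.0 endpoint AND /common or /consumers;
        # the v1.0 endpoint never admits them, whatever the tenant segment says.
        "personal_accounts": version == "v2.0" and tenant in ("common", "consumers"),
        # A code flow should carry a state value and an https redirect_uri.
        "has_state": bool(query.get("state", [""])[0]),
        "https_redirect": redirect_uri.startswith("https://"),
    }
```

Running `classify_authorize_url(V1_URL)` explains the error in the question: the URL is v1.0 on `/common`, so any Azure AD tenant's users can sign in but a personal account cannot.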

Can we use Face ID and NFC cards with Azure AD B2C login to avoid user submitting credentials every time they login?

We have several Azure AD B2C applications for user login. We are thinking of implementing hardware login to avoid users having to log in with credentials (username and password). They could just get logged in with NFC cards or Face ID.
An example of an app, which has been integrated using AppAuth for iOS with Azure AD B2C and uses Touch ID to protect access to the refresh tokens that are issued by Azure AD B2C, can be found at https://github.com/Azure-Samples/active-directory-b2c-advanced-policies/tree/master/AppSamples-iOS-TouchID-master.
You should be able to extend this to Face ID.

Azure AD B2B Invite API: disable verification

Our application is mainly used by internal users, who authenticate through AAD. Some pages need to be accessible to third-parties. Right now we are using custom tokens, but would like to switch to Azure AD B2B Invite API.
We just did some manual test runs and it seems to work exactly as expected, except for one thing: when inviting my standalone email address, I was asked to create a Microsoft account, which is fine. However, to do so, I had to first verify my email address (code sent to email) and then my phone (code sent via sms).
Is there any way to disable ideally both or at least the phone verification?
The only resource I found so far states that it's possible in B2C, which is not what we want.
Standalone email addresses have to undergo the invitation redemption process. In order to be able to invite people without redemption in Azure AD B2B you need an account with directory read permission on the partner's tenant. Then you can add that user to your tenant with the "Guest Inviter" role. That user can then add the users to your tenant without the invitation redemption process. Refer: Azure AD B2B: How to bulk add guest users without invitation redemption.