For my .NET 5 application I am trying to setup Azure AD B2C with local account identity provider with following assumptions:
user accounts are being created for users by administrators, they can have email address or phone number
possibility to login with phone number with One-Time-Password
possibility to login with email and at first login there is email verification with code and password reset/setup
I created userflow for phoneNumber/email, phone logging with OTP is working fine, the problem is with bolded part of last bullet. There is possibility to enable Self-Service-Password-Reset within just an email as local account identity provider userflow and it is working out of the box. But having selected Email/PhoneNumber local account identity provider there is no possibility to get use of that benefit.
I tried to make it as 2 separate userflows: Sign-In and Password-Reset. Again - phone login is working, but while trying to reset email account password I am receiving AADB2C90037 error from Azure.
Is it possible to meet such assumptions using userflow? I checked MS docs and couldn't find explicit anwser. If no, I am assuming I must use custom policy? In that scenario would it be better to use separate sign-in userflow and password reset custom policy, or single sign-in custom policy?
Regards
I Tried to reproduce the same in my environment to reset the password using email in Azure AD B2C, As I got below screen.
(https://i.imgur.com/keSlCCK.png)
Note: Make sure add the Azure B2C password reset policy in Visual Studio
Ex: password reset policy name, such as B2C_1_pwd_reset.
(https://i.imgur.com/seoQy48.png)
Create Application in Azure B2C Tenant
Go to Azure B2C Portal->Manage-> App registrations ->New Registration->Supported account types
(https://i.imgur.com/F598xIo.png)
Create a user flow:
Email-Password-reset for resetting the password.
Azure B2C Portal ->Policies ->Password Reset -> Recomended under Version
(https://i.imgur.com/KsAsdUz.png)
***Edit below VS Code as per the Values to reset the password using Email. ***
"AzureAdB2c": {
"Instance": "https://Tenant Name.b2clogin.com/%22",
"Domain": "Domain Name",
"TenantId": "Tenant ID",
"ClientId": "App Cleint ID",
"CallbackPath": "/signin-oidc",
"SignUpSignInPolicyId": "Signinsignup user flow Name",
"ResetPasswordPolicyId": "Reset User Flow Name",
},
"Logging": {
"LogLevel": {
"Default": "Information",
"Microsoft.AspNetCore": "Warning"
}
},
"AllowedHosts": "*"
}
Run the Visual Studio application and Click on Login/Forgot password,it will redirect to the below page.
Use the existing account credentials to reset the password using email.
(https://i.imgur.com/nTEHGCg.png)
Related
I am working on a authentication/authorization flow with keycloak. I have manually registered some users inside keycloak.
Now, I am using Azure AD as an IDP. When I am trying to login with Azure AD for some email address(email already exists in the keycloak), then I am getting error "User with email <EMAIL> already exists. How do you want to continue?"
Error Screen
My Requirement is to automatically merge my idp authenticated user with the existing keycloack user (same email) by skipping the above screen.
Is there a way to achieve this?
I don't want redundant users in the keycloak for the same email address.
We have an application that uses MSAL.js to authenticate customers to their Azure Active Directories via Active Directory B2C. In the future we will introduce other IDPs in the mix and connect them to the B2C as well. B2C is configured via custom policies. SSO session scope is currently set to Tenant.
The issue is that when user logs out of the application (and we call MSAL.js logout) I can see their ID and Access tokens are gone from the browser Local Storage, but they are are still logged in to their Azure AD because of other apps using it. So next time they login to the app B2C will not prompt them for credentials and automatically sign them in as long as they have AAD session active. I understand this is by design for B2C to support SSO, and we want SSO. However is there a way for a new user with different credentials to login fresh after the previous user logs out in the same browser session?
Set the prompt param to login. EG:
GET https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/authorize? prompt=login
Or using MSAL.js:
var request = {
prompt: 'login',
}
userAgentApplication.loginRedirect(request);
I added a user to my Azure Devops project but when they click on the link in the invitation email they get the "401 - Uh-oh, you do not have access." error. What am I doing wrong?
What I did that seems to have worked, was I made the project public, and the other user was able to access it. After they had accessed one time successfully I made it private again. They are still able to get to it.
First, check if your Azure DevOps organization is AAD based or not. Then that invited user should use corresponding account, work/school account for AAD based, personal account for the other. For example:
A highly specific 401 error case. In this case, both a personal Microsoft account and a work or school account (Azure AD) that have the same sign-in address exist. You've signed in with your work or school account, but your personal account is the identity with access to the organization.
More detail explanation you could take a look at our official documentation here:
Why can't I sign in after I select "personal Microsoft account" or
"work or school account"?
Although both identities use the same sign-in address, they're separate: they have different profiles, security settings, and permissions. Sign out completely from Azure DevOps by completing the following steps. Closing your browser might not sign you out
completely. Sign in again and select your other identity:
Close all browsers, including browsers that aren't running Azure DevOps.
Open a private or incognito browsing session.
Go to this URL: https://aka.ms/vssignout.
You see a message that says, "Sign out in progress." After you sign out, you're redirected to the Azure DevOps #dev.azure.microsoft.com webpage.
If the sign-out page takes more than a minute to sign you out, close the browser and continue.
Sign in to Azure DevOps again. Select your other identity.
Suggest you to use a InPrivate mode browser to login, then use your Microsoft Account to authenticate, also select personal account if you need to choose between a "work or school account" and my "personal account".
I associated with my other email (mymail#cn.waha.com) with my google account (jinchihe#gmail.com).
When I try to run the gcloud auth login mymail#cn.waha.com, open a web browser, and by default that's gmail and I selected the Use another account to input my other email and password, and then still show Google Cloud Sdk wants to access your Google Account jinchihe#gmail.com, I click Allow but screen shows
ERROR: (gcloud.auth.login) You attempted to log in as account [mymail#cn.waha.com] but the received credentials were for account [jinchihe#gmail.com].
Please check that your browser is logged in as account [mymail#cn.waha.com] and that you are using the correct browser profile.
Seems only can logged in by google account? How can I log in with my mymail#cn.waha.com, I need show mymail#cn.waha.com in gcloud info so pass authentication. Thanks!
You can sign in using one of the following identities:
Google account
Service account
Google group G Suite domain account
If your domain is part of the Google G suite domain then you should be able to log in, using third party domains (such a Hotmail, yahoo, etc) won't let you*. You state that you were able to "log in" into your account through the browser and "allow" the permission. After that you should see a code (random string of text) that you would have to copy and paste into the shell console before continuing the authentication.
*note: you can create a Google Account using a third party email domain, just go to the Create your Coogle Account page and click on "Use my current email address instead" to introduce your personal email (in your case "mymail#cn.waha.com").
Also, according to the error message, you are running the command with "mymail#cn.waha.com" but on the browser you are logging in with "jinchihe#gmail.com" account.
I am facing the following problem:
I have configured an application for single sign on in Azure AD but I get the following error code:
"{"error":"invalid_grant","error_description":"AADSTS65001: The user
or administrator has not consented to use the application with I.....
Send an interactive authorization request for this user and
resource.\r\nTrace ID: .....e"}'"
The permissions are as following:
Permission to other applications:
Windows Azure Active Directory:
Application Permissions: 0
Delegated Permissions: 1 = "Sign in and read user profile"
I have tried by clicking the tile in my apps in portal.office.com and by hitting the sign-on url directly. In the latter case I would expect to be redirected to an office365 page to authenticate myself and continue but instead I get the code above.
Any thoughts?