I am using Azure B2C to handle user access to my App. I have an issue with the reset password workflow.
As part of the reset password process a verification email is sent to the registered email address. However the default template for this is generic and does not look professional or in any way linked to my App.
Is there any way of customising this template? I have already customised the B2C HTML pages but cannot find a template for the email.
Thanks Ash
Azure AD B2C supports basic customization of emails sent by Azure AD B2C through Azure AD's Company Branding feature. Customization of the template is not supported at this time, though you can vote for that ask in the Azure AD B2C Feedback forum: Fully customizable verification emails
An alternative would be for you to avoid using the Reset Password policy at all and implement your own reset password mechanism which:
Generates its own codes
Sends its own emails
Has its own code redemption mechanism
Uses the Graph API to reset the user's password
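One way to build the four pieces listed above, as an added example that is not from the original answer or any Microsoft sample. It assumes the codes are emailed as 8-digit numbers, stored only as a hash keyed to the address, expire after 15 minutes, are single-use and allow a handful of attempts; the email sender and the Graph client are injected callables so the block runs offline. The Graph call is shown only as the request shape (PATCH /v1.0/users/{id} with a passwordProfile); the application permission and directory role the calling service principal needs must be checked against the current Graph documentation. The user lookup is a dict standing in for a directory query.

```python
"""Self-implemented password reset for B2C local accounts (added example, not from the original post)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

CODE_TTL_SECONDS = 15 * 60   # assumption: codes live 15 minutes
MAX_ATTEMPTS = 5             # assumption: 5 guesses per issued code


@dataclass
class PendingReset:
    code_hash: bytes
    expires_at: float
    attempts: int = 0


@dataclass
class ResetService:
    users: dict          # email -> directory object id (stand-in for a lookup against B2C)
    send_email: callable  # send_email(address, code); real code would render a branded template
    graph_patch: callable  # graph_patch(path, json_body); real code would call Microsoft Graph with an app token
    pending: dict = field(default_factory=dict)
    now: callable = time.time

    def _hash(self, email, code):
        # Bind the hash to the address so a code captured for one account cannot be replayed against another.
        return hashlib.sha256(f"{email}:{code}".encode()).digest()

    def request_reset(self, email):
        email = email.strip().lower()
        if email in self.users:
            code = "".join(secrets.choice("0123456789") for _ in range(8))  # ~26 bits, bounded by TTL and attempt cap
            self.pending[email] = PendingReset(self._hash(email, code), self.now() + CODE_TTL_SECONDS)
            self.send_email(email, code)
        # Identical response either way so the endpoint does not reveal which addresses are registered.
        return "If that address is registered, a reset code has been sent."

    def redeem(self, email, code, new_password):
        email = email.strip().lower()
        entry = self.pending.get(email)
        if entry is None or self.now() > entry.expires_at:
            self.pending.pop(email, None)
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self.pending[email]
            return False
        if not hmac.compare_digest(entry.code_hash, self._hash(email, code)):
            return False
        del self.pending[email]  # single use: a redeemed or exhausted code is gone
        body = {"passwordProfile": {"forceChangePasswordNextSignIn": False, "password": new_password}}
        self.graph_patch(f"/v1.0/users/{self.users[email]}", body)
        return True


if __name__ == "__main__":
    outbox, calls = [], []
    svc = ResetService({"ash@example.com": "11111111-2222-3333-4444-555555555555"},
                       send_email=lambda addr, c: outbox.append((addr, c)),
                       graph_patch=lambda path, body: calls.append((path, body)))
    print(svc.request_reset("ash@example.com"))
    print("redeemed:", svc.redeem("ash@example.com", outbox[0][1], "N3w-Passw0rd!"), calls)
```

The rate limit on request_reset (per address and per source IP) is left to the web layer; without it the uniform response still stops enumeration but not mailbox flooding.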
Azure has updated it.
Now, it is available here.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-email
Related
How do I use Azure B2C with Entity Framework, or any other back-end system?
The documentation for Azure B2C does not seem to discuss integration with back-end systems, and I'm at a loss as to how this is achieved.
I do not need the user to authenticate against the database, but I want to store user-specific data in the database. This could entail the use of a Users table, for example.
The design of the DB is up to you.
The normal way is to add the DB primary key of the user as an extension attribute for the user in B2C.
When the user logs in, get the extension attribute and pass it to an API that handles all the DB activity.
See MS documentation Use API connectors to customize and extend sign-up user flows and custom policies with external identity data sources
"you can verify that the email address provided by the user exists in your customer's database, and if not, present an error."
"Your RESTful service can receive the user's email address, query the customer's database, and return the user's loyalty number to Azure AD B2C"
You can use this example:
A B2C IEF Custom Policy which authenticates to AAD and calls a REST API for more claims
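An added example of the REST side of the API connector pattern described in this answer (it is not from the original post, the linked sample or Microsoft's docs). B2C posts the collected claims as JSON and expects a reply carrying "version" and "action"; the block handles the two outcomes the quoted documentation mentions, blocking unknown addresses and returning the loyalty number as a custom attribute claim. Assumptions: the connector is protected with HTTP basic auth (one of the options B2C offers), the extensions app id and the basic-auth credentials are placeholders, and the "customer database" is an in-memory SQLite table constructed here.

```python
"""B2C API connector handler (added example, not from the original post)."""
import base64
import hmac
import sqlite3

EXTENSIONS_APP_ID = "00000000000000000000000000000000"   # placeholder: your b2c-extensions-app client id without dashes
LOYALTY_CLAIM = f"extension_{EXTENSIONS_APP_ID}_loyaltyNumber"
BASIC_USER, BASIC_PASSWORD = "b2c-connector", "change-me"  # placeholders; keep the real values in a secret store


def build_customer_db():
    """Constructed stand-in for the customer database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (email TEXT PRIMARY KEY, loyalty_number TEXT NOT NULL)")
    db.executemany("INSERT INTO customers VALUES (?, ?)", [("ash@example.com", "LOY-10042")])
    return db


def basic_auth_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def _authorized(auth_header):
    if not auth_header or not auth_header.startswith("Basic "):
        return False
    try:
        presented = base64.b64decode(auth_header[6:], validate=True)
    except Exception:
        return False
    return hmac.compare_digest(presented, f"{BASIC_USER}:{BASIC_PASSWORD}".encode())


def handle_connector(db, body, auth_header):
    """Return (http_status, response_json) for one call from Azure AD B2C.

    `body` is the already-parsed JSON object B2C posts (it contains the claims
    collected so far, including "email" when the user entered one).
    """
    if not _authorized(auth_header):
        return 401, {"error": "unauthorized"}
    email = body.get("email")
    if not isinstance(email, str) or not email.strip():
        # ValidationError keeps the user on the page and shows the message on the field
        return 400, {"version": "1.0.0", "action": "ValidationError", "status": 400,
                     "userMessage": "Please enter the email address registered with us."}
    row = db.execute("SELECT loyalty_number FROM customers WHERE email = ?",
                     (email.strip().lower(),)).fetchone()  # parameterised: no SQL built from user input
    if row is None:
        return 200, {"version": "1.0.0", "action": "ShowBlockPage",
                     "userMessage": "We could not find an account for this email address."}
    # Continue and hand the loyalty number back to B2C as a custom attribute claim
    return 200, {"version": "1.0.0", "action": "Continue", LOYALTY_CLAIM: row[0]}


def demo():
    db = build_customer_db()
    hdr = basic_auth_header(BASIC_USER, BASIC_PASSWORD)
    return [handle_connector(db, {"email": "Ash@example.com"}, hdr),
            handle_connector(db, {"email": "nobody@example.com"}, hdr),
            handle_connector(db, {}, hdr),
            handle_connector(db, {"email": "ash@example.com"}, "Basic bm90OnJpZ2h0")]


if __name__ == "__main__":
    for status, resp in demo():
        print(status, resp)
```

Whatever framework hosts this, terminate TLS in front of it and keep the basic-auth secret out of the policy file history; B2C also supports client certificates for the connector, which avoids a shared secret altogether.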
I have an application that I integrated SSO into using Azure AD as the identity provider. There is an option in Azure AD to delete a user. So, the requirement is to sign out from my website when the user is deleted in Azure AD. We store the SAML token when the user is successfully authenticated. Is there any way to check whether the user exists or not using the SAML token?
Unfortunately, this is not possible by using SAML Token as of now.
Microsoft recently introduced Continuous Access Evaluation (CAE) for this purpose but the initial implementation of it focuses on Exchange, Teams, and SharePoint Online.
Continuous access evaluation enables services to subscribe to critical events in Azure AD so that those events can be evaluated and enforced in near real time. Some examples of these events are:
User Account is deleted or disabled
Password for a user is changed or reset
Multi-factor authentication is enabled for the user
Administrator explicitly revokes all refresh tokens for a user
High user risk detected by Azure AD Identity Protection
I have an Azure AD Tenant that is federated with ADFS.
ADFS has an attribute called "employeeNumber".
When a user authenticates against AAD for accessing our custom Web API, I would like the JWT provided by AAD to contain the claim "employeeNumber".
Once the user is authenticated against the custom Web API, the code must check the presence of this claim and its related value.
I've found some tutorials for doing something like this but they refer to SaaS applications.
Attribute sync tutorial
Custom applications registered in AAD don't have the option "provisioning" that the above link refers to.
Thank you.
Are you using AAD Connect?
That needs to be configured to pass the attribute.
Then you need to tell Azure AD to pass the attribute by modifying the manifest.
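An added example of the manifest change this answer refers to (it is not from the original post). It assumes AAD Connect has already been configured to synchronise the on-premises employeeNumber attribute as a directory extension, and that the extension keeps the name employeeNumber; directory extensions are requested in the app manifest as optional claims under the "extn." prefix, so the access token your Web API receives would carry a claim named extn.employeeNumber.

```json
{
  "optionalClaims": {
    "idToken": [],
    "accessToken": [
      {
        "name": "extn.employeeNumber",
        "source": "user",
        "essential": false,
        "additionalProperties": []
      }
    ],
    "saml2Token": []
  }
}
```

On the Web API side, validate the token's signature, issuer and audience before reading any claim, and treat a missing or empty extn.employeeNumber as a deny rather than a default: "essential" only affects what AAD does at issuance, not what your API accepts.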
I'm working on a project for an education institution and we currently have live@edu set up with the SSO Toolkit 4.5. We have a portal (home grown) that our users log in to using their AD credentials (local AD only) and then we wire up the certificate to pass up to live@edu so they're not prompted again for login creds when they view their MS mail.
MS is going to stop support for this methodology at the end of the year and so we're now in the process of upgrading our environment to work with Office 365 education. As such, we have set up an ADFS with an Azure AD but I'm struggling getting a process in place where our users still only need to enter their login credentials once on our portal (which is externally facing) and then providing them with a token that will persist on their trip to Office 365. Right now it works as follows: users go to portal.microsoftonline.com and enter their email address. When they tab out of that field, MS checks and finds our domain so then redirects the user back to a login page for our ADFS solution. At this point, users are required to log in again (if they're not already logged in) or they're taken to the MS offerings.
Bottom line, instead of making a "single" sign on solution, they've added more places that our users need to provide their credentials (or just username (email address)).
I'm wondering if there's a solution we can provide to our users similar to the SSO Toolkit 4.5 way of doing things where we can authenticate our users only once on our portal, then provide them access to the O365 services?
I'm not an infrastructure guy at all so I may have provided some misinformation above as to how we have things set up. What I do know from our current implementation is that we need to use "WS-Federation".
I'm wondering if a SAML approach would solve the issue I've described above and let us just challenge for credentials once on our portal page.
any ideas or suggestions would be greatly appreciated.
TIA
This is indeed possible. Read about AzureAD access panel (http://blogs.technet.com/b/ad/archive/2014/10/30/customize-your-app-sso-experience-with-azure-ad.aspx)
1) User will navigate to https://myapps.microsoft.com/{your_school_domain_name.edu}
2) They will be directly redirected to your ADFS server for sign-in
3) Once they sign in they will see the list of apps assigned to them (including O365 apps)
4) Click on the OWA/SharePoint icon and navigate to the app without having to sign in again.
If you quickly want to test 1) and 2), open an in-private/incognito browser and navigate to https://myapps.microsoft.com/microsoft.com - you will not see the O365 or Azure AD sign-in page - instead you'll be taken directly to the MSIT ADFS sign-in page.
Hope this helps.
I am in the process of scoping out what's involved in setting up single sign-on using SAML and ADFS. A query has come back that I can't answer and can't seem to find anywhere.
Is it possible to carry out the usual user profile actions via ADFS? For example :
Can I register new users via ADFS?
Can I provide forgotten password / reset password functionality via ADFS?
I'm getting confused and have a feeling I am barking up the wrong tree!
No, AD FS only delivers security tokens for Active Directory accounts, after providing some form of credentials for such an account. It does not make any kind of changes in Active Directory, nor anywhere else.
No, AD FS has no 'reset password' functionality. However, the AD FS sign-in pages can be customized, and the functionality to change the (AD) password can be added by customizing/creating the appropriate ASP.NET pages. Been there, done that. Unfortunately I cannot share that code.
(This answer applies to AD FS 2.0 only; I'm not sure about AD FS 1.0.)
#Marnix is correct - ADFS is an "Access Manager" not an "Identity Manager".
As you can customise pages, there is nothing stopping you creating provisioning pages or adding links to a provisioning system.
Word to the wise: The "standard" ASP.NET membership pages provision to a SQL DB which won't help you. ADFS authenticates against AD only. You need to use AD membership.
Also, for internal users who login to their desktop with WIA and SSO behind the scenes with ADFS, you get the standard password functionality e.g. password about to expire, change password etc.
In addition to that: Microsoft has another product which integrates with ADFS (and other auth mechanisms) called Forefront Identity Manager which provides password reset / user self management as well as account creation via delegated fine-grained rights. All that using a web interface.
I guess that is what you're looking for.
However: ADFS itself is only a tool to provide federation and SSO - so it's there for authentication / delegation, not management.