How to add email verification after each sign in, Azure AD b2c, custom policy

Iria Poncela Blanco 1 Reputation point
2022-12-05T23:55:21.507+00:00

Hi,
This is the scenario that I have got for an only sign in policy:
1.- user introduces email and password.
2.- user receives OTP to his signing email address.
3.- user introduces otp and gets verified.
4.- user is signed in and token is issued.

Using the policies in the starter pack I have tried the following:

<UserJourney Id="SignIn">  
            <OrchestrationSteps>  
                <OrchestrationStep Order="1"  
                                   Type="CombinedSignInAndSignUp"  
                                   ContentDefinitionReferenceId="api.localaccountsignin">  
                    <ClaimsProviderSelections>  
                        <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />  
                    </ClaimsProviderSelections>  
                    <ClaimsExchanges>  
                        <ClaimsExchange Id="LocalAccountSigninEmailExchange"  
                                        TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />  
                    </ClaimsExchanges>  
                </OrchestrationStep>  
                <!-- This step reads any user attributes that we may not have received when in the token. -->  
                <OrchestrationStep Order="2"  
                                   Type="ClaimsExchange">  
                    <ClaimsExchanges>  
                        <ClaimsExchange Id="AADUserReadWithObjectId"  
                                        TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />  
                    </ClaimsExchanges>  
                </OrchestrationStep>  
                <OrchestrationStep Order="3"  
                                   Type="SendClaims"  
                                   CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />  
                <!-- Track that we have successfully sent a token -->  
            </OrchestrationSteps>  

The problem is that I am stack at this point: I have changed the following technical profile:

            <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">  
                <DisplayName>Local Account Signin</DisplayName>  
                <Protocol Name="Proprietary"  
                          Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />  
                <Metadata>  
                    <Item Key="SignUpTarget">SignUpWithLogonEmailExchange</Item>  
                    <Item Key="setting.operatingMode">Email</Item>  
                    <Item Key="ContentDefinitionReferenceId">api.localaccountsignin</Item>  
                    <Item Key="IncludeClaimResolvingInClaimsHandling">true</Item>  
                </Metadata>  
                <IncludeInSso>false</IncludeInSso>  
                <InputClaims>  
                    <InputClaim ClaimTypeReferenceId="signInName"  
                                DefaultValue="{OIDC:LoginHint}"  
                                AlwaysUseDefaultValue="true" />  
                    <!--InputClaim ClaimTypeReferenceId="email" /-->  
                </InputClaims>  
                <OutputClaims>  
                    <!--OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="Verified.Email" Required="true" /-->  
                    <OutputClaim ClaimTypeReferenceId="signInName"  
                                 Required="true" />  
                    <OutputClaim ClaimTypeReferenceId="password"  
                                 Required="true" />  
                    <OutputClaim ClaimTypeReferenceId="objectId" />  
                    <OutputClaim ClaimTypeReferenceId="authenticationSource" />  
                </OutputClaims>  
                <ValidationTechnicalProfiles>  
                    <ValidationTechnicalProfile ReferenceId="login-NonInteractive" />  
                </ValidationTechnicalProfiles>  
                <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />  
            </TechnicalProfile>  

But the user verifies the email first then, asks for username and password, so there are 2 places where to put the email address (wrong), and the verification comes before the authentication. How do I fix this?

Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,610 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Akshay-MSFT 15,856 Reputation points Microsoft Employee
    2022-12-08T06:44:46.87+00:00

    Hello @Iria Poncela Blanco

    Thank you for posting your query on Microsoft Q&A. From the description I was able to conclude that you are looking for MFA via email at each sign-in attempt.

    This could be achieved via Email Multi-factor authentication.

    • At Sign In, the email address authenticated with is copied into a read only attribute readOnlyEmail via an input claim transformation in the EmailVerifyOnSignIn technical profile.
    • The readOnlyEmail claim is passed as an input claim to the EmailVerifyOnSignIn self asserted technical profile to validate the email address via verification code. This is made possible by using PartnerClaimType="Verified.Email" in the output claims section.
    • The user journey only calls the EmailVerifyOnSignIn self-asserted technical profile if the user is not a new user. This bypasses this particular step if the user is signing up.

    Kindly refer to samples for testing this further and let me know if you have any queries in the comments section.

    Thanks,
    Akshay Kaushik

    Please "Accept the answer", "Upvote" and rate your experience if the suggestion works as per your business need. This will help us and others in the community as well.

    0 comments No comments