User discovery using username without email or phone number - custom policy

Hitesh 1 Reputation point
2022-09-12T19:45:14.347+00:00

We have an existing SSO that allows users to reset the password using a username. The following are the steps of the current flow, and we want to keep the same with the B2C custom policy.

  • User clicks on the reset password link
  • enters username
  • System discovers the account using the username and returns the masked email and phone number if they are linked to the account
  • user selects an email or phone number option and verifies the account using either method

In B2C, I couldn't find an option to discover the account using the username; everything starts with an email address or phone number. I have tried using Graph API User search; however, I couldn't make it work with a custom policy.

Note: we have many users who are either kids or older people without email or phone numbers. They use someone else's email or phone number linked to their account. So the same email cannot be used by multiple users. Can we use any other system design with B2C to achieve this?


1 answer

  1. Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator
    2022-09-13T06:44:27.437+00:00

    Hello @Hitesh and thanks for reaching out. In order to read a user using the username you have to call the AAD-UserReadUsingAlternativeSecurityId or AAD-UserReadUsingAlternativeSecurityId-NoError technical profile. Input claim is alternativeSecurityId. E.g.

       <TechnicalProfile Id="AAD-UserReadUsingAlternativeSecurityId">  
         <Metadata>  
           <Item Key="Operation">Read</Item>  
           <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>  
           <Item Key="UserMessageIfClaimsPrincipalDoesNotExist">User does not exist. Please sign up before you can sign in.</Item>  
         </Metadata>  
         <InputClaims>  
           <InputClaim ClaimTypeReferenceId="alternativeSecurityId" PartnerClaimType="alternativeSecurityId" Required="true" />  
         </InputClaims>  
         <OutputClaims>  
           <!-- Required claims -->  
           <OutputClaim ClaimTypeReferenceId="objectId" />  
           <!-- Optional claims -->  
           <OutputClaim ClaimTypeReferenceId="userPrincipalName" />  
           <OutputClaim ClaimTypeReferenceId="displayName" />  
           <OutputClaim ClaimTypeReferenceId="otherMails" />  
           <OutputClaim ClaimTypeReferenceId="givenName" />  
           <OutputClaim ClaimTypeReferenceId="surname" />  
         </OutputClaims>  
         <IncludeTechnicalProfile ReferenceId="AAD-Common" />  
       </TechnicalProfile>  
    

    Regarding MS Graph you need to filter by the identities properties. E.g.

    GET https://graph.microsoft.com/v1.0/users?$filter=identities/any(x:x/issuerAssignedId eq 'username' and x/issuer eq 'yourtenant.onmicrosoft.com')

    Let us know if you need additional assistance. If the answer was helpful, please accept it and complete the quality survey so that others can find a solution.
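As an added example (not code from the question or the answer above), the following script implements the reset-flow lookup the question describes on top of the Graph `identities` filter the answer points at: take a username, query Graph for the matching local account, and return only masked contact options for the user to pick from. It assumes the B2C tenant's issuer is `contoso.onmicrosoft.com`, that the linked email and phone live in `otherMails` and `mobilePhone`, and that an app-only token with permission to read users is available; the `SAMPLE_RESPONSE` is constructed, not real tenant data.

```python
"""Username -> Graph lookup -> masked contact options for a B2C reset flow."""
import json
import re
import urllib.parse
import urllib.request

GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"

# Constructed sample of what Graph returns for the $filter/$select below;
# not a real tenant, user or identifier.
SAMPLE_RESPONSE = {
    "value": [
        {
            "id": "00000000-0000-0000-0000-000000000001",
            "otherMails": ["hitesh@example.com"],
            "mobilePhone": "+1 555 123 4589",
            "identities": [
                {"signInType": "userName",
                 "issuer": "contoso.onmicrosoft.com",
                 "issuerAssignedId": "jdoe"}
            ],
        }
    ]
}


def odata_quote(value: str) -> str:
    """Quote a string literal for an OData $filter; single quotes are doubled.
    Without this a username such as  jdoe' or x  could alter the filter."""
    return "'" + value.replace("'", "''") + "'"


def build_user_filter(username: str, issuer: str) -> str:
    """Graph only supports filtering identities on issuer and issuerAssignedId
    together, so both are required. issuer is the tenant's default domain
    (assumed to be contoso.onmicrosoft.com in the example run)."""
    return "identities/any(c:c/issuerAssignedId eq {} and c/issuer eq {})".format(
        odata_quote(username), odata_quote(issuer))


def build_request_url(username: str, issuer: str) -> str:
    params = {
        "$filter": build_user_filter(username, issuer),
        # otherMails and mobilePhone are assumed to hold the linked contact
        # details; substitute whatever attributes the tenant actually uses.
        "$select": "id,otherMails,mobilePhone,identities",
    }
    return GRAPH_USERS + "?" + urllib.parse.urlencode(
        params, quote_via=urllib.parse.quote)


def mask_email(email: str) -> str:
    """h***@example.com: first character of the local part plus the domain.
    The mask is fixed-length so the local part's length is not leaked."""
    local, _, domain = email.partition("@")
    if not domain:
        return "***"
    return local[:1] + "***@" + domain


def mask_phone(phone: str) -> str:
    """******89: only the last two digits, again behind a fixed-length mask."""
    digits = re.sub(r"\D", "", phone)
    return "*" * 6 + digits[-2:]


def discover_contact_options(graph_response: dict):
    """Turn a Graph users response into the masked options the reset page
    shows. None when no account matched; ambiguity is an error, never a guess."""
    users = graph_response.get("value", [])
    if not users:
        return None
    if len(users) > 1:
        raise ValueError("username matched more than one account")
    user = users[0]
    emails = user.get("otherMails") or []
    phone = user.get("mobilePhone")
    return {
        "objectId": user["id"],
        "email": mask_email(emails[0]) if emails else None,
        "phone": mask_phone(phone) if phone else None,
    }


def _graph_get(url: str, token: str) -> dict:
    """Real call; needs an app token allowed to read users in the tenant."""
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def lookup_user(username: str, issuer: str, token: str, http_get=_graph_get):
    """Full flow: username -> Graph filter -> masked contact options.
    http_get is injectable so the flow can be exercised offline."""
    return discover_contact_options(
        http_get(build_request_url(username, issuer), token))


if __name__ == "__main__":
    print(lookup_user("jdoe", "contoso.onmicrosoft.com", "<token>",
                      http_get=lambda url, token: SAMPLE_RESPONSE))
```

Two points worth keeping when wiring this into a real policy or API: the lookup endpoint answers differently for existing and non-existing usernames, so rate-limit it and consider returning a uniform "if the account exists, we sent a code" response instead of the options list; and never return the raw email or phone to the browser, only the masked form plus an opaque handle for the option the user picks.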

