Is it possible to create a hidden/private custom policy in Azure?

Mixalis Nikitaras 21 Reputation points
2022-11-08T14:15:26.46+00:00

Hi everyone. I have a normal sign up-sign in flow for the users implemented that requires e-mail verification before the user is registered successfully. However, sometimes the verification code is never received from the customer due to corporate filtering or any other reason.
Is it possible to implement another additional hidden/private signup-signin user flow or custom policy, that allows the user (or me ) to complete the registration without verifying the e-mail address? I want the verificationless policy to work in addition to the normal policy and only for specific cases. I don't want to have a verificationless policy active publicly, because that would compromise the security of the system and make it vulnerable to possible attackers.

Example Case #1: A user tries to register normally. He never receives the verification e-mail. He contacts us, and we enable the otherwise hidden user - flow allowing him (and only him) to complete his registration without verifying the e-mail.

Example Case #2: A user tries to register normally. He never receives the verification e-mail. He contacts us, and we register the user with the specific e-mail and a random (or manually generated) password. We provide the details to the user, and he can sign in successfully.

Is any of these 2 cases possible either with enabling a "private" user flow or custom policy? Any other suggestions for this would be much appreciated.

Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,701 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Shweta Mathur 28,691 Reputation points Microsoft Employee
    2022-11-14T12:42:31.39+00:00

    Hi @Mixalis Nikitaras ,

    Thanks for reaching out and apologies for delay in response.

    Yes, it is possible to register user without email verification. This can be achieved using both user flow and custom policy.

    https://learn.microsoft.com/en-us/azure/active-directory-b2c/disable-email-verification?pivots=b2c-user-flow

    But, as mentioned by you it leads to serious security issues and spam the invalid users in your B2C. I understand you are looking for private user flow or custom policy to handle the verification by administrator only.

    Unfortunately, we don't have any hidden flow to verify user by admin.

    Case 1# However, you can register the user after disabled email verification using local account sign up and then block the user sign in from the portal by navigating to the register user's profile.

    260106-image.png

    If the user's wants to sign in, can contact you and then you can enable user to sign into your application.

    Case 2# You can add the user in B2C manually or using Graph API endpoint with random generated password, which you can provide to user to sign into your application directly without require signup from the user.

    https://learn.microsoft.com/en-us/graph/api/user-post-users?view=graph-rest-1.0&tabs=http#example-2-create-a-user-with-social-and-local-account-identities

    Hope this will help.

    Thanks,
    Shweta

    ---------------------------

    Please remember to "Accept Answer" if answer helped you.

    0 comments No comments