Failing authentication in B2C based on condition

Arturo 46 Reputation points
2019-11-13T14:55:59.287+00:00

How can I make a user journey fail and return message to UI or client based on conditions?

Microsoft Entra External ID

Accepted answer
  1. FrankHu-MSFT 976 Reputation points
    2019-11-13T22:20:33.497+00:00

    Hello Artmasa,

    You should be able to utilize the validation technical profile that is described here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/validation-technical-profile

    Here you can customize the error and what items to check.

    Per the doc:
    *A validation technical profile can be conditionally executed based on preconditions defined in the ValidationTechnicalProfile element. For example, you can check whether a specific claim exists, or if a claim is equal or not to the specified value.*

    In addition to that you can also utilize REST API Validation for even more customization, this is documented here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-rest-api-validation-custom

    From the doc:

    Include the RESTful service claims exchange in self-asserted technical profile where you want to validate the user input
    The most common use of the validation step is in the interaction with a user. All interactions where the user is expected to provide input are self-asserted technical profiles. For this example, we will add the validation to the Self-Asserted-ProfileUpdate technical profile. This is the technical profile that the relying party (RP) policy file Profile Edit uses.
    To add the claims exchange to the self-asserted technical profile:
    Open the TrustFrameworkBase.xml file and search for .
    Review the configuration of this technical profile. Observe how the exchange with the user is defined as claims that will be asked of the user (input claims) and claims that will be expected back from the self-asserted provider (output claims).
    Search for TechnicalProfileReferenceId="SelfAsserted-ProfileUpdate, and notice that this profile is invoked as orchestration step 5 of .

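The REST API validation route the answer points to relies on the service returning HTTP 409 with a JSON error body, which makes B2C stop the orchestration step and show `userMessage` to the user. The following is an added example, not code from the answer or from the Microsoft docs: a minimal validation endpoint that applies a constructed business rule (an email-domain allowlist) to the input claims B2C posts, and answers with either 200 plus output claims or 409 plus the contract's error body. The allowlist, the `organisation` output claim and the `email` claim name are assumptions for the example.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed rule for the example: only these email domains may continue.
ALLOWED_DOMAINS = {"contoso.com", "fabrikam.com"}


def validate_claims(claims: dict) -> tuple:
    """Return (http_status, json_body) following the B2C REST validation contract.

    200 -> validation passed; body can carry claims back into the journey.
    409 -> validation failed; B2C halts the step and shows userMessage.
    """
    email = str(claims.get("email", "")).strip().lower()
    domain = email.rsplit("@", 1)[-1] if "@" in email else ""
    if domain not in ALLOWED_DOMAINS:
        return 409, {
            "version": "1.0.0",
            "status": 409,
            "userMessage": "Sign-in is restricted to approved organisations.",
            # Keep developerMessage generic; it must not leak rule internals.
            "developerMessage": "input claim rejected by validation rule",
        }
    # Success: 'organisation' is a constructed output claim name for this example.
    return 200, {"version": "1.0.0", "status": 200, "organisation": domain}


class ValidationHandler(BaseHTTPRequestHandler):
    """Receives the JSON claims B2C posts and writes the contract response."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        try:
            claims = json.loads(self.rfile.read(length) or b"{}")
        except json.JSONDecodeError:
            claims = {}  # malformed body falls through to a 409 rejection
        status, body = validate_claims(claims)
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    # Local test only; B2C itself requires an HTTPS endpoint with authentication
    # configured on the RESTful technical profile.
    HTTPServer(("127.0.0.1", 8080), ValidationHandler).serve_forever()
```

Reference this endpoint from the RESTful technical profile that the self-asserted profile lists under its ValidationTechnicalProfiles; the 409 body above is what surfaces as the UI error text.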
