B2C sign up and disposable email addresses

Question

B2C sign up and disposable email addresses

Louis 0

Dear Community,

Do you perhaps know of a solution to prevent sign-up to Azure B2C from a disposable / hide my email service such as [https://www.1secmail.com/]

Thank you

2 answers

Your answer

Answer 1

TP 126.4K Volunteer Moderator

Hi Louis,

What you could do is send the email address to your own REST API and it would check the address using one of the email validation services that can detect disposable addresses. If your service gets a result back that the address is fake/disposable, then you would return an error response which would block the sign-up.

It appears that below sample code be modified to do what you need:

https://github.com/azure-ad-b2c/rest-api

To find an API service that can detect disposable addresses, if you search the web for "email validation api service disposable" you will get multiple to choose from.

Please click Accept Answer if the above was useful.

Thanks.

-TP

Louis 0 Reputation points

2023-07-10T06:17:14.71+00:00

Thank you TP, appreciate the feedback and input. Do you perhaps know if the Azure B2C P2 SKU (or another solution) can assist against sign-ups from BOTS via an API using these disposable email services?
TP 126.4K Reputation points Volunteer Moderator

2023-07-10T07:00:53.8433333+00:00

Hi Louis, yes, Azure B2C has the necessary plumbing to do what you need via a Validation Technical Profile, however, you will need to have your own custom REST API as I mentioned above. There is some programming that will be required.

I'm not aware of a pre-built solution in Azure B2C P2 SKU that allows you to do the validation against one of the disposable email detection services without any coding/customization.
Louis 0 Reputation points

2023-07-10T07:31:56.64+00:00

Thank you TP for your continued support. Will Azure B2C P2 however protect sign up coming from a Malicious IP address or BOT? I am just trying to understand if a P2 can add an additional layer of security for sign up. It looks like it does add additional protection for sign in.
TP 126.4K Reputation points Volunteer Moderator

2023-07-10T08:54:10.7033333+00:00

You can use small number of the risk detections in Identity Protection as an additional layer, yes. For example, you might see report of sign-ins detected as Malicious IP and decide you want to disable those accounts. Note that Malware IP detection is listed under B2C, but this has been deprecated so wouldn't work. Malicious IP isn't listed for B2C, so unsure if my example above would work for B2C or not. Please see article:

https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-protection-investigate-risk?pivots=b2c-user-flow#service-limitations-and-considerations

Regardless, I think blocking sign ups from disposable addresses will be important as first line defense to cut down on garbage.
Louis 0 Reputation points

2023-07-11T07:00:50.64+00:00

Hello TP-

Sincerely appreciate your input. Thank you once again!

Answer 2

Hei @Louis Coetzee

Thank you for contacting Microsoft community.

The kind of domains you refer to provide an email address for a limited time, ranging from a couple of minutes to a couple of hours.

The whole purpose of such email addresses is to enable the user to bypass immediate email validation.

Most people end up using most famous ones and this here gives an opportunity to manually identify these top domains.

A google search for "disposable email domains database" will lead to several sources that have similar lists.

One example is this GITHUB repo here

It is possible to use these domains to create a custom API or a precondition that responds when a user inputs an email that matches the identified email domains.

The following thread has a discussion that deals with similar issue, here

Please mark this as answer if it helped.

Louis 0 Reputation points

2023-07-10T06:17:51.4366667+00:00

Thank you Dashanan, appreciate the feedback and input. Do you perhaps know if the Azure B2C P2 SKU (or another solution) can assist against sign-ups from BOTS via an API using these disposable email services?

Share via

B2C sign up and disposable email addresses

2 answers

Your answer