This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 53%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPD%3C/text%3E%3C/svg%3E)
I have started using custom policies for our B2C Tenant and while doing so I had the requirement that the email confirmation has to be done on a separate page. As such, I added an extra step after the signup form on which I implemented the email confirmation UI component. The user is only written to B2C after that email confirmation is done. My problem is now, that if I add the ValidationTechnicalProfile "AAD-UserWriteUsingLogonEmail" right in the signup form with all the fields it creates the user just as intended, but if I wait with it until the second journey step where I confirm the email address, the user is created with all intended data, but is always disabled. Even if I add the accountEnabled variable manually and set it to true, the user is still disabled. When debugging in Azure insights, the claim for accountEnabled is always true in all steps, but the audit log on the Azure platform for creating the user shows the claim as false in the modified properties tab. Is there anything that B2C requires for it to not automatically disable the user? The first step that gathers user data:
<TechnicalProfile Id="LocalAccountSignUpWithLogonEmailCustom">
<DisplayName>Email signup</DisplayName>
<Protocol
Name="Proprietary"
Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"
/>
<Metadata>
<Item Key="ContentDefinitionReferenceId">api.localaccountsignup</Item>
<Item Key="language.button_continue">Create</Item>
</Metadata>
<CryptographicKeys>
<Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
</CryptographicKeys>
<InputClaimsTransformations>
<InputClaimsTransformation ReferenceId="GetCurrentDateTime" />
</InputClaimsTransformations>
<InputClaims>
<InputClaim
ClaimTypeReferenceId="extension_termsOfUseConsentChoice"
DefaultValue="AgreeToTermsOfUseConsentNo"
/>
</InputClaims>
<DisplayClaims>
<DisplayClaim ClaimTypeReferenceId="email" Required="true" />
<DisplayClaim ClaimTypeReferenceId="newPassword" Required="true" />
<DisplayClaim ClaimTypeReferenceId="reenterPassword" Required="true" />
<DisplayClaim ClaimTypeReferenceId="givenName" Required="true" />
<DisplayClaim ClaimTypeReferenceId="surName" Required="true" />
<DisplayClaim ClaimTypeReferenceId="extension_companyName" />
<DisplayClaim ClaimTypeReferenceId="country" />
<DisplayClaim ClaimTypeReferenceId="city" />
<DisplayClaim ClaimTypeReferenceId="extension_termsOfUseConsentChoice" Required="true" />
</DisplayClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="Email" Required="true" />
<OutputClaim ClaimTypeReferenceId="newPassword" Required="true" />
<OutputClaim ClaimTypeReferenceId="reenterPassword" Required="true" />
<OutputClaim ClaimTypeReferenceId="executed-SelfAsserted-Input" DefaultValue="true" />
<OutputClaim ClaimTypeReferenceId="authenticationSource" />
<OutputClaim ClaimTypeReferenceId="newUser" />
<!-- Optional claims, to be collected from the user -->
<OutputClaim ClaimTypeReferenceId="givenName" />
<OutputClaim ClaimTypeReferenceId="surName" />
<OutputClaim ClaimTypeReferenceId="extension_companyName" />
<OutputClaim ClaimTypeReferenceId="country" />
<OutputClaim ClaimTypeReferenceId="city" />
<OutputClaim ClaimTypeReferenceId="extension_termsOfUseConsentChoice" Required="true" />
</OutputClaims>
</TechnicalProfile>
The second step that checks the email and then writes the user:
<TechnicalProfile Id="verifyEmailsignup">
<DisplayName>Verify email signup</DisplayName>
<Protocol Name="Proprietary"
Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<Metadata>
<Item Key="ContentDefinitionReferenceId">api.selfasserted</Item>
</Metadata>
<CryptographicKeys>
<Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
</CryptographicKeys>
<InputClaimsTransformations>
<InputClaimsTransformation ReferenceId="GetLocalizedStringsForEmail" />
<InputClaimsTransformation ReferenceId="CreateReadonlyEmailClaim" />
</InputClaimsTransformations>
<InputClaims>
<InputClaim ClaimTypeReferenceId="email" />
<InputClaim ClaimTypeReferenceId="readOnlyEmail" />
</InputClaims>
<DisplayClaims>
<DisplayClaim DisplayControlReferenceId="emailVerificationControlSignup" />
</DisplayClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="objectId" />
<OutputClaim ClaimTypeReferenceId="readOnlyEmail" Required="true" />
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="Email" Required="true" />
<OutputClaim ClaimTypeReferenceId="newPassword" Required="true" />
<OutputClaim ClaimTypeReferenceId="reenterPassword" Required="true" />
<OutputClaim ClaimTypeReferenceId="executed-SelfAsserted-Input" DefaultValue="true" />
<OutputClaim ClaimTypeReferenceId="authenticationSource" />
<OutputClaim ClaimTypeReferenceId="newUser" />
<!-- Optional claims, to be collected from the user -->
<OutputClaim ClaimTypeReferenceId="givenName" />
<OutputClaim ClaimTypeReferenceId="surName" />
<OutputClaim ClaimTypeReferenceId="extension_companyName" />
<OutputClaim ClaimTypeReferenceId="country" />
<OutputClaim ClaimTypeReferenceId="city" />
<OutputClaim ClaimTypeReferenceId="extension_termsOfUseConsentChoice" Required="true" />
</OutputClaims>
<ValidationTechnicalProfiles>
<ValidationTechnicalProfile ReferenceId="UserInputDisplayNameGenerator" />
<ValidationTechnicalProfile ReferenceId="AAD-UserWriteUsingLogonEmail" />
</ValidationTechnicalProfiles>
</TechnicalProfile>
UPDATE:
After escalating this issue for a while, it turns out that the password value can only be used on the step that it was collected on for security purposes. As such, creating the user on any subsequent step always creates it without a password and that means that the user is disabled.
In my project, I am now creating the user already on the password form step but disable it myself and then reenable it again after checking the email later. I hope this helps.
After escalating this issue for a while, it turns out that the password value can only be used on the step that it was collected on for security purposes. As such, creating the user on any subsequent step always creates it without a password and that means that the user is disabled.
In my project, I am now creating the user already on the password form step but disable it myself and then reenable it again after checking the email later. I hope this helps.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 20%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Hi @Pietrykiewicz, Dorian (XCNT-DE) ,
Thanks for reaching out.
Based on the information you provided, it seems that you are using the "AAD-UserWriteUsingLogonEmail" technical profile to create the user. This technical profile is responsible for writing the user to Azure AD B2C.
To enable the user account, you need to set the "accountEnabled" claim to "true" in the output claims of the technical profile. You can do this by adding the following line to the output claims of the "AAD-UserWriteUsingLogonEmail" technical profile:
<OutputClaim ClaimTypeReferenceId="accountEnabled" DefaultValue="true" />
This should enable the user account when it is created. Please note that you need to add this line to the output claims of the technical profile that is responsible for creating the user, not the one that is responsible for verifying the email address. Hope this will help.
Thanks,
Shweta
Please remember to "Accept Answer" if answer helped you.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 96%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYR%3C/text%3E%3C/svg%3E)
@Shweta Mathur
I have the same problem.
The user is written to B2C after the email verification.
I tried your suggestion, its not working.
I have set below output claim to AAD-UserWriteUsingLogonEmail Technical Profile
<OutputClaim ClaimTypeReferenceId="accountEnabled" DefaultValue="true" />
and below line to PersistedClaims to AAD-UserWriteUsingLogonEmail Technical Profile
<PersistedClaim ClaimTypeReferenceId="accountEnabled" DefaultValue="true" AlwaysUseDefaultValue="true"/>
The account that was created is still disabled by default. Can you have a look at this?
We escalated this issue to some engineers that work on B2C and it turns out that the password can only be used exactly on the step that it is input. Any user created in further steps has no password and is therefore disabled. There is no way to change this behavior and as such I changed my project to create the user on the passwords form but disable the user first and then check the email afterward and use it to enable the user again.
@Pietrykiewicz, Dorian (XCNT-DE) Thanks for the swift response. I will change my policy to handle this.
i wish Microsoft had documented this behaviour, it would have saved a lot of time.
This whole ordeal took over a month until I got my answer and I made it clear this should be documented but I guess it hasn't happened yet... But at least I updated my question here for now to show this information, so maybe it will help a few people.