Azure AD B2C: Multi-Tenant Entra ID automatically enable accounts

Jeremy Ramsey 0 Reputation points
2024-04-18T02:52:45.0033333+00:00

I have followed this tutorial to set up sign-in for multitenant Microsoft Entra ID using custom policies in Azure Active Directory B2C. Everything is working except all newly created accounts are disabled by default. I would like to have all new accounts (either local or via social logins) to automatically be enabled.

I found a similar question, but as far as I can tell, the AAD-UserWriteUsingLogonEmail technical profile is not being used. The closest thing I could find was the AAD-UserWriteUsingAlternativeSecurityId profile, but neither adding <OutputClaim ClaimTypeReferenceId="accountEnabled" DefaultValue="true" /> nor <PersistedClaim ClaimTypeReferenceId="accountEnabled" DefaultValue="true" /> had any effect on automatically enabling the account.

Given the flow from the tutorial, where is the proper place to have the accountEnabled set to true?


1 answer

  1. James Hamil 21,776 Reputation points Microsoft Employee
    2024-04-18T19:44:00.68+00:00

    Hi @Jeremy Ramsey, here's an example using AAD-UserWriteUsingAlternativeSecurityId. If this doesn't work we can open a support ticket and see what's going on.

    Add the following line to the AAD-UserWriteUsingAlternativeSecurityId technical profile:

    <PersistedClaim ClaimTypeReferenceId="accountEnabled" DefaultValue="true" />

    This will set the accountEnabled attribute to true for all newly created accounts. Make sure to add this line within the PersistedClaims element of the technical profile.

    Here's an example of what the AAD-UserWriteUsingAlternativeSecurityId technical profile should look like with the accountEnabled attribute added:

    <TechnicalProfile Id="AAD-UserWriteUsingAlternativeSecurityId">
      <Metadata>
        <Item Key="Operation">Write</Item>
        <Item Key="RaiseErrorIfClaimsPrincipalAlreadyExists">true</Item>
      </Metadata>
      <PersistedClaims>
        <PersistedClaim ClaimTypeReferenceId="alternativeSecurityId" />
        <PersistedClaim ClaimTypeReferenceId="email" />
        <PersistedClaim ClaimTypeReferenceId="newPassword" PartnerClaimType="password"/>
        <PersistedClaim ClaimTypeReferenceId="displayName" />
        <PersistedClaim ClaimTypeReferenceId="givenName" />
        <PersistedClaim ClaimTypeReferenceId="surname" />
        <PersistedClaim ClaimTypeReferenceId="objectId" />
        <PersistedClaim ClaimTypeReferenceId="tenantId" />
        <!-- accountEnabled must also be declared as a boolean ClaimType in the ClaimsSchema,
             otherwise the policy fails validation on upload -->
        <PersistedClaim ClaimTypeReferenceId="accountEnabled" DefaultValue="true" />
      </PersistedClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="objectId" />
        <OutputClaim ClaimTypeReferenceId="newUser" PartnerClaimType="newClaimsPrincipalCreated" />
        <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" />
      </OutputClaims>
      <IncludeTechnicalProfile ReferenceId="AAD-Common" />
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
    </TechnicalProfile>
    

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James
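
As an added example (not part of the answer above, and not the tutorial's own files), the same change expressed as a TrustFrameworkExtensions.xml fragment, which is where custom-policy overrides normally go rather than in the base file: it declares the accountEnabled claim type and overrides only the PersistedClaims of AAD-UserWriteUsingAlternativeSecurityId, so the remaining elements are merged in from the base policy. The tenant name and the starter-pack policy chain (Base -> Localization -> Extensions) are assumptions; replace them with your own values.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example; assumes the Azure AD B2C starter pack layout. -->
<TrustFrameworkPolicy
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
  PolicySchemaVersion="0.3.0.0"
  TenantId="yourtenant.onmicrosoft.com"
  PolicyId="B2C_1A_TrustFrameworkExtensions"
  PublicPolicyUri="http://yourtenant.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions">

  <!-- Assumption: extensions sit on top of the localization policy, as in the starter pack. -->
  <BasePolicy>
    <TenantId>yourtenant.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkLocalization</PolicyId>
  </BasePolicy>

  <BuildingBlocks>
    <ClaimsSchema>
      <!-- Every ClaimTypeReferenceId used in a technical profile must be declared here. -->
      <ClaimType Id="accountEnabled">
        <DisplayName>Account Enabled</DisplayName>
        <DataType>boolean</DataType>
        <AdminHelpText>Whether the directory account is enabled for sign-in.</AdminHelpText>
      </ClaimType>
    </ClaimsSchema>
  </BuildingBlocks>

  <ClaimsProviders>
    <ClaimsProvider>
      <DisplayName>Azure Active Directory</DisplayName>
      <TechnicalProfiles>
        <!-- Same Id as the base profile: B2C merges this fragment into it, so the
             Metadata, OutputClaims and IncludeTechnicalProfile from the base stay intact. -->
        <TechnicalProfile Id="AAD-UserWriteUsingAlternativeSecurityId">
          <PersistedClaims>
            <!-- Written on the Create call for federated (multi-tenant Entra ID) sign-ups. -->
            <PersistedClaim ClaimTypeReferenceId="accountEnabled" DefaultValue="true" />
          </PersistedClaims>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>
</TrustFrameworkPolicy>
```

Local-account sign-ups go through a different write profile (AAD-UserWriteUsingLogonEmail in the starter pack), so to cover the "either local or via social logins" case the same PersistedClaim is added to that profile as well.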