Hi, I want to create a custom policy so as to login users. The flow I want is: The user enters email (only email, not password). The user choses in the next step if he wants to get the OTP code via phone sms or phone call. The issue is that the user must be pre registered and I want the email that he enters in step 1 to be validated, so if the email is not from a registered user, raise and error, otherwise go to step 2.

Hello víctor arranz, Thank you for posting your query in the Microsoft Q&A Community. I understand that you would like to create an Azure AD B2C Custom policy for passwordless authentication. The scenario you described above is possible. Kindly follow the link to get the Sample custom policy configuration files. https://github.com/azure-ad-b2c/samples?tab=readme-ov-file#passwordless Let me know if further assistance is needed. Babafemi

Azure AD B2C passwordless login with email verification

víctor arranz 0

Hi, I want to create a custom policy so as to login users.

The flow I want is:

The user enters email (only email, not password).
The user choses in the next step if he wants to get the OTP code via phone sms or phone call.

The issue is that the user must be pre registered and I want the email that he enters in step 1 to be validated, so if the email is not from a registered user, raise and error, otherwise go to step 2.

2 answers

Babafemi Bulugbe 3,375 Reputation points MVP

2024-05-27T10:05:09.5833333+00:00

Hello víctor arranz,

Thank you for posting your query in the Microsoft Q&A Community.

I understand that you would like to create an Azure AD B2C Custom policy for passwordless authentication.

The scenario you described above is possible. Kindly follow the link to get the Sample custom policy configuration files.

https://github.com/azure-ad-b2c/samples?tab=readme-ov-file#passwordless

Let me know if further assistance is needed.

Babafemi
Please sign in to rate this answer.
víctor arranz 0 Reputation points

2024-05-27T10:40:45.5133333+00:00

Yes, I am looking at the Password-less sign-in with email verification example but when I try to delete the facebook lines (I dont want to use facebook or any social login). I get the following error

víctor arranz 0 Reputation points

2024-05-27T10:42:35.63+00:00

Yes, I am looking the Password-less sign-in with email verification example but when trying to delete the Facebook social account login I get the following error

Babafemi Bulugbe 3,375 Reputation points MVP

2024-05-27T12:15:58.7666667+00:00

Hello víctor arranz,

AAD-UserWriteUsingAlternativeSecurityId, AAD-UserReadUsingAlternativeSecurityId, and AAD-UserReadUsingAlternativeSecurityId-NoError are three protocols that work with Social accounts. While AAD-UserReadUsingAlternativeSecurityId and AAD-UserReadUsingAlternativeSecurityId-NoError are meant to look up a social account in the directory, AAD-UserWriteUsingAlternativeSecurityId kicks in when there is a need to create a new social account.

If you have removed the discovery of Facebook as an identity provider in your policy, then you need to comment out the User journey Steps with these protocols in your UserJouney within your TrustFramework policy file

From the error above, kindly comment out the UserJourney steps 3 and 6.

Let me know if it helps.

Babafemi

víctor arranz 0 Reputation points

2024-05-27T12:54:45.1266667+00:00

I get you.

I removed all that flow steps and i can upload the policy. However, when I try to upload de signup_signin.xml file I get the following error

víctor arranz 0 Reputation points

2024-05-27T12:56:55.02+00:00

I uncommented the steps you said and renumbered the other ones so as to follow the sequence

víctor arranz 0 Reputation points

2024-05-27T12:57:57.7866667+00:00

This is my current policy:

<ClaimsProviders> <ClaimsProvider> <DisplayName>Local Account</DisplayName> <TechnicalProfiles>  <TechnicalProfile Id="LocalAccountDiscoveryUsingEmailAddress-SignIn"> <DisplayName>Sign-In with Email</DisplayName> <IncludeTechnicalProfile ReferenceId="LocalAccountDiscoveryUsingEmailAddress" /> </TechnicalProfile> </TechnicalProfiles> </ClaimsProvider> </ClaimsProviders> <UserJourneys> <UserJourney Id="SignUpOrSignInPasswordless"> <OrchestrationSteps> <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin"> <ClaimsProviderSelections>  <ClaimsProviderSelection TargetClaimsExchangeId="SignIn-WithEmail" /> <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" /> </ClaimsProviderSelections> <ClaimsExchanges> <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" /> </ClaimsExchanges> </OrchestrationStep>  <OrchestrationStep Order="2" Type="ClaimsExchange"> <Preconditions> <Precondition Type="ClaimsExist" ExecuteActionsIf="true"> <Value>objectId</Value> <Action>SkipThisOrchestrationStep</Action> </Precondition> </Preconditions> <ClaimsExchanges>  <ClaimsExchange Id="SignIn-WithEmail" TechnicalProfileReferenceId="LocalAccountDiscoveryUsingEmailAddress-SignIn" /> <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail" /> </ClaimsExchanges> </OrchestrationStep>  <OrchestrationStep Order="3" Type="ClaimsExchange"> <Preconditions> <Precondition Type="ClaimsExist" ExecuteActionsIf="true"> <Value>objectId</Value> <Action>SkipThisOrchestrationStep</Action> </Precondition> </Preconditions> <ClaimsExchanges> <ClaimsExchange Id="SelfAsserted-Social" TechnicalProfileReferenceId="SelfAsserted-Social" /> </ClaimsExchanges> </OrchestrationStep>  <OrchestrationStep Order="4" Type="ClaimsExchange"> <Preconditions> <Precondition Type="ClaimEquals" ExecuteActionsIf="true"> <Value>authenticationSource</Value> <Value>socialIdpAuthentication</Value> <Action>SkipThisOrchestrationStep</Action> </Precondition> </Preconditions> <ClaimsExchanges> <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" /> </ClaimsExchanges> </OrchestrationStep> <OrchestrationStep Order="5" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" /> </OrchestrationSteps> <ClientDefinition ReferenceId="DefaultWeb" /> </UserJourney> </UserJourneys>

Babafemi Bulugbe 3,375 Reputation points MVP

2024-05-27T13:09:04.18+00:00

login-NonInteractive is a TechnicalProfile under the Local Account Claim provider. Under this TechnicalProfile. you should add a valid client id. This technical Profile should be in your TrustFramework Extension file

Follow this link for more information https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy

For the identity provider, you can remove it from the signinsignup policy file

Babafemi

víctor arranz 0 Reputation points

2024-05-27T13:57:39.5933333+00:00

Thank you, it is currently working, but I have this screen as a startpoint ,

how can I modify the directive in order to only have the below sign-in with email option?

Babafemi Bulugbe 3,375 Reputation points MVP

2024-05-27T14:12:50.6133333+00:00

I believe you would like to remove the "sign in with your social account". If this is the case, I am afraid you might not be able to change that for now even when you customize as that is injected by the div as shown in the screenshot below.

https://learn.microsoft.com/en-us/azure/active-directory-b2c/customize-ui-with-html?pivots=b2c-custom-policy#custom-html-and-css-overview

víctor arranz 0 Reputation points

2024-05-27T14:16:07.33+00:00

I want only de email without password login option

víctor arranz 0 Reputation points

2024-05-27T14:28:23.1066667+00:00

Ok, I got it. Thank you!

Just to go one step deeper. Could I do the same but sending the otp with phone with sms or call? I mean, you send the email and then the otp comes to the phone you set in a screen, not to the previous email. Is it possible? Could you help me to do it?

Babafemi Bulugbe 3,375 Reputation points MVP

2024-05-27T14:50:58.46+00:00

If you want to set up using phone, you need to follow this documentation https://github.com/azure-ad-b2c/samples/tree/master/policies/signup-signin-with-phone-number

víctor arranz 0 Reputation points

2024-05-27T14:56:26.7333333+00:00

But is it possible to use it in the way i want? After sending the email, doing the mfa with the phone?

Babafemi Bulugbe 3,375 Reputation points MVP

2024-05-27T15:11:55.28+00:00

Yes it is, you are going to be doing a lot of updating. A phone factor technical profile will be needed

Follow this link https://github.com/azure-ad-b2c/samples/tree/master/policies/mfa-email-or-phone

víctor arranz 0 Reputation points

2024-05-27T15:28:09.7666667+00:00

Okey, it would be an issue for the future. My aim now is to be able to check the email just after sending it in the first step, as currently the validation is made after entering the otp code, that is when the validation is being performed now and the account is being checked. My UserJourney is:

1: CombinedSignInAndSignUp (is it possible just to sign in? Instead of both).

2: ClaimsExchange SignIn-WithEmail

3: ClaimsExchange SelfAsserted-Social

4: ClaimsExchange ADDUserReadWithObjectId

5: SendClaims

Could you help me?

víctor arranz 0 Reputation points

2024-05-28T12:54:58.42+00:00

Hello?

Babafemi Bulugbe 3,375 Reputation points MVP

2024-05-28T13:17:27.5533333+00:00

I will review this and revert. However, you shouldn't have the step 3 in your userjourney as this is related to social account

víctor arranz 0 Reputation points

2024-05-28T14:32:27.9233333+00:00

Hi, I did some changes and currently my flow is: send email, then send otp code to email, then after validating otp code ask for call or sms to send another otp code. I want if possible to skip the middle part, I mean just to send the email and after that, go directly to the phone step, skipping the otp mail and only using the phone otp

víctor arranz 0 Reputation points

2024-05-28T16:05:57.5433333+00:00

Also my ideal goal would be to check the email before sending any otp code to It, not validate It after writting the otp code as It IS being done now. Is it possible? How?
Sign in to comment
víctor arranz 0 Reputation points

2024-05-27T11:32:25.86+00:00

Please I need more help
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Share via

Azure AD B2C passwordless login with email verification

2 answers