Block login using TokenIssuanceStart on Entra ExternalID

Question

I'm wondering if it's possible to block login using the 'TokenIssuanceStart' event. I know I can block user registration with AttributeCollectionStart and returning a block action.

In the docs for 'TokenIssuanceStart' (https://learn.microsoft.com/en-us/entra/identity-platform/custom-extension-tokenissuancestart-setup?tabs=visual-studio%2Cazure-portal&pivots=azure-portal), I can see how you can add additional claims to the token, but is it also possible to return a block action with this step to prevent a user authenticating? I could purposefully throw an error, but not sure how to handle the outcome of that, and if it would work as I'd want.

Answer 1

Hi @Matthew Paul

Thank you for posting this in Microsoft Q&A.

I understand you are facing a challenge regarding the use of the TokenIssuanceStart event in Microsoft Entra Identity Platform. Specifically, you want to know if it is possible to block user logins during this event, similar to how user registration can be blocked using the AttributeCollectionStart event.

Based on the provided document, The TokenIssuanceStart event is primarily designed for adding claims to tokens during the authentication process. However, it does not directly support blocking user logins in the same way that the AttributeCollectionStart event does for user registration.

Hope this helps. Do let us know if you any further queries.

Thanks,

Navya.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.