Entra External ID: Additional Sign-In options after disabling sign-up link

metalheart 386 Reputation points
2024-11-26T13:54:12.6133333+00:00

I have disabled the sign-up link like below in my user flow:

PATCH https://graph.microsoft.com/v1.0/authenticationEventsFlows/<id>
{
	"@odata.type": "#microsoft.graph.externalUsersSelfServiceSignUpEventsFlow",
	"onInteractiveAuthFlowStart": {
		"@odata.type": "#microsoft.graph.onInteractiveAuthFlowStartExternalUsersSelfServiceSignUp",
		"isSignUpAllowed": false
	}
}

After doing this, I'm getting additional sign-in options (face, fingerprint or security key):
User's image

As soon as I change isSignUpAllowed back to true, it goes away.

I would like to have a disabled sign-up link but without these additional options - how?

Microsoft Entra External ID

Accepted answer
  1. Raja Pothuraju 9,460 Reputation points Microsoft Vendor
    2024-11-28T20:24:56.5466667+00:00

    Hello @metalheart,

    Thank you for posting your query on Microsoft Q&A.

    Based on your description, I understand that when you set isSignUpAllowed: false in the user flow, you observe a different login page. Conversely, when you change it back to isSignUpAllowed: true, the "Sign-in options" tab is no longer visible on the login page.

    I tested this scenario in my environment and observed the same behavior.

    When the flow is set to isSignUpAllowed: false, the CIAM login page behaves as follows:

    User's image

    When the flow is set to isSignUpAllowed: true, the CIAM login page changes to this:

    User's image

    I reached out to the product engineering team regarding this behavior. They have identified the issue and confirmed that a fix has been developed. The complete fix will be rolled out to all tenants next month. Until then, this behavior will persist when isSignUpAllowed: false is configured for user flows.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Thanks,
    Raja Pothuraju.


1 additional answer

  1. James Hamil 26,131 Reputation points Microsoft Employee
    2024-11-28T01:25:04.48+00:00

    Hi @metalheart, you can adjust the authentication methods policy to make sure only the sign-in methods you want are available. You can do this through the Azure portal or by using the Microsoft Graph API.

    For example, you can use the Microsoft Graph API to disable specific methods like face or fingerprint:

    PATCH https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy
    Content-Type: application/json
    {
      "authenticationMethodConfigurations": [
        {
          "id": "Email",
          "state": "enabled"
        },
        {
          "id": "Fido2",
          "state": "disabled"
        },
        {
          "id": "MicrosoftAuthenticator",
          "state": "enabled"
        },
        {
          "id": "TemporaryAccessPass",
          "state": "disabled"
        },
        {
          "id": "PhoneNumber",
          "state": "enabled"
        },
        {
          "id": "WindowsHelloForBusiness",
          "state": "disabled"
        }
      ]
    }
    
    
    

    More information here: https://learn.microsoft.com/en-us/graph/api/fido2authenticationmethodconfiguration-update?view=graph-rest-1.0&tabs=http

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James
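
An added example, not part of either answer and not Microsoft's code: a Python check over the parsed JSON of the two resources discussed in this thread, reporting sign-up flows where isSignUpAllowed is not explicitly false and authentication methods that are enabled outside an allowlist. The sample payloads and flow ids are constructed, and the function names, the allowlist, and the choice to flag a flow with the property absent are assumptions.

```python
SIGNUP_FLOW_TYPE = "#microsoft.graph.externalUsersSelfServiceSignUpEventsFlow"

# Constructed sample data, shaped like the request bodies shown in this thread.
SAMPLE_FLOWS = [
    {"id": "flow-a", "@odata.type": SIGNUP_FLOW_TYPE,
     "onInteractiveAuthFlowStart": {"isSignUpAllowed": False}},
    {"id": "flow-b", "@odata.type": SIGNUP_FLOW_TYPE,
     "onInteractiveAuthFlowStart": {"isSignUpAllowed": True}},
    {"id": "flow-c", "@odata.type": SIGNUP_FLOW_TYPE},  # property absent
]
SAMPLE_POLICY = {"authenticationMethodConfigurations": [
    {"id": "Email", "state": "enabled"},
    {"id": "Fido2", "state": "Enabled"},
    {"id": "TemporaryAccessPass", "state": "disabled"},
]}


def signup_disabled(flow):
    """True only when the flow explicitly carries isSignUpAllowed: false."""
    start = flow.get("onInteractiveAuthFlowStart") or {}
    return start.get("isSignUpAllowed") is False


def enabled_methods(policy):
    """Ids of method configurations whose state is 'enabled' (any letter case)."""
    configs = policy.get("authenticationMethodConfigurations") or []
    return sorted(c.get("id", "<no id>") for c in configs
                  if str(c.get("state", "")).lower() == "enabled")


def audit(flows, policy, allowed_methods):
    """Return (kind, identifier) findings for settings that differ from intent."""
    findings = []
    for flow in flows:
        if flow.get("@odata.type") != SIGNUP_FLOW_TYPE:
            continue  # not a self-service sign-up flow
        # Assumption: a flow without an explicit false is reported, not trusted.
        if not signup_disabled(flow):
            findings.append(("signup-not-disabled", flow.get("id", "<no id>")))
    allowed = {m.lower() for m in allowed_methods}
    for method in enabled_methods(policy):
        if method.lower() not in allowed:
            findings.append(("unexpected-method-enabled", method))
    return findings


if __name__ == "__main__":
    for kind, ident in audit(SAMPLE_FLOWS, SAMPLE_POLICY, {"Email"}):
        print(f"{kind}: {ident}")
```

This reports configuration state only; it does not show what the hosted sign-in page actually renders, which the accepted answer describes as a service-side behavior.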

