How to change SSPR email id when using username (not email id) to sign in in the context of Azure B2C

sunny 21 Reputation points
2020-08-10T21:26:30.393+00:00

Is it possible to change SSPR email id when using username (not email id) to sign in in the context of Azure B2C?

Scenario:
Using Azure B2C
Using username (not email id) to sign in
Email is provided for SSPR
Need to provide option for the user to edit their email id.

Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.

Accepted answer
  1. JamesTran-MSFT 36,611 Reputation points Microsoft Employee
    2020-08-19T21:12:21.967+00:00

    @sunny
    Thank you for your patience throughout this issue. I received an update from our engineering team and have done some testing on my end and will post my findings below.

    Engineering team update:
    You need a custom policy which targets rewriting the "strongAuthenticationEmailAddress" attribute
    StackOverflow related question
    A B2C IEF Custom Policy which uses Usernames as the sign in identifier
    Get started with custom policies in Azure Active Directory B2C

    Testing:
    I tested out some alternative ways to reset a user's email and found that you can also do this by having the user go to:
    aka.ms/ssprsetup

    Once logged in, you can have a user change their email address or phone number, and this will update the "Authentication Methods" blade for the user.
    18932-ssprsetup.jpg

    You also have to ensure that you have "Email" checked under "methods available to the user". This is regardless of the "Number of methods required.."; it can be set to 1 or 2.
    18895-passwordresetmethods.jpg

    Changed my email just to demonstrate:
    18905-changedemail.jpg

    Lastly, you can also easily change a user's Alternate Email address by using Msol commands.

    Please let me know if you have any other questions.
    Thank you for your time and patience throughout this issue!

    1 person found this answer helpful.

5 additional answers

  1. Ayush Singh 1 Reputation point
    2020-08-26T09:30:18.383+00:00

    Hi @JamesTran-MSFT
    I was able to edit the strongAuthenticationEmailAddress by modifying the 'ProfileEditWithUsername' user journey defined in the extension file of the policy you suggested above. I persisted the strongAuthenticationEmailAddress in the 'AAD-UserWriteProfileUsingObjectId' technical profile which was used by the above user journey as a validation profile in Orchestration Step 4.

    However, I noticed that if I run the policy to change the strongAuthenticationEmailAddress, the email is changed successfully but the strongAuthenticationPhoneNumber & Alternate phone (used for authentication) is being set to blank.
    Similarly, I implemented the edit-MFA phone number policy, and using this I am able to edit the strongAuthenticationPhoneNumber, but it sets the strongAuthenticationEmailAddress to blank.

    Can you please suggest why this might be happening?
    PFA the user journey and technical profiles.

    Regards,
    Ayush.

    20478-userjourney.png
    20498-aad-userreadusingobjectid.png
    20499-selfasserted-profileupdate.png
    20500-aad-userwriteprofileusingobjectid.png

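A sketch of the extension-file overrides this thread describes, added here as an example and not taken from the posters' policies or the linked sample. It assumes the base policy already defines the `strongAuthenticationEmailAddress` and `strongAuthenticationPhoneNumber` claim types and the three technical profiles (IDs taken from the thread text and attachment names). Reading and re-persisting the phone number next to the email is an assumption made in response to the blanking reported above; the thread does not confirm the cause.

```xml
<!-- Added example for TrustFrameworkExtensions.xml. Collections declared here are
     merged into the base policy's profiles with the same Id. -->
<ClaimsProvider>
  <DisplayName>Azure Active Directory</DisplayName>
  <TechnicalProfiles>
    <!-- Read both strong-authentication values before the edit page is shown. -->
    <TechnicalProfile Id="AAD-UserReadUsingObjectId">
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="strongAuthenticationEmailAddress" />
        <OutputClaim ClaimTypeReferenceId="strongAuthenticationPhoneNumber" />
      </OutputClaims>
    </TechnicalProfile>
    <!-- Validation profile of the profile-edit journey: write the new recovery email. -->
    <TechnicalProfile Id="AAD-UserWriteProfileUsingObjectId">
      <PersistedClaims>
        <PersistedClaim ClaimTypeReferenceId="strongAuthenticationEmailAddress" />
        <!-- Assumption: send the unchanged phone number back in the same write
             so that it is not left empty. -->
        <PersistedClaim ClaimTypeReferenceId="strongAuthenticationPhoneNumber" />
      </PersistedClaims>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
<ClaimsProvider>
  <DisplayName>Self Asserted</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="SelfAsserted-ProfileUpdate">
      <InputClaims>
        <!-- Pre-fill the current recovery email. -->
        <InputClaim ClaimTypeReferenceId="strongAuthenticationEmailAddress" />
      </InputClaims>
      <OutputClaims>
        <!-- Verified.Email asks the page to verify the new address with a code
             before it is accepted as the password-reset destination. -->
        <OutputClaim ClaimTypeReferenceId="strongAuthenticationEmailAddress"
                     PartnerClaimType="Verified.Email" Required="true" />
      </OutputClaims>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
```

After running the journey for a test user, check that both the email and the phone entries are still populated under the user's authentication methods.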
