Azure AD B2C | Can we get the last login of a user in the Azure AD B2C access token claims?

Abhay Chandramouli 971 Reputation points
2022-04-25T09:43:45.233+00:00

I want a last_login value for a user inside the access token when we log in to Azure AD B2C. Is that possible?

Thanks

@AmanpreetSingh-MSFT can you please help on this ?


1 answer

  1. AmanpreetSingh-MSFT 56,486 Reputation points
    2022-04-26T05:58:30.753+00:00

    Thank you for reaching out.

    Azure AD B2C by default doesn't store the last login time of the users. However, you can create a custom claim that can capture the current date and time (during users' sign-in) and pass that in the access token issued after sign-in. You can then configure your application to read this claim and store it to keep track of the last time the user logged in. You can also write this value to the user's property in the B2C directory by persisting the claim but that would be a complicated task and would require a lot of testing as there is no sample currently available for this purpose.

    For this purpose, you need to perform the below steps:

    1. Create a custom claim:
      <ClaimType Id="extension_LastLogin">
        <DisplayName>extension_LastLogin</DisplayName>
        <DataType>dateTime</DataType>
        <UserInputType>Readonly</UserInputType>
      </ClaimType>
      
    2. Create a claims transformation rule:
      <ClaimsTransformation Id="GetLastLoginDateTime" TransformationMethod="GetCurrentDateTime">
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="extension_LastLogin" TransformationClaimType="currentDateTime" />
        </OutputClaims>
      </ClaimsTransformation>
      
    3. Update the login-NonInteractive technical profile:
      <TechnicalProfile Id="login-NonInteractive">
        ...
        <InputClaimsTransformations>
          <InputClaimsTransformation ReferenceId="GetLastLoginDateTime" />
        </InputClaimsTransformations>
        <InputClaims>
          <InputClaim ClaimTypeReferenceId="signInName" />
          <InputClaim ClaimTypeReferenceId="extension_LastLogin" />
        </InputClaims>
        <OutputClaims>
          ...
          <OutputClaim ClaimTypeReferenceId="extension_LastLogin" />
        </OutputClaims>
      </TechnicalProfile>
      
    4. Update the output claims of the SelfAsserted-LocalAccountSignin-Email technical profile:
      <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
        ...
        <OutputClaims>
          ...
          <OutputClaim ClaimTypeReferenceId="extension_LastLogin" />
        </OutputClaims>
      </TechnicalProfile>
      
    5. Update the output claims in the Signup/Sign-in XML file:
      <OutputClaim ClaimTypeReferenceId="extension_LastLogin" PartnerClaimType="LastLogin" />

    Note: If you are not using email-based sign-ins, you would need to update the relevant technical profile.

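The application side of the approach described in the answer, as an added example that is not part of the answer or of any Microsoft sample: the policy above puts the time of the *current* sign-in into the token under the `LastLogin` claim (the `PartnerClaimType` from step 5), so the application has to keep the value it received on the previous sign-in to actually show a "last login". The code assumes the claims dictionary comes from a token the application's middleware has already validated (signature, issuer, audience, expiry), uses `sub` as the per-user key (an assumption about the app's token configuration), accepts the ISO 8601 value emitted by `GetCurrentDateTime` with any number of fractional digits, and stores the record in SQLite. The record only moves forward, so a token presented out of order or replayed never rolls the stored time back.

```python
import re
import sqlite3
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample: claims from a B2C access token that the application's
# middleware has ALREADY validated (signature, issuer, audience, expiry).
# "LastLogin" is the PartnerClaimType from step 5 of the answer; using "sub"
# as the user key is an assumption about this app's token configuration.
SAMPLE_CLAIMS = {
    "sub": "11111111-2222-3333-4444-555555555555",  # constructed object id
    "LastLogin": "2022-04-26T05:58:30.7534567Z",      # constructed value
}

# ISO 8601 with an optional fraction of up to 9 digits and a Z or +hh:mm offset.
_ISO_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d{1,9}))?(Z|[+-]\d{2}:\d{2})$"
)


def parse_login_time(value: str) -> datetime:
    """Parse the dateTime string the GetCurrentDateTime transformation emits.

    The number of fractional digits is not stated in the answer, so any count
    up to nine is accepted and truncated to microseconds (the most Python's
    datetime can hold). Always returns a timezone-aware datetime.
    """
    m = _ISO_RE.match(value)
    if not m:
        raise ValueError(f"unexpected LastLogin format: {value!r}")
    base, frac, tz = m.groups()
    micro = int((frac or "0")[:6].ljust(6, "0"))
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(microsecond=micro)
    if tz == "Z":
        return dt.replace(tzinfo=timezone.utc)
    sign = 1 if tz[0] == "+" else -1
    offset = timedelta(hours=int(tz[1:3]), minutes=int(tz[4:6]))
    return dt.replace(tzinfo=timezone(sign * offset))


class LoginStore:
    """Per-user last-login record kept by the application (SQLite here)."""

    def __init__(self, path: str = ":memory:") -> None:
        self.conn = sqlite3.connect(path)
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS last_login "
            "(sub TEXT PRIMARY KEY, ts TEXT NOT NULL)"
        )

    def previous_login(self, sub: str) -> Optional[datetime]:
        """Return the stored sign-in time for a user, or None if none yet."""
        row = self.conn.execute(
            "SELECT ts FROM last_login WHERE sub = ?", (sub,)
        ).fetchone()
        return datetime.fromisoformat(row[0]) if row else None

    def record(self, claims: dict) -> Optional[datetime]:
        """Store the sign-in time carried by this token and return the one
        stored before it (None on the user's first recorded sign-in).

        The claim holds the CURRENT sign-in time, so the value returned here,
        not the claim itself, is what the application should display as
        "last login". The record only moves forward: a token presented out of
        order (or replayed) never rolls the stored time back.
        """
        sub = claims["sub"]
        current = parse_login_time(claims["LastLogin"])
        previous = self.previous_login(sub)
        if previous is None or current > previous:
            self.conn.execute(
                "INSERT OR REPLACE INTO last_login (sub, ts) VALUES (?, ?)",
                (sub, current.isoformat()),
            )
            self.conn.commit()
        return previous


if __name__ == "__main__":
    store = LoginStore()
    print("previous login:", store.record(SAMPLE_CLAIMS))  # None on first sign-in
    later = dict(SAMPLE_CLAIMS, LastLogin="2022-04-27T08:00:00Z")
    print("previous login:", store.record(later))  # 2022-04-26 05:58:30.753456+00:00
```

Because `GetCurrentDateTime` runs inside the policy, the value is the identity provider's clock, not the client's; the application should still rely on its own validation of `exp`/`iat` for freshness and treat `LastLogin` purely as an informational claim.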