How to identify user first sign in on Azure B2C?

Raphael ramos 41 Reputation points
2022-06-16T15:20:27.857+00:00

Is there a recommended approach on how to identify the first time a user signs in using AAD B2C?

I intend to use this information in order to decide whether or not to send users an MFA authentication code.

So far I have just come up with persisting an extension claim 'isUserFirstSignIn', defaulted to false at signup, and reading it using "AAD-UserReadUsingObjectId" in every user journey in order to decide when to call the "PhoneFactor-Verify" technical profile:

    <OrchestrationStep Order="4" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
          <Value>isActiveMFASession</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
        <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
          <Value>extension_userFirstSignInAttempt</Value>
          <Value>false</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="PhoneFactor-Verify" TechnicalProfileReferenceId="PhoneFactor-InputOrVerify"/>
      </ClaimsExchanges>
    </OrchestrationStep>

I think this approach adds more complexity to my policies and wonder if there is a better strategy to address this scenario. Appreciate your input :)

Microsoft Entra External ID

Accepted answer
  1. Michael Taylor 56,271 Reputation points
    2022-06-16T16:40:30.76+00:00

    Firstly, note that B2C already supports MFA, so you might consider just using it rather than rolling your own.

    There is an indicator when the user signs up the very first time that this is a new user. However, in my experience it is not reliable. The issue is that it only works in the happy path case. Imagine you redirect to B2C, the user creates an account and then B2C starts to redirect back to you. For whatever reason that doesn't work. The user could close out of the browser, your site could be down or there could be any number of network issues. Irrelevant, the user never gets back to your site. They then log in again and successfully redirect to your site. The indicator isn't set anymore because this isn't a new user as far as Azure is concerned.

    The correct approach is the approach you're talking about. You need to store your own "first time" indicator. How you do that is up to you. Many apps require the user to accept a T&C, so maybe you store that into a B2C claim. Alternatively, if you need to map B2C users to your internal system, then you could handle it by whether you've already mapped the user to your internal system before or not. Irrelevant, you'll need to update the indicator once the user has successfully done whatever you need them to do.

    This is actually also a good idea in cases where your system has been around a while but you need to migrate users to a new condition. For example maybe you already have users in the system that didn't have MFA. By keeping your own indicator you can treat pre-MFA users the same as new users without having to write any extra code.

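The missing piece in the question's policy is the write-back the answer describes: once the user has actually completed the phone verification, the indicator must be flipped so the next journey skips step 4. The fragment below is an added example, not code from the question or from Microsoft's starter pack. It assumes the claim semantics implied by the posted step (`extension_userFirstSignInAttempt` is `false` until the first MFA-verified sign-in completes, then `true`), that the extension attribute is already declared in the policy's ClaimsSchema, and that `objectId` was loaded by the earlier `AAD-UserReadUsingObjectId` step; the technical profile id `AAD-UserWriteFirstSignInComplete` and the ClaimsExchange id are my own names.

```xml
<!-- Technical profile: persist the indicator for the signed-in user.
     It only writes extension_userFirstSignInAttempt, so no other
     attributes are touched. Place it in the ClaimsProviders section
     of the extensions policy, next to the other AAD-* profiles. -->
<TechnicalProfile Id="AAD-UserWriteFirstSignInComplete">
  <Metadata>
    <Item Key="Operation">Write</Item>
    <!-- Fail loudly if objectId does not resolve to a user instead of
         silently creating one; this profile must never sign anyone up. -->
    <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
  </Metadata>
  <IncludeInSso>false</IncludeInSso>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="objectId" Required="true" />
  </InputClaims>
  <PersistedClaims>
    <PersistedClaim ClaimTypeReferenceId="objectId" />
    <!-- AlwaysUseDefaultValue forces the stored value to "true" regardless
         of what the claims bag currently holds. -->
    <PersistedClaim ClaimTypeReferenceId="extension_userFirstSignInAttempt"
                    DefaultValue="true" AlwaysUseDefaultValue="true" />
  </PersistedClaims>
  <IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>

<!-- Orchestration step: runs right after the PhoneFactor step (Order 4
     in the question), so the indicator is only updated on a journey in
     which verification succeeded or an active MFA session already
     existed. It is skipped once the indicator is already "true", which
     avoids a directory write on every sign-in. Renumber later steps. -->
<OrchestrationStep Order="5" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
      <Value>extension_userFirstSignInAttempt</Value>
      <Value>true</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="MarkFirstSignInComplete"
                    TechnicalProfileReferenceId="AAD-UserWriteFirstSignInComplete" />
  </ClaimsExchanges>
</OrchestrationStep>
```

Because the write sits after the MFA step rather than at signup, the interrupted-redirect case from the answer still resolves correctly: a user who never finished the first journey keeps `false` and is prompted for verification again on the next sign-in.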
