Azure AD B2C IEF - How to prevent user signup from a specific email domain

Yan Xu 1 Reputation point
2022-07-11T22:26:53.907+00:00

Could you please help. We are trying to stop user signup with Azure AD B2C from a specific email domain. I have tried to call a technical profile (with claims transformations in it) to get the email domain when the user inputs the email, then do a compare claims. At this stage, getting the email domain is fine, but the compare does not work. Could you please point me in the right direction? Thank you

Regards,

Ken


1 answer

  1. Alfredo Revilla (MSFT) 26,756 Reputation points
    2022-07-12T01:00:51.997+00:00

    Hello @Yan Xu, you can add a Precondition to the desired orchestration step that validates the isValidEmailDomain boolean claim, which will be output by a StringCollectionContains transformation.

       <Preconditions>
         <!-- Skip this orchestration step if isValidEmailDomain does not exist. -->
         <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
           <Value>isValidEmailDomain</Value>
           <Action>SkipThisOrchestrationStep</Action>
         </Precondition>
         <!-- Skip this orchestration step if isValidEmailDomain is False. -->
         <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
           <Value>isValidEmailDomain</Value>
           <Value>False</Value>
           <Action>SkipThisOrchestrationStep</Action>
         </Precondition>
       </Preconditions>


    Alternatively, you can implement a custom API to be consumed by a Validation Technical Profile. Depending on the business rules you implement, your API may return an HTTP 200 response and optional claims (such as isValidEmailDomain, or none) or a 4xx response with error information that can be handled. Take a look at Define a RESTful technical profile in an Azure Active Directory B2C custom policy and Define a validation technical profile in an Azure Active Directory B2C custom policy. You would send the user email address as an InputClaim. For a complete sample that you can customize, take a look at Azure AD B2C: Integrate REST API claims exchanges and input validation.

    Let us know if you need additional assistance. If the answer was helpful, please accept it and complete the quality survey so that others can find a solution.
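As an added example (not part of the answer above and not one of Microsoft's sample policies), the single-domain case the question describes: ParseDomain extracts the domain from the email claim, CompareClaimToValue sets the boolean isValidEmailDomain, and AssertBooleanClaimIsEqualToValue in a validation technical profile rejects the sign-up with a user message instead of relying on orchestration-step preconditions. It assumes the string claim emailDomain and the boolean claim isValidEmailDomain are declared in ClaimsSchema, that the sign-up page collects the address as the email claim, and that blocked.example is a placeholder for the domain to reject.

```xml
<ClaimsTransformation Id="GetEmailDomain" TransformationMethod="ParseDomain">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="email" TransformationClaimType="emailAddress" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="emailDomain" TransformationClaimType="domain" />
  </OutputClaims>
</ClaimsTransformation>
<!-- Placeholder value: replace blocked.example with the domain to reject. -->
<ClaimsTransformation Id="CheckEmailDomain" TransformationMethod="CompareClaimToValue">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="emailDomain" TransformationClaimType="inputClaim1" />
  </InputClaims>
  <InputParameters>
    <InputParameter Id="compareTo" DataType="string" Value="blocked.example" />
    <InputParameter Id="operator" DataType="string" Value="notEqual" />
    <InputParameter Id="ignoreCase" DataType="string" Value="true" />
  </InputParameters>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="isValidEmailDomain" TransformationClaimType="outputClaim" />
  </OutputClaims>
</ClaimsTransformation>
<ClaimsTransformation Id="AssertEmailDomainIsValid" TransformationMethod="AssertBooleanClaimIsEqualToValue">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="isValidEmailDomain" TransformationClaimType="inputClaim" />
  </InputClaims>
  <InputParameters>
    <InputParameter Id="valueToCompareTo" DataType="boolean" Value="true" />
  </InputParameters>
</ClaimsTransformation>

<!-- Validation technical profile: a failed assert shows the message and keeps the user on the sign-up page. -->
<TechnicalProfile Id="EmailDomain-Validate">
  <DisplayName>Reject sign-up from a blocked email domain</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="UserMessageIfClaimsTransformationBooleanValueIsNotEqual">Sign-up is not available for this email domain.</Item>
  </Metadata>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="email" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="isValidEmailDomain" />
  </OutputClaims>
  <OutputClaimsTransformations>
    <OutputClaimsTransformation ReferenceId="GetEmailDomain" />
    <OutputClaimsTransformation ReferenceId="CheckEmailDomain" />
    <OutputClaimsTransformation ReferenceId="AssertEmailDomainIsValid" />
  </OutputClaimsTransformations>
</TechnicalProfile>
```

Reference EmailDomain-Validate as the first ValidationTechnicalProfile of the sign-up technical profile, ahead of the profile that writes the account, so no user object is created when the assert fails. A single CompareClaimToValue covers exactly one domain (not subdomains or a list); for a list, the StringCollectionContains or REST API approach in the answer applies.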