Azure AD B2C SignUp-SignIn policy with MFA turned

Published 2019-04-17 01:09

Question:

I have an asp.net web application that authenticates via an Azure AD B2C tenant. I have a sign-up-sign-in policy [login is using username instead of email] with MFA turned on. I have also set up a custom UI login page [unified.html] and an MFA page [phonefactor.html] in a storage blob that the policy points to. I am able to authenticate the user via the custom login page and log in with MFA. The issue is when I create a new user and force the user to change the password at their first login: instead of redirecting the user to the change password screen, I am getting an invalid username and password message. When I use the Sign-In policy instead of sign-up-sign-in, the redirection to change the password works for the new user. But the sign-in policy does not have the option to specify a custom UI for the login page. Am I missing anything here, and how can I make this work with the sign-up-sign-in policy?

Also, is there any way to get the "Password" hint like the "Username" hint in the company branding... a Password hint is not available.

Answer 1:

forceChangePasswordNextLogin only works on the sign-in policy which does not support UI customization.

In order to achieve similar functionality in the unified sign-up/sign-in policy, you'll need to implement this functionality yourself.

One option to achieve similar (albeit not quite the same) functionality is by leveraging the Password Reset policy. You would be creating new users up-front and ensuring you configure their email. You then direct them straight to the Password Reset policy for their account activation. They'll receive an email with a code which, once provided, will let them set their password.

There are already two outstanding feature asks in the Azure AD B2C Feedback Forum that you can support:

  • Support Force Password Reset
  • Fully Customizable Sign-In Page

UPDATE

For the DIY approach:

  1. Create the users by setting up an Azure AD app for your back-end API as outlined here: https://docs.microsoft.com/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet
  2. Have your back-end API call the Graph API like this app does to create the users: https://github.com/AzureADQuickStarts/B2C-GraphAPI-DotNet.git
  3. Send the users directly to the password reset policy's /authorize/ URL.
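As an added illustration of the DIY approach (not code from the answer or from the linked sample), the following Python builds the two pieces the steps above call for: the legacy Graph (graph.windows.net, api-version 1.6) request body for a username-based local account, and the authorize URL that drops that user straight into the password reset policy. Tenant name, policy name, client id and redirect URI are placeholders; storing the activation email in `otherMails` is an assumption about where B2C keeps a local account's email address.

```python
"""Constructed example for the B2C 'create user, then send to password reset'
activation flow. All tenant/app identifiers below are placeholders."""
import secrets
from urllib.parse import urlencode

TENANT = "contoso.onmicrosoft.com"                     # placeholder tenant
RESET_POLICY = "B2C_1_PasswordReset"                   # placeholder policy name
CLIENT_ID = "00000000-0000-0000-0000-000000000000"     # placeholder app id
REDIRECT_URI = "https://app.example.com/signin-oidc"   # placeholder callback


def build_local_user(username, display_name, email, temp_password):
    """Body for POST https://graph.windows.net/{tenant}/users?api-version=1.6.
    The account signs in with a username; the email goes into otherMails so the
    password reset policy can locate and verify it (assumption, see lead-in)."""
    return {
        "accountEnabled": True,
        "creationType": "LocalAccount",
        "displayName": display_name,
        "signInNames": [{"type": "userName", "value": username}],
        "otherMails": [email],
        "passwordProfile": {
            "password": temp_password,
            # Only the sign-in policy honours forceChangePasswordNextLogin, and
            # under sign-up/sign-in it surfaces as a bad-credentials error, so
            # leave it off and rely on the reset policy for activation instead.
            "forceChangePasswordNextLogin": False,
        },
        "passwordPolicies": "DisablePasswordExpiration",
    }


def build_reset_url(state=None, nonce=None):
    """Authorize URL for the password reset policy. state and nonce are fresh
    random values per request so the OIDC callback can be bound to the
    session that started it; the callback must be served over HTTPS."""
    if not REDIRECT_URI.startswith("https://"):
        raise ValueError("redirect_uri must use https")
    params = {
        "p": RESET_POLICY,
        "client_id": CLIENT_ID,
        "response_type": "id_token",
        "response_mode": "form_post",
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state or secrets.token_urlsafe(16),
        "nonce": nonce or secrets.token_urlsafe(16),
    }
    base = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize?"
    return base + urlencode(params)
```

The user record is what your back-end API would send to Graph with its own app token; the URL is what you hand to the browser after the account exists.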