Azure Active Directory
Welcome to the Azure Active Directory Forum.
-
Get user membership groups in the claims with AD B2C
As it's possible in the standard AD by changing the API application manifest option "groupMembershipClaims" to "SecurityGroup", is it possible to return user membership group in the claims with AD B2C?
Now, we can have only the default and custom attributes by adding a signin policy, but it's impossible to get user membership groups.
192 votesWe’re doing some research both on the specifics of this ask as well as what it would take to support this.
Is the ask here to do the same thing that regular Azure AD does (see: https://blogs.technet.microsoft.com/enterprisemobility/2014/12/18/azure-active-directory-now-with-group-claims-and-application-roles/) or is are there different requirements around this for Azure AD B2C?/Saca
-
Fully customizable verification emails
Currently, Azure AD B2C sends verification codes via emails to end users during sign-up and password reset flows. These emails have limited customization. Add support for full customization of the email body & content.
155 votes -
Add an Azure AD Identity Provider
AADB2C is great, but why not adding an Azure AD provider? We're developing an application where we can have customers with social identities as well as Azure AD identities, it would be great in the AADB2C login page to have an option like "Organization Account". In this way we can code against one single API and not be forced to use two different entry points.
151 votesAuthenticating using an Azure AD identity provider is now in public preview via custom policies. You can check out the instructions here – https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-aad-custom.
Please note that we expect to have Azure AD and custom OIDC identity providers via built-in policies in the coming weeks.
In the meantime, we would love your feedback if you get a chance to try it out!
/Parakh
-
AADB2C: Send email invitation for new user to sign up
I would like the ability to trigger an email invitation be sent to new users for our web application that I want to authenticate with AADB2C. In our multi-tenant design, each tenant will be responsible for adding their own users to their tenant. I would like the admin of the tenant to be able to send an email invitation to the new user and then that user can complete the sign-up process.
128 votesThank you for the feedback. We are strongly considering this for the future. Today we are focusing on customer facing apps with open self-service signup. /Jose Rojas
-
Customer-owned domains
Run Azure AD B2C's sign-up & sign-in pages under a custom domain, for e.g., login.contoso.com, instead of login.microsoftonline.com.
123 votesDevelopment is underway for a new “Custom Domains” blade in Azure AD B2C which will allow you to add a domain, verify it and upload an SSL certificate that will be used to serve up the login page from the custom domain.
We’re currently hoping to have this available by summer 2017.
If there are specific requirements or scenarios that you’re interested in, please make sure to call them out in the comments section so that we can keep those in mind.
/Saca
-
B2C Fully Customizable Sign-In Page
Create a Sign In Policy by which we can provide our own template for the sign in page. It could work the same way as the Sign Up policy does.
105 votesWe’ve shipped the sign-up/signin policy which allows complete customization. Does this satisfy your needs, or do you need a separate fully customizable sign-in (only) experience?
thank you. /Jose Rojas -
Azure AD B2C, How to Avoid / Validate, duplicate Sign up with Social Identity Providers
Hi, Assume, I sign up with Google 'siva@gmail.com', it creates a user in the tenant. I sign up with Facebook 'siva@gmail.com', it creates another user in the tenant. Also I went and Sign up using email account, for 'siva@gmail.com', now am finding 3 users with same email id. I see this is a duplicate accounts are getting created. Is there any way this can be validated & inform user in Azure AD B2C ?
81 votesThank you. We will examine the experience of duplicate sign ups across Identity providers. Would performing this check by using the email address be sufficient?
BTW, Linking multiple provider accounts to one user is in our roadmap and we’ve already achieved it in preview…
We look forward to your feedback
/Jose Rojas
-
Add support for Resource Owner Password Credentials flow in Azure AD B2C and headless authentication in Microsoft Authentication Library
Add support for Resource Owner Password Credentials flow in Azure AD B2C and headless authentication in Microsoft Authentication Library, just like Azure AD and Active Directory Authentication Library has.
The Azure AD B2C page has been saying 'Get tokens using a username & password with the OAuth 2.0 Resource Owner Password Credentials Flow (coming soon)' since September 2015.
https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-reference-protocols/64 votesWe’re currently scoping out this feature and the possibility of getting this in the backlog.
We hope to have an update on this by summer 2017.UPDATE: Just wanted to clarify, this would only work for local accounts as social identity providers (Facebook, Google, etc) don’t support this. We’d appreciate to comments from you guys on whether you are aware and ok with this limitation or get feedback on what you’d expect to see otherwise.
/Saca
-
Reduce pricing for Azure AD B2C
Azure AD B2C seems to be an interesting and very important service, however in my opinion it is >dramatically< overpriced. Having to pay thousands of dollars >per month< just for a few million users is in no relation to other Azure Services.
E.g. Storing 10 million users would cost 950k * €0.00093 + 9mil * €0.00076 = 7723,5€ per month. And this doesn't even include authentications.
This makes me wondering if your case study Real Madrid really would like all of their 450 million fans use this service. I think they would have to sell a player in that case!…61 votes -
60 votes
This is in the works and will be available as a result of custom domains:
https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/15334317-customer-owned-domains/Saca
-
AADB2C: How-to on multi-tenant applications based on B2C
As service provider using Azure as the underlying platform, I want to create an application that allows companies to create and manage their tenants and users within my service in order to provide a public service area as well as a privately owned area for the company.
I've read about B2C supporting multi-tenant, but I couldn't find hints within the documentation...
53 votesWe are currently prioritizing Azure AD as and identity provider into B2C. We will review this request after that work is done. Keep the requests coming! /Jose Rojas
-
Multi-language support
Allow support for multiple languages on Azure AD B2C end user pages.
51 votesWe are happy to announce that Language customization is now in public preview. You can now support ui_locales requested languages, localize to browser settings and customize any string in your user experience. You can learn more about how to use this feature here: https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-language-customization
/Sam
-
Spring Security Support
Storm Path is an example of an API/Service that provides all the same functionality as Azure AD B2C, and actually integrates with Spring Security very easily.
https://stormpath.com/
They provide code samples too:
https://docs.stormpath.com/java/It would be fantastic, and ensure a much wider adoption market, if you were to create an open source project that provided the same easy integration and adoption.
49 votes -
"Change password" policy
Add a new Azure AD B2C policy that allows a signed-in user to change his or her password. Not the same as password reset.
49 votesWe’d like to understand a bit more this ask, particularly how this differs from the “Reset Password” policy.
Ultimately, “Reset Password” allows the user to change his/her password by doing a second factor (email) verification.Is the primary driver behind this ask offering a simpler experience that doesn’t require a second factor?
Basically something like having a “Password” field in the “Edit Profile” policy which the user can change?
Would you expect them to type their old password as well?Please do share as much details with regards to what you’d like to see for this ask.
/Saca
-
SAML protocol support
Azure AD B2C currently supports OpenID Connect and OAuth 2.0. Add SAML protocol support as well.
38 votes -
Add hashed password migration to Azure AD B2C
Currently, I can migrate user accounts from an existing database to Azure AD B2C. However, it only accepts unhashed passwords, which is completely useless for any modern system, which should ONLY be using hashed and salted passwords. What would actually make this feature useful is to include fields for hashed password, hash algorithm (any of several standard ones), salt and salt method (i.e., appended, prepended, etc).
37 votes -
Azure B2C custom user attribute validation like using regex, range etc. e.g. postcode, date of birth
Ability to validate custom attributes like postcode, date of birth etc. On the user sign-up page / edit profile pages, either by providing a validation choice like "RegEx/Range" or by allowing JS.
35 votesThe immediate term is to make this possible by giving you full control of the B2C provided pages (sign up, sign in, etc) by allowing custom javascript (https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/15493536-add-support-for-javascript-inside-the-custom-ui-br).
/Saca
-
Custom password complexity
Allow the ability to set different password complexities for local accounts in a B2C tenant.
35 votesThis is in our backlog, we’re capturing the specific requirements.
Please provide your comments as to what you’d like to see on this feature./Saca
-
33 votes
Authenticating using a custom OIDC identity provider is now in public preview via custom policies. You can check out the instructions on how to set up a sample OIDC identity provider like Azure AD here – https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-aad-custom.
Please note that we expect to have custom OIDC identity providers via built-in policies in the coming weeks.
In the meantime, we would love your feedback if you get a chance to try it out!
/Parakh
-
AADB2C: Add CORS headers to AD B2C token endpoint to allow for implicit flow (XHR POSTS)
We are trying to implement Azure AD B2C authentication with a web app using implict flow. We can login and successfully get redirected to the correct url which includes the correct items on the redirect url (id_token&code). However, as this article suggests (https://github.com/Azure/azure-content/blob/master/articles/active-directory-b2c/active-directory-b2c-reference-oidc.md#get-a-token) the app then needs to perform a xhr POST request to the token endpoint to retrieve a token for a resource (web api) the app needs to interact with. However, when I try and do an XHR POST to that token endpoint (https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token?p=b2c_1_signinpolicy) the browser (quite rightly) performs a preflight check (an OPTIONS…
30 votes
- Don't see your idea?
