Azure AD B2C, How to Avoid / Validate, duplicate Sign up with Social Identity Providers
Hi. Assume I sign up with Google as 'firstname.lastname@example.org'; it creates a user in the tenant. I sign up with Facebook as 'email@example.com'; it creates another user in the tenant. I also went and signed up using an email account for 'firstname.lastname@example.org', and now I am finding 3 users with the same email id. I see that duplicate accounts are getting created. Is there any way this can be validated and the user informed in Azure AD B2C?
Thank you. We will examine the experience of duplicate sign ups across Identity providers. Would performing this check by using the email address be sufficient?
BTW, Linking multiple provider accounts to one user is in our roadmap and we’ve already achieved it in preview…
We look forward to your feedback
Daniel W. Grech commented
This is also a deal breaker for us, and we have invested a lot of time and resources into ADB2C. This type of functionality is among things we took for granted when we first decided to invest in ADB2C, but now we are painfully realizing this is not easily, if at all, possible. Can Microsoft please issue an official statement about this long overdue issue, so that we can re-assess our position asap?
It's amazing that this is not taken care of using just basic user flows. I mean how complicated can it be?
John Fabian commented
I agree account linking should have been provided out of the box! Who wants to have multiple accounts when a user logs in with multiple providers?? I've been spending weeks learning how the custom policy files work with minimal resources. Who wants to spend this much time setting up authentication and having to learn thousands of lines of XML?
As a customer who has been using the B2C platform for years, and have implemented most of the custom policies on docs.microsoft.com, I can confidently say that if your business wants to use social login, pick a different IAM provider like Okta that handles this situation properly, even if it is 5x-10x the cost of b2c.
The amount of time and money we have spent between customer service issues, operational issues, issues integrating with vendors, and overall customer confusion and frustration is far more than the additional cost would have been for a competing product that handles social/email logins properly and doesn't duplicate accounts based on provider.
The way that this is architected currently should be an opt in rather than the default, I personally cannot think of a business to consumer scenario where a business would want a federated login like this by default.
We have also tried the account linkage custom policy examples referenced above, not only does it not solve the underlying issue, it actually makes an overly complicated login process that much more complicated.
Until this architectural flaw is actually addressed, the B2C IAM solution is a broken product in the eyes of our business users and customers.
Now if your business uses local account/email only to login, B2C works fine.
Sergio Solorzano commented
Hello, is there a suggested way to merge accounts in Azure or an update in Azure managing duplication? Thanks
Vineet Yadav commented
Hey Team, any updates here? This is a serious miss and problem. I add users to groups or other operations (for audit and others) based on user id. Still I am getting multiple local accounts if I change IdP.
5 years since the last update where you mentioned this was in preview. I wonder how much time it takes to be in preview. Please update here.
Bob Maes commented
Also curious for an update / timeline. On the point to start migrating everything to custom policies or reviewing an alternative. Custom policies would only be done to avoid the duplicate account issue with social accounts.
Using IEF and B2C is my biggest regret of this 2-year project so far. It has held me up at every turn, and right now I am trying to ensure a customer only has a single email address, no matter which IdP they use.
William Watterson commented
Any update on this one? Need to stop users signing up with multiple providers with same email
Check this https://docs.microsoft.com/en-us/azure/active-directory-b2c/social-transformations for b2c custom policies
Jesus Santander commented
Any news? I'm starting to regret choosing AD B2C, it feels an incomplete/abandoned product.
Any news, please? It is unbelievable that B2C doesn't give this service.
PAILLASSE SYLVAIN commented
Any news please?
Michiel Cornille commented
Jignesh Patel commented
Any update on this thread? How can we keep email addresses unique across all identity providers?
Performing that check based on email would also be sufficient for me.
De-duplicating on email address would be sufficient. A customer using different ways to log in but all accounts having the same email address should be treated as one account with 3 identity providers.
Bartosz Mróz commented
In my opinion it is a very important feature for business apps where duplicated email addresses could disturb the business app logic.
Kris Sebesta commented
Another possible solution is to actually allow the user to have multiple accounts with the same email address. When the user logs in you can use the EmailAddress AND UserPrincipleName (or OID) as a compound key and save them in your application database in a table (say, UserAccounts) that is keyed on EmailAddress AND UserPrincipleName (or OID). Then have the UserAccounts table related (FK) to your primary user table (so you will have one User row and one-to-many UserAccounts rows). We are using the following two lines to get each property in the SecurityTokenValidated notification method.
var userEmail = context.AuthenticationTicket.Identity.FindFirst("preferred_username"); // Email address.
var userPrincipleName = context.AuthenticationTicket.Identity.FindFirst(System.Security.Claims.ClaimTypes.NameIdentifier); // Object id (OID) of the B2C account; differs per identity provider.
That way, when the user signs in, the application looks up the user via their EmailAddress AND UserPrincipleName (or OID) and you can identify the one user row in the Users table. Hope this helps someone. Cheers!
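The Users / UserAccounts design from the comment above, as an added example (not the commenter's code, not B2C's own): an in-memory SQLite schema with the (EmailAddress, Subject) compound key and a lookup that maps every provider identity carrying the same verified email to a single User row. The sample sign-ins and the "oid-..." subject values are constructed; the real values would be the preferred_username and NameIdentifier claims from the validated token.

```python
import sqlite3

# Constructed sample sign-ins (not real users): the claims an app sees after B2C
# validates a token, with one person arriving through three different identities.
SAMPLE_SIGNINS = [
    ("firstname.lastname@example.org", "oid-google-1111"),
    ("firstname.lastname@example.org", "oid-facebook-2222"),
    ("firstname.lastname@example.org", "oid-local-3333"),
    ("other@example.com", "oid-google-4444"),
]

SCHEMA = """
CREATE TABLE Users (UserId INTEGER PRIMARY KEY, EmailAddress TEXT NOT NULL UNIQUE);
CREATE TABLE UserAccounts (
    EmailAddress TEXT NOT NULL,
    Subject TEXT NOT NULL,  -- B2C object id (NameIdentifier claim), one per provider
    UserId INTEGER NOT NULL REFERENCES Users(UserId),
    PRIMARY KEY (EmailAddress, Subject)  -- the compound key described in the comment
);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn

def resolve_user(conn, email, subject):
    """Map one validated (email, subject) pair to exactly one UserId: create the
    User row on first contact, then link each further provider subject to it.
    Assumes the IdP verified the email claim; never link on an unverified email."""
    email = email.strip().lower()  # normalise casing so it cannot split the key
    row = conn.execute("SELECT UserId FROM UserAccounts WHERE EmailAddress=? AND Subject=?",
                       (email, subject)).fetchone()
    if row:
        return row[0]
    user = conn.execute("SELECT UserId FROM Users WHERE EmailAddress=?", (email,)).fetchone()
    user_id = user[0] if user else conn.execute(
        "INSERT INTO Users (EmailAddress) VALUES (?)", (email,)).lastrowid
    conn.execute("INSERT INTO UserAccounts VALUES (?, ?, ?)", (email, subject, user_id))
    conn.commit()
    return user_id

def link_all(conn, signins):
    """Resolve a sequence of sign-ins; returns the UserId each one mapped to."""
    return [resolve_user(conn, email, subject) for email, subject in signins]

if __name__ == "__main__":
    db = open_db()
    print(link_all(db, SAMPLE_SIGNINS))  # three providers, one user: [1, 1, 1, 2]
```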
Kris Sebesta commented
How about an update on this Microsoft? IT HAS BEEN THREE YEARS SINCE THE ORIGINAL POST! Top notch service I tell ya! ... pathetic.