Thanks to your feedback, we have been steadily making identity for customer and partner-facing applications more flexible and faster to configure out of the box. Today we are making it easier for users with different identities to sign in, sign up and collaborate with improvements to self-service sign-up in Azure Active Directory and next-generation B2C user flows. And for B2C app owners and admins, it’s now easier than ever to configure user sessions and password resets and extend the experience with connections to external data and services.
Self-service sign-up with Microsoft Account and Email One-Time Passcode
Since Ignite, we’ve added two new ways for your external users to “bring their own identity” via the self-service sign-up capability in Azure AD. People who use a personal Microsoft account, to sign into Windows, Xbox, Skype, or any other Microsoft 365 application as an individual or small business can now use their existing account to sign up to any app that has been configured to allow these credentials.
Users who do not have a Microsoft account can request that a one-time passcode (OTP) be sent to their email address.
Configure these experiences in the Azure portal by enabling email one-time passcode and Microsoft Account on the All Identity Providers page. You’ll need to also make sure to enable those identity providers in your self-service sign-up user flows.
Built-in user flows for password reset and keep me signed in for B2C apps
Built-in users flows for B2C let app owners enable users to sign-up, sign-in, and reset passwords without requiring a bunch of new application code. Built-in user flows are now even easier to configure with new out of the box controls. Now generally available, app owners can configure user flows with keep me signed in and more flexible password reset settings with just a few clicks.
Enable keep me signed in to extend the session length for your users using a persistent cookie. This keeps the session active even when the user closes and reopens the browser, and is revoked when the user signs out. Configure password reset settings to allow users to reset their password when they forget, or when prompted to reset an expired password from within the sign in user flow.
API connectors for Azure AD B2C
A few months ago, we shared several examples of how you can use API connectors to customize sign-up flows for your Azure AD applications. This feature that lets you extend your sign-up user flows by connecting to external systems is now generally available for both customer and partner journeys.
We are also making API connectors for user flow extensibility even more powerful by introducing the ability to enrich tokens for your sign-in and sign-up user flows with attributes from legacy identity systems, custom data stores, and other cloud services. This capability will be rolling out in preview for Azure AD B2C in the coming weeks.
We love hearing from you, so share your feedback on these new features through the Azure forum or by tagging @AzureAD on Twitter.
Learn more about Microsoft identity:
Hi @Robin Goldstein ,
It would be nice if you could add Microsoft Accounts to B2C and get domain (not publisher) verification without becoming a Microsoft Partner.
Only way to get rid of “unverified” line in app consent screen seems to be become a Microsoft Partner and get publisher verification, which I don’t need and is inappropriate for my use case. Seems a bit rough if you want to offer Microsoft Accounts with B2C. Guess i’ll have to turn Microsoft Accounts off 🙁
Domain Verification for Microsoft Account App in Azure AD for Azure B2C – Microsoft Tech Community
Question, Domain Verification for Microsoft Account App in Azure AD for Azure B2C, Published success…
@TimLourey Thanks for that feedback and for sharing those links. We want MSA to be a viable account for B2C and guest use cases in AAD. Will take your feedback into account and share it with the team. I can put you in touch with the team directly if you’re interested in sharing your use case with us so we can better understand why unverified doesn’t work for you.
Very interested in speaking to the team directly, as I do think its a use-case that has been overlooked either in B2C or in the AAD Mandate about multi tenant applications requiring verified publishers.
Having previously worked at a partner i’m fairly sure thats not the avenue that you want me to go down.
Happy to discuss with the team 🙂
This would be really useful if the user sign-up flow was actually compatible with MFA. In a scenario where MFA is applied to sign-ins a user is unable to create an account, and, instead gets a message that the user does not exist. This should never happen when I have a user sign-up flow, instead the user should be prompted to create an account. However, it appears that MFA gets in the way by being triggered first, rather than the sign-up flow being triggered first.
Microsoft support say this is “expected behaviour”!
© Microsoft. This article was originally published by Microsoft Azure Active Directory Identity Blog. You can find the original article here.