We have a Sign-in Custom Policy setup in Azure AD B2C that customers use to log in our application. In the Standard B2C policies, users are rememberd and a menu is provided with the list of email addresses that have logged in from a particular machine (and the option to forget them), as in the following screenshot:
Our Custom Sign-in Policy works but users have to re-enter their email address every time from their machines. How can we achieve the same behaviour with a Custom Policy?
Here is the technical profile:
<TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
<DisplayName>Local Account Signin</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<Metadata>
<Item Key="SignUpTarget">SignUpWithLogonEmailExchange</Item>
<Item Key="setting.operatingMode">Email</Item>
<Item Key="setting.showSignupLink">False</Item>
<Item Key="setting.showContinueButton">True</Item>
<Item Key="setting.showCancelButton">True</Item>
<Item Key="EnforceEmailVerification">False</Item>
<Item Key="ContentDefinitionReferenceId">api.selfasserted</Item>
</Metadata>
<IncludeInSso>false</IncludeInSso>
<InputClaims>
<InputClaim ClaimTypeReferenceId="signInName" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="signInName" Required="true" />
<OutputClaim ClaimTypeReferenceId="password" Required="true" />
<OutputClaim ClaimTypeReferenceId="objectId" />
<OutputClaim ClaimTypeReferenceId="authenticationSource" />
</OutputClaims>
<ValidationTechnicalProfiles>
<ValidationTechnicalProfile ReferenceId="login-NonInteractive" />
</ValidationTechnicalProfiles>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
</TechnicalProfile>
EDIT:
Having played around with the new "User Flows" which are currently in the Preview phase in Azure AD B2C, it seems that there are two different versions of the Sign in user journey that are offered:
- Sign in: which does not allow for UI customisation (aside from the "Company Branding" feature) and is consistent with the behaviour that I report in the screenshot above.
- Sign in v2: Which allows for UI customisation with custom cshtml pages and is consistent with the behaviour I observe when using custom policies. This type of Sign in user flow is not visible or accessible from the existing built-in policies at the moment.
So it seems that the Sign in v2 is the version that is used within custom policies for the sign in user journeys, as it is the version that allows for UI customisation.
SignInV1 vs SignInV2
Built-in policies have been rebranded as User flows. The new ui of Azure Ad B2C is moving into GA. It has some v2 user flows which are in preview currently and will be moved to GA in due course of time.
There is a difference in the way SignInv1 and SignInv2 user flows work. SignIn v1 'interactively' federates with default sign-in experience of Azure Active Directory (AAD), which has "Keep me sign in" (KMSI) feature. SignInV2 has additinal feature of UX customizability. To provide that B2C 'non-interactively' federates with AAD.
As a result of this customizability, there is currently a feature gap between signinv1 and v2 - KMSI - Forced password reset.
There are plans to work on these features.
Custom policies
This page will tell how to enable KMSI for custom policies. https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-kmsi-custom