Configure a custom password reset policy with a read-only Email field in Azure AD B2C


How do I convert or manipulate a regular email field, which accepts a user's email id for verification, into a readonlyEmail field that prepopulates the user's email id when performing a password reset?

I have configured a custom password reset policy that passes in an id_token_hint and login_hint to the read-only claim, which populates the read-only Email field with the user's email id. However, two email fields are shown: the first is the read-only Email field and the second is the regular email field that accepts a user email id.

I commented out the email claim in LocalAccountReadPasswordUsingObjectId in the TrustFrameworkBase policy. This removed the second email field, but I was unable to perform the password reset, as I believe the email field is required for password reset.

Is it possible to manipulate the email field into a read-only Email field for the password reset? If so, how could I achieve a password reset policy with a read-only Email field without having two email fields?

[Screenshots in the original post: readonlyEmail claim type, claim transformation, technical profile, Run Now output, password reset flow][1]

[1]: https://i.stack.imgur.com/Z8sMQ.png

There is 1 answer below.


Assuming that your CpimIssuerTechnicalProfileReferenceId technical profile is reading the email address from the token as the email claim:

Create a claim type as follows:

  <ClaimType Id="userId">
    <DisplayName>Email Address</DisplayName>
    <DataType>string</DataType>
    <UserInputType>Readonly</UserInputType>
  </ClaimType>

Add a claim transformation:

  <!-- Copies the email claim obtained from the token into the read-only userId claim -->
  <ClaimsTransformation Id="CreateReadonlyEmailClaim" TransformationMethod="FormatStringClaim">
    <InputClaims>
      <InputClaim ClaimTypeReferenceId="email" TransformationClaimType="inputClaim"/>
    </InputClaims>
    <InputParameters>
      <InputParameter Id="stringFormat" DataType="string" Value="{0}"/>
    </InputParameters>
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="userId" TransformationClaimType="outputClaim"/>
    </OutputClaims>
  </ClaimsTransformation>

Change your LocalAccountDiscoveryUsingEmailAddress technical profile as follows:

  <TechnicalProfile Id="LocalAccountDiscoveryUsingEmailAddress">
    <DisplayName>Reset password using email address</DisplayName>
    <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <Metadata>
      <Item Key="IpAddressClaimReferenceId">IpAddress</Item>
      <Item Key="ContentDefinitionReferenceId">api.localaccountpasswordreset</Item>
    </Metadata>
    <CryptographicKeys>
      <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
    </CryptographicKeys>
    <IncludeInSso>false</IncludeInSso>
    <!-- Runs before the page renders, so userId is populated from the email claim -->
    <InputClaimsTransformations>
      <InputClaimsTransformation ReferenceId="CreateReadonlyEmailClaim" />
    </InputClaimsTransformations>
    <!-- Input claims prepopulate the self-asserted page; userId is rendered read-only -->
    <InputClaims>
      <InputClaim ClaimTypeReferenceId="userId"/>
    </InputClaims>
    <OutputClaims>
      <!-- userId takes the place of the editable email claim, so only one field is shown -->
      <OutputClaim ClaimTypeReferenceId="userId" PartnerClaimType="Verified.Email" Required="true" />
      <OutputClaim ClaimTypeReferenceId="objectId" />
      <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
      <OutputClaim ClaimTypeReferenceId="authenticationSource" />
    </OutputClaims>
    <ValidationTechnicalProfiles>
      <ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingEmailAddress" />
    </ValidationTechnicalProfiles>
  </TechnicalProfile>

All done!

Note: Make the necessary changes to the above pieces to match your custom policy.
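The three edits in the answer are easy to get subtly wrong in a large TrustFrameworkExtensions.xml (a claim type referenced before it is declared, the new elements placed after OutputClaims, or the old editable email output claim left in place, which is exactly the "two email fields" symptom from the question). The script below is an added example, not code from the question, the answer or Microsoft's B2C samples: it applies the answer's edits to a constructed, fictional extensions policy with Python's standard xml.etree module and then lints the result, resolving every ClaimTypeReferenceId and InputClaimsTransformation reference and reporting any self-asserted profile that renders a read-only claim next to an editable claim with the same display name. It assumes the standard TrustFrameworkPolicy namespace, that the token-derived claim is named email and the read-only copy userId as in the answer, and that the profile id is LocalAccountDiscoveryUsingEmailAddress; the replace_editable=False switch is an assumption of the example used to reproduce the questioner's first attempt.

```python
"""Added example: patch a B2C TrustFrameworkExtensions fragment for a read-only email field,
then lint it. Assumes the standard TrustFrameworkPolicy namespace and the claim names
'email' (from the id_token_hint) and 'userId' (read-only copy) used in the answer."""
import xml.etree.ElementTree as ET

NS = "http://schemas.microsoft.com/online/cpim/schemas/2013/06"
ET.register_namespace("", NS)  # serialise with a default xmlns like real policy files


def q(tag: str) -> str:
    return f"{{{NS}}}{tag}"  # namespace-qualified tag for ElementTree lookups


# Constructed sample (fictional tenant): the reset profile still prompts for a free-text email.
SAMPLE_POLICY = f"""<TrustFrameworkPolicy xmlns="{NS}" PolicySchemaVersion="0.3.0.0" TenantId="contoso.onmicrosoft.com"
  PolicyId="B2C_1A_TrustFrameworkExtensions" PublicPolicyUri="http://contoso.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions">
  <BuildingBlocks>
    <ClaimsSchema>
      <ClaimType Id="email"><DisplayName>Email Address</DisplayName><DataType>string</DataType><UserInputType>TextBox</UserInputType></ClaimType>
      <ClaimType Id="objectId"><DisplayName>Object ID</DisplayName><DataType>string</DataType></ClaimType>
    </ClaimsSchema>
    <ClaimsTransformations/>
  </BuildingBlocks>
  <ClaimsProviders><ClaimsProvider><DisplayName>Local Account</DisplayName><TechnicalProfiles>
    <TechnicalProfile Id="LocalAccountDiscoveryUsingEmailAddress">
      <DisplayName>Reset password using email address</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="Verified.Email" Required="true"/>
        <OutputClaim ClaimTypeReferenceId="objectId"/>
      </OutputClaims>
      <ValidationTechnicalProfiles><ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingEmailAddress"/></ValidationTechnicalProfiles>
    </TechnicalProfile>
  </TechnicalProfiles></ClaimsProvider></ClaimsProviders>
</TrustFrameworkPolicy>"""


def add_readonly_email(policy_xml: str, tp_id: str = "LocalAccountDiscoveryUsingEmailAddress",
                       source: str = "email", readonly: str = "userId",
                       replace_editable: bool = True) -> str:
    """Apply the answer's three edits; replace_editable=False keeps the editable field (the bug)."""
    root = ET.fromstring(policy_xml)
    blocks = root.find(q("BuildingBlocks"))
    schema = blocks.find(q("ClaimsSchema"))
    if schema.find(f"{q('ClaimType')}[@Id='{readonly}']") is None:  # 1. read-only claim type
        ct = ET.SubElement(schema, q("ClaimType"), Id=readonly)
        ET.SubElement(ct, q("DisplayName")).text = "Email Address"
        ET.SubElement(ct, q("DataType")).text = "string"
        ET.SubElement(ct, q("UserInputType")).text = "Readonly"
    cts = blocks.find(q("ClaimsTransformations"))  # 2. FormatStringClaim copying email -> userId
    if cts is None:
        cts = ET.SubElement(blocks, q("ClaimsTransformations"))
    tx = ET.SubElement(cts, q("ClaimsTransformation"), Id="CreateReadonlyEmailClaim",
                       TransformationMethod="FormatStringClaim")
    ET.SubElement(ET.SubElement(tx, q("InputClaims")), q("InputClaim"),
                  ClaimTypeReferenceId=source, TransformationClaimType="inputClaim")
    ET.SubElement(ET.SubElement(tx, q("InputParameters")), q("InputParameter"),
                  Id="stringFormat", DataType="string", Value="{0}")
    ET.SubElement(ET.SubElement(tx, q("OutputClaims")), q("OutputClaim"),
                  ClaimTypeReferenceId=readonly, TransformationClaimType="outputClaim")
    tp = root.find(f".//{q('TechnicalProfile')}[@Id='{tp_id}']")  # 3. rewire the profile
    out = tp.find(q("OutputClaims"))
    pos = list(tp).index(out)  # the schema is order-sensitive: insert just before OutputClaims
    ict = ET.Element(q("InputClaimsTransformations"))
    ET.SubElement(ict, q("InputClaimsTransformation"), ReferenceId="CreateReadonlyEmailClaim")
    inp = ET.Element(q("InputClaims"))
    ET.SubElement(inp, q("InputClaim"), ClaimTypeReferenceId=readonly)  # prepopulates the field
    tp.insert(pos, ict)
    tp.insert(pos + 1, inp)
    if replace_editable:  # keep PartnerClaimType="Verified.Email" and Required on the new claim
        out.find(f"{q('OutputClaim')}[@ClaimTypeReferenceId='{source}']").set("ClaimTypeReferenceId", readonly)
    else:
        out.insert(0, ET.Element(q("OutputClaim"), ClaimTypeReferenceId=readonly))
    ET.indent(root, space="  ")
    return ET.tostring(root, encoding="unicode")


def lint(policy_xml: str) -> list[str]:
    """Check that every reference resolves and flag the 'two email fields' symptom."""
    root = ET.fromstring(policy_xml)
    claims = {c.get("Id"): (c.findtext(q("DisplayName"), ""), c.findtext(q("UserInputType"), ""))
              for c in root.iter(q("ClaimType"))}
    transforms = {t.get("Id") for t in root.iter(q("ClaimsTransformation"))}
    problems = []
    for t in root.iter(q("ClaimsTransformation")):
        for el in t.iter():
            ref = el.get("ClaimTypeReferenceId")
            if ref and ref not in claims:
                problems.append(f"{t.get('Id')}: unknown claim '{ref}'")
    for tp in root.iter(q("TechnicalProfile")):
        tid = tp.get("Id")
        for r in tp.iter(q("InputClaimsTransformation")):
            if r.get("ReferenceId") not in transforms:
                problems.append(f"{tid}: unknown transformation '{r.get('ReferenceId')}'")
        proto = tp.find(q("Protocol"))
        if proto is None or "SelfAssertedAttributeProvider" not in proto.get("Handler", ""):
            continue  # only self-asserted profiles render input fields
        inputs = {i.get("ClaimTypeReferenceId") for i in tp.iter(q("InputClaim"))}
        outs = [o.get("ClaimTypeReferenceId") for o in tp.iter(q("OutputClaim"))]
        for cid in outs:
            name, kind = claims.get(cid, ("", ""))
            if kind != "Readonly":
                continue
            if cid not in inputs:
                problems.append(f"{tid}: read-only '{cid}' has no input claim and would render empty")
            twins = [o for o in outs if o != cid and claims.get(o, ("", ""))[0] == name]
            if twins:
                problems.append(f"{tid}: '{name}' rendered twice, read-only '{cid}' plus editable {twins}")
    return problems


def rendered_fields(policy_xml: str, tp_id: str) -> list[tuple[str, str]]:
    """(claim id, UserInputType) for each output claim of a profile, in render order."""
    root = ET.fromstring(policy_xml)
    kinds = {c.get("Id"): c.findtext(q("UserInputType"), "") for c in root.iter(q("ClaimType"))}
    tp = root.find(f".//{q('TechnicalProfile')}[@Id='{tp_id}']")
    return [(o.get("ClaimTypeReferenceId"), kinds.get(o.get("ClaimTypeReferenceId"), ""))
            for o in tp.iter(q("OutputClaim"))]
```

Running `print(add_readonly_email(SAMPLE_POLICY))` prints the patched fragment, and `lint(...)` on it returns an empty list, while `lint(add_readonly_email(SAMPLE_POLICY, replace_editable=False))` reports the duplicated "Email Address" field. Two caveats worth keeping in mind: UserInputType="Readonly" only governs how the page is rendered, so the trust placed in the address rests on the email claim having come from an id_token_hint that the CpimIssuerTechnicalProfileReferenceId profile actually validated with the configured signing key, and the validation technical profile (AAD-UserReadUsingEmailAddress above) is still what decides which account the reset applies to.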