
I'm using Azure AD B2C and we've been presented with a preference/requirement from our product team to allow users to sign up/in using either an email address OR a mobile phone number as the user id.

Currently the built in flows only allow email or username as the user id. There's strong evidence to suggest that we could create a custom policy to allow for mobile phone number, but what I need is the ability to sign up/in using either email address OR mobile phone number.

It seems like I'm not the only one requesting this functionality. https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/15334314-phone-number-sign-up?page=2&per_page=20

Just wondering if there's a way to achieve this using custom policies, and if so, any demos/links that explain how to do this...

[Edit] User journeys

Web app sign-up:

  1. User enters email or mobile
  2. MFA to email or mobile (whichever was entered)
  3. Authenticate code sent to user
  4. Set password.
  5. IDP done
  6. Back in app, might capture email or mobile (whichever was not captured in IDP) and update B2C via MS Graph API.

Native mobile app sign-up:

  1. User enters mobile
  2. MFA to mobile
  3. Authenticate code
  4. Set password.
  5. IDP done
  6. Back in app, might capture email and update B2C via MS Graph API

Web app sign-in:

  • Sign in using either (mobile or email) and password.

Native mobile app sign-in:

  • Sign in using mobile and password.
  • Use refresh token most of the time instead of explicit sign-in.
Ryan.Bartsch
  • Can you update the question to clarify the following: do you need phone no. with password (similar to email)? Is it ok to show email sign in by default on the sign-up/sign-in page and have a button (similar to social IDPs) that says "sign-in with phone", etc.? – Omer Iqbal Feb 10 '19 at 08:11
  • Thanks Omer. I've updated the initial question with the requested user journeys. – Ryan.Bartsch Feb 11 '19 at 04:19
  • Hi @Ryan.Bartsch I might be able to help with a sample policy. But first: Might you also consider an alternative flow that allows a new user to enter email *and* phone but they only verify one on sign-up and then verify the other sign-in name if they use it later on sign-in? This simplifies it insofar as both the sign-in names are captured on sign-up but one can be independently verified of another. – Chris Padgett Feb 15 '19 at 04:35
  • @ChrisPadgett - thanks for the response. I've had a chat with the business/product and they've refined the user journeys as follows. Sign-up is mobile only (+2FA) and password for all channels. Email can be set later on via back channel (e.g. MS Graph API) and verified independently. Sign-in is (mobile or email) and password. Obviously if there's no email assigned the user would only be able to sign in using their mobile. If you've got some sample policies that are similar it would be greatly appreciated :) – Ryan.Bartsch Feb 18 '19 at 01:34
  • Hi @Ryan.Bartsch I'm happy to share a sample policy if you give me a day or two to do so. – Chris Padgett Feb 19 '19 at 10:05
  • Hi @Ryan.Bartsch I've added the below answer with links to custom policy samples. – Chris Padgett Feb 21 '19 at 21:17

1 Answer

You are able to implement this with two custom policies:

  1. A sign-up or sign-in policy that allows sign-up for a local account using a phone number and sign-in for a local account using an e-mail address or a phone number.
  2. A linking policy that allows linking of an e-mail address to a local account that has been registered using a phone number.

I've published the following custom policy samples to this GitHub repository:

  • phone_sign_up_any_sign_in: Sign-up for a local account using a phone number. The end user is prompted for verification of the phone number. An e-mail address can be linked to the local account using the email_linking policy. Sign-in for a local account using an e-mail address or a phone number. If the e-mail address hasn't been verified, then the end user is prompted for verification of the e-mail address. If the phone number hasn't been verified, then the end user is prompted for verification of the phone number.
  • email_linking: Linking of an e-mail address to a local account that has been registered using a phone number. The end user is prompted for verification of the e-mail address.
Chris Padgett
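The question's step 6 (capturing the missing sign-in name in the app and pushing it to B2C via Microsoft Graph) and the answer's email_linking policy both come down to attaching a verified e-mail sign-in name to a phone-registered local account. The helper below is an added example, not code from the linked repository; it assumes local identities use the tenant's default domain as `issuer` and that a PATCH to `identities` replaces the whole collection, so the existing entries read from the user object are carried over unchanged.

```python
"""Build the Microsoft Graph PATCH body that links a verified e-mail address
to an existing B2C local account (constructed example, not the repository's code)."""
import json
import re

# Assumption: local-account identities are issued by the tenant's default domain.
TENANT_ISSUER = "contoso.onmicrosoft.com"  # placeholder tenant, not a real one
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample of what GET /users/{id}?$select=identities might return.
# Any other sign-in names the custom policy stored are carried over as-is.
EXISTING_IDENTITIES = [
    {"signInType": "userPrincipalName", "issuer": TENANT_ISSUER,
     "issuerAssignedId": "cpim_0000@contoso.onmicrosoft.com"},
]


def link_email_identity(existing_identities, email, verified):
    """Return the body for PATCH /users/{id}, or raise if linking is unsafe.

    existing_identities: the user's current 'identities' array. Assumed required
    because an update replaces the whole collection; dropping entries would
    silently remove the user's existing sign-in names.
    verified: True only after the address passed a verification-code step,
    mirroring the e-mail verification the linking policy performs.
    """
    if not verified:
        raise ValueError("refusing to link an unverified e-mail address")
    email = email.strip().lower()
    if not EMAIL_RE.match(email):
        raise ValueError("not an e-mail address")
    if any(i.get("signInType") == "emailAddress" for i in existing_identities):
        raise ValueError("account already has an e-mail sign-in name")
    identities = list(existing_identities)  # keep every existing entry
    identities.append({
        "signInType": "emailAddress",
        "issuer": TENANT_ISSUER,
        "issuerAssignedId": email,
    })
    return {"identities": identities}


def example_body():
    """Body that would be sent for the constructed sample account."""
    return link_email_identity(EXISTING_IDENTITIES, " Ryan@Example.com ", True)


if __name__ == "__main__":
    print(json.dumps(example_body(), indent=2))
```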
  • Thanks @ChrisPadgett, this is a great help - much appreciated! Just going through the instructions/README and it's not entirely clear what iefExtensionApplication.id and iefExtensionApplication.clientId should be set to in default.json. I assume this is the B2C Application Id. Please confirm... also might be worth updating the README for others... – Ryan.Bartsch Feb 22 '19 at 04:08
  • Hi @Ryan.Bartsch iefExtensionApplication.id and iefExtensionApplication.clientId refer to the object and application identifiers (respectively) of the b2c-extensions-app application that is registered in your B2C tenant. I'll update the README file for others. – Chris Padgett Feb 22 '19 at 05:07
  • Hi Chris, I followed this link to get things working: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-create-custom-attributes-profile-edit-custom#create-a-new-application-to-store-the-extension-properties. Still worth updating the docs tho :) – Ryan.Bartsch Feb 22 '19 at 05:15
  • Thanks for all the help Chris, I've marked this as the answer. A couple of things I'll still need to do include: a) split this out into separate sign up and sign in flows, b) have a verify code button after entering the mobile 2FA code (similar to the email linking flow), c) accept mobile phone format with/without country code (i.e. +61), and d) custom styling; should be good to do these things myself, but I'll let you know if I run into any difficulties. Once again, thanks for the help! – Ryan.Bartsch Feb 22 '19 at 05:31
  • No problems, I'm happy to improve the policy samples as necessary, but it might be best to manage items like those through issues on the GitHub repository. – Chris Padgett Feb 22 '19 at 05:40
  • Hi @ChrisPadgett currently I'm working on phone sign-up and sign-in with custom policies in Azure AD B2C. The whole flow is working fine. But I want to remove that email address verification after phone number sign up. How do I do that? – Roshan Maddumage Sep 26 '20 at 11:24