
ROPC policy - B2C to B2C Migration - Copy Authentication methods

Open bgawale opened this issue 2 years ago • 2 comments

Is there any way to copy the Authentication information of the user from the legacy tenant to the new tenant while the user gets copied to the new tenant using the ROPC policy?

This is specifically for a scenario where there are two Azure AD B2C tenants, e.g. legacy and latest. The steps mentioned here and the samples for the ROPC policy example here https://github.com/azure-ad-b2c/samples/tree/master/policies/B2C2B2CMigration work OK.

Here is a section from the example extension file that shows that if there are user attributes, e.g. first_name, last_name or display_name, to be copied for a user from the legacy tenant to the new tenant, then these claims can be referenced as specified below:

<OutputClaims>
    <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
    <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" />
    <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
    <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="localAccountAuthentication" />
    <OutputClaim ClaimTypeReferenceId="isLocalUser" DefaultValue="false" AlwaysUseDefaultValue="true" />
</OutputClaims>

Question: if the user in the legacy tenant has set up the verification phone number in Authentication methods (either while setting up MFA or SSPR), is there any way to copy that information along with the attributes above and set it in the same field for the user in the new tenant? If yes, what is the best way to achieve it?

Refer to the image below, which highlights the information to be copied while copying the user with the ROPC policy.

image

bgawale avatar Apr 25 '22 12:04 bgawale

The AAD /token endpoint will only send back a certain claim set, so you can’t just add more outputClaims.

You would need to make an additional Graph API call from within the custom policy to fetch the user's profile information. You can use the user's own token to do that, or use client credentials.

Get token example https://github.com/azure-ad-b2c/samples/blob/master/policies/global-architecture-model/policies/emea%20region%20tenant/B2C_1A_SignUp_SignIn.xml#L215

Call graph example https://github.com/azure-ad-b2c/samples/blob/master/policies/global-architecture-model/policies/emea%20region%20tenant/B2C_1A_SignUp_SignIn.xml#L259

JasSuri avatar Apr 27 '22 02:04 JasSuri
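As an added example of the two-step approach JasSuri describes (not code from this thread or from the samples repository), here is a ClaimsProvider with two RESTful technical profiles: the first obtains a client-credentials token for the legacy tenant, the second uses it as a bearer token to read the user's Graph profile. The legacy tenant name, the policy key names, and the claim types bearerToken, legacyObjectId (assumed to be mapped from the oid claim returned by the ROPC technical profile) and legacyMobilePhone are assumptions and must be declared in the ClaimsSchema.

```xml
<ClaimsProvider>
  <DisplayName>Legacy tenant Graph lookup</DisplayName>
  <TechnicalProfiles>
    <!-- Step 1: client-credentials token for the legacy tenant. The app registration's
         client id and secret are read from policy keys (assumed names), never embedded in
         the policy file. Grant the app read-only Graph permission, e.g. User.Read.All. -->
    <TechnicalProfile Id="REST-LegacyGraph-GetAccessToken">
      <DisplayName>Get Graph access token for legacy tenant</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <!-- assumed legacy tenant name -->
        <Item Key="ServiceUrl">https://login.microsoftonline.com/legacytenant.onmicrosoft.com/oauth2/v2.0/token</Item>
        <Item Key="AuthenticationType">Basic</Item>
        <Item Key="SendClaimsIn">Form</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="BasicAuthenticationUsername" StorageReferenceId="B2C_1A_LegacyGraphClientId" />
        <Key Id="BasicAuthenticationPassword" StorageReferenceId="B2C_1A_LegacyGraphClientSecret" />
      </CryptographicKeys>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="grant_type" DefaultValue="client_credentials" />
        <InputClaim ClaimTypeReferenceId="scope" DefaultValue="https://graph.microsoft.com/.default" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="bearerToken" PartnerClaimType="access_token" />
      </OutputClaims>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
    </TechnicalProfile>

    <!-- Step 2: read the user's profile with that token. legacyObjectId is assumed to hold
         the oid claim from the ROPC step and is inserted via a claim resolver. Only user
         properties come back; MFA phone authentication methods are a separate resource. -->
    <TechnicalProfile Id="REST-LegacyGraph-GetUser">
      <DisplayName>Read user profile from legacy tenant</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="ServiceUrl">https://graph.microsoft.com/v1.0/users/{Claim:legacyObjectId}?$select=id,displayName,mobilePhone</Item>
        <Item Key="HttpBinding">GET</Item>
        <Item Key="SendClaimsIn">Header</Item>
        <Item Key="AuthenticationType">Bearer</Item>
        <Item Key="UseClaimAsBearerToken">bearerToken</Item>
      </Metadata>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="bearerToken" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="displayName" />
        <OutputClaim ClaimTypeReferenceId="legacyMobilePhone" PartnerClaimType="mobilePhone" />
      </OutputClaims>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
```

Both profiles are then invoked as orchestration steps after the ROPC step in the user journey; mobilePhone here is the directory profile property, which is distinct from the phone registered as an MFA or SSPR authentication method.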

We ended up raising a support ticket for this and got official response that the authentication method information from the user profile won't be copied at this point and it is by design since the ROPC does not support this scenario.

Although the functionality does not yet exist, the product team is currently working on a way for admins to manage MFA phone authentication methods via Graph API. For now, the workaround suggested by the team is to resort to users signing up for MFA again on the new tenant.

Has anyone ever encountered this, which appears to be a quite basic requirement when it comes to migrating users from one tenant to another?

@JasSuri Thanks for sharing these details, any possibility to have a functional sample available based on this?

bgawale avatar May 02 '22 13:05 bgawale