Conditional Access Policies allow SignUp
The conditional access flow with blocking allows signing up and even generates a valid token during signUp instead of blocking the user or blocking the whole signUp process.
I ran the sample using the Tor browser, and I was able to sign up; the sign-up process even gave me a valid token after signing up.
When I sign in using the credentials provided during signUp, the sign-in is blocked as expected.
We have the same behavior using our own B2C, but we want to block risky logins already during signUp, not when they sign in a second time, as most fraudulent activity is done directly after sign-up.
More info: the WhatIf policy does not even log the expected fields:
```
{
"alg": "RS256",
"kid": "KW8bBJOmaNXvJh2YZGNtFu9QOa5UMeWLgjByHawo4XY",
"typ": "JWT"
}.{
"ver": "1.0",
"iss": "https://b2clivedemo.b2clogin.com/3a29c594-12be-476f-bb6f-0a787b348639/v2.0/",
"sub": "2534ef73-7e7b-401a-9d1d-787661462d14",
"aud": "cfaf887b-a9db-4b44-ac47-5efff4e2902c",
"exp": 1708616547,
"acr": "b2c_1a_demo_signup_signin_conditionalaccess_whatif",
"nonce": "defaultNonce",
"iat": 1708612947,
"auth_time": 1708612947,
"email": "<REDACTED>",
"IP-Address": "<REDACTED>",
"trustFrameworkPolicy": "B2C_1A_Demo_SignUp_SignIn_ConditionalAccess_WhatIf",
"tid": "3a29c594-12be-476f-bb6f-0a787b348639",
"nbf": 1708612947
}
```
Conditional access is applied post credential validation; it doesn't get invoked at sign-up.
For prevention of sign-up abuse, you'd be looking at fraud detection capabilities, e.g. Dynamics Fraud Protection integration with AAD B2C custom policies.
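Because the token is minted at sign-up before any conditional access evaluation, the relying party receives a usable token for a brand-new, never-risk-checked account. The following is an added example (not code from this thread or from the B2C samples repository) of a relying-party-side gate for exactly that token: it parses a JWT of the shape posted above, validates the standard claims against the issuer, audience and tenant shown in the post, and treats a token whose `auth_time` equals `iat` as "first use" so that it can be stepped up when the custom `IP-Address` claim falls in a risky range. The risky ranges, the first-use window and the placeholder signature are constructed assumptions; signature verification against the tenant's JWKS is intentionally left out and must be done before any of these claims are trusted in production.

```python
import base64
import ipaddress
import json
import time

# Values copied from the token shape in the post above (constructed test data,
# never checked against a live tenant).
EXPECTED_ISSUER = "https://b2clivedemo.b2clogin.com/3a29c594-12be-476f-bb6f-0a787b348639/v2.0/"
EXPECTED_AUDIENCE = "cfaf887b-a9db-4b44-ac47-5efff4e2902c"
EXPECTED_TENANT = "3a29c594-12be-476f-bb6f-0a787b348639"
SAMPLE_HEADER = {"alg": "RS256", "kid": "KW8bBJOmaNXvJh2YZGNtFu9QOa5UMeWLgjByHawo4XY", "typ": "JWT"}

# Assumption (constructed, not a real feed): ranges the relying party treats as
# risky when they show up in the custom IP-Address claim.
RISKY_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
# Assumption: auth_time within this many seconds of iat means the token came
# straight out of the journey that created or authenticated the account.
FIRST_USE_WINDOW_SECONDS = 5


def sample_payload(**overrides):
    """Constructed payload mirroring the posted token; overrides adjust claims."""
    payload = {
        "ver": "1.0", "iss": EXPECTED_ISSUER, "sub": "2534ef73-7e7b-401a-9d1d-787661462d14",
        "aud": EXPECTED_AUDIENCE, "exp": 1708616547, "nonce": "defaultNonce",
        "acr": "b2c_1a_demo_signup_signin_conditionalaccess_whatif",
        "iat": 1708612947, "auth_time": 1708612947, "nbf": 1708612947,
        "email": "user@example.com", "IP-Address": "198.51.100.7",
        "trustFrameworkPolicy": "B2C_1A_Demo_SignUp_SignIn_ConditionalAccess_WhatIf",
        "tid": EXPECTED_TENANT,
    }
    payload.update(overrides)
    return payload


def _b64url_decode(segment):
    # JWTs strip base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(header, payload):
    """Build a JWT-shaped string with a placeholder signature (test input only)."""
    enc = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return ".".join([enc(header), enc(payload), "sig"])


def decode_unverified(token):
    """Split header.payload.signature and parse the JSON parts.
    The RS256 signature is NOT checked here; do that against the tenant JWKS first."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def validate_claims(header, payload, now):
    """Return a list of problems with the standard claims; empty means acceptable."""
    problems = []
    if header.get("alg") != "RS256":
        problems.append("unexpected alg")
    if payload.get("ver") != "1.0":
        problems.append("unexpected ver")
    if payload.get("iss") != EXPECTED_ISSUER:
        problems.append("issuer mismatch")
    if payload.get("aud") != EXPECTED_AUDIENCE:
        problems.append("audience mismatch")
    if payload.get("tid") != EXPECTED_TENANT:
        problems.append("tenant mismatch")
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        problems.append("token expired")
    if not isinstance(payload.get("nbf"), int) or now < payload["nbf"]:
        problems.append("token not yet valid")
    return problems


def is_first_use(payload):
    """True when the token was minted at the moment of authentication."""
    auth_time, iat = payload.get("auth_time"), payload.get("iat")
    if not isinstance(auth_time, int) or not isinstance(iat, int):
        return False
    return abs(iat - auth_time) <= FIRST_USE_WINDOW_SECONDS


def ip_is_risky(payload):
    """Check the custom IP-Address claim against the constructed risky ranges."""
    raw = payload.get("IP-Address")
    if not raw:
        return False
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:
        return True  # a malformed claim is treated as risky rather than ignored
    return any(addr in net for net in RISKY_NETWORKS)


def evaluate(token, now=None):
    """Relying-party decision for a freshly presented B2C token."""
    now = int(time.time()) if now is None else now
    header, payload = decode_unverified(token)
    problems = validate_claims(header, payload, now)
    first_use, risky = is_first_use(payload), ip_is_risky(payload)
    if problems:
        decision = "reject"
    elif first_use and risky:
        decision = "step-up"  # new account from a risky address: challenge before granting access
    else:
        decision = "allow"
    return {"decision": decision, "problems": problems, "first_use": first_use, "risky_ip": risky}


if __name__ == "__main__":
    print(evaluate(make_unsigned_token(SAMPLE_HEADER, sample_payload()), now=1708613000))
```

The `step-up` branch is where a real deployment would plug in whatever check conditional access would otherwise have done on the second sign-in (MFA, a fraud-score lookup, or simply holding the account until review); the point is that the gate runs on the first token rather than waiting for a sign-in that a fraudulent account may never perform.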