I'm using Azure AD B2C and we've been presented with a preference/requirement from our product team to allow users to sign up/in using either an email address OR a mobile phone number as the user id.

Currently the built in flows only allow email or username as the user id. There's strong evidence to suggest that we could create a custom policy to allow for mobile phone number, but what I need is the ability to sign up/in using either email address OR mobile phone number.

It seems like I'm not the only one requesting this functionality. https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/15334314-phone-number-sign-up?page=2&per_page=20

Just wondering if there's a way to achieve this using custom policies, and if so, any demos/links that explain how to do this...

[Edit] User journeys

Web app sign-up:

  1. User enters email or mobile
  2. MFA to email or mobile (whichever was entered)
  3. Authenticate code sent to user
  4. Set password.
  5. IDP done
  6. Back in app, might capture email or mobile (whichever was not captured in IDP) and update B2C via MS Graph API.

Native mobile app sign-up:

  1. User enters mobile
  2. MFA to mobile
  3. Authenticate code
  4. Set password.
  5. IDP done
  6. Back in app, might capture email and update B2C via MS Graph API

Web app sign-in:

  • Sign in using either (mobile or email) and password.

Native mobile app sign-in:

  • Sign in using mobile and password.
  • Use refresh token most of the time instead of explicit sign-in.
Can you update the question to clarify the following: do you need phone no. with password (similar to email)? Is it OK to show email sign-in by default on the sign-up/sign-in page and have a button (similar to social IDPs) that says "sign in with phone", etc.? – Omer Iqbal

Thanks Omer. I've updated the initial question with the requested user journeys. – Ryan.Bartsch

Hi @Ryan.Bartsch, I might be able to help with a sample policy. But first: might you also consider an alternative flow that allows a new user to enter email and phone, but they only verify one on sign-up and then verify the other sign-in name if they use it later on sign-in? This simplifies things insofar as both sign-in names are captured on sign-up, but each one can be verified independently of the other. – Chris Padgett

@ChrisPadgett - thanks for the response. I've had a chat with the business/product and they've refined the user journeys as follows. Sign-up is mobile only (+2FA) and password for all channels. Email can be set later on via a back channel (e.g. MS Graph API) and verified independently. Sign-in is (mobile or email) and password. Obviously if there's no email assigned, the user would only be able to sign in using their mobile. If you've got some sample policies that are similar it would be greatly appreciated :) – Ryan.Bartsch

Hi @Ryan.Bartsch, I've added the below answer with links to custom policy samples. – Chris Padgett
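The back-channel route mentioned in the question and comments (setting the e-mail later through MS Graph) has one trap worth showing: PATCH /users/{id} replaces the whole `identities` collection, so the existing sign-in names must be sent back with the new one, and an unverified e-mail must never become a sign-in name. This is an added example, not code from the question or the linked policy samples; the tenant name, the user's existing identities and the `email_verified` flag (the result of whatever out-of-band code check you run) are constructed assumptions.

```python
"""Build the Graph PATCH body that links an e-mail sign-in name to a B2C local account."""
import json
import re
from typing import Dict, List

# Assumption: the B2C tenant domain is the issuer for local-account identities.
TENANT_ISSUER = "contoso.onmicrosoft.com"  # placeholder tenant, not a real one

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def link_email_identity(existing: List[Dict[str, str]], email: str,
                        email_verified: bool) -> List[Dict[str, str]]:
    """Return the full identities collection with the e-mail sign-in name appended.

    - Refuses unless the e-mail has been verified out of band: linking an
      unverified address would let anyone claim a sign-in name they don't own.
    - Refuses if an emailAddress identity already exists, so a second call
      cannot silently swap the account's e-mail.
    - Copies every existing identity, because Graph replaces the collection.
    """
    if not email_verified:
        raise PermissionError("e-mail must be verified before it becomes a sign-in name")
    email = email.strip().lower()
    if not EMAIL_RE.match(email):
        raise ValueError(f"not a valid e-mail address: {email!r}")
    for ident in existing:
        if ident.get("signInType") == "emailAddress":
            raise ValueError("account already has an e-mail sign-in name: "
                             + ident.get("issuerAssignedId", "?"))
    new_identity = {"signInType": "emailAddress", "issuer": TENANT_ISSUER,
                    "issuerAssignedId": email}
    return [dict(i) for i in existing] + [new_identity]


def patch_body(existing: List[Dict[str, str]], email: str, email_verified: bool) -> str:
    """JSON body for PATCH https://graph.microsoft.com/v1.0/users/{id}."""
    return json.dumps({"identities": link_email_identity(existing, email, email_verified)})


# Constructed sample: what GET /users/{id}?$select=identities might return for a
# phone-registered local account (plus whatever other sign-in names it carries).
SAMPLE_IDENTITIES = [
    {"signInType": "userPrincipalName", "issuer": TENANT_ISSUER,
     "issuerAssignedId": "cid-0000@contoso.onmicrosoft.com"},
]

if __name__ == "__main__":
    print(patch_body(SAMPLE_IDENTITIES, "Ryan@Example.com", email_verified=True))
```

The request itself needs an app token with User.ReadWrite.All; send the returned body with Content-Type application/json and re-read the identities afterwards to confirm nothing was dropped.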

1 Answer

You are able to implement this with two custom policies:

  1. A sign-up or sign-in policy that allows sign-up for a local account using a phone number and sign-in for a local account using an e-mail address or a phone number.
  2. A linking policy that allows linking of an e-mail address to a local account that has been registered using a phone number.

I've published the following custom policy samples to this GitHub repository:

  • phone_sign_up_any_sign_in: Sign-up for a local account using a phone number. The end user is prompted for verification of the phone number. An e-mail address can be linked to the local account using the email_linking policy. Sign-in for a local account using an e-mail address or a phone number. If the e-mail address hasn't been verified, then the end user is prompted for verification of the e-mail address. If the phone number hasn't been verified, then the end user is prompted for verification of the phone number.
  • email_linking: Linking of an e-mail address to a local account that has been registered using a phone number. The end user is prompted for verification of the e-mail address.