Praful Mattoo

Reputation: 95

Only allow certain users to sign up using app which has Azure AD B2C for authorization

We are launching an app but only people we want should be allowed to sign up. Is there a way to control who can sign up and if yes how? We are using Azure AD B2C for sign up and sign in. Please let me know if you need more information.

Upvotes: 3

Views: 1763

Answers (1)

Saca

Reputation: 10672

Azure AD B2C does not have out-of-the-box support for restricting sign-up via built-in policies, so you'll have to use either of these two options:

  1. Use Custom Policies to inject an extra step in the authentication flow. You would use the approach outlined in the "Integrate REST API claims exchanges in your Azure AD B2C user journeys as validation on user input" documentation to call out a REST API you created where you return true/false indicating whether the user should be allowed to sign up or not. This API would need to be something you implement yourself.

  2. Do this entirely from your application. Azure AD B2C would allow all users to sign up. You would create a custom user attribute with a flag isAllowed or something like that. Lastly, you'd configure your sign up or unified sign in / sign up policy's application claims to send the 'User is new' claim. With this configuration in place, your application would check for the newUser claim and if that's true, perform the extra check to make sure the user is allowed in. If so, let them through and update isAllowed to true, otherwise set isAllowed to false and prevent them from using the application. Alternatively, you can not use isAllowed and simply delete users after the newUser check if they are not allowed in the application. Either approach, updating isAllowed or deleting the user, would require you to have your backend use the Azure AD Graph API.

You should also request first-class support for this feature in the Azure AD B2C feedback forum.

Upvotes: 4
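Both options from the answer above, as an added example that is not part of the answer: the allowlist and token claims are constructed, the 200/409 response contract for the validation REST API and the `extension_<app-id>_isAllowed` attribute name are assumptions based on the B2C documentation, and the Graph calls are returned as request descriptions rather than sent so it runs offline.

```python
from typing import Optional, Tuple

# Constructed allowlist; in practice this would be an invitation table, not a literal.
ALLOWED_EMAILS = {"alice@example.com", "bob@example.com"}

def validation_api_response(body: dict) -> Tuple[int, dict]:
    """Option 1: the REST API a custom-policy validation technical profile calls.
    B2C posts the user's input claims as JSON. Returning 200 lets the journey
    continue; returning 409 with this error body (assumed contract from the
    B2C docs) makes B2C show userMessage and block the sign-up step."""
    email = (body.get("email") or "").lower()
    if email in ALLOWED_EMAILS:
        return 200, {}
    return 409, {"version": "1.0.0", "status": 409,
                 "userMessage": "Sign-up is by invitation only."}

def decide_new_user(claims: dict) -> Optional[str]:
    """Option 2: run in the app after it receives the token.
    Returns None for an existing user, 'allow' or 'deny' for a new one.
    Assumes the 'User is new' claim arrives as newUser and the e-mail
    addresses as the emails list."""
    if not claims.get("newUser"):
        return None
    emails = claims.get("emails") or []
    ok = any(e.lower() in ALLOWED_EMAILS for e in emails)
    return "allow" if ok else "deny"

def graph_request(tenant: str, object_id: str, ext_app_id: str,
                  action: str, delete_denied: bool = True) -> tuple:
    """Describe the Azure AD Graph API call the backend makes for a new user.
    Custom attributes are stored as extension_<extensions app id without
    dashes>_<name> (assumed naming). Denied users are either flagged or deleted,
    the two alternatives the answer gives."""
    url = f"https://graph.windows.net/{tenant}/users/{object_id}?api-version=1.6"
    attr = f"extension_{ext_app_id.replace('-', '')}_isAllowed"
    if action == "allow":
        return ("PATCH", url, {attr: True})
    if delete_denied:
        return ("DELETE", url, None)
    return ("PATCH", url, {attr: False})
```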
