Reputation: 55
I have managed to get the modern Home Realm Discovery (HRD) policy working with our directory and several federated IdPs. However, there is a loophole that I would like to be able to close. If a non-federated domain email is used, the user is then forwarded on to Local Account login with username (i.e., email) and password, but the email value can still be changed, including to one using a federated domain. Also, the Forgot Password dialog does not seem to pre-populate the email address so it can, again, be changed to any email address. Finally, even after verifying the email, there is the "Change Email" option.
I would like to be able to either
Any ideas how to make this work? I did a little experimenting with the readOnlyEmail examples I saw but either something complained that it did not exist (like ParseDomain) or it was still rendered as a mutable field rather than read-only.
-GBS
Upvotes: 0
Views: 487
Reputation: 5165
• Yes, you can prevent the email ID from being changed even after verification of the email in the ‘home realm discovery’ step by hiding the email from change or making it grey after entering it for the email verification step. You can do this by adding the CSS entry below to your HRD enabled HTML page by customizing your HTML page template.
```html
<style type="text/css">
.changeClaims
{
    visibility: hidden;
}
</style>
```
To customize your HRD enabled sign in and sign-up HTML page with the above entry, please refer to the documentation link below for detailed information. From the below link, download the default HTML page and modify it with the above entry in the appropriate location, then save it in your repository from where you access the HTML files and modify the custom policy accordingly, i.e., with the ‘api.signin or signup’ content definition building blocks, and save it.
By following the steps in the above link, you will be able to customize your HRD enabled sign in and sign-up page while also greying out the change email option. Also, to complete the prerequisites for it and for the options regarding changing the email, please refer to the link below:
Upvotes: 1
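A CSS rule only changes what the browser renders, so the posted email value still has to be checked where the request is processed. The following is an added example, not part of the original thread or of any product's code: a sketch of that server-side check for the loophole described in the question. The function names, the domain table and the idea of holding the HRD email server-side are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: domains that the HRD step routes to a federated IdP.
FEDERATED_DOMAINS = {
    "contoso-fed.example": "ContosoIdP",
    "fabrikam-fed.example": "FabrikamIdP",
}


def parse_domain(email: str) -> str:
    """Return the lower-cased domain of an email address, or raise ValueError."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an email address")
    return domain.lower().rstrip(".")


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def check_local_login(hrd_email: str, submitted_email: str) -> Decision:
    """Decide whether a local-account request (sign-in, password reset,
    change email) may proceed.

    hrd_email is the address captured at the HRD step and kept server-side
    (assumption); submitted_email is what the browser posted and is untrusted.
    """
    try:
        domain = parse_domain(submitted_email)
    except ValueError:
        return Decision(False, "malformed email")
    # Domain check first: a federated address is never handled as a local account.
    if domain in FEDERATED_DOMAINS:
        return Decision(False, f"domain is federated to {FEDERATED_DOMAINS[domain]}")
    # Simplification: the whole address is compared case-insensitively.
    if submitted_email.strip().lower() != hrd_email.strip().lower():
        return Decision(False, "email differs from the one entered at HRD")
    return Decision(True, "ok")
```

The same check applies to every page that accepts an email after HRD, including the password reset and change email steps named in the question.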