Forum Discussion
AD B2C - Custom Policies - Evaluate custom extension
Hi!
I am using Custom Policies for our AD B2C Application.
I want to use this custom extension on my users:
AlwaysMFA: boolean
The extension is set on some users, but not all. I have a trouble of writing the logic since the profile keeps executing even for users what does not have the attribute at all.
This is the logic:
<OrchestrationStep Order="10" Type="ClaimsExchange">
<Preconditions>
<Precondition Type="ClaimEquals" ExecuteActionsIf="false">
<Value>extension_AlwaysMFA</Value>
<Value>True</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
</Preconditions>
<ClaimsExchanges>
<ClaimsExchange Id="PhoneFactor-Verify-Blacklisted" TechnicalProfileReferenceId="PhoneFactor-InputOrVerify" />
</ClaimsExchanges>
</OrchestrationStep>
How should I write it to handle both the true, false and "notset"? The documentation does not say anything about this.
4 Replies
Hi,
Thanks for your clarification.
Remember:
- AD B2C Custom Policy works as a declarative language, so you cannot think of it as imperative language. For example, it works like SQL instruction, you cannot "explain" how to execute a SELECT. Helps a lot consider it as a DFA that reads a string.
- All the boolean custom claims have 3 values: not set (as NULL), true, or false. Why? Those are custom and the missing value in the existing records cannot compromise the working functionality. This rule is applied to the other types.
- More than a "ClaimEquals" you should use the condition "ClaimExists" but you need to modify your TechnicalProfile to return it, and in the output claim it should be marked as optional (not specifying required="true").
- Coming to your case you need to concatenate 2 preconditions, once for the existence and one for the value checks ( https://learn.microsoft.com/en-us/azure/active-directory-b2c/userjourneys#precondition ).
In case you need to force the setting of the MFA at the first or next login, I suggest you force the flow inside another SubJourney to edit the user profile and set it.
Thank you for the responses, but general links to documentation is not what I needed, and the solution seems not to be included there.
I need to understand (in detail because the documentation only get halfway) on how to evauate boolean values.
The issue is that the snippet below are execuyting even for users that do NOT have the attribute at all. The boolean can be either not set, false or true. I only want to run my techincal profile when the atttribute exists and is set to true.<Precondition Type="ClaimEquals" ExecuteActionsIf="false">
<Value>extension_AlwaysMFA</Value>
<Value>True</Value>
<Action>SkipThisOrchestrationStep</Action>
</Precondition>
In languages like Typescript for example i would simply type:
if (extension_AlwaysMFA) triggerMfa();
But how do I evaluate the boolean using custom policies if it can be unset as well?Probably this link can clarify your context and answer your question: https://learn.microsoft.com/en-us/answers/questions/2017886/mfa-enforcement-oct-15-2024-azure-b2c
I cannot see the rest of the user journey from your snippet. So, assuming that the Social Account is enabled, the MFA can be hosted by the Social Identity Provider (or other OIDC party), then can be logically desume that the handling of the value for the custom claim "AlwaysMFA" is strictly related to your user flows (in the meaning of consideration of all the flows that a user can perform in your Sign-Up/In).
Example: if you have the Google sign-in enabled, then if the user has the MFA set over there your enforcement can cause a bad UX experience, otherwise not.
As suggestion of mine, keep the management of this value in the "Edit Profile" because only the user knows how many MFA is enabled over his/her/its accounts.
