The goal of this tutorial is to show how to simply achieve unique emails across multiple identity providers when using Azure Active Directory B2C behind your application. And yes, I'm still struggling to understand why I need to write code to do that, instead of simply going to the Azure portal and clicking a checkbox somewhere under the settings page.
Anyway, every developer loves writing code, so let's move on :)
To achieve our goal, we will write some .NET code that uses the Microsoft Graph API to access the list of users present in our AD B2C. The API endpoint of interest for this tutorial is documented here.
Note: This tutorial doesn't cover in detail how to configure the Active Directory and how to create a Service Principal, because this is widely described in many articles on the web.
- Basic knowledge of the Microsoft Azure portal.
- An Active Directory B2C resource created, with at least two identity providers configured (in our example Google and the standard "Local account").
- A Service Principal created under the App registrations menu in the AD B2C resource, as well as a client secret generated for the app.
- A user flow of type Sign up configured in the AD B2C.
- VS Code with the Azure Functions and C# extensions installed.
- An Azure Subscription where you can deploy an Azure Function.
- Azure Functions Core Tools 3.x installed, if you want to run the function locally.
Clone the GitHub repository which contains the code that will run in the Azure Function:
git clone https://github.com/Luperi/azure-active-directory-b2c-unique-email-check.git
Open the cloned folder with VS Code.
Copy and paste the content of the file local.settings.json.template into a new file called local.settings.json.
Fill in the settings ApplicationId, ClientSecret and TenantId according to the App registration created on your AD B2C resource.
Now in VS Code click Run -> Start Debugging: after a moment you should see a line like the following in the output console, which means the function is running locally:
CheckUserExistence: [POST] http://localhost:7071/api/CheckUserExistence
Now you are ready for the deployment: in VS Code, under the Azure Functions extension, select the "CheckUserExistence" function under Local Project and then click the "Deploy to Function app" button. Now you can follow the steps shown by VS Code and complete the deployment.
Once you are done, you should see the remote Azure Function link in the output console.
Now navigate to the AD B2C resource on the Azure portal, go to the "API connectors" under the "Manage" settings and create a new API connector. Copy and paste the link from the VS Code output console into the "Endpoint URL" field.
Note: for now you can put a dummy username and password combination, because the function code ignores the basic-auth credentials that B2C sends; until the code validates them, the endpoint does not authenticate its caller.
To conclude, go to the settings page of your sign up user flow: in the "API connectors" configuration, bind the API connector you just created to the "Before creating the user" step.
The configuration is complete. Now you need to test the end-to-end flow: assuming you have an account registered with Google, first try registering with the same email through the standard (local account) flow. After that, if you try to register with Google, you will not be able to proceed.
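As an added illustration, not the repository's own C# code, here is the logic such a CheckUserExistence function needs, written in Python: it looks for the email of a Google-federated account in otherMails (B2C stores a social account's email there, while the identity's issuerAssignedId holds the provider's subject id), it validates the API connector's basic-auth credentials instead of ignoring them, and it returns the response shape B2C expects for the "Before creating the user" step. The sample users, tenant name and credentials are constructed for the example.

```python
import base64
import hmac

# Constructed sample of what Graph "GET /users?$select=id,identities,otherMails"
# returns for a B2C tenant: one local account and one Google-federated account.
# A federated identity's issuerAssignedId is the provider's subject id, not the
# e-mail address, so a federated user's e-mail is only visible in otherMails.
SAMPLE_USERS = [
    {"id": "user-1", "otherMails": [],
     "identities": [{"signInType": "emailAddress",
                     "issuer": "contoso.onmicrosoft.com",
                     "issuerAssignedId": "alice@example.com"}]},
    {"id": "user-2", "otherMails": ["bob@example.com"],
     "identities": [{"signInType": "federated", "issuer": "google.com",
                     "issuerAssignedId": "109876543210"}]},
]

B2C_VERSION = "1.0.0"

def email_in_use(email, users):
    """True if an existing user owns `email`, either as a local-account
    sign-in name or as the e-mail recorded for a federated identity."""
    wanted = email.strip().lower()
    for user in users:
        for ident in user.get("identities", []):
            if (ident.get("signInType") == "emailAddress"
                    and ident.get("issuerAssignedId", "").lower() == wanted):
                return True
        if any(m.lower() == wanted for m in user.get("otherMails", [])):
            return True
    return False

def basic_auth_header(username, password):
    """Authorization header value B2C sends for the connector's credentials."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return "Basic " + token

def check_user_existence(headers, body, users, username, password):
    """Handle the 'Before creating the user' call. Returns (http_status, json)."""
    # Reject callers that do not present the connector's configured credentials;
    # otherwise anyone reaching the endpoint could probe which e-mails exist.
    expected = basic_auth_header(username, password).encode()
    if not hmac.compare_digest(headers.get("Authorization", "").encode(), expected):
        return 401, {"error": "unauthorized"}
    email = body.get("email", "")
    if email and email_in_use(email, users):
        # HTTP 400 + ValidationError makes B2C show userMessage and stop sign-up.
        return 400, {"version": B2C_VERSION, "action": "ValidationError",
                     "status": 400, "userMessage": "This e-mail is already in use."}
    return 200, {"version": B2C_VERSION, "action": "Continue"}
```

In the deployed function the `users` argument would be the result of the Graph query rather than the constructed list, and `username`/`password` would come from the function's application settings.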
Let me know in the comments if you found a better approach to achieve the same goal, otherwise I hope you found this tutorial helpful.
Thanks for reading :)