Authenticating with username and PIN in Azure AD B2C

Normally you sign in with an email address, but you can also sign in with a username, which is essentially any string of characters, e.g. “123456”.

In the built-in user flows you configure this on the local account identity provider, but note that the setting is tenant-wide.

With custom policies you can do it per application, because each application can use its own policy.

Changing to username is defined by metadata items in the sign-up and sign-in technical profiles:

<Item Key="LocalAccountType">Username</Item>
<Item Key="LocalAccountProfile">true</Item>

<Item Key="setting.operatingMode">Username</Item>

The next part of the requirement was to sign in with a numeric PIN rather than a password: any group of digits, minimum 4 and maximum 6. Bear in mind that a 4-digit PIN has only 10,000 possible values, so you are relying on Azure AD B2C's smart lockout to make online guessing impractical.

Configuring complexity requirements for passwords using custom policies is described in the Microsoft documentation on password complexity in custom policies.

The changes to that policy are described below.

The predicates are wired in as follows. The two password claim types only need the validation reference added (the rest of each claim type definition is unchanged):

<ClaimType Id="newPassword">
  <PredicateValidationReference Id="CustomPassword"/>
</ClaimType>
<ClaimType Id="reenterPassword">
  <PredicateValidationReference Id="CustomPassword"/>
</ClaimType>

The predicates themselves, with the length limits changed to 4 and 6:

<Predicates>
  <Predicate Id="LengthRange" Method="IsLengthRange">
    <UserHelpText>The PIN must be between 4 and 6 numeric characters.</UserHelpText>
    <Parameters>
      <Parameter Id="Minimum">4</Parameter>
      <Parameter Id="Maximum">6</Parameter>
    </Parameters>
  </Predicate>
  <Predicate Id="Number" Method="IncludesCharacters">
    <Parameters>
      <Parameter Id="CharacterSet">0-9</Parameter>
    </Parameters>
  </Predicate>
</Predicates>

And the validation that groups them (both groups must be satisfied):

<PredicateValidations>
  <PredicateValidation Id="CustomPassword">
    <PredicateGroups>
      <PredicateGroup Id="LengthGroup">
        <PredicateReferences MatchAtLeast="1">
          <PredicateReference Id="LengthRange"/>
        </PredicateReferences>
      </PredicateGroup>
      <PredicateGroup Id="CharacterClasses">
        <UserHelpText>The PIN must contain numeric characters:</UserHelpText>
        <PredicateReferences MatchAtLeast="1">
          <PredicateReference Id="Number"/>
        </PredicateReferences>
      </PredicateGroup>
    </PredicateGroups>
  </PredicateValidation>
</PredicateValidations>

Note that IncludesCharacters only checks that at least one character from the set is present, so this validation also accepts a value such as “abc1”. If the PIN must be digits only, use a predicate with Method="MatchesRegex" and a Regex parameter of ^[0-9]{4,6}$ instead of the IncludesCharacters predicate.
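To see what the rules above actually accept before uploading a policy, here is an added example (not from the original post and not Microsoft's code): a small Python evaluator that re-implements the predicate methods IsLengthRange, IncludesCharacters and MatchesRegex and the MatchAtLeast grouping, then runs the post's CustomPassword validation and a hypothetical digits-only NumericPin validation (the DigitsOnly predicate and the NumericPin Id are assumed names) over constructed sample inputs. The embedded XML is a constructed sample with the policy namespace omitted; the evaluator approximates the B2C engine's documented semantics and is for offline reasoning, not a substitute for testing in the tenant.

```python
"""Offline evaluator for Azure AD B2C PredicateValidation rules (added example,
not the B2C engine). Re-implements IsLengthRange, IncludesCharacters and
MatchesRegex plus MatchAtLeast grouping. NumericPin/DigitsOnly are hypothetical."""
import re
import xml.etree.ElementTree as ET

# Constructed sample policy fragment (B2C policy namespace omitted for brevity).
POLICY_XML = """
<BuildingBlocks>
  <Predicates>
    <Predicate Id="LengthRange" Method="IsLengthRange">
      <Parameters><Parameter Id="Minimum">4</Parameter><Parameter Id="Maximum">6</Parameter></Parameters>
    </Predicate>
    <Predicate Id="Number" Method="IncludesCharacters">
      <Parameters><Parameter Id="CharacterSet">0-9</Parameter></Parameters>
    </Predicate>
    <Predicate Id="DigitsOnly" Method="MatchesRegex">
      <Parameters><Parameter Id="Regex">^[0-9]{4,6}$</Parameter></Parameters>
    </Predicate>
  </Predicates>
  <PredicateValidations>
    <!-- The post's validation: length 4-6 AND at least one digit. -->
    <PredicateValidation Id="CustomPassword">
      <PredicateGroups>
        <PredicateGroup Id="LengthGroup">
          <PredicateReferences MatchAtLeast="1"><PredicateReference Id="LengthRange"/></PredicateReferences>
        </PredicateGroup>
        <PredicateGroup Id="CharacterClasses">
          <PredicateReferences MatchAtLeast="1"><PredicateReference Id="Number"/></PredicateReferences>
        </PredicateGroup>
      </PredicateGroups>
    </PredicateValidation>
    <!-- Hardened alternative (hypothetical): digits only, via an anchored regex. -->
    <PredicateValidation Id="NumericPin">
      <PredicateGroups>
        <PredicateGroup Id="DigitsOnlyGroup">
          <PredicateReferences MatchAtLeast="1"><PredicateReference Id="DigitsOnly"/></PredicateReferences>
        </PredicateGroup>
      </PredicateGroups>
    </PredicateValidation>
  </PredicateValidations>
</BuildingBlocks>
"""


def _predicates(root):
    """Map predicate Id -> (Method, {ParameterId: value})."""
    return {
        p.get("Id"): (p.get("Method"), {x.get("Id"): x.text for x in p.iter("Parameter")})
        for p in root.iter("Predicate")
    }


def _holds(method, params, value):
    """Evaluate one predicate method against a candidate string."""
    if method == "IsLengthRange":
        return int(params["Minimum"]) <= len(value) <= int(params["Maximum"])
    if method == "IncludesCharacters":
        # CharacterSet is a character-class body such as "0-9": this checks
        # inclusion of at least one such character, not that all characters match.
        return re.search(f"[{params['CharacterSet']}]", value) is not None
    if method == "MatchesRegex":
        # The sample regex is anchored, so search vs. fullmatch makes no difference here.
        return re.search(params["Regex"], value) is not None
    raise ValueError(f"unsupported predicate method: {method}")


def validate(policy_xml, validation_id, value):
    """True when every PredicateGroup of the validation meets its MatchAtLeast count."""
    root = ET.fromstring(policy_xml.strip())
    preds = _predicates(root)
    for pv in root.iter("PredicateValidation"):
        if pv.get("Id") != validation_id:
            continue
        for group in pv.iter("PredicateGroup"):
            refs = group.find("PredicateReferences")
            ids = [r.get("Id") for r in refs.findall("PredicateReference")]
            # Assumption: a missing MatchAtLeast means every reference must hold.
            need = int(refs.get("MatchAtLeast", str(len(ids))))
            if sum(_holds(*preds[i], value) for i in ids) < need:
                return False
        return True
    raise KeyError(f"no PredicateValidation with Id {validation_id}")


if __name__ == "__main__":
    for pin in ("1234", "123456", "abc1", "abcd", "123", "1234567"):
        print(f"{pin!r:10} CustomPassword={validate(POLICY_XML, 'CustomPassword', pin)!s:5} "
              f"NumericPin={validate(POLICY_XML, 'NumericPin', pin)}")
```

Running it shows the gap in the post's rules: “abc1” passes CustomPassword (length 4, contains a digit) but fails NumericPin, while “1234” and “123456” pass both and “123” and “1234567” fail both.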

We also need to remove Azure AD's strong password requirement, otherwise the directory will reject a 4-digit PIN when the user is created.

The “SignUpOrSignInWithUsername” user journey calls “LocalAccountSignUpWithLogonName”. That profile uses “AAD-UserWriteUsingLogonName” as its validation technical profile, which requires the following change to the persisted passwordPolicies claim:

<PersistedClaim ClaimTypeReferenceId="passwordPolicies" DefaultValue="DisablePasswordExpiration, DisableStrongPassword"/>

The sample does not ask for a display name when you sign up.

This results in an error at sign-up, because Azure AD requires a displayName when it creates a user.

To get around this, add “displayName” (givenName and surname are optional but are added here as well).

In “AAD-UserWriteUsingLogonName”:

<!-- Optional claims. -->
<PersistedClaim ClaimTypeReferenceId="displayName"/>
<PersistedClaim ClaimTypeReferenceId="givenName"/>
<PersistedClaim ClaimTypeReferenceId="surname"/>

In “LocalAccountSignUpWithLogonName”:

<OutputClaim ClaimTypeReferenceId="displayName" Required="true"/>
<OutputClaim ClaimTypeReferenceId="givenName" Required="true"/>
<OutputClaim ClaimTypeReferenceId="surname" Required="true"/>

All good!




“Identity is the new control plane”. Articles around Microsoft Identity, Auth0 and identityserver.

Rory Braybrook

NZ Microsoft Identity dude and MVP. Azure AD/B2C/ADFS/Auth0/identityserver.
