Fixing one of the Azure AD B2C samples that blocks a disabled federated user.

Image showing “No entry”.

This was inspired by a stackoverflow question.

It refers to a B2C sample custom policy.

Looking at it, I felt like Alice in Wonderland: “Curiouser and curiouser!’ cried Alice”.

This is an old sample. It still uses “socialIdpUserId”.

<! — The claim socialIdpUserId has been renamed to issuerUserId →

I renamed this in the base file to “issuerUserId”.

Basically, the sample allows you to stop disabled federated users from logging in. Users are disabled if the attribute “extension_accountEnabled” is set to “false”.

So when you run the sample on a disabled federated / social user, you see:

Image showing textbox marked “hide me”.

I wondered why you would present a screen that asked you to hide it with a “hide me” hint? This is essentially a “dead-end” screen. In that case, you wouldn’t display the “Continue” or “Cancel” buttons?

I would have used the “paragraph” element to achieve this. Maybe it wasn’t available when the sample was created?

I wrote that up a while back.

My version is in this gist.

If disabled, the user sees:

Image showing “This account is locked”.

Note that you cannot proceed beyond this screen.

For testing, I used this sample to update the user.

The json file looks like:

"extension_51fc...e4e_accountEnabled": "false"

and the command is:

b2c update-user 38e...c06 update-user.json

All good!



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Rory Braybrook

Rory Braybrook


NZ Microsoft Identity dude and MVP. Azure AD/B2C/ADFS/Auth0/identityserver. StackOverflow: Presentations: