How to disable storing of claims principal records in Azure B2C?











Azure B2C stores information about every claims principal logged in.
We do not need this information.
Users should just be passed through B2C from the IdPs to the service provider.
How to disable storing user information in B2C?










  • It's not possible. You need at least the Username/email, phone (for MFA) and password.
    – Marcelo P. Di Iorio - MSFT
    yesterday










  • Why is it not possible? Users are authenticated outside. Why does B2C need to store anything about users?
    – Mikael Chudinov
    yesterday















azure-ad-b2c






asked yesterday by Mikael Chudinov












2 Answers






Azure AD B2C does not store anything if you are using an external identity provider. But if you are using Azure AD B2C's own identity provider, it will store the claims within it.



Hope the information helps.






answered yesterday by Jim
  • Yes it stores by default. B2C generates users like cpim_{guid}@{idp_domain}
    – Mikael Chudinov
    yesterday










  • Sorry for the last misinformed comment. Just read that it stores the following info: the default scopes used for our supported set of social identity providers are: Facebook: email; Google+: email; Microsoft account: openid email profile; Amazon: profile; LinkedIn: r_emailaddress, r_basicprofile. You can take it as: Azure AD B2C keeps it as a primary key in any DB and uses it while calling its Graph API for that primary key. docs.microsoft.com/en-us/azure/active-directory-b2c/… You can refer to the info here as well.
    – Jim
    yesterday




















Here is the solution I found.
The SignIn user journey in the base policy

<UserJourney Id="SignIn">

contains an orchestration step that calls the technical profile AAD-UserWriteUsingAlternativeSecurityId:

    <OrchestrationStep Order="4" Type="ClaimsExchange">
      <Preconditions>
        <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
          <Value>objectId</Value>
          <Action>SkipThisOrchestrationStep</Action>
        </Precondition>
      </Preconditions>
      <ClaimsExchanges>
        <ClaimsExchange Id="AAD-UserWriteUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />
      </ClaimsExchanges>
    </OrchestrationStep>

This step creates user registrations in Azure B2C.

If this user journey is overloaded in an extension policy and this step is skipped there, then users will not be created.

Another step, which checks the user's registration with the technical profile AAD-UserReadUsingAlternativeSecurityId-NoError

    TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError"

can also be skipped.

The authentication process with external identity providers goes on flawlessly without these steps.






answered yesterday by Mikael Chudinov
  • If you don't create the user object and you are using refresh tokens, can you exchange it for another ID or access token?
    – Chris Padgett
    yesterday










  • I don't know. This question should be answered by Azure B2C team.
    – Mikael Chudinov
    19 hours ago
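As an added example (not code from the answer above, the question, or Microsoft's starter pack), the following Python script models what the answer describes: it resolves which SignIn journey is in effect when an extension policy redeclares the journey, then audits the effective journey for orchestration steps that read or write the directory. The policy XML inside it is constructed to imitate the fragment quoted in the answer; the ExternalIdp-* names, the api.idpselections content definition and the JwtIssuer id are assumptions, as is classifying technical profiles by the AAD-UserRead*/AAD-UserWrite* name prefix.

```python
"""Audit an Azure AD B2C user journey for orchestration steps that read or
write the directory, and show what an extension-policy override changes.
Added example, not code from the question, the answers or the starter pack.
The policy XML is constructed; ExternalIdp-*, api.idpselections and
JwtIssuer are assumed names."""
import xml.etree.ElementTree as ET

NS = "http://schemas.microsoft.com/online/cpim/schemas/2013/06"

# Constructed step templates.  STEP_WRITE is the directory write from the
# answer, guarded so it only runs when the read step returned no objectId.
STEP_IDP = """<OrchestrationStep Order="{o}" Type="ClaimsProviderSelection"
    ContentDefinitionReferenceId="api.idpselections"><ClaimsProviderSelections>
    <ClaimsProviderSelection TargetClaimsExchangeId="ExternalIdpExchange" />
    </ClaimsProviderSelections></OrchestrationStep>"""
STEP_EXCHANGE = """<OrchestrationStep Order="{o}" Type="ClaimsExchange"><ClaimsExchanges>
    <ClaimsExchange Id="{id}" TechnicalProfileReferenceId="{tp}" />
    </ClaimsExchanges></OrchestrationStep>"""
STEP_WRITE = """<OrchestrationStep Order="{o}" Type="ClaimsExchange"><Preconditions>
    <Precondition Type="ClaimsExist" ExecuteActionsIf="true"><Value>objectId</Value>
    <Action>SkipThisOrchestrationStep</Action></Precondition></Preconditions>
    <ClaimsExchanges><ClaimsExchange Id="AAD-UserWriteUsingAlternativeSecurityId"
    TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />
    </ClaimsExchanges></OrchestrationStep>"""
STEP_ISSUE = """<OrchestrationStep Order="{o}" Type="SendClaims"
    CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />"""
AAD_READ = "AAD-UserReadUsingAlternativeSecurityId-NoError"


def policy(policy_id, steps):
    """Wrap orchestration steps in a minimal policy with one SignIn journey."""
    return (f'<TrustFrameworkPolicy xmlns="{NS}" PolicyId="{policy_id}">'
            '<UserJourneys><UserJourney Id="SignIn"><OrchestrationSteps>'
            + "".join(steps) +
            "</OrchestrationSteps></UserJourney></UserJourneys></TrustFrameworkPolicy>")


BASE_POLICY = policy("B2C_1A_TrustFrameworkBase", [
    STEP_IDP.format(o=1),
    STEP_EXCHANGE.format(o=2, id="ExternalIdpExchange", tp="ExternalIdp-OpenIdConnect"),
    STEP_EXCHANGE.format(o=3, id=AAD_READ, tp=AAD_READ),
    STEP_WRITE.format(o=4),
    STEP_ISSUE.format(o=5),
])

# The answer's approach: redeclare SignIn in the extension policy without the
# read and write steps, renumbered so the Order values stay consecutive.
EXTENSION_POLICY = policy("B2C_1A_TrustFrameworkExtensions", [
    STEP_IDP.format(o=1),
    STEP_EXCHANGE.format(o=2, id="ExternalIdpExchange", tp="ExternalIdp-OpenIdConnect"),
    STEP_ISSUE.format(o=3),
])


def _local(tag):
    """Element name without its namespace prefix."""
    return tag.rsplit("}", 1)[-1]


def effective_journey(journey_id, *policies):
    """A UserJourney with the same Id in a later (extension) policy replaces
    the base journey wholesale, so the last definition in the chain wins."""
    found = None
    for xml in policies:
        for el in ET.fromstring(xml).iter():
            if _local(el.tag) == "UserJourney" and el.get("Id") == journey_id:
                found = el
    return found


def audit(journey):
    """Report directory reads/writes and whether Order values run 1..n.
    The AAD-UserRead*/AAD-UserWrite* prefix test is an assumption."""
    steps = [s for s in journey.iter() if _local(s.tag) == "OrchestrationStep"]
    orders = [int(s.get("Order")) for s in steps]
    report = {"steps": len(steps), "reads": [], "writes": [],
              "orders_consecutive": orders == list(range(1, len(steps) + 1))}
    for step, order in zip(steps, orders):
        # Is the step skipped once an objectId claim is already present?
        skip_if_known = any(
            _local(p.tag) == "Precondition" and p.get("Type") == "ClaimsExist"
            and p.get("ExecuteActionsIf") == "true"
            and any(_local(c.tag) == "Value" and c.text == "objectId" for c in p)
            and any(_local(c.tag) == "Action"
                    and c.text == "SkipThisOrchestrationStep" for c in p)
            for p in step.iter())
        for ce in step.iter():
            if _local(ce.tag) != "ClaimsExchange":
                continue
            tp = ce.get("TechnicalProfileReferenceId", "")
            if tp.startswith("AAD-UserWrite"):
                report["writes"].append((order, tp, skip_if_known))
            elif tp.startswith("AAD-UserRead"):
                report["reads"].append((order, tp))
    return report


if __name__ == "__main__":
    print("base only:", audit(effective_journey("SignIn", BASE_POLICY)))
    print("with extension:", audit(effective_journey("SignIn", BASE_POLICY, EXTENSION_POLICY)))
```

Run directly, the base-only audit reports the write at step 4 guarded by the objectId precondition and the read at step 3; with the extension applied the effective journey has neither. Two things worth checking before adopting the approach: an override that keeps the base policy's Order values (say 1, 2, 5 after dropping two steps) leaves a gap, and B2C requires orchestration steps to be numbered consecutively from 1, which the orders_consecutive flag catches; and without the read and write steps no objectId claim exists, so a relying-party policy that maps objectId to sub (as the starter pack's relying-party policies do) issues tokens without a subject, which is the concern behind the refresh-token comment above.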










