How to disable storing of claims principal records in Azure B2C?











up vote
0
down vote

favorite












Azure B2C stores information about every claims principal logged in.
We do not need this information.
Users should be just passed through B2C from IdPs to service provider.
How to disable storing users information in B2C?






azure-ad-b2c







share|improve this question






















  • It's not possible. You need at least the Username/email, phone (for MFA) and password.
    – Marcelo P. Di Iorio - MSFT
    yesterday










  • Why is it not possible? Users are authenticated outside. Why do B2C needs to store anything about users?
    – Mikael Chudinov
    yesterday















up vote
0
down vote

favorite












Azure B2C stores information about every claims principal logged in.
We do not need this information.
Users should be just passed through B2C from IdPs to service provider.
How to disable storing users information in B2C?






azure-ad-b2c







share|improve this question






















  • It's not possible. You need at least the Username/email, phone (for MFA) and password.
    – Marcelo P. Di Iorio - MSFT
    yesterday










  • Why is it not possible? Users are authenticated outside. Why do B2C needs to store anything about users?
    – Mikael Chudinov
    yesterday













up vote
0
down vote

favorite









up vote
0
down vote

favorite











Azure B2C stores information about every claims principal logged in.
We do not need this information.
Users should be just passed through B2C from IdPs to service provider.
How to disable storing users information in B2C?






azure-ad-b2c







share|improve this question













Azure B2C stores information about every claims principal logged in.
We do not need this information.
Users should be just passed through B2C from IdPs to service provider.
How to disable storing users information in B2C?






azure-ad-b2c




azure-ad-b2c






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked yesterday









Mikael Chudinov

518610




518610












  • It's not possible. You need at least the Username/email, phone (for MFA) and password.
    – Marcelo P. Di Iorio - MSFT
    yesterday










  • Why is it not possible? Users are authenticated outside. Why do B2C needs to store anything about users?
    – Mikael Chudinov
    yesterday


















  • It's not possible. You need at least the Username/email, phone (for MFA) and password.
    – Marcelo P. Di Iorio - MSFT
    yesterday










  • Why is it not possible? Users are authenticated outside. Why do B2C needs to store anything about users?
    – Mikael Chudinov
    yesterday
















It's not possible. You need at least the Username/email, phone (for MFA) and password.
– Marcelo P. Di Iorio - MSFT
yesterday




It's not possible. You need at least the Username/email, phone (for MFA) and password.
– Marcelo P. Di Iorio - MSFT
yesterday












Why is it not possible? Users are authenticated outside. Why do B2C needs to store anything about users?
– Mikael Chudinov
yesterday




Why is it not possible? Users are authenticated outside. Why do B2C needs to store anything about users?
– Mikael Chudinov
yesterday












2 Answers
2






active

oldest

votes

















up vote
0
down vote













Azure AD B2C does not store anything if you are using an external identity provider. But if you are using Azure AD B2C's idedntity provider, It will store the claims within it.



Hope the information helps.






share|improve this answer





















  • Yes it stores by default. B2C generates users like cpim_{guid}@{idp_domain}
    – Mikael Chudinov
    yesterday










  • Sorry for the last misinformed comment, Just read that it stores the following info: The default scopes used for our supported set of social identity providers are: Facebook: email Google+: email Microsoft account: openid email profile Amazon: profile LinkedIn: r_emailaddress, r_basicprofile You can take it as, Azure AD B2C keeps it as a primary key in any DB and uses it while calling its Graph API for that Primary key. docs.microsoft.com/en-us/azure/active-directory-b2c/… You can refer the info here as well
    – Jim
    yesterday




















up vote
0
down vote













Here is the solution I found.
The base policy in SignIn userjourney 



<UserJourney Id="SignIn">


contains an orchestration step that calls a technical profile AAD-UserWriteUsingAlternativeSecurityId



    <OrchestrationStep Order="4" Type="ClaimsExchange">

      <Preconditions>

        <Precondition Type="ClaimsExist" ExecuteActionsIf="true">

          <Value>objectId</Value>

          <Action>SkipThisOrchestrationStep</Action>

        </Precondition>

      </Preconditions>

      <ClaimsExchanges>

        <ClaimsExchange Id="AAD-UserWriteUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />

      </ClaimsExchanges>

    </OrchestrationStep>


This step creates user registrations in Azure B2C.



If this user journey is overloaded in an extension policy and this step skipped there then users will not be created.



Another step that checks users registration with id AAD-UserReadUsingAlternativeSecurityId-NoError



TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError"


can also be skipped.



The authentication process with an external identity providers goes on flawlessly without these steps.






share|improve this answer





















  • If you don't create the user object and you are using refresh tokens, can you exchange it for another ID or access token?
    – Chris Padgett
    yesterday










  • I don't know. This question should be answered by Azure B2C team.
    – Mikael Chudinov
    19 hours ago











Your Answer






StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














 

draft saved


draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53372582%2fhow-to-disable-storing-of-claims-principal-records-in-azure-b2c%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























2 Answers
2






active

oldest

votes








2 Answers
2






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
0
down vote













Azure AD B2C does not store anything if you are using an external identity provider. But if you are using Azure AD B2C's idedntity provider, It will store the claims within it.



Hope the information helps.






share|improve this answer





















  • Yes it stores by default. B2C generates users like cpim_{guid}@{idp_domain}
    – Mikael Chudinov
    yesterday










  • Sorry for the last misinformed comment, Just read that it stores the following info: The default scopes used for our supported set of social identity providers are: Facebook: email Google+: email Microsoft account: openid email profile Amazon: profile LinkedIn: r_emailaddress, r_basicprofile You can take it as, Azure AD B2C keeps it as a primary key in any DB and uses it while calling its Graph API for that Primary key. docs.microsoft.com/en-us/azure/active-directory-b2c/… You can refer the info here as well
    – Jim
    yesterday

















up vote
0
down vote













Azure AD B2C does not store anything if you are using an external identity provider. But if you are using Azure AD B2C's idedntity provider, It will store the claims within it.



Hope the information helps.






share|improve this answer





















  • Yes it stores by default. B2C generates users like cpim_{guid}@{idp_domain}
    – Mikael Chudinov
    yesterday










  • Sorry for the last misinformed comment, Just read that it stores the following info: The default scopes used for our supported set of social identity providers are: Facebook: email Google+: email Microsoft account: openid email profile Amazon: profile LinkedIn: r_emailaddress, r_basicprofile You can take it as, Azure AD B2C keeps it as a primary key in any DB and uses it while calling its Graph API for that Primary key. docs.microsoft.com/en-us/azure/active-directory-b2c/… You can refer the info here as well
    – Jim
    yesterday















up vote
0
down vote










up vote
0
down vote









Azure AD B2C does not store anything if you are using an external identity provider. But if you are using Azure AD B2C's idedntity provider, It will store the claims within it.



Hope the information helps.






share|improve this answer












Azure AD B2C does not store anything if you are using an external identity provider. But if you are using Azure AD B2C's idedntity provider, It will store the claims within it.



Hope the information helps.







share|improve this answer












share|improve this answer



share|improve this answer










answered yesterday









Jim

62




62












  • Yes it stores by default. B2C generates users like cpim_{guid}@{idp_domain}
    – Mikael Chudinov
    yesterday










  • Sorry for the last misinformed comment, Just read that it stores the following info: The default scopes used for our supported set of social identity providers are: Facebook: email Google+: email Microsoft account: openid email profile Amazon: profile LinkedIn: r_emailaddress, r_basicprofile You can take it as, Azure AD B2C keeps it as a primary key in any DB and uses it while calling its Graph API for that Primary key. docs.microsoft.com/en-us/azure/active-directory-b2c/… You can refer the info here as well
    – Jim
    yesterday




















  • Yes it stores by default. B2C generates users like cpim_{guid}@{idp_domain}
    – Mikael Chudinov
    yesterday










  • Sorry for the last misinformed comment, Just read that it stores the following info: The default scopes used for our supported set of social identity providers are: Facebook: email Google+: email Microsoft account: openid email profile Amazon: profile LinkedIn: r_emailaddress, r_basicprofile You can take it as, Azure AD B2C keeps it as a primary key in any DB and uses it while calling its Graph API for that Primary key. docs.microsoft.com/en-us/azure/active-directory-b2c/… You can refer the info here as well
    – Jim
    yesterday


















Yes it stores by default. B2C generates users like cpim_{guid}@{idp_domain}
– Mikael Chudinov
yesterday




Yes it stores by default. B2C generates users like cpim_{guid}@{idp_domain}
– Mikael Chudinov
yesterday












Sorry for the last misinformed comment, Just read that it stores the following info: The default scopes used for our supported set of social identity providers are: Facebook: email Google+: email Microsoft account: openid email profile Amazon: profile LinkedIn: r_emailaddress, r_basicprofile You can take it as, Azure AD B2C keeps it as a primary key in any DB and uses it while calling its Graph API for that Primary key. docs.microsoft.com/en-us/azure/active-directory-b2c/… You can refer the info here as well
– Jim
yesterday






Sorry for the last misinformed comment, Just read that it stores the following info: The default scopes used for our supported set of social identity providers are: Facebook: email Google+: email Microsoft account: openid email profile Amazon: profile LinkedIn: r_emailaddress, r_basicprofile You can take it as, Azure AD B2C keeps it as a primary key in any DB and uses it while calling its Graph API for that Primary key. docs.microsoft.com/en-us/azure/active-directory-b2c/… You can refer the info here as well
– Jim
yesterday














up vote
0
down vote













Here is the solution I found.
The base policy in SignIn userjourney 



<UserJourney Id="SignIn">


contains an orchestration step that calls a technical profile AAD-UserWriteUsingAlternativeSecurityId



    <OrchestrationStep Order="4" Type="ClaimsExchange">

      <Preconditions>

        <Precondition Type="ClaimsExist" ExecuteActionsIf="true">

          <Value>objectId</Value>

          <Action>SkipThisOrchestrationStep</Action>

        </Precondition>

      </Preconditions>

      <ClaimsExchanges>

        <ClaimsExchange Id="AAD-UserWriteUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />

      </ClaimsExchanges>

    </OrchestrationStep>


This step creates user registrations in Azure B2C.



If this user journey is overloaded in an extension policy and this step skipped there then users will not be created.



Another step that checks users registration with id AAD-UserReadUsingAlternativeSecurityId-NoError



TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError"


can also be skipped.



The authentication process with an external identity providers goes on flawlessly without these steps.






share|improve this answer





















  • If you don't create the user object and you are using refresh tokens, can you exchange it for another ID or access token?
    – Chris Padgett
    yesterday










  • I don't know. This question should be answered by Azure B2C team.
    – Mikael Chudinov
    19 hours ago















up vote
0
down vote













Here is the solution I found.
The base policy in SignIn userjourney 



<UserJourney Id="SignIn">


contains an orchestration step that calls a technical profile AAD-UserWriteUsingAlternativeSecurityId



    <OrchestrationStep Order="4" Type="ClaimsExchange">

      <Preconditions>

        <Precondition Type="ClaimsExist" ExecuteActionsIf="true">

          <Value>objectId</Value>

          <Action>SkipThisOrchestrationStep</Action>

        </Precondition>

      </Preconditions>

      <ClaimsExchanges>

        <ClaimsExchange Id="AAD-UserWriteUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />

      </ClaimsExchanges>

    </OrchestrationStep>


This step creates user registrations in Azure B2C.



If this user journey is overloaded in an extension policy and this step skipped there then users will not be created.



Another step that checks users registration with id AAD-UserReadUsingAlternativeSecurityId-NoError



TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError"


can also be skipped.



The authentication process with an external identity providers goes on flawlessly without these steps.






share|improve this answer





















  • If you don't create the user object and you are using refresh tokens, can you exchange it for another ID or access token?
    – Chris Padgett
    yesterday










  • I don't know. This question should be answered by Azure B2C team.
    – Mikael Chudinov
    19 hours ago













up vote
0
down vote










up vote
0
down vote









Here is the solution I found.
The base policy in SignIn userjourney 



<UserJourney Id="SignIn">


contains an orchestration step that calls a technical profile AAD-UserWriteUsingAlternativeSecurityId



    <OrchestrationStep Order="4" Type="ClaimsExchange">

      <Preconditions>

        <Precondition Type="ClaimsExist" ExecuteActionsIf="true">

          <Value>objectId</Value>

          <Action>SkipThisOrchestrationStep</Action>

        </Precondition>

      </Preconditions>

      <ClaimsExchanges>

        <ClaimsExchange Id="AAD-UserWriteUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />

      </ClaimsExchanges>

    </OrchestrationStep>


This step creates user registrations in Azure B2C.



If this user journey is overloaded in an extension policy and this step skipped there then users will not be created.



Another step that checks users registration with id AAD-UserReadUsingAlternativeSecurityId-NoError



TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError"


can also be skipped.



The authentication process with an external identity providers goes on flawlessly without these steps.






share|improve this answer












Here is the solution I found.
The base policy in SignIn userjourney 



<UserJourney Id="SignIn">


contains an orchestration step that calls a technical profile AAD-UserWriteUsingAlternativeSecurityId



    <OrchestrationStep Order="4" Type="ClaimsExchange">

      <Preconditions>

        <Precondition Type="ClaimsExist" ExecuteActionsIf="true">

          <Value>objectId</Value>

          <Action>SkipThisOrchestrationStep</Action>

        </Precondition>

      </Preconditions>

      <ClaimsExchanges>

        <ClaimsExchange Id="AAD-UserWriteUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />

      </ClaimsExchanges>

    </OrchestrationStep>


This step creates user registrations in Azure B2C.



If this user journey is overloaded in an extension policy and this step skipped there then users will not be created.



Another step that checks users registration with id AAD-UserReadUsingAlternativeSecurityId-NoError



TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError"


can also be skipped.



The authentication process with an external identity providers goes on flawlessly without these steps.







share|improve this answer












share|improve this answer



share|improve this answer










answered yesterday









Mikael Chudinov

518610




518610












  • If you don't create the user object and you are using refresh tokens, can you exchange it for another ID or access token?
    – Chris Padgett
    yesterday










  • I don't know. This question should be answered by Azure B2C team.
    – Mikael Chudinov
    19 hours ago


















  • If you don't create the user object and you are using refresh tokens, can you exchange it for another ID or access token?
    – Chris Padgett
    yesterday










  • I don't know. This question should be answered by Azure B2C team.
    – Mikael Chudinov
    19 hours ago
















If you don't create the user object and you are using refresh tokens, can you exchange it for another ID or access token?
– Chris Padgett
yesterday




If you don't create the user object and you are using refresh tokens, can you exchange it for another ID or access token?
– Chris Padgett
yesterday












I don't know. This question should be answered by Azure B2C team.
– Mikael Chudinov
19 hours ago




I don't know. This question should be answered by Azure B2C team.
– Mikael Chudinov
19 hours ago


















 

draft saved


draft discarded



















































 


draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53372582%2fhow-to-disable-storing-of-claims-principal-records-in-azure-b2c%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

Can a sorcerer learn a 5th-level spell early by creating spell slots using the Font of Magic feature?

Image
28 6 $begingroup$ Per the Font of Magic feature, sorcerer can use Flexible Casting to create 5th-level spell slots at level 7, even though they are not typically available until level 9. You can transform unexpended sorcery points into one spell slot as a bonus action on your turn. The Creating Spell Slots table shows the cost of creating a spell slot of [5th level is 7] If such a sorcerer levels up while still having this 5th-level spell slot, can they choose a 5th-level spell as the spell they gain upon levelling up? The Spellcasting feature states: Additionally, when you gain a level in this class, you can choose one of the sorcerer spells you know and replace it with another spell from the sorcerer spell list, which also must be of a level for which you have spell slots.
Read more

ts Property 'filter' does not exist on type '{}'

Image
1 I'm trying to follow Angular Material guide to create a custom filter for autocomplete input text https://material.angular.io/components/autocomplete/overview This is what I have TS import { Component, OnInit } from '@angular/core'; import { TemplateRef } from '@angular/core'; import { FormControl } from "@angular/forms"; import { Observable } from "rxjs"; import { map, startWith, filter } from 'rxjs/operators'; (...) export class AppComponent implements OnInit { title = 'Your Profile'; displayedColumns: string = ['selected', 'name', 'description', 'pnr']; dataSource = ELEMENT_DATA; myControl = new FormControl(); options: any = ['One', 'Two', 'Three']; filteredOptions:
Read more

mat-slide-toggle shouldn't change it's state when I click cancel in confirmation window

Image
1 When I checked the slide toggle it should work as expected. But when I try to uncheck it there is a confirmation window asking if you are sure. When I click cancel in that confirmation window, still the toggle changes to unchecked, which shouldn't happen. It should stay in the same state. Here is my Html and TS Code // html <mat-slide-toggle (change)="change($event)" [checked]="isChecked()" > To-pay </mat-slide-toggle> TS code: // ts change(e) { if(this.checked) { if(confirm("Are you sure")) { console.log("toggle") } else { e.stopPropagation(); console.log("toggle should not change if I click the cancel button") }
Read more