如何阻止用户登录，直到他们在 Azure B2C 中获得授权

Question

My Angular 8 (.net core back end api) app is protected by Azure B2C using MSAL library. The user does a sign up and I use Graph API to create this user in B2C and I have a custom attribute isActive which I set to False . Application admin logs in the app and grants access and the created user can access the app. I want to stop the user to login until they are authorized and allowed access by the admin.

My question is how I can block the users from sign in until isActive is set to true? Currently I'm doing it like below in my app component

  subscribeToBroadCastServiceOnLogin() {
this.broadcastService.subscribe("msal:loginSuccess", (success) => {     

  if (
    success.idToken.claims[
      "extension_3datttttxxxxxxxxxxxxxxxxxxxxxxxxx_isActive"
    ] !== true
  ) {
    window.alert("Your login is awaiting authorization from site Admin");

    return this.authService.logout();
  }

The problem with this approach is that the user is successfully signed in already and I m logging them out based on the claim. I m wondering if there is a better approach to meet this requirement?

Answer 1

your options are somewhat limited in b2c, in normal azure ad, you would have many options, for example, limiting sign in to the enterprise application pane, or disabling user sign in for that user altogether.

However in b2c, you do not have option 1, and option 2 is only for local accounts. that means any accounts created with social emails.. gmail,etc, you cannot disable sign in.

So other than what you're doing currently, the only other solution would be to build an invitation flow or equivalent, which basically prevents signup until admin approves. so you could build something that would call an invitation signup process like here: https://github.com/azure-ad-b2c/samples/tree/master/policies/invite that way the user won't be created until you send the invite.