20

Can I disable sign-up in Azure AD B2C? In other words, I don't want customers to sign up accounts by themselves, I want it to be done only by admin in Azure. Thanks.

martial

2 Answers

29

Built-in Policies

Yes, only define a Sign-in policy.

Do not define a Sign-up or Sign-in policy nor a Sign-up policy.


Custom Policies

The problem with a sign-in only policy is you only have basic UI customization options. You do not get the full set of features as described here.

With custom policies, you can define a Sign-Up/Sign-In policy and then disable the Sign-Up portion. This allows for the same level of UI customization as described here.

  1. Hide the Sign-Up link via CSS
  2. Remove <Item Key="SignUpTarget">SignUpWithLogonUsernameExchange</Item> from your TechnicalProfile
<TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Username-NoSignUp">
    <DisplayName>Local Account Signin</DisplayName>
    <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <Metadata>
        <!-- Want to disable sign-up on unified policy -->
        <!-- <Item Key="SignUpTarget">SignUpWithLogonUsernameExchange</Item> -->
        <Item Key="setting.operatingMode">Username</Item>
        <Item Key="ContentDefinitionReferenceId">api.selfasserted-ext-local</Item>
        <Item Key="language.button_continue">Login</Item>
    </Metadata>
    ...
</TechnicalProfile>   
spottedmahn
  • Is it safe to just 'hide' a link via CSS? Wouldn't it be possible to display it with some tinkering in console view? – Cedric Feb 25 '19 at 14:09
  • No, it wouldn’t be safe by itself which is why the custom policy change is needed. @Cedric – spottedmahn Feb 25 '19 at 14:29
  • AAD B2C is an unmitigated disaster... I can't believe the number of hacky workarounds one has to perform just to get simple, basic functionality working. It's really quite shocking. – JTW Apr 06 '19 at 21:22
  • Years later... There's a "SignIn (Standard)" policy that works as stated in this answer (without UI customization) and a "SignIn (Recommended)" policy that does have same UI customization as SignUpIn. – AntonioOtero Jul 30 '20 at 20:31
27

In Built-in policies (aka User Flows) you can choose a sign-in only policy.

In Custom Policies you can use the metadata properties shown in the snippet below, without defining any custom CSS.

<TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
  <DisplayName>Local Account Signin</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <!-- Clear SignUpTarget for security reasons -->
    <Item Key="SignUpTarget"></Item>
    <Item Key="setting.operatingMode">Email</Item>
    <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item>
    <!-- Remove signup and forgot password links -->
    <Item Key="setting.showSignupLink">false</Item>
    <Item Key="setting.forgotPasswordLinkLocation">None</Item>
  </Metadata>
  ...
</TechnicalProfile>

m4tte0
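Added example, not part of either answer above: a small Python check that scans one custom policy file and reports sign-in technical profiles that still carry a non-empty `SignUpTarget` or do not set `setting.showSignupLink` to `false`. The sample policy is constructed, the function name `audit_signup` is hypothetical, and the check assumes a single file (it does not resolve metadata inherited from a base policy).

```python
import xml.etree.ElementTree as ET

# Constructed sample: two profiles reduced to the Metadata items discussed above.
SAMPLE_POLICY = """\
<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">
  <ClaimsProviders><ClaimsProvider><TechnicalProfiles>
    <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Username">
      <Metadata>
        <Item Key="SignUpTarget">SignUpWithLogonUsernameExchange</Item>
        <Item Key="setting.operatingMode">Username</Item>
      </Metadata>
    </TechnicalProfile>
    <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
      <Metadata>
        <Item Key="SignUpTarget"></Item>
        <Item Key="setting.operatingMode">Email</Item>
        <Item Key="setting.showSignupLink">false</Item>
      </Metadata>
    </TechnicalProfile>
  </TechnicalProfiles></ClaimsProvider></ClaimsProviders>
</TrustFrameworkPolicy>
"""

def local(tag):
    """Strip the XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def audit_signup(policy_xml):
    """Return {profile Id: [findings]} for sign-in pages that still expose sign-up."""
    findings = {}
    for tp in ET.fromstring(policy_xml).iter():
        if local(tp.tag) != "TechnicalProfile":
            continue
        # XML comments are dropped by the parser, so a commented-out Item is absent.
        meta = {i.get("Key"): (i.text or "").strip()
                for i in tp.iter() if local(i.tag) == "Item"}
        if "setting.operatingMode" not in meta:
            continue  # assumption: only local-account sign-in pages set this key
        issues = []
        if meta.get("SignUpTarget"):
            issues.append("SignUpTarget -> " + meta["SignUpTarget"])
        if meta.get("setting.showSignupLink", "").lower() != "false":
            issues.append("sign-up link not hidden by metadata")
        if issues:
            findings[tp.get("Id")] = issues
    return findings

if __name__ == "__main__":
    for profile_id, issues in audit_signup(SAMPLE_POLICY).items():
        print(profile_id, issues)
```

A profile that hides the link only with CSS still shows up with the second finding, which is a prompt to confirm that `SignUpTarget` is gone rather than a failure in itself.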