
AbhayChandramouli-2076 asked amanpreetsingh-msft commented

Azure AD B2C | Can we get the last login of a user in the Azure AD B2C access token claims?

I want the last_login log for a user inside the access token when we log in to Azure AD B2C. Is that possible?


Thanks




@amanpreetsingh-msft can you please help with this?

azure-ad-b2c

1 Answer

amanpreetsingh-msft answered amanpreetsingh-msft commented

@AbhayChandramouli-2076 • Thank you for reaching out.

Azure AD B2C by default doesn't store the last login time of the users. However, you can create a custom claim that can capture the current date and time (during users' sign-in) and pass that in the access token issued after sign-in. You can then configure your application to read this claim and store it to keep track of the last time the user logged in. You can also write this value to the user's property in the B2C directory by persisting the claim but that would be a complicated task and would require a lot of testing as there is no sample currently available for this purpose.

For this purpose, you need to perform the below steps:

  1. Create a custom claim:

      <ClaimType Id="extension_LastLogin">
        <DisplayName>extension_LastLogin</DisplayName>
        <DataType>dateTime</DataType>
        <UserInputType>Readonly</UserInputType>
      </ClaimType>
    
  2. Create a claims transformation rule:

      <ClaimsTransformation Id="GetLastLoginDateTime" TransformationMethod="GetCurrentDateTime">
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="extension_LastLogin" TransformationClaimType="currentDateTime" />
        </OutputClaims>
      </ClaimsTransformation>
    
  3. Update the login-NonInteractive technical profile.

      <TechnicalProfile Id="login-NonInteractive">
        ...
        <InputClaimsTransformations>
          <InputClaimsTransformation ReferenceId="GetLastLoginDateTime" />
        </InputClaimsTransformations>
        <InputClaims>
          <InputClaim ClaimTypeReferenceId="signInName" />
          <InputClaim ClaimTypeReferenceId="extension_LastLogin" />
        </InputClaims>
        <OutputClaims>
          ...
          <OutputClaim ClaimTypeReferenceId="extension_LastLogin" />
        </OutputClaims>
      </TechnicalProfile>
    
  4. Update the output claims of the SelfAsserted-LocalAccountSignin-Email technical profile.

      <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
        ...
        <OutputClaims>
          ...
          <OutputClaim ClaimTypeReferenceId="extension_LastLogin" />
        </OutputClaims>
      </TechnicalProfile>
    
  5. Update the output claims in the Signup/Sign-in XML file:

    <OutputClaim ClaimTypeReferenceId="extension_LastLogin" PartnerClaimType="LastLogin" />

Note: If you are not using email-based sign-ins, you would need to update the relevant technical profile.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
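
An added example, not part of the original answer: one way the application side could read the `LastLogin` claim and store it, as the answer suggests. It assumes the token's signature, issuer, audience and expiry were already validated by the application's JWT library and that the claim arrives as either epoch seconds or an ISO 8601 string; `parse_login_time`, `record_sign_in` and the dict store are hypothetical names.

```python
from datetime import datetime, timezone

CLAIM_NAME = "LastLogin"  # PartnerClaimType from step 5 of the answer


def parse_login_time(value):
    """Convert the claim value to an aware UTC datetime.

    Assumption: the dateTime claim is serialized either as epoch seconds
    or as an ISO 8601 string; both are accepted here.
    """
    if isinstance(value, bool):  # bool is an int subclass, never a timestamp
        raise ValueError("unexpected boolean claim value")
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    if isinstance(value, str):
        text = value.strip()
        if text.isdigit():
            return datetime.fromtimestamp(int(text), tz=timezone.utc)
        parsed = datetime.fromisoformat(text.replace("Z", "+00:00"))
        # Treat a value without an offset as UTC
        return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)
    raise ValueError(f"unsupported claim type: {type(value).__name__}")


def record_sign_in(store, claims):
    """Store this sign-in time and return the previous one (None on first login).

    `claims` must come from a token that was already validated.
    `store` is a dict standing in for the application's database.
    """
    if CLAIM_NAME not in claims:
        raise ValueError(f"token has no {CLAIM_NAME} claim; check the policy's output claims")
    subject = claims["sub"]
    current = parse_login_time(claims[CLAIM_NAME])
    previous = store.get(subject)
    # Only move forward, so an older token presented again cannot roll the value back
    if previous is None or current > previous:
        store[subject] = current
    return previous


if __name__ == "__main__":
    db = {}  # constructed sample claims below
    record_sign_in(db, {"sub": "user-1", "LastLogin": 1614593730})
    print(record_sign_in(db, {"sub": "user-1", "LastLogin": "2021-03-02T08:00:00Z"}))
```

Because the claim carries the time of the current sign-in, the previous login shown to the user has to come from the application's own store, which is what `record_sign_in` returns.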


@AbhayChandramouli-2076 • Just checking if you have any further questions on this.
