How to prevent Login in AD B2C based on an extension claim type using custom policies

Front-end · unresolved · 1 answer · 447
野性不改 2021-01-28 04:56

I have an extension claim type, say extension_isEmailVerified. I want to block the user from logging in based on the value of this claim type. If it is true

1 answer
  • 2021-01-28 05:11

    You can add additional validation technical profiles to validate the custom attribute and display an error message if it isn't set to the expected value as follows:

    (Note that if the login-NonInteractive validation technical profile doesn't succeed then the additional validation technical profiles aren't executed.)

    <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
      ...
      <Metadata>
        <Item Key="UserMessageIfClaimsTransformationBooleanValueIsNotEqual">Oops, your email hasn't been verified.</Item>
      </Metadata>
      ...
      <ValidationTechnicalProfiles>
        <ValidationTechnicalProfile ReferenceId="login-NonInteractive" />
        <ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingObjectId" />
        <ValidationTechnicalProfile ReferenceId="ClaimsTransformation-AssertEmailVerified" />
      </ValidationTechnicalProfiles>
    </TechnicalProfile>
    

    The ClaimsTransformation-AssertEmailVerified technical profile (see Define a claims transformation technical profile for more information about a claims transformation technical profile) is defined as:

    <ClaimsProvider>
      <DisplayName>Claims Transformation</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="ClaimsTransformation-AssertEmailVerified">
          <DisplayName>Assert Email Verified Claims Transformation</DisplayName>
          <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="extension_EmailVerified" />
          </OutputClaims>
          <OutputClaimsTransformations>
            <OutputClaimsTransformation ReferenceId="AssertEmailVerified" />
          </OutputClaimsTransformations>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
    

    The AssertEmailVerified claims transformation is defined as:

    <ClaimsTransformation Id="AssertEmailVerified" TransformationMethod="AssertBooleanClaimIsEqualToValue">
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="extension_EmailVerified" TransformationClaimType="inputClaim" />
      </InputClaims>
      <InputParameters>
        <InputParameter Id="valueToCompareTo" DataType="boolean" Value="true" />
      </InputParameters>
    </ClaimsTransformation>
    
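The answer above relies on wiring it does not spell out: the asserted claim must be declared as a boolean ClaimType, AAD-UserReadUsingObjectId must actually output it (the starter-pack profile does not output custom extension attributes unless you add them), and the assert profile must be listed after the read profile, since validation technical profiles run in the order listed and the claim is not in the claims bag before the read. The following Python lint is an added example, not part of the original answer or of any Microsoft sample: it parses a constructed, trimmed-down policy (Protocol, DisplayName and key elements omitted, so it is not deployable as-is) that reuses the profile and claim names from the answer, and reports the misconfigurations that would silently turn the gate off.

```python
"""Lint the boolean-claim sign-in gate of an Azure AD B2C custom policy.
Added example: checks the dependencies between the self-asserted profile,
the user-read profile, the assert profile and the ClaimsSchema."""
import xml.etree.ElementTree as ET

# Real TrustFrameworkPolicy namespace; the lint is otherwise self-contained.
NS = {"b2c": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}
ASSERT_METHOD = "AssertBooleanClaimIsEqualToValue"
ERROR_KEY = "UserMessageIfClaimsTransformationBooleanValueIsNotEqual"


def lint_boolean_gate(policy_xml, signin_tp_id, read_tp_id, assert_tp_id):
    """Return a list of findings; an empty list means the wiring is consistent."""
    root = ET.fromstring(policy_xml)
    findings = []
    tps = {tp.get("Id"): tp for tp in root.iterfind(".//b2c:TechnicalProfile", NS)}
    missing = [t for t in (signin_tp_id, read_tp_id, assert_tp_id) if t not in tps]
    if missing:
        return [f"technical profile {t} not found" for t in missing]
    # 1. The assert profile must be a validation profile and run after the read.
    refs = [v.get("ReferenceId") for v in tps[signin_tp_id].iterfind(
        "b2c:ValidationTechnicalProfiles/b2c:ValidationTechnicalProfile", NS)]
    if assert_tp_id not in refs:
        findings.append(f"{signin_tp_id} does not run {assert_tp_id}")
    elif read_tp_id not in refs or refs.index(read_tp_id) > refs.index(assert_tp_id):
        findings.append(f"{assert_tp_id} runs before {read_tp_id}, so the claim is not in the bag yet")
    # 2. The user-facing error message must be configured on the self-asserted profile.
    keys = {i.get("Key") for i in tps[signin_tp_id].iterfind("b2c:Metadata/b2c:Item", NS)}
    if ERROR_KEY not in keys:
        findings.append(f"{signin_tp_id} lacks Metadata item {ERROR_KEY}")
    # 3. Every output transformation of the assert profile must be a boolean assert.
    cts = {c.get("Id"): c for c in root.iterfind(".//b2c:ClaimsTransformation", NS)}
    ct_ids = [c.get("ReferenceId") for c in tps[assert_tp_id].iterfind(
        "b2c:OutputClaimsTransformations/b2c:OutputClaimsTransformation", NS)]
    if not ct_ids:
        findings.append(f"{assert_tp_id} runs no OutputClaimsTransformation")
    claim_ids = []
    for ct_id in ct_ids:
        ct = cts.get(ct_id)
        if ct is None or ct.get("TransformationMethod") != ASSERT_METHOD:
            findings.append(f"{ct_id} is not an {ASSERT_METHOD} transformation")
            continue
        claim_ids += [ic.get("ClaimTypeReferenceId")
                      for ic in ct.iterfind("b2c:InputClaims/b2c:InputClaim", NS)]
    # 4. Each asserted claim must be declared boolean and be output by the read profile.
    schema = {c.get("Id"): c.findtext("b2c:DataType", default="", namespaces=NS)
              for c in root.iterfind(".//b2c:ClaimsSchema/b2c:ClaimType", NS)}
    read_out = {o.get("ClaimTypeReferenceId")
                for o in tps[read_tp_id].iterfind("b2c:OutputClaims/b2c:OutputClaim", NS)}
    for cid in claim_ids:
        if schema.get(cid) != "boolean":
            findings.append(f"{cid} is not declared as a boolean ClaimType")
        if cid not in read_out:
            findings.append(f"{read_tp_id} does not output {cid}")
    return findings


# Constructed, trimmed-down policy using the names from the answer (not deployable).
POLICY_TEMPLATE = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">
  <BuildingBlocks>
    <ClaimsSchema>
      <ClaimType Id="extension_EmailVerified"><DataType>boolean</DataType></ClaimType>
    </ClaimsSchema>
    <ClaimsTransformations>
      <ClaimsTransformation Id="AssertEmailVerified" TransformationMethod="AssertBooleanClaimIsEqualToValue">
        <InputClaims><InputClaim ClaimTypeReferenceId="extension_EmailVerified" TransformationClaimType="inputClaim"/></InputClaims>
        <InputParameters><InputParameter Id="valueToCompareTo" DataType="boolean" Value="true"/></InputParameters>
      </ClaimsTransformation>
    </ClaimsTransformations>
  </BuildingBlocks>
  <ClaimsProviders><ClaimsProvider><TechnicalProfiles>
    <TechnicalProfile Id="AAD-UserReadUsingObjectId">
      <OutputClaims><OutputClaim ClaimTypeReferenceId="objectId"/>{read_extra}</OutputClaims>
    </TechnicalProfile>
    <TechnicalProfile Id="ClaimsTransformation-AssertEmailVerified">
      <OutputClaims><OutputClaim ClaimTypeReferenceId="extension_EmailVerified"/></OutputClaims>
      <OutputClaimsTransformations><OutputClaimsTransformation ReferenceId="AssertEmailVerified"/></OutputClaimsTransformations>
    </TechnicalProfile>
    <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
      <Metadata><Item Key="UserMessageIfClaimsTransformationBooleanValueIsNotEqual">Oops, your email hasn't been verified.</Item></Metadata>
      <ValidationTechnicalProfiles>
        <ValidationTechnicalProfile ReferenceId="login-NonInteractive"/>
        {second}
        {third}
      </ValidationTechnicalProfiles>
    </TechnicalProfile>
  </TechnicalProfiles></ClaimsProvider></ClaimsProviders>
</TrustFrameworkPolicy>"""


def build_policy(read_outputs_claim=True, assert_after_read=True):
    """Render the constructed policy, optionally with one of two common mistakes."""
    read_ref = '<ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingObjectId"/>'
    assert_ref = '<ValidationTechnicalProfile ReferenceId="ClaimsTransformation-AssertEmailVerified"/>'
    return POLICY_TEMPLATE.format(
        read_extra='<OutputClaim ClaimTypeReferenceId="extension_EmailVerified"/>' if read_outputs_claim else "",
        second=read_ref if assert_after_read else assert_ref,
        third=assert_ref if assert_after_read else read_ref)


def check(read_outputs_claim=True, assert_after_read=True):
    """Lint one variant of the constructed policy with the answer's profile names."""
    return lint_boolean_gate(build_policy(read_outputs_claim, assert_after_read),
                             "SelfAsserted-LocalAccountSignin-Email",
                             "AAD-UserReadUsingObjectId",
                             "ClaimsTransformation-AssertEmailVerified")


if __name__ == "__main__":
    for variant in ({}, {"read_outputs_claim": False}, {"assert_after_read": False}):
        print(variant or "correct wiring", "->", check(**variant) or "OK")
```

Running the script lints three variants: the wiring from the answer passes, while a read profile that does not output extension_EmailVerified and an assert profile listed before the read profile are each reported. The same function can be pointed at a real TrustFrameworkExtensions.xml, since the element names and namespace are the ones the policy engine uses.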