Azure B2C: Prevent user entries
I published an application on my Azure B2C tenant. There are two auth methods, one federated SAML provider and the regular Azure AD tenant. I want to prevent users from the external SAML IdP from being stored in my Azure B2C tenant. For every user that successfully logs in, a user entry is created in my Azure B2C tenant. How can I prevent these user entries in my B2C tenant? This is my user journey:
```xml
<UserJourneys>
  <UserJourney Id="UDIMASignUpOrSignIn">
    <OrchestrationSteps>
      <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
        <ClaimsProviderSelections>
          <!-- <ClaimsProviderSelection TargetClaimsExchangeId="FacebookExchange" /> -->
          <ClaimsProviderSelection TargetClaimsExchangeId="CEF" />
          <ClaimsProviderSelection TargetClaimsExchangeId="UDIMA" />
        </ClaimsProviderSelections>
      </OrchestrationStep>
      <OrchestrationStep Order="2" Type="ClaimsExchange">
        <ClaimsExchanges>
          <!-- <ClaimsExchange Id="FacebookExchange" TechnicalProfileReferenceId="Facebook-OAUTH" /> -->
          <ClaimsExchange Id="CEF" TechnicalProfileReferenceId="AADCEF-OpenIdConnect" />
          <ClaimsExchange Id="UDIMA" TechnicalProfileReferenceId="Saml2AssertionIssuer" />
        </ClaimsExchanges>
      </OrchestrationStep>
      <!-- For social IDP authentication, attempt to find the user account in the directory. -->
      <OrchestrationStep Order="3" Type="ClaimsExchange">
        <ClaimsExchanges>
          <ClaimsExchange Id="AADUserReadUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError" />
        </ClaimsExchanges>
      </OrchestrationStep>
      <!-- For social IDP authentication, attempt to find the user account in the directory. -->
      <!-- The previous step (SelfAsserted-Social) could have been skipped if there were no attributes to collect
           from the user. So, in that case, create the user in the directory if one does not already exist
           (verified using objectId which would be set from the last step if account was created in the directory). -->
      <OrchestrationStep Order="4" Type="ClaimsExchange">
        <Preconditions>
          <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
            <Value>objectId</Value>
            <Action>SkipThisOrchestrationStep</Action>
          </Precondition>
        </Preconditions>
        <ClaimsExchanges>
          <ClaimsExchange Id="AADUserWrite" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />
        </ClaimsExchanges>
      </OrchestrationStep>
      <!-- Show self-asserted page only if the directory does not have the user account already (i.e. we do not have an objectId). -->
      <OrchestrationStep Order="5" Type="ClaimsExchange">
        <Preconditions>
          <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
            <Value>objectId</Value>
            <Action>SkipThisOrchestrationStep</Action>
          </Precondition>
        </Preconditions>
        <ClaimsExchanges>
          <ClaimsExchange Id="SelfAsserted-Social" TechnicalProfileReferenceId="SelfAsserted-Social" />
        </ClaimsExchanges>
      </OrchestrationStep>
      <!-- <OrchestrationStep Order="6" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="AADCEF-OpenIdConnect" /> -->
      <OrchestrationStep Order="6" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
    </OrchestrationSteps>
    <ClientDefinition ReferenceId="DefaultWeb" />
  </UserJourney>
</UserJourneys>
```
Solution 1:
Please check if the provided references can be worked around.
By default, for an external identity, Azure AD B2C will create a user object (objectID) in its own directory. So one may be able to store claims that are asserted by the external IdP and also end users' claims or your own application's. The object id that is created by this external identity can be passed to the next step to be processed and used further.
The ObjectID attribute from Azure AD is generally saved under alternateSecurityID with identityProvider.
```xml
<OutputClaims>
  <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid" />
  <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" />
</OutputClaims>
<OutputClaimsTransformations>
  <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
</OutputClaimsTransformations>
```
Reference: AAD B2C querying for federated identities with the MS Graph API - Stack Overflow
Please check if the user is checked with its oid, i.e. objectId, and issuer (identity provider) to unlink, prevent them from signing in, or remove that user identity.
```xml
<ClaimsTransformation Id="RemoveUserIdentityFromCollectionByIssuer" TransformationMethod="RemoveUserIdentityFromCollectionByIssuer">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="issuerToUnlink" TransformationClaimType="issuer" />
    <InputClaim ClaimTypeReferenceId="userIdentities" TransformationClaimType="collection" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="userIdentities" TransformationClaimType="collection" />
  </OutputClaims>
</ClaimsTransformation>
```
Please check active-directory-b2c-advanced-policies/TRUSTFRAMEWORKBASE.xml · GitHub for details.
Also Azure B2c how to prevent user to login till admin approve - Stack Overflow if required.
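One way to keep the SAML users out of the directory while leaving the Azure AD (CEF) path unchanged, as an added example and not the asker's journey or the answerer's code: guard the directory-write step, and the self-asserted page whose validation technical profile in the starter pack also writes the account, with a ClaimEquals precondition on the identityProvider claim. The value udima-saml is a placeholder that must match whatever identityProvider value the SAML technical profile emits (usually a DefaultValue on that output claim); step 3, the NoError directory read, can stay as it is or take the same guard.

```xml
<!-- Added example (not the asker's or answerer's policy). "udima-saml" is a placeholder for the
     identityProvider value emitted by the SAML technical profile; adjust it to match. -->
<!-- Step 4: never create a directory account for SAML users; for other providers keep the
     original rule of writing the account only when no objectId was found in step 3. -->
<OrchestrationStep Order="4" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
      <Value>identityProvider</Value>
      <Value>udima-saml</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
    <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
      <Value>objectId</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="AADUserWrite" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />
  </ClaimsExchanges>
</OrchestrationStep>
<!-- Step 5: the same guard on the self-asserted page. Without it, SAML users would reach this page
     on every sign-in (the objectId precondition never fires for them) and its validation technical
     profile would write the account anyway. -->
<OrchestrationStep Order="5" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
      <Value>identityProvider</Value>
      <Value>udima-saml</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
    <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
      <Value>objectId</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="SelfAsserted-Social" TechnicalProfileReferenceId="SelfAsserted-Social" />
  </ClaimsExchanges>
</OrchestrationStep>
<!-- Step 6 is unchanged: JwtIssuer issues the token from the claims gathered so far. -->
<OrchestrationStep Order="6" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
```

Users skipped this way have no objectId, so a relying-party file that maps objectId to sub gives them no subject claim; map issuerUserId (or another stable claim from the SAML assertion) to sub for this journey (an assumption about the asker's RP file, which is not shown). They also cannot be disabled, blocked or audited per account in the B2C directory, so access decisions for them rest entirely on the claims the SAML IdP asserts.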
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | kavyasaraboju-MT |