Azure AD B2C Session Management

Azure AD B2C Session Management: Preventing User Creation After Abrupt Session Closure

Summary

  • In Azure AD B2C custom policies, the directory write for a new user executes as soon as the orchestration reaches the step (or validation technical profile) that invokes it, not when the user journey completes. If the session ends after that point, the account already exists.
  • The exposure is in the final signup stages: the user has clicked Continue on the signup form, the write has run, and the later steps (additional attributes, MFA enrollment, consent) never execute because the browser, app or network went away.
  • Affected are policies whose journey places the write ahead of those later steps. The starter pack's SignUpOrSignIn journey runs the write as a validation technical profile of the signup page itself, so this is the default shape, not an exotic one.

Root Cause

  • Premature write: the write technical profile is attached to the first signup page (as a validation technical profile) or to an early orchestration step, so it executes on that page's submit rather than at journey completion.
  • Stateless HTTP: the policy engine cannot tell a user who submitted and then walked away from one who is still coming; the server-side session only records which orchestration step was reached.
  • Sequential, non-transactional orchestration: steps run in order and a directory write is committed the moment it runs. Nothing rolls it back when the journey is abandoned, times out, or fails at a later step.

Why This Happens in Real Systems

  • Session interruptions are common:
    • Mobile network drops during form submission
    • Users closing the browser or app immediately after clicking a button
    • Browser crashes or tab closures mid-journey
  • The policy engine commits each step as it happens; a multi-step journey is not wrapped in a transaction, so partial progress is durable.
  • The submit button posts to the backend immediately, and the write completes before the next page is even rendered, so the user never sees a state that tells them the account now exists.

Real-World Impact

  • Orphaned accounts: the user exists with email and password but without the attributes, MFA enrollment or consent that the later steps collect
  • Data integrity issues: partial attribute sets persist, and downstream systems that treat "user exists in the directory" as "signup completed" see users who never finished
  • Support overhead: cleanup means an admin deleting or repairing ghost accounts by hand
  • UX failures: a returning user who tries to sign up again is told the account already exists, and one who signs in instead lands in an incompletely provisioned state
  • Compliance risks: PII is retained for a person who never completed registration, which is hard to justify under GDPR/CCPA data-minimization and purpose-limitation rules

Example or Code (if applicable)

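The fragments below are an added example for this page; they are not code from the original page and not the Azure AD B2C starter pack verbatim. They show the starter-pack shape that writes on the first page's submit, and a rewritten journey that defers the write to the last page so an abandoned session writes nothing. Starter-pack identifiers are used as they exist (LocalAccountSignUpWithLogonEmail, AAD-UserWriteUsingLogonEmail, JwtIssuer, SM-AAD, api.localaccountsignup, api.selfasserted); the profile Ids LocalAccountSignUp-CollectOnly and SelfAsserted-ProfileAndWrite, the journey Id SignUpDeferredWrite, the claim termsOfUseConsented (a boolean ClaimType you would have to declare) and the ClaimsExchange Ids are assumptions made for illustration.

```xml
<!--
  Added example; not the page's code and not the starter pack verbatim.
  Assumed names: LocalAccountSignUp-CollectOnly, SelfAsserted-ProfileAndWrite,
  SignUpDeferredWrite, termsOfUseConsented, and the ClaimsExchange Ids.
-->

<!-- BEFORE (starter-pack shape): the directory write is a validation profile of the
     first signup page. It runs when the user clicks Continue on that page, so a user
     who disconnects before any later page already exists in the directory. -->
<TechnicalProfile Id="LocalAccountSignUpWithLogonEmail">
  <ValidationTechnicalProfiles>
    <ValidationTechnicalProfile ReferenceId="AAD-UserWriteUsingLogonEmail" />
  </ValidationTechnicalProfiles>
</TechnicalProfile>

<!-- AFTER, part 1: the first page only collects claims into the claims bag.
     Declared under a new Id rather than as an override of the base profile, because an
     extension override merges with the base element and cannot drop the inherited
     ValidationTechnicalProfile. Email is still verified inline (Verified.Email). -->
<TechnicalProfile Id="LocalAccountSignUp-CollectOnly">
  <DisplayName>Email signup (collect only)</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="ContentDefinitionReferenceId">api.localaccountsignup</Item>
  </Metadata>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="Verified.Email" Required="true" />
    <OutputClaim ClaimTypeReferenceId="newPassword" Required="true" />
    <OutputClaim ClaimTypeReferenceId="reenterPassword" Required="true" />
    <OutputClaim ClaimTypeReferenceId="displayName" />
  </OutputClaims>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
</TechnicalProfile>

<!-- AFTER, part 2: the last page carries the write as its validation profile. The write
     therefore runs only on the final submit, with email, newPassword and displayName
     read from the claims bag filled by part 1. Abandoning before this submit writes
     nothing. If the write fails (for example, duplicate email, raised by the write
     profile's RaiseErrorIfClaimsPrincipalAlreadyExists metadata), the error is shown
     on this page and the journey does not continue. -->
<TechnicalProfile Id="SelfAsserted-ProfileAndWrite">
  <DisplayName>Profile and terms</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item>
  </Metadata>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="displayName" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="givenName" Required="true" />
    <OutputClaim ClaimTypeReferenceId="surname" Required="true" />
    <!-- Required consent (assumed boolean claim); the page cannot be submitted without it. -->
    <OutputClaim ClaimTypeReferenceId="termsOfUseConsented" Required="true" />
    <!-- objectId is produced by the write and is what the issuer step needs. -->
    <OutputClaim ClaimTypeReferenceId="objectId" />
  </OutputClaims>
  <ValidationTechnicalProfiles>
    <ValidationTechnicalProfile ReferenceId="AAD-UserWriteUsingLogonEmail" />
  </ValidationTechnicalProfiles>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
</TechnicalProfile>

<!-- The journey: collect, then collect-and-write, then issue. No step between 1 and 2
     touches the directory, so there is nothing to roll back if the user never reaches 2. -->
<UserJourney Id="SignUpDeferredWrite">
  <OrchestrationSteps>
    <OrchestrationStep Order="1" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="SignUpCollect" TechnicalProfileReferenceId="LocalAccountSignUp-CollectOnly" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="ProfileAndWrite" TechnicalProfileReferenceId="SelfAsserted-ProfileAndWrite" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
  </OrchestrationSteps>
</UserJourney>
```

The trade-off is where a duplicate email is reported: on the last page instead of inline on the first, because the only profile that checks for an existing user is the write itself. Steps whose technical profile needs an existing objectId as input (the starter pack's PhoneFactor-InputOrVerify derives its MFA user id from it) cannot be moved behind the write this way; for those, the write stays first and the absent enrollment becomes the monitoring signal rather than something the write can be gated on.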
How Senior Engineers Fix It

  • Atomic transaction redesign:
    • Defer the directory write until every prerequisite step (additional attributes, MFA enrollment, consent) has produced its claims; collect them in the claims bag and write once, at the end
    • Gate the write step with orchestration preconditions (ClaimsExist on the claims the later steps produce) so it cannot run while they are missing
    • Caveat: a technical profile that needs an existing objectId as input (the starter pack's PhoneFactor-InputOrVerify derives its MFA user id from it) cannot be moved ahead of the write; for such steps the write stays first and the missing enrollment becomes the detection signal
  • Interstep validation:
    • Attach the write as the validation technical profile of the last self-asserted page rather than the first, so it executes on the final submit; a failure there (for example, a duplicate email) is shown on that page and the journey stops without issuing a token
    • Trade-off: duplicate-email detection moves from the first page to the last; keep the write profile's RaiseErrorIfClaimsPrincipalAlreadyExists metadata enabled so the duplicate is still rejected
  • Asynchronous processing:
    Where the policy already calls out through a RESTful technical profile, let the Azure Function behind it stage the submission and create the user through Microsoft Graph only after a later step sends an explicit completion event; an abandoned journey then leaves a stale staging record, not a directory account
  • Edge monitoring:
    Enable JourneyInsights (Application Insights telemetry) in UserJourneyBehaviors and alert on journeys whose last recorded orchestration step is the write step with no token issuance afterwards
  • Policy guardrails:
    Do not reference `AAD-UserWriteUsingLogonEmail` (the starter-pack write profile) from the first signup page; keep collected claims in the claims bag, the journey's own temporary store, until the final step

Why Juniors Miss It

  • Stateless mindset: assuming that a successful HTTP submission means the whole journey was processed
  • Policy tunnel vision: validating the happy path without walking the journey step by step and asking what persists if the user leaves after each one
  • Lack of resiliency patterns: inexperience with distributed-system failure modes, where partial progress is durable by default
  • Testing gaps: exercising only successful flows, never closing the browser after each Continue to see what the directory contains
  • Event-timing opacity: underestimating how early in the orchestration a write actually commits relative to what the user sees
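The relying-party fragment below is an added example, not code from the original page, showing the two places in a custom policy where the telemetry the Edge monitoring bullet relies on is switched on: JourneyInsights under UserJourneyBehaviors for per-journey Application Insights events, and the journey recorder endpoint on the policy root for development-time step-by-step traces. The tenant name, policy Ids, journey Id and instrumentation key are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!--
  Added example; not the page's code. Tenant, policy Ids, the journey Id and the
  instrumentation key are placeholders. DeploymentMode="Development" and the
  UserJourneyRecorderEndpoint attribute are for troubleshooting only; remove them
  in production and keep JourneyInsights with DeveloperMode="false".
-->
<TrustFrameworkPolicy
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
  PolicySchemaVersion="0.3.0.0"
  TenantId="contoso.onmicrosoft.com"
  PolicyId="B2C_1A_signup_deferred_write"
  PublicPolicyUri="http://contoso.onmicrosoft.com/B2C_1A_signup_deferred_write"
  DeploymentMode="Development"
  UserJourneyRecorderEndpoint="urn:journeyrecorder:applicationinsights">

  <BasePolicy>
    <TenantId>contoso.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>
  </BasePolicy>

  <RelyingParty>
    <!-- Journey Id is an assumption; point this at the journey whose write step you want to watch. -->
    <DefaultUserJourney ReferenceId="SignUpDeferredWrite" />
    <UserJourneyBehaviors>
      <!-- Server-side events per orchestration step go to this Application Insights
           resource. Alert on journeys whose last event is the write step and that never
           reach the SendClaims step. -->
      <JourneyInsights TelemetryEngine="ApplicationInsights"
                       InstrumentationKey="00000000-0000-0000-0000-000000000000"
                       DeveloperMode="true"
                       ClientEnabled="false"
                       ServerEnabled="true"
                       TelemetryVersion="1.0.0" />
    </UserJourneyBehaviors>
    <TechnicalProfile Id="PolicyProfile">
      <DisplayName>PolicyProfile</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="email" />
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
      </OutputClaims>
      <SubjectNamingInfo ClaimType="sub" />
    </TechnicalProfile>
  </RelyingParty>
</TrustFrameworkPolicy>
```

The telemetry records which orchestration step each journey reached, which is exactly the information the policy engine itself does not act on: a journey that reached the write step but never reached the issuer step is the ghost-account case, and that query is what the support or cleanup process should be driven from.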