Azure b2c documentation

Azure b2c documentation DEFAULT

You can integrate with Microsoft Azure Active Directory (AD) if you want to let users:

  • From within your company use your application from an Azure AD controlled by you or your organization.
  • From other companies' Azure ADs use your application. (We recommend that you configure external directories as different connections.)

Claims returned from the Azure AD enterprise connection are static; custom or optional claims will not appear in user profiles. If you need to include custom or optional claims in user profiles, use a SAML or OIDC connection instead.

To connect your application to Azure AD, you must:

  1. Register your app with Azure AD.
  2. Create an enterprise connection in Auth0.
  3. Enable the enterprise connection for your Auth0 Application.
  4. Test the connection.

To register your app with Azure AD, see Microsoft's Quickstart: Register an application with the Microsoft identity platform.

If you have more than one Azure AD directory, make sure you are in the correct directory when you register the app you want to use with Auth0.

During registration, configure the following settings:

Supported account typesTo allow users from external organizations (like other Azure AD directories) choose the appropriate multitenant option. Multitenant options include the following: Accounts in any organizational directory (Any Azure AD directory - Multitenant).
Redirect URISelect a Redirect URI type of Web, and enter your : .

Find your Auth0 domain name for redirects

If your Auth0 domain name is not shown above and you are not using our custom domains feature, your domain name is your tenant name, your regional subdomain (unless your tenant is in the US region and was created before June 2020), plus. For example, if your tenant name were , your Auth0 domain name would be and your redirect URI would be . (If your tenant is in the US and was created before June 2020, then your domain name would be .)

If you are using custom domains, your will have the following format: .

During this process, Microsoft generates an Application (client) ID for your application; you can find this on the app's Overview screen. Make note of this value.

To create a client secret, see Microsoft's Quickstart: Configure a client application to access web APIs - Add Credentials to your web application.

Once generated, make note of this value.

If you configure an expiring secret, make sure to record the expiration date; you will need to renew the key before that day to avoid a service interruption.

To add permissions, see Microsoft's Quickstart: Configure a client application to access web APIs - Add permissions to access web APIs.

You will need to configure permissions for the Microsoft Graph API.

While setting up your permissions, configure the following settings:

Delegated permissionsRequired.
Users > User.ReadSo your app can sign in users and read the signed-in users' profiles.
Directory > Directory.Read.AllSo your app can read directory data on the signed-in user's behalf.

If you want to enable extended attributes (such as Extended Profile or Security Groups), then you also must configure the following settings:

Delegated permissionsUnder Directory, select Directory.AccessAsUser.All so your app can access the directory as the signed-in user.
Application PermissionsUnder Directory, select Directory.Read.All so your app can read directory data.

Create and configure an Azure AD Enterprise Connection in Auth0. Make sure you have the Application (client) ID and the Client secret generated when you set up your app in the Microsoft Azure portal.

  1. Navigate to Auth0 Dashboard > Authentication > Enterprise, locate Microsoft Azure AD, and select its .

Create Connection Type

  1. Enter details for your connection, and select Create:
Connection nameLogical identifier for your connection; it must be unique for your tenant. Once set, this name can't be changed.
Microsoft Azure AD DomainYour Azure AD domain name. You can find this on your Azure AD directory's overview page in the Microsoft Azure portal.
Client IDUnique identifier for your registered Azure AD application. Enter the saved value of the Application (client) ID for the app you just registered in Azure AD.
Client SecretString used to gain access to your registered Azure AD application. Enter the saved value of the Client secret for the app you just registered in Azure AD.
Use common endpoint(Optional) When enabled, your application will dynamically accept users from new directories. Typically enabled if you selected a multitenant option for Supported account types for the application you just registered in Azure AD. When enabled, Auth0 will redirect users to Azure's common login endpoint, and Azure will perform Home Realm Discovery based on the domain of the user's email address.
Identity APIAPI used by Auth0 to interact with Azure AD endpoints. Learn about the differences in behavior in Microsoft's Why update to Microsoft identity platform (v2.0) doc.
AttributesBasic attributes for the signed-in user that your app can access. Indicates how much information you want stored in the Auth0 User Profile.
Extended Attributes (optional)Extended attributes for the signed-in user that your app can access.
Auth0 APIs (optional)When selected, indicates that we require the ability to make calls to the Azure AD API, which allows us to search for users in the Azure AD Graph even if they never logged in to Auth0.
Sync user profile attributes at each loginWhen enabled, Auth0 automatically syncs user profile data with each user login, thereby ensuring that changes made in the connection source are automatically updated in Auth0.
Email VerificationChoose how Auth0 sets the field in the user profile. To learn more, see Email Verification for Azure AD and ADFS.

Configure General Microsoft Azure AD Settings

  1. In the Login Experience view, you can configure how users log in with this connection.
Identity Provider domainsA comma-separated list of the domains that can be authenticated in the Identify Provider. This is only applicable when using Identifier First authentication in the Universal Login Experience.
Add button (Optional)Display a button for this connection in the login page.
Button display name (Optional)Text used to customize the login button for new Universal Login. When set the button reads: "Continue with {Button display name}".
Button logo URL (Optional)URL of image used to customize the login button for new Universal Login. When set, the Universal Login login button displays the image as a 20px by 20px square.

Optional fields are available with the New Login Experience only. Customers using the Classic experience will not see the Add button, Button display name, or Button logo URL.

  1. If you have appropriate Azure AD administrative permissions to give consent to the application so users can log in, then click Continue.

    You will be asked to log in to your Azure AD account and give consent. Otherwise, provide the given URL to your administrator so that they can give consent.

To use your new Azure AD enterprise connection, you must first enable the connection for your Auth0 Applications.

Now you're ready to test your connection.

Here are some troubleshooting tips:

I registered my application with Azure AD, but when I go back to my Azure Active Directory App registrations, I can't see my application.

You may have accidentally registered your app in the wrong Azure AD directory (or not have created an Azure AD directory at all before registering your app). It's likely easiest to re-register your app in Azure AD. Make sure you are in the correct directory when you register the app. If you need to create an Azure AD directory, follow Microsoft's Quickstart: Create a new tenant in Azure Active Directory - Create a new tenant for your organization.

I receive the following error message: "Access cannot be granted to this service because the service listing is not properly configured by the publisher".

To resolve this, try changing the Supported account types for your registered Azure AD app. Make sure you have chosen an appropriate multitenant option in the Azure AD app's Authentication settings. Multitenant options include the following: Accounts in any organizational directory (Any Azure AD directory - Multitenant).

When users try to log in, we receive the following error message: "invalid_request; failed to obtain access token".

The most likely reason for this error is an invalid or expired Azure AD Client secret. To resolve this, generate a new Client secret for your app in Azure AD, then update the Client Secret in the enterprise connection configured with Auth0.

Signing keys are used by the identity provider to sign the authentication token it issues, and by the consumer application (Auth0 in this case) to validate the authenticity of the generated token.

For security purposes, Azure AD’s signing key rolls on a periodic basis. If this happens, you do not need to take any action. Auth0 will use the new key automatically.

If you're using a custom domain, the application consent prompt for Azure AD login may label your domain as "unverified". To remove the unverified label:

  1. Verify the domain for the Auth0 application: Add your custom domain name using the Azure Active Directory portal
  2. Assign the verified domain to the Auth0 application: How to: Configure an application's publisher domain

What is Azure Active Directory B2C?

Azure Active Directory B2C provides business-to-customer identity as a service. Your customers use their preferred social, enterprise, or local account identities to get single sign-on access to your applications and APIs.

Infographic of Azure AD B2C identity providers and downstream applications

Azure AD B2C is a customer identity access management (CIAM) solution capable of supporting millions of users and billions of authentications per day. It takes care of the scaling and safety of the authentication platform, monitoring, and automatically handling threats like denial-of-service, password spray, or brute force attacks.

Azure AD B2C is a separate service from Azure Active Directory (Azure AD). It is built on the same technology as Azure AD but for a different purpose. It allows businesses to build customer facing application, and then allow anyone to sign up into those applications with no restrictions on user account.

Who uses Azure AD B2C?

Any business or individual who wishes to authenticate end users to their web/mobile applications using a white-label authentication solution. Apart from authentication, Azure AD B2C service is used for authorization such as access to API resources by authenticated users. Azure AD B2C is meant to be used by IT administrators and developers.

Custom-branded identity solution

Azure AD B2C is a white-label authentication solution. You can customize the entire user experience with your brand so that it blends seamlessly with your web and mobile applications.

Customize every page displayed by Azure AD B2C when your users sign up, sign in, and modify their profile information. Customize the HTML, CSS, and JavaScript in your user journeys so that the Azure AD B2C experience looks and feels like it's a native part of your application.

Customized sign-up and sign-in pages and background image

Single sign-on access with a user-provided identity

Azure AD B2C uses standards-based authentication protocols including OpenID Connect, OAuth 2.0, and Security Assertion Markup Language (SAML). It integrates with most modern applications and commercial off-the-shelf software.

Diagram of third-party identities federating to Azure AD B2C.

By serving as the central authentication authority for your web applications, mobile apps, and APIs, Azure AD B2C enables you to build a single sign-on (SSO) solution for them all. Centralize the collection of user profile and preference information, and capture detailed analytics about sign-in behavior and sign-up conversion.

Integrate with external user stores

Azure AD B2C provides a directory that can hold 100 custom attributes per user. However, you can also integrate with external systems. For example, use Azure AD B2C for authentication, but delegate to an external customer relationship management (CRM) or customer loyalty database as the source of truth for customer data.

Another external user store scenario is to have Azure AD B2C handle the authentication for your application, but integrate with an external system that stores user profile or personal data. For example, to satisfy data residency requirements like regional or on-premises data storage policies. However, Azure AD B2C service itself is worldwide via the Azure public cloud.

A logical diagram of Azure AD B2C communicating with an external user store.

Azure AD B2C can facilitate collecting the information from the user during registration or profile editing, then hand that data off to the external system via API. Then, during future authentications, Azure AD B2C can retrieve the data from the external system and, if needed, include it as a part of the authentication token response it sends to your application.

Progressive profiling

Another user journey option includes progressive profiling. Progressive profiling allows your customers to quickly complete their first transaction by collecting a minimal amount of information. Then, gradually collect more profile data from the customer on future sign-ins.

A visual depiction of progressive profiling.

Third-party identity verification and proofing

Use Azure AD B2C to facilitate identity verification and proofing by collecting user data, then passing it to a third-party system to perform validation, trust scoring, and approval for user account creation.

A diagram showing the user flow for third-party identity proofing.

You have learned some of the things you can do with Azure AD B2C as your business-to-customer identity platform. The following sections of this overview walk you through a demo application that uses Azure AD B2C. You're also welcome to move on directly to a more in-depth technical overview of Azure AD B2C.

Example: WoodGrove Groceries

WoodGrove Groceries is a live web application created by Microsoft to demonstrate several Azure AD B2C features. The next few sections review some of the authentication options provided by Azure AD B2C to the WoodGrove website.

Business overview

WoodGrove is an online grocery store that sells groceries to both individual consumers and business customers. Their business customers buy groceries on behalf of their company, or businesses that they manage.

options

WoodGrove Groceries offers several sign-in options based on the relationship their customers have with the store:

  • Individual customers can sign up or sign in with individual accounts, such as with a social identity provider or an email address and password.
  • Business customers can sign up or sign in with their enterprise credentials.
  • Partners and suppliers are individuals who supply the grocery store with products to sell. Partner identity is provided by Azure Active Directory B2B.

Individual (B2C), business (B2C), and partner (B2B) sign-in pages

Authenticate individual customers

When a customer selects Sign in with your personal account, they're redirected to a customized sign-in page hosted by Azure AD B2C. You can see in the following image that we've customized the user interface (UI) to look and feel just like the WoodGrove Groceries website. WoodGrove's customers should be unaware that the authentication experience is hosted and secured by Azure AD B2C.

Custom WoodGrove sign-in page hosted by Azure AD B2C

WoodGrove allows their customers to sign up and sign in by using their Google, Facebook, or Microsoft accounts as their identity provider. Or, they can sign up by using their email address and a password to create what's called a local account.

When a customer selects Sign up with your personal account and then Sign up now, they're presented with a custom sign-up page.

Custom WoodGrove sign-up page hosted by Azure AD B2C

After entering an email address and selecting Send verification code, Azure AD B2C sends them the code. Once they enter their code, select Verify code, and then enter the other information on the form, they must also agree to the terms of service.

Clicking the Create button causes Azure AD B2C to redirect the user back to the WoodGrove Groceries website. When it redirects, Azure AD B2C passes an OpenID Connect authentication token to the WoodGrove web application. The user is now signed-in and ready to go, their display name shown in the top-right corner to indicate they're signed in.

WoodGrove Groceries website header showing user is signed in

Authenticate business customers

When a customer selects one of the options under Business customers, the WoodGrove Groceries website invokes a different Azure AD B2C policy than it does for individual customers. You learn what a B2C policy is in technical overview of Azure AD B2C

This policy presents the user with an option to use their corporate credentials for sign-up and sign-in. In the WoodGrove example, users are prompted to sign in with any work or school account. This policy uses a multi-tenant Azure AD application and the Azure AD endpoint to federate Azure AD B2C with any Microsoft 365 customer in the world.

Authenticate partners

The Sign in with your supplier account link uses Azure Active Directory B2B's collaboration functionality. Azure AD B2B is a family of features in Azure Active Directory to manage partner identities. Those identities can be federated from Azure Active Directory for access into Azure AD B2C-protected applications.

Learn more about Azure AD B2B in What is guest user access in Azure Active Directory B2B?.

Next steps

Now that you have an idea of what Azure AD B2C is and some of the scenarios it can help with, dig a little deeper into its features and technical aspects.

  1. Official pacman
  2. Skyrim dragon souls
  3. Barter kings youtube
  4. Lenovo n22 chromebook

Azure AD B2C Custom Policies with the Identity Experience Framework (IEF)








A demo of Azure AD B2C Custom Policies with the Identity Experience Framework (IEF).




Active Repos:

Solutions and training for Azure AD B2C

What are the supported features and where is the supported documentation? Supported feature set of Custom Policies with IEF available via:

  1. The inline documentation in the Identity Experience Framework tab in B2C. Click on "Developer Responsibilities"
  2. Azure official documentation page

Unsupported material

A Demo of Azure AD B2C is deployed at

Samples for Including:

  • Web application /src/WingTipGamesWebApplication
  • Application Insights Viewer /src/WingTipUserJourneyPlayerWebApplication
  • Web app with admin side analytics src/WingTipToysWebApplication

The contents of this repository are unsupported and may or not be current. Replies to questions about unsupported material have the lowest priority

Why unsupported?

The Identity Experience Framework is a powerful identity engine with a very comprehensive feature set, that is used internally for Microsoft services like Azure AD B2C. Only a subset of features will be tested, monitored, documented, and supported over time. The supported list will increase quickly. Unsupported samples and documentation are provided for our fans and partners for training, and feedback only.

Azure AD B2C with external authorization store

Technical and feature overview of Azure Active Directory B2C


Technical and feature overview - Azure Active Directory B2C

An in-depth introduction to the features and technologies in Azure Active Directory B2C.










A companion to About Azure Active Directory B2C, this article provides a more in-depth introduction to the service. Discussed here are the primary resources you work with in the service, its features. Learn how these features enable you to provide a fully custom identity experience for your customers in your applications.

Azure AD B2C tenant

In Azure Active Directory B2C (Azure AD B2C), a tenant represents your organization and is a directory of users. Each Azure AD B2C tenant is distinct and separate from other Azure AD B2C tenants. An Azure AD B2C tenant is different than an Azure Active Directory tenant, which you may already have.

The primary resources you work with in an Azure AD B2C tenant are:

  • Directory - The directory is where Azure AD B2C stores your users' credentials, profile data, and your application registrations.
  • Application registrations - Register your web, mobile, and native applications with Azure AD B2C to enable identity management. You can also register any APIs you want to protect with Azure AD B2C.
  • User flows and custom policies - Create identity experiences for your applications with built-in user flows and fully configurable custom policies:
    • User flows help you quickly enable common identity tasks like sign-up, sign-in, and profile editing.
    • Custom policies let you build complex identity workflows unique to your organization, customers, employees, partners, and citizens.
  • Sign-in options - Azure AD B2C offers various sign-up and sign-in options for users of your applications:
    • Username, email, and phone sign-in - Configure your Azure AD B2C local accounts to allow sign-up and sign-in with a username, email address, phone number, or a combination of methods.
    • Social identity providers - Federate with social providers like Facebook, LinkedIn, or Twitter.
    • External identity providers - Federate with standard identity protocols like OAuth 2.0, OpenID Connect, and more.
  • Keys - Add and manage encryption keys for signing and validating tokens, client secrets, certificates, and passwords.

An Azure AD B2C tenant is the first resource you need to create to get started with Azure AD B2C. Learn how to:

Accounts in Azure AD B2C

Azure AD B2C defines several types of user accounts. Azure Active Directory, Azure Active Directory B2B, and Azure Active Directory B2C share these account types.

  • Work account - Users with work accounts can manage resources in a tenant, and with an administrator role, can also manage tenants. Users with work accounts can create new consumer accounts, reset passwords, block/unblock accounts, and set permissions or assign an account to a security group.
  • Guest account - External users you invite to your tenant as guests. A typical scenario for inviting a guest user to your Azure AD B2C tenant is to share administration responsibilities.
  • Consumer account - Accounts that are managed by Azure AD B2C user flows and custom policies.

Azure AD B2C user management page in the Azure portal
Figure: User directory within an Azure AD B2C tenant in the Azure portal

Consumer accounts

With a consumer account, users can sign in to the applications that you've secured with Azure AD B2C. Users with consumer accounts can't, however, access Azure resources, for example the Azure portal.

A consumer account can be associated with these identity types:

  • Local identity, with the username and password stored locally in the Azure AD B2C directory. We often refer to these identities as "local accounts."
  • Social or enterprise identities, where the identity of the user is managed by a federated identity provider. For example, Facebook, Google, Microsoft, ADFS, or Salesforce.

A user with a consumer account can sign in with multiple identities. For example username, email, employee ID, government ID, and others. A single account can have multiple identities, both local and social.

:::image type="content" source="media/technical-overview/identities.png" alt-text="Consumer account identities.":::
Figure: A single consumer account with multiple identities in Azure AD B2C

For more information, see Overview of user accounts in Azure Active Directory B2C.

Local account sign-in options

Azure AD B2C provides various ways in which users can authenticate a user. Users can sign-in to a local account, by using username and password, phone verification (also known as password-less authentication). Email sign-up is enabled by default in your local account identity provider settings.

Learn more about sign-in options or how to set up the local account identity provider.

User profile attributes

Azure AD B2C lets you manage common attributes of consumer account profiles. For example display name, surname, given name, city, and others.

You can also extend the Azure AD schema to store additional information about your users. For example, their country/region of residency, preferred language, and preferences like whether they want to subscribe to a newsletter or enable multi-factor authentication. For more information, see:

with external identity providers

You can configure Azure AD B2C to allow users to sign in to your application with credentials from social and enterprise identity providers. Azure AD B2C can federate with identity providers that support OAuth 1.0, OAuth 2.0, OpenID Connect, and SAML protocols. For example, Facebook, Microsoft account, Google, Twitter, and AD-FS.

:::image type="content" source="media/technical-overview/external-idps.png" alt-text="External identity providers.":::

With external identity provider federation, you can offer your consumers the ability to sign in with their existing social or enterprise accounts, without having to create a new account just for your application.

On the sign-up or sign-in page, Azure AD B2C presents a list of external identity providers the user can choose for sign-in. Once they select one of the external identity providers, they're taken (redirected) to the selected provider's website to complete the sign in process. After the user successfully signs in, they're returned to Azure AD B2C for authentication of the account in your application.

:::image type="content" source="media/technical-overview/external-idp.png" alt-text="Mobile sign-in example with a social account (Facebook).":::

To see how to add identity providers in Azure AD B2C, see Add identity providers to your applications in Azure Active Directory B2C.

Identity experiences: user flows or custom policies

In Azure AD B2C, you can define the business logic that users follow to gain access to your application. For example, you can determine the sequence of steps users follow when they sign in, sign up, edit a profile, or reset a password. After completing the sequence, the user acquires a token and gains access to your application.

In Azure AD B2C, there are two ways to provide identity user experiences:

  • User flows are predefined, built-in, configurable policies that we provide so you can create sign-up, sign-in, and policy editing experiences in minutes.

  • Custom policies enable you to create your own user journeys for complex identity experience scenarios.

The following screenshot shows the user flow settings UI, versus custom policy configuration files.

Screenshot shows the user flow settings UI, versus custom policy configuration files.

Read the User flows and custom policies overview article. It gives an overview of user flows and custom policies, and helps you decide which method will work best for your business needs.

User interface

In Azure AD B2C, you can craft your users' identity experiences so that the pages are shown blend seamlessly with the look and feel of your brand. You get nearly full control of the HTML and CSS content presented to your users when they proceed through your application's identity journeys. With this flexibility, you can maintain brand and visual consistency between your application and Azure AD B2C.

:::image type="content" source="media/technical-overview/seamless-ux.png" alt-text="Screenshots of brand-customized sign-up sign-in page.":::

For information on UI customization, see:

Custom domain

You can customize your Azure AD B2C domain in the redirect URLs for Azure AD B2C. Custom domain allows you to create a seamless experience so that the pages are shown blend seamlessly with the domain name of your application.

Screenshots of Azure AD B2C custom domain

From the user's perspective, they remain in your domain during the sign-in process rather than redirecting to the Azure AD B2C default domain For more information, see Enable custom domains.


Language customization in Azure AD B2C allows you to accommodate different languages to suit your customer needs. Microsoft provides the translations for 36 languages, but you can also provide your own translations for any language. Even if your experience is provided for only a single language, you can customize any text on the pages.

Three sign-up sign-in pages showing UI text in different languages

See how localization works in Language customization in Azure Active Directory B2C.

Email verification

Azure AD B2C ensures valid email addresses by requiring customers to verify them during the sign-up, and password reset flows. It also prevents malicious actors from using automated processes to generate fraudulent accounts in your applications.

Screenshots of Azure AD B2C email verification

You can customize the email to users that sign up to use your applications. By using the third-party email provider, you can use your own email template and From: address and subject, as well as support localization and custom one-time password (OTP) settings. For more information, see:

Add your own business logic

If you choose to use custom policies, you can integrate with a RESTful API in a user journey to add your own business logic to the journey. For example, Azure AD B2C can exchange data with a RESTful service to:

  • Display custom user-friendly error messages.
  • Validate user input to prevent malformed data from persisting in your user directory. For example, you can modify the data entered by the user, such as capitalizing their first name if they entered it in all lowercase.
  • Enrich user data by further integrating with your corporate line-of-business application.
  • Using RESTful calls, you can send push notifications, update corporate databases, run a user migration process, manage permissions, audit databases, and more.

Loyalty programs are another scenario enabled by Azure AD B2C's support for calling REST APIs. For example, your RESTful service can receive a user's email address, query your customer database, then return the user's loyalty number to Azure AD B2C.

The return data can be stored in the user's directory account in Azure AD B2C. The data then can be further evaluated in subsequent steps in the policy, or be included in the access token.

:::image type="content" source="media/technical-overview/lob-integration.png" alt-text="Line-of-business integration in a mobile application.":::

You can add a REST API call at any step in the user journey defined by a custom policy. For example, you can call a REST API:

  • During sign-in, just before Azure AD B2C validates the credentials
  • Immediately after sign-in
  • Before Azure AD B2C creates a new account in the directory
  • After Azure AD B2C creates a new account in the directory
  • Before Azure AD B2C issues an access token

To see how to use custom policies for RESTful API integration in Azure AD B2C, see Integrate REST API claims exchanges in your Azure AD B2C custom policy.

Protocols and tokens

  • For applications, Azure AD B2C supports the OAuth 2.0, OpenID Connect, and SAML protocols for user journeys. Your application starts the user journey by issuing authentication requests to Azure AD B2C. The result of a request to Azure AD B2C is a security token, such as an ID token, access token, or SAML token. This security token defines the user's identity within the application.

  • For external identities, Azure AD B2C supports federation with any OAuth 1.0, OAuth 2.0, OpenID Connect, and SAML identity providers.

The following diagram shows how Azure AD B2C can communicate using various protocols within the same authentication flow:

Diagram of OIDC-based client app federating with a SAML-based IdP

  1. The relying party application starts an authorization request to Azure AD B2C using OpenID Connect.
  2. When a user of the application chooses to sign in using an external identity provider that uses the SAML protocol, Azure AD B2C invokes the SAML protocol to communicate with that identity provider.
  3. After the user completes the sign-in operation with the external identity provider, Azure AD B2C then returns the token to the relying party application using OpenID Connect.

Application integration

When a user wants to sign in to your application, the application initiates an authorization request to a user flow- or custom policy-provided endpoint. The user flow or custom policy defines and controls the user's experience. When they complete a user flow, for example the sign-up or sign-in flow, Azure AD B2C generates a token, then redirects the user back to your application.

:::image type="content" source="media/technical-overview/app-integration.png" alt-text="Mobile app with arrows showing flow between Azure AD B2C sign-in page.":::

Multiple applications can use the same user flow or custom policy. A single application can use multiple user flows or custom policies.

For example, to sign in to an application, the application uses the sign up or sign in user flow. After the user has signed in, they may want to edit their profile, so the application initiates another authorization request, this time using the profile edit user flow.

Multi-factor authentication (MFA)

Azure AD B2C multi-factor authentication (MFA) helps safeguard access to data and applications while maintaining simplicity for your users. It provides extra security by requiring a second form of authentication, and delivers strong authentication by offering a range of easy-to-use authentication methods.

Your users may or may not be challenged for MFA based on configuration decisions that you can make as an administrator.

See how to enable MFA in user flows in Enable multi-factor authentication in Azure Active Directory B2C.

Conditional Access

Azure AD Identity Protection risk-detection features, including risky users and risky sign-ins, are automatically detected and displayed in your Azure AD B2C tenant. You can create Conditional Access policies that use these risk detections to determine remediation actions and enforce organizational policies.

Conditional access flow

Azure AD B2C evaluates each sign-in event and ensures that all policy requirements are met before granting the user access. Risky users or sign-ins may be blocked, or challenged with a specific remediation like multi-factor authentication (MFA). For more information, see Identity Protection and Conditional Access.

Password complexity

During sign up or password reset, your users must supply a password that meets complexity rules. By default, Azure AD B2C enforces a strong password policy. Azure AD B2C also provides configuration options for specifying the complexity requirements of the passwords your customers use.

Screenshot of password complexity user experience

For more information, see Configure complexity requirements for passwords in Azure AD B2C.

Force password reset

As an Azure AD B2C tenant administrator, you can reset a user's password if the user forgets their password. Or you would like to force them to reset the password periodically. For more information, see Set up a force password reset flow.

:::image type="content" source="media/technical-overview/force-password-reset-flow.png" alt-text="Force password reset flow.":::

Smart account lockout

To prevent brute-force password guessing attempts, Azure AD B2C uses a sophisticated strategy to lock accounts based on the IP of the request, the passwords entered, and several other factors. The duration of the lockout is automatically increased based on risk and the number of attempts.

Account smart lockout

For more information about managing password protection settings, see Mitigate credential attacks in Azure AD B2C.

Protect resources and customer identities

Azure AD B2C complies with the security, privacy, and other commitments described in the Microsoft Azure Trust Center.

Sessions are modeled as encrypted data, with the decryption key known only to the Azure AD B2C Security Token Service. A strong encryption algorithm, AES-192, is used. All communication paths are protected with TLS for confidentiality and integrity. Our Security Token Service uses an Extended Validation (EV) certificate for TLS. In general, the Security Token Service mitigates cross-site scripting (XSS) attacks by not rendering untrusted input.

:::image type="content" source="media/technical-overview/user-data.png" alt-text="Diagram of secure data in transit and at rest.":::

Access to user data

Azure AD B2C tenants share many characteristics with enterprise Azure Active Directory tenants used for employees and partners. Shared aspects include mechanisms for viewing administrative roles, assigning roles, and auditing activities.

You can assign roles to control who can perform certain administrative actions in Azure AD B2C, including:

  • Create and manage all aspects of user flows
  • Create and manage the attribute schema available to all user flows
  • Configure identity providers for use in direct federation
  • Create and manage trust framework policies in the Identity Experience Framework (custom policies)
  • Manage secrets for federation and encryption in the Identity Experience Framework (custom policies)

For more information about Azure AD roles, including Azure AD B2C administration role support, see Administrator role permissions in Azure Active Directory.

Auditing and logs

Azure AD B2C emits audit logs containing activity information about its resources, issued tokens, and administrator access. You can use the audit logs to understand platform activity and diagnose issues. Audit log entries are available soon after the activity that generated the event occurs.

In an audit log, which is available for your Azure AD B2C tenant or for a particular user, you can find information including:

  • Activities concerning the authorization of a user to access B2C resources (for example, an administrator accessing a list of B2C policies)
  • Activities related to directory attributes retrieved when an administrator signs in using the Azure portal
  • Create, read, update, and delete (CRUD) operations on B2C applications
  • CRUD operations on keys stored in a B2C key container
  • CRUD operations on B2C resources (for example, policies and identity providers)
  • Validation of user credentials and token issuance

Individual user audit log shown in the Azure portal

For more information on audit logs, see Accessing Azure AD B2C audit logs.

Usage analytics

Azure AD B2C allows you to discover when people sign up or sign in to your app, where the users are located, and what browsers and operating systems they use.

By integrating Azure Application Insights into Azure AD B2C custom policies, you can gain insight into how people sign up, sign in, reset their password or edit their profile. With such knowledge, you can make data-driven decisions for your upcoming development cycles.

For more information, see Track user behavior in Azure Active Directory B2C using Application Insights.

Automation using Microsoft Graph API

Use MS graph API to manage your Azure AD B2C directory. You can also create the Azure AD B2C directory itself. You can manage users, identity providers, user flows, custom policies and many more.

Learn more about how to Manage Azure AD B2C with Microsoft Graph.

Azure AD B2C service limits and restrictions

Learn more about Azure AD B2C service limits and restrictions

Next steps

Now that you have deeper view into the features and technical aspects of Azure Active Directory B2C:


B2c documentation azure

Azure Active Directory B2C Configuration


The following demo app and configuration uses Azure AD 2.0 B2C. For Enterprise customers who need details on how to configure Auth Connect with Azure AD 1.0, please contact us.

Demo App#

  1. Simple: A login/logout experience that works on the web, iOS, and Android. See it in action in this short video. To view the Azure AD configuration details, see here.

  2. Advanced: Demonstrates the use of Auth Connect to perform an OAuth login and Identity Vault to store the resulting authentication tokens on the web, iOS, and Android. To view the Azure AD configuration details, see here.

Configuration Details#

Azure Configuration#

Before integrating Auth Connect into your Ionic app, you’ll need to get Azure Active Directory (AD) up and running.


For complete information on configuring Azure AD, consult the official B2C documentation which includes tutorials on creating a B2C tenant, registering applications, and more.

Create an Azure AD B2C Tenant#

If you don't have one, create a new B2C tenant.

Register an Application#

Sign into the Azure Portal then navigate to the service page (the easiest way to find it is to search for "b2c", then choose "Azure AD B2C".)

Begin by creating a new Application under Manage -> App registrations -> New registration.

Azure app: Register new

Give your app a new name, then select the Supported Account Types.

With that in hand, set the Redirect URI. Choose “Public client/native (mobile & desktop)” - we’ll add web support in a separate step. Then, fill in the text field value with your globally unique App Id, which is used both in the Azure configuration as well as the native mobile app’s configuration. Typically, this takes the form of or reverse DNS style - . Use the formula “uniqueId://page”.

After the app user signs into Azure AD, this tells Auth Connect which page to redirect to in your app. While any page can be used, in this example we’ll use the Login page, such as . Click the register button to create the app.

Add Web Platform#

With the app created, navigate to Manage -> Authentication. Click the “Add a Platform” button. Under Web applications, choose “single-page application.”

Under Redirect URIs, specify a web URL. In this example, for local testing, we’ll use along with the name of your app's core login page (typically, ).

Next, under Logout URL, specify a web URL to redirect to once the user has logged out of your app. Again, for local testing, specify along with the name of the logout page (typically ).

Finally, under Implicit Grant, toggle “Access tokens.” Click the Configure button to save.

Azure app: Configure single-page app

Back on the Authentication page, look under the Single-page application settings. Click the “Add URI” button to add additional Redirect URIs, including those for other environments like staging or production. Click Save when ready.

Azure app: Configure web redirect uris

Expose an API#

Navigate to the “Expose an API” page. Click “Add a scope”, then for the Scope name, provide a value such as “user_impersonation.” For the display name and description fields, add details describing that this is for authenticating your users. Set the state to enabled then click the “Add scope” button.

Configure API Permissions#

Next, we need to authorize our app so it can connect to Azure B2C and retrieve user profile information alongside login credentials. Navigate to the API Permissions page then click the “Add a permission” button. Under “Select an API”, choose “My APIs” then click the name of the B2C app we’re currently configuring. Next, select the “user_impersonation” permission (or whatever name you labeled it in the previous step) then click the “Add permissions” button.

Save the application, then click on the newly added permission row. Click the “Grant admin consent for [your organization name]” button then choose “Yes.”

Click on the “user_impersonation” permission row again to open the modal window, then click to copy the link that is displayed. Note this URL, because it will be used as part of Auth Connect’s “scopes” property later.

Azure app: Get scopes link

Create User Flows (Policies)#

Create at least one User Flow, the series of pages that define the entire authentication experience for your app. At a minimum, create a flow. Once the User Flow has been created, select it from the User Flow list, then click "Run user flow" from the Overview tab. Note the URL at the top of the page, used to configure Auth Connect's property. Also consider creating a flow (detailed below).

Azure AD B2C is now ready to use with Auth Connect.

Install Auth Connect#

Run the following command to install the Auth Connect plugin. For the variable, use the globally unique App Id (ex: ) you decided on when configuring the Azure AD app above.


If you have not already setup Ionic Enterprise in your app, follow the one-time setup steps.

Next, install the plugin:

Configure Auth Connect#

It's recommended to create an class that encapsulates Azure AD and Ionic Auth Connect’s login functionality.

Generate this class using the command:

Extend the class, then configure all Azure AD details in the object:

Some of these values are unique, and must be set based on your Azure AD app’s details:

  • : Use “cordova” or “capacitor” accordingly.
  • : Your app’s Application (client) ID. Example: cebbb0be-d578-4bbd-9712-4b0fe05c06aa
  • : The URI to redirect to after the user has logged in. Use the same AUTH_URL_SCHEME variable value (App Id) from when the Auth Connect plugin was installed. Example:
  • : The URI to redirect to after the user has logged out. Example:
  • : Unlock access to protected resources, such as read/write permissions. Example: openid offline_access email picture profile

The property is used to unlock access to protected resources, such as read/write permissions. There’s a variety of attributes available; an example looks like: “openid offline_access email profile”.

In addition to the values above, add the Full Scope Value link created earlier to the property. To find it in the Azure AD B2C portal, navigate to the “Expose an API” page then click on the Scope you defined earlier. In the modal window, copy the link that appears under “Scope name.” All together, it will look similar to this:

The can be found by navigating to the main Azure AD B2C page -> Policies -> User Flows -> [Select User Flow] -> Overview tab -> Run user flow button. The discovery link is at the top page and will look like the following format:

Where is your tenant name and the is the name of the User Flow created earlier.

What's Next?#

Check out the full list of configuration options available, then implement the other steps in the Auth Connect workflow.

Implementing Password Reset#

To implement password reset functionality, a custom User Flow needs to be created. Navigate to the page, then click the "New user flow" button. Next, select the "Password reset" user flow type. As part of the section, choose "Email Addresses" at a minimum. After the user flow has been created, select it from the User Flow list, then click "Run user flow" from the Overview tab. Note the URL at the top of the page - use it as the discovery url for password reset.

Within your app, implement the following logic:

If an error is thrown after the Login function is called, inspect the property. If it starts with the string (part of the error message returned by Azure AD), then call Login again, this time specifying the location of the password reset endpoint.

What is Azure Active Directory B2C? - Azure Active Directory


Now discussing:


425 426 427 428 429