# AAD B2C

**Azure B2C Support For HYBR**

Create an Azure AD B2C directory from **All resources** in the Azure portal and register the HYBR app in it in the same way as for Azure Active Directory.

**HYBR Application registration:**

**Steps to add a custom policy to support UPN:**

To use custom policies instead of the standard user flows, complete the following steps before creating the custom policy.

**Add signing and encryption keys**

1. Sign in to the [Azure portal](https://portal.azure.com/).
2. Select the **Directory + Subscription** icon in the portal toolbar, and then select the directory that contains your Azure AD B2C tenant.
3. In the Azure portal, search for and select **Azure AD B2C**.
4. On the overview page, under **Policies**, select **Identity Experience Framework**.

**Create the signing key**

1. Select **Policy Keys** and then select **Add**.
2. For **Options**, choose Generate.
3. In **Name**, enter TokenSigningKeyContainer. The prefix B2C\_1A\_ might be added automatically.
4. For **Key type**, select **RSA**.
5. For **Key usage**, select **Signature**.
6. Select **Create**.

**Create the encryption key**

1. Select **Policy Keys** and then select **Add**.
2. For **Options**, choose Generate.
3. In **Name**, enter TokenEncryptionKeyContainer. The prefix B2C\_1A\_ might be added automatically.
4. For **Key type**, select **RSA**.
5. For **Key usage**, select **Encryption**.
6. Select **Create**.

**Register Identity Experience Framework applications**

Azure AD B2C requires you to register two applications that it uses to sign up and sign in users with local accounts: *IdentityExperienceFramework*, a web API, and *ProxyIdentityExperienceFramework*, a native app with delegated permission to the IdentityExperienceFramework app. Your users can sign up with an email address or username and a password to access your tenant-registered applications, which creates a "local account." Local accounts exist only in your Azure AD B2C tenant.

You need to register these two applications in your Azure AD B2C tenant only once.

**Register the IdentityExperienceFramework application**

To register an application in your Azure AD B2C tenant, you can use the **App registrations** experience.

1. Select **App registrations**, and then select **New registration**.
2. For **Name**, enter IdentityExperienceFramework.
3. Under **Supported account types**, select **Accounts in this organizational directory only**.
4. Under **Redirect URI**, select **Web**, and then enter <https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com>, where your-tenant-name is your Azure AD B2C tenant domain name.
5. Under **Permissions**, select the *Grant admin consent to openid and offline\_access permissions* check box.
6. Select **Register**.
7. Record the **Application (client) ID** for use in a later step.

Next, expose the API by adding a scope:

1. In the left menu, under **Manage**, select **Expose an API**.
2. Select **Add a scope**, then select **Save and continue** to accept the default application ID URI.
3. Enter the following values to create a scope that allows custom policy execution in your Azure AD B2C tenant:
   * **Scope name**: user\_impersonation
   * **Admin consent display name**: Access IdentityExperienceFramework
   * **Admin consent description**: Allow the application to access IdentityExperienceFramework on behalf of the signed-in user.
4. Select **Add scope**.

**Register the ProxyIdentityExperienceFramework application**

1. Select **App registrations**, and then select **New registration**.
2. For **Name**, enter ProxyIdentityExperienceFramework.
3. Under **Supported account types**, select **Accounts in this organizational directory only**.
4. Under **Redirect URI**, use the drop-down to select **Public client/native (mobile & desktop)**.
5. For **Redirect URI**, enter myapp\://auth.
6. Under **Permissions**, select the *Grant admin consent to openid and offline\_access permissions* check box.
7. Select **Register**.
8. Record the **Application (client) ID** for use in a later step.

Next, specify that the application should be treated as a public client:

1. In the left menu, under **Manage**, select **Authentication**.
2. Under **Advanced settings**, enable **Treat application as a public client** (select **Yes**). Ensure that **"allowPublicClient": true** is set in the application manifest.
3. Select **Save**.

Now, grant permissions to the API scope you exposed earlier in the *IdentityExperienceFramework* registration:

1. In the left menu, under **Manage**, select **API permissions**.
2. Under **Configured permissions**, select **Add a permission**.
3. Select the **My APIs** tab, then select the **IdentityExperienceFramework** application.
4. Under **Permission**, select the **user\_impersonation** scope that you defined earlier.
5. Select **Add permissions**. As directed, wait a few minutes before proceeding to the next step.
6. Select **Grant admin consent for (your tenant name)**.
7. Select your currently signed-in administrator account, or sign in with an account in your Azure AD B2C tenant that's been assigned at least the *Cloud application administrator* role.
8. Select **Accept**.
9. Select **Refresh**, and then verify that "Granted for ..." appears under **Status** for the offline\_access, openid and user\_impersonation scopes. It might take a few minutes for the permissions to propagate.

**Creating and Uploading Custom Policy:**

Download the custom policy starter pack from the link below:

[Custom Policy Starter Pack](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/archive/master.zip)

1. In all the XML files under the **LocalAccounts** directory, replace the string yourtenant with the name of your Azure AD B2C tenant.

For example, if the name of your B2C tenant is *contosotenant*, all instances of yourtenant.onmicrosoft.com become contosotenant.onmicrosoft.com.

**Add application IDs to the custom policy**

Add the application IDs to the extensions file *TrustFrameworkExtensions.xml*.

1. Open LocalAccounts/**TrustFrameworkExtensions.xml** and find the element `<TechnicalProfile Id="login-NonInteractive">`.
2. Replace both instances of IdentityExperienceFrameworkAppId with the application ID of the IdentityExperienceFramework application that you created earlier.
3. Replace both instances of ProxyIdentityExperienceFrameworkAppId with the application ID of the ProxyIdentityExperienceFramework application that you created earlier.
4. Save the file.

Open *SignUpOrSignin.xml* and add the line below to the output claims:

```
<OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="upn" />
```

Open *PasswordReset.xml* and add the line below to the output claims:

```
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="upn" />
```

Save the above files and proceed to upload.
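The edits described above (filling the starter-pack placeholders and adding the upn output claim), as an added Python example that is neither HYBR's tooling nor Microsoft's starter pack: it substitutes the placeholders in the right order, checks that none remain before upload, and inserts the OutputClaim exactly once. The namespace is the real TrustFrameworkPolicy one; the two XML strings are constructed, cut-down stand-ins for the starter-pack files.

```python
import xml.etree.ElementTree as ET

NS = "http://schemas.microsoft.com/online/cpim/schemas/2013/06"  # TrustFrameworkPolicy schema
ET.register_namespace("", NS)  # serialise without ns0: prefixes

def q(tag):
    return f"{{{NS}}}{tag}"
# Order matters: the Proxy placeholder contains the IEF one as a substring.
PLACEHOLDERS = ("ProxyIdentityExperienceFrameworkAppId",
                "IdentityExperienceFrameworkAppId", "yourtenant")

def fill_placeholders(xml_text, proxy_app_id, ief_app_id, tenant):
    """Replaces the starter-pack placeholders, longest first (see PLACEHOLDERS)."""
    for placeholder, value in zip(PLACEHOLDERS, (proxy_app_id, ief_app_id, tenant)):
        xml_text = xml_text.replace(placeholder, value)
    return xml_text

def leftover_placeholders(xml_text):
    """Pre-upload check: a leftover placeholder means a policy that will not run or targets the wrong tenant."""
    return [p for p in PLACEHOLDERS if p in xml_text]

def add_upn_output_claim(xml_text, claim_type_ref):
    """Adds <OutputClaim ClaimTypeReferenceId=... PartnerClaimType="upn"/> to the
    relying party's OutputClaims, exactly once."""
    root = ET.fromstring(xml_text)
    claims = root.find(f"{q('RelyingParty')}/{q('TechnicalProfile')}/{q('OutputClaims')}")
    if claims is None:
        raise ValueError("RelyingParty/TechnicalProfile/OutputClaims not found")
    if not any(c.get("PartnerClaimType") == "upn" for c in claims):
        ET.SubElement(claims, q("OutputClaim"),
                      ClaimTypeReferenceId=claim_type_ref, PartnerClaimType="upn")
    return ET.tostring(root, encoding="unicode")

def token_claims(xml_text):
    """Maps each claim name as it will appear in the token to its source claim."""
    root = ET.fromstring(xml_text)
    return {c.get("PartnerClaimType") or c.get("ClaimTypeReferenceId"):
            c.get("ClaimTypeReferenceId") for c in root.iter(q("OutputClaim"))}
# Constructed, cut-down stand-ins for two starter-pack files (not the real files).
EXTENSIONS = f"""<TrustFrameworkPolicy xmlns="{NS}" TenantId="yourtenant.onmicrosoft.com">
  <TechnicalProfile Id="login-NonInteractive"><Metadata>
    <Item Key="client_id">ProxyIdentityExperienceFrameworkAppId</Item>
    <Item Key="IdTokenAudience">IdentityExperienceFrameworkAppId</Item>
  </Metadata></TechnicalProfile></TrustFrameworkPolicy>"""
SIGNUP_OR_SIGNIN = f"""<TrustFrameworkPolicy xmlns="{NS}" TenantId="yourtenant.onmicrosoft.com">
  <RelyingParty><TechnicalProfile Id="PolicyProfile"><OutputClaims>
    <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
  </OutputClaims></TechnicalProfile></RelyingParty></TrustFrameworkPolicy>"""
```

Run `leftover_placeholders` over every file in the LocalAccounts folder before uploading; an empty list for each file is the condition to proceed.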

**Upload the policies**

1. Select the **Identity Experience Framework** menu item in your B2C tenant in the Azure portal.
2. Select **Upload custom policy**.
3. In this order, upload the policy files:
   1. *TrustFrameworkBase.xml*
   2. *TrustFrameworkExtensions.xml*
   3. *SignUpOrSignin.xml*
   4. *ProfileEdit.xml*
   5. *PasswordReset.xml*

As you upload the files, Azure adds the prefix B2C\_1A\_ to each.

Run the custom policy and check the returned id\_token for the available claims.

Enter the uploaded SignUpOrSignin and PasswordReset policy names (including the B2C\_1A\_ prefix) in the HYBR web.config under the Azure B2C section.
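An added helper for the check above (not part of HYBR or this guide): it decodes the payload of the id\_token the policy run returns and reports which expected claims, in particular upn, are missing. The two tokens are constructed samples with a placeholder signature; this is inspection only and is no substitute for the signature, issuer and audience validation HYBR performs as the relying party.

```python
import base64
import json

def jwt_claims(id_token):
    """Decodes the payload of a compact JWS id_token for inspection only.
    Nothing here checks the signature: the relying party still has to
    validate signature, issuer and audience before trusting any claim."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def missing_claims(id_token, expected=("upn", "sub", "iss", "aud", "exp")):
    """Returns the expected claim names the token does not carry; an empty list
    means the PartnerClaimType="upn" edit made it into the issued token."""
    claims = jwt_claims(id_token)
    return [name for name in expected if name not in claims]

def make_sample_token(payload):
    """Builds a constructed sample token with a placeholder signature, purely so
    the checks above can run offline; a real id_token comes from the policy run."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(payload)}.placeholder-signature"

# Constructed payloads: one from a policy with the upn output claim, one without.
_BASE = {"iss": "https://contosotenant.b2clogin.com/<tenant-id>/v2.0/",
         "aud": "<hybr-app-client-id>", "exp": 1700000000, "sub": "<object-id>"}
WITH_UPN = make_sample_token({**_BASE, "upn": "alice@contosotenant.onmicrosoft.com"})
WITHOUT_UPN = make_sample_token(_BASE)
```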

#### Remove Sign-up options (Optional):

To remove sign-up, follow the instructions below:

1. Open *TrustFrameworkBase.xml* and find the line below:

   ```
   <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
   ```

2. Remove the line below from that profile's Metadata; this removes support for sign-up:

   ```
   <Item Key="SignUpTarget">SignUpWithLogonEmailExchange</Item>
   ```

3. Add the line below to the Metadata; this removes the Sign-Up link:

   ```
   <Item Key="setting.showSignupLink">false</Item>
   ```
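The three steps above applied by a script, as an added example that is not HYBR's own tooling: it locates the SelfAsserted-LocalAccountSignin-Email profile, drops the SignUpTarget item and sets setting.showSignupLink to false, and can be re-run safely. The BASE string is a constructed, cut-down stand-in for the relevant part of TrustFrameworkBase.xml.

```python
import xml.etree.ElementTree as ET

NS = "http://schemas.microsoft.com/online/cpim/schemas/2013/06"  # TrustFrameworkPolicy schema
ET.register_namespace("", NS)
PROFILE_ID = "SelfAsserted-LocalAccountSignin-Email"

def q(tag):
    return f"{{{NS}}}{tag}"

def find_signin_profile(root):
    return next((tp for tp in root.iter(q("TechnicalProfile")) if tp.get("Id") == PROFILE_ID), None)

def disable_signup(base_xml):
    """Removes the SignUpTarget item and forces setting.showSignupLink=false in the
    local-account sign-in profile. Idempotent, so re-running it changes nothing."""
    root = ET.fromstring(base_xml)
    profile = find_signin_profile(root)
    if profile is None:
        raise ValueError(f"{PROFILE_ID} not found")
    meta = profile.find(q("Metadata"))
    if meta is None:
        meta = ET.SubElement(profile, q("Metadata"))
    for item in list(meta):                       # step 2: drop the sign-up target
        if item.get("Key") == "SignUpTarget":
            meta.remove(item)
    link = next((i for i in meta if i.get("Key") == "setting.showSignupLink"), None)
    if link is None:                              # step 3: hide the Sign-Up link
        link = ET.SubElement(meta, q("Item"), Key="setting.showSignupLink")
    link.text = "false"
    return ET.tostring(root, encoding="unicode")

def signin_metadata(base_xml):
    """Returns {Key: value} of the profile's Metadata, for a before/after check."""
    profile = find_signin_profile(ET.fromstring(base_xml))
    return {} if profile is None else {i.get("Key"): i.text for i in profile.iter(q("Item"))}

# Constructed, cut-down stand-in for the relevant part of TrustFrameworkBase.xml.
BASE = f"""<TrustFrameworkPolicy xmlns="{NS}">
  <TechnicalProfile Id="{PROFILE_ID}">
    <Metadata>
      <Item Key="SignUpTarget">SignUpWithLogonEmailExchange</Item>
      <Item Key="ContentDefinitionReferenceId">api.localaccountsignin</Item>
    </Metadata>
  </TechnicalProfile>
</TrustFrameworkPolicy>"""
```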


