AAD B2C

PreviousIdentity Providers NextMicrosoft Entra ID

Last updated 1 year ago

Was this helpful?

AAD B2C

Azure B2C Support For HYBR

Create an Azure B2C Directory from All Resources in Azure Portal and Register the HYBR App as usual as Microsoft Entra ID.

HYBR Application registration:

Steps add custom policy to support UPN:

To support custom policies instead of the standard user flows we need to do the following before creating custom policy.

Add signing and encryption keys

Sign in to the .
Select the Directory + Subscription icon in the portal toolbar, and then select the directory that contains your Azure AD B2C tenant.
In the Azure portal, search for and select Azure AD B2C.
On the overview page, under Policies, select Identity Experience Framework.

Create the signing key

Select Policy Keys and then select Add.
For Options, choose Generate.
In Name, enter TokenSigningKeyContainer. The prefix B2C_1A_ might be added automatically.
For Key type, select RSA.
For Key usage, select Signature.
Select Create.

Create the encryption key

Select Policy Keys and then select Add.
For Options, choose Generate.
In Name, enter TokenEncryptionKeyContainer. The prefix B2C_1A_ might be added automatically.
For Key type, select RSA.
For Key usage, select Encryption.
Select Create.

Register Identity Experience Framework applications

Azure AD B2C requires you to register two applications that it uses to sign up and sign in users with local accounts: IdentityExperienceFramework, a web API, and ProxyIdentityExperienceFramework, a native app with delegated permission to the IdentityExperienceFramework app. Your users can sign up with an email address or username and a password to access your tenant-registered applications, which creates a "local account." Local accounts exist only in your Azure AD B2C tenant.

You need to register these two applications in your Azure AD B2C tenant only once.

Register the IdentityExperienceFramework application

To register an application in your Azure AD B2C tenant, you can use the App registrations experience.

Select App registrations, and then select New registration.
For Name, enter IdentityExperienceFramework.
Under Supported account types, select Accounts in this organizational directory only.
Under Redirect URI, select Web, and then enter https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com, where your-tenant-name is your Azure AD B2C tenant domain name.
Under Permissions, select the Grant Admin consent to openid and offline_access permissions check box.
Select Register.
Record the Application (client) ID for use in a later step.

Next, expose the API by adding a scope:

In the left menu, under Manage, select Expose an API.
Select Add a scope, then select Save and continue to accept the default application ID URI.
Enter the following values to create a scope that allows custom policy execution in your Azure AD B2C tenant:
- Scope name: user_impersonation
- Admin consent display name: Access IdentityExperienceFramework
- Admin consent description: Allow the application to access IdentityExperienceFramework on behalf of the signed-in user.
Select Add scope

Register the ProxyIdentityExperienceFramework application

Select App registrations, and then select New registration.
For Name, enter ProxyIdentityExperienceFramework.
Under Supported account types, select Accounts in this organizational directory only.
Under Redirect URI, use the drop-down to select Public client/native (mobile & desktop).
For Redirect URI, enter myapp://auth.
Under Permissions, select the Grant Admin consent to openid and offline_access permissions check box.
Select Register.
Record the Application (client) ID for use in a later step.

Next, specify that the application should be treated as a public client:

In the left menu, under Manage, select Authentication.
Under Advanced settings, enable Treat application as a public client (select Yes). Ensure that "allowPublicClient": true is set in the application manifest.
Select Save.

Now, grant permissions to the API scope you exposed earlier in the IdentityExperienceFramework registration:

In the left menu, under Manage, select API permissions.
Under Configured permissions, select Add a permission.
Select the My APIs tab, then select the IdentityExperienceFramework application.
Under Permission, select the user_impersonation scope that you defined earlier.
Select Add permissions. As directed, wait a few minutes before proceeding to the next step.
Select Grant Admin consent for (your tenant name).
Select your currently signed-in administrator account, or sign in with an account in your Azure AD B2C tenant that's been assigned at least the Cloud application administrator role.
Select Accept.
Select Refresh, and then verify that "Granted for ..." appears under Status for the scopes - offline_access, openid and user_impersonation. It might take a few minutes for the permissions to propagate.

Creating and Uploading Custom Policy:

Download the custom policy starter pack from the below link:

In all the files under the folder named “LocalAccounts” directory, replace the string yourtenant with the name of your Azure AD B2C tenant in all the xml files.

For example, if the name of your B2C tenant is contosotenant, all instances of yourtenant.onmicrosoft.com become contosotenant.onmicrosoft.com.

Add application IDs to the custom policy

Add the application IDs to the extensions file TrustFrameworkExtensions.xml.

Open LocalAccounts/TrustFrameworkExtensions.xml and find the element <TechnicalProfile Id="login-NonInteractive">.
Replace both instances of IdentityExperienceFrameworkAppId with the application ID of the IdentityExperienceFramework application that you created earlier.
Replace both instances of ProxyIdentityExperienceFrameworkAppId with the application ID of the ProxyIdentityExperienceFramework application that you created earlier.
Save the file.

Open SignUpOrSignin.xml and add the below line in output claims

Open PasswordReset.xml and add the below line in output claims

Save the above files and proceed to upload.

Upload the policies

Select the Identity Experience Framework menu item in your B2C tenant in the Azure portal.
Select Upload custom policy.
In this order, upload the policy files:
1. TrustFrameworkBase.xml
2. TrustFrameworkExtensions.xml
3. SignUpOrSignin.xml
4. ProfileEdit.xml
5. PasswordReset.xml

As you upload the files, Azure adds the prefix B2C_1A_ to each.

Run the custom policy and check the id_token for available claims.

Update the B2C_1A_ SignUpOrSignin and B2C_1A_ PasswordReset in HYBR webconfig under Azure B2C section.

For Removing Signup follow the below instructions:

Open TrustFrameworkBase.xml and find the below line

Remove the below line from metadata this line remove support for Sign-Up

<Item Key="SignUpTarget">SignUpWithLogonEmailExchange</Item>

Add the below line to metadata this line removes the Sign-Up link

<Item Key="setting.showSignupLink">false</Item>

PreviousIdentity Providers NextMicrosoft Entra ID

Last updated 1 year ago

Was this helpful?

Azure B2C Support For HYBR

Create an Azure B2C Directory from All Resources in Azure Portal and Register the HYBR App as usual as Microsoft Entra ID.

HYBR Application registration:

Steps add custom policy to support UPN:

To support custom policies instead of the standard user flows we need to do the following before creating custom policy.

Add signing and encryption keys

Sign in to the .
Select the Directory + Subscription icon in the portal toolbar, and then select the directory that contains your Azure AD B2C tenant.
In the Azure portal, search for and select Azure AD B2C.
On the overview page, under Policies, select Identity Experience Framework.

Create the signing key

Select Policy Keys and then select Add.
For Options, choose Generate.
In Name, enter TokenSigningKeyContainer. The prefix B2C_1A_ might be added automatically.
For Key type, select RSA.
For Key usage, select Signature.
Select Create.

Create the encryption key

Select Policy Keys and then select Add.
For Options, choose Generate.
In Name, enter TokenEncryptionKeyContainer. The prefix B2C_1A_ might be added automatically.
For Key type, select RSA.
For Key usage, select Encryption.
Select Create.

Register Identity Experience Framework applications

You need to register these two applications in your Azure AD B2C tenant only once.

Register the IdentityExperienceFramework application

To register an application in your Azure AD B2C tenant, you can use the App registrations experience.

Select App registrations, and then select New registration.
For Name, enter IdentityExperienceFramework.
Under Supported account types, select Accounts in this organizational directory only.
Under Redirect URI, select Web, and then enter https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com, where your-tenant-name is your Azure AD B2C tenant domain name.
Under Permissions, select the Grant Admin consent to openid and offline_access permissions check box.
Select Register.
Record the Application (client) ID for use in a later step.

Next, expose the API by adding a scope:

In the left menu, under Manage, select Expose an API.
Select Add a scope, then select Save and continue to accept the default application ID URI.
Enter the following values to create a scope that allows custom policy execution in your Azure AD B2C tenant:
- Scope name: user_impersonation
- Admin consent display name: Access IdentityExperienceFramework
- Admin consent description: Allow the application to access IdentityExperienceFramework on behalf of the signed-in user.
Select Add scope

Register the ProxyIdentityExperienceFramework application

Select App registrations, and then select New registration.
For Name, enter ProxyIdentityExperienceFramework.
Under Supported account types, select Accounts in this organizational directory only.
Under Redirect URI, use the drop-down to select Public client/native (mobile & desktop).
For Redirect URI, enter myapp://auth.
Under Permissions, select the Grant Admin consent to openid and offline_access permissions check box.
Select Register.
Record the Application (client) ID for use in a later step.

Next, specify that the application should be treated as a public client:

In the left menu, under Manage, select Authentication.
Under Advanced settings, enable Treat application as a public client (select Yes). Ensure that "allowPublicClient": true is set in the application manifest.
Select Save.

Now, grant permissions to the API scope you exposed earlier in the IdentityExperienceFramework registration:

In the left menu, under Manage, select API permissions.
Under Configured permissions, select Add a permission.
Select the My APIs tab, then select the IdentityExperienceFramework application.
Under Permission, select the user_impersonation scope that you defined earlier.
Select Add permissions. As directed, wait a few minutes before proceeding to the next step.
Select Grant Admin consent for (your tenant name).
Select your currently signed-in administrator account, or sign in with an account in your Azure AD B2C tenant that's been assigned at least the Cloud application administrator role.
Select Accept.
Select Refresh, and then verify that "Granted for ..." appears under Status for the scopes - offline_access, openid and user_impersonation. It might take a few minutes for the permissions to propagate.

Creating and Uploading Custom Policy:

Download the custom policy starter pack from the below link:

In all the files under the folder named “LocalAccounts” directory, replace the string yourtenant with the name of your Azure AD B2C tenant in all the xml files.

For example, if the name of your B2C tenant is contosotenant, all instances of yourtenant.onmicrosoft.com become contosotenant.onmicrosoft.com.

Add application IDs to the custom policy

Add the application IDs to the extensions file TrustFrameworkExtensions.xml.

Open LocalAccounts/TrustFrameworkExtensions.xml and find the element <TechnicalProfile Id="login-NonInteractive">.
Replace both instances of IdentityExperienceFrameworkAppId with the application ID of the IdentityExperienceFramework application that you created earlier.
Replace both instances of ProxyIdentityExperienceFrameworkAppId with the application ID of the ProxyIdentityExperienceFramework application that you created earlier.
Save the file.

Open SignUpOrSignin.xml and add the below line in output claims

Open PasswordReset.xml and add the below line in output claims

Save the above files and proceed to upload.

Upload the policies

Select the Identity Experience Framework menu item in your B2C tenant in the Azure portal.
Select Upload custom policy.
In this order, upload the policy files:
1. TrustFrameworkBase.xml
2. TrustFrameworkExtensions.xml
3. SignUpOrSignin.xml
4. ProfileEdit.xml
5. PasswordReset.xml

As you upload the files, Azure adds the prefix B2C_1A_ to each.

Run the custom policy and check the id_token for available claims.

Update the B2C_1A_ SignUpOrSignin and B2C_1A_ PasswordReset in HYBR webconfig under Azure B2C section.

For Removing Signup follow the below instructions:

Open TrustFrameworkBase.xml and find the below line

Remove the below line from metadata this line remove support for Sign-Up

<Item Key="SignUpTarget">SignUpWithLogonEmailExchange</Item>

Add the below line to metadata this line removes the Sign-Up link

<Item Key="setting.showSignupLink">false</Item>

Remove Sign-up options (Optional):

Remove Sign-up options (Optional):