In this repo, you will find samples for several enhanced Azure AD B2C Custom CIAM User Journeys.
-
See our Custom Policy overview.
-
See our Azure AD B2C Wiki articles to help walkthrough the custom policy components.
-
See our Custom Policy Schema reference.
-
You will require to create an Azure AD B2C directory.
-
You can automate the prerequisites (where applicable) by using our using automated tool called Deploy AAD B2C Custom Policies if you already have an Azure AD B2C tenant.
Samples are available for the following categories
- Password Management
- General Security
- User Experience
- Terms of Use / Consent
- Passwordless
- Multi Factor
- Account Linking
- Identity Providers
- User Interface
- Data Residency
- User Migration
- UserInfo Endpoint
- Web Test
- CI / CD
Sample name | Description | Quick deploy | Demo |
---|---|---|---|
Password reset via email or phone verification | Verify a user via Email or SMS on a single screen. | Go | Live demo |
Force password reset | As an administrator, you can reset a user's password if the user forgets their password or you would like to force them to reset the password. In this policy sample, you'll learn how to force a password reset in these scenarios. | Go | Live demo |
Force password reset first logon | Force a user to reset their password on the first logon. | Go | |
Force password after 90 days | Force a user to reset their password after 90 days from the last time user set their password. | Go | |
Password reset only | Prevents issuing an access token to the user after resetting their password. | Go | Live demo |
Sign-up and sign-in with embedded password reset | Embed the password reset flow a part of the sign-up or sign-in policy without the AADB2C90118 error message. | Go | Live demo |
Password Reset with Phone Number | Reset a users password using Phone Number (SMS or Phone Call). | ||
Password reset without the ability to use the last password | Force password reset/change flow where the user cannot use their currently set password. | Go | Live demo |
Banned password list | Banned password list prevention during Sign up and password reset/change flow. This sample does not use an API. | Go | Live demo |
Password Reset sends verification code only if the email is registered | Display control to send verification code to users only if the email is registered against a user in the directory. | Go | Live demo |
Password history | Prevent the previous Nth password to be set during password reset/change. Requires using external storage and web services. | NA |
Sample name | Description | Quick deploy | Demo |
---|---|---|---|
Revoke Azure AD B2C session cookies | Demonstrates how to revoke the the single sign on cookies after a refresh token has been revoked. | Go | |
Google Captcha on Sign In | An example set of policies which integrate Google Captcha into the sign in journey. | NA | |
Disable and lockout an account after a period of inactivity | For scenarios where you need to prevent users logging into the application after a set number of days. The account will also be disabled at the time of the users login attempt in the case the user logs in after the time period. | Go | |
Restrict B2C Policy to specific App Registration | Only permits certain application registrations to call certain B2C policy Id's. | Go | Live demo |
Impersonation Flow | For scenarios where you require one user to impersonate another user. This is common for support desk or delegated administration of a user in an application or service. It is recommended to always issue the token of the original authenticated user and append additional information about the targeted impersonated user as part of the auth flow | Go | |
Social identity provider force email verification | When a user signs in with a social account, in some scenarios, the identity provider doesn't share the email address. This sample demonstrates how to force the user to provide and validate an email address. | NA | Live demo |
Sign-in with social identity provider and force email uniqueness | Demonstrates how to force a social account user to provide and validate their email address, and also checks that there is no other account with the same email address. | NA | |
Preventing logon for Social or External IdP Accounts when Disabled in AAD B2C | For scenarios where you would like to prevent logons via Social or External IdPs when the account has been disabled in Azure AD B2C. | NA | |
Relying party app Role-Based Access Control (RBAC) | Enables fine-grained access management for your relying party applications. Using RBAC, you can grant only the amount of access that users need to perform their jobs in your application. This sample policy (along with the REST API service) demonstrates how to read user's group membership, add the groups to JWT token and also prevent users from sign-in if they aren't members of one of predefined security groups. | NA | |
Sign-in with Conditional access | Azure Active Directory (Azure AD) Conditional Access is the tool used by Azure AD B2C to bring signals together, make decisions, and enforce organizational policies. Automating risk assessment with policy conditions means risky sign-ins are at once identified and remediated or blocked. | Go | Live demo |
Allow/Deny based on Hostname | This sample provides an example of how to block access to particular B2C policy based on the [Hostname] of the request, e.g. allow requests made to the policy using login.contoso.com but block foo.b2clogin.com. Useful when using custom domain(s) with Azure AD B2C. | Go | |
Call center validation | A call center uses Azure AD B2C to validate a customer phoning in. To do this, the call center takes three characters from the password and asks the customer calling in to provide the three characters plus some other known facts as part of the authentication process. | NA |
Sample name | Description | Quick deploy | Demo |
---|---|---|---|
Dynamic sign up or sign in | allows dynamically detecting whether a user can sign in or sign up. The user enters their email and is asked to verify their password if the account exists. If the account does not exist, the user goes through a sign up flow. | Go | Live demo |
Split Sign-up into separate steps for email verification and account creation | When you don't want to use the default Sign-up page which shows both email verification and user registration controls on the same page at once. This sample splits the default sign-up behavior into two separate steps. First step performs Email Verification only, avoiding all other default fields related to users registration. Second step (if email verification was successful) takes the users to a new screen where they can actually create their accounts. This uses Azure AD to send out emails, no separate email provider integrations needed. | Go | Live demo |
Sign In and Sign Up with Username or Email | This sample combines the UX of both the Email and Username based journeys. | Go | Live demo |
Local account change sign-in name email address | During sign-in with a local account, a user may want to change the sign-in name (email address). This sample policy demonstrates how to allow a user to provide and validate a new email address, and store the new email address to the Azure Active Directory user account. After the user changes their email address, subsequent logins require the use of the new email address. | Go | Live demo |
Username discovery | This example shows how to discover a username by email address. It's useful when a user has forgotten their username and remembers only their email address. | NA | |
Sign-in with Home Realm Discovery and Default IdP | Demonstrates how to implement a sign in journey, where the user is automatically directed to their federated identity provider based off of their email domain. And for users who arrive with an unknown domain, they are redirected to a default identity provider. | NA | |
Email delivered account redemption link | This sample demonstrates how to allow the user to sign up to a web application by providing their email which sends the user a magic link to complete their account creation to their email. | NA | |
Sign-in with a magic link | This sample demonstrates how a user can sign in to your web application by sending them a sign-in link. A magic link can be used to pre-populate user information, or accelerate the user through the user journey. | NA | |
Username based journey | For scenarios where you would like users to sign up and sign in with Usernames rather than Emails. | Go | Live demo |
Dynamic identity provider selection | Demonstrates how to dynamically filter the list of social identity providers rendered to the user based on the requests application ID. In the following screenshot user can select from the list of identity providers, such as Facebook, Google+ and Amazon. With Azure AD B2C custom policies, you can configure the technical profiles to be displayed based a claim's value. The claim value contains the list of identity providers to be rendered. | NA | |
Home Realm Discovery page | Demonstrates how to create a home realm discovery page. On the sign-in page, the user provides their sign-in email address and clicks continue. B2C checks the domain portion of the sign-in email address. If the domain name is contoso.com the user is redirected to Contoso.com Azure AD to complete the sign-in. Otherwise the user continues the sign-in with username and password. In both cases (AAD B2C local account and AAD account), the user does not need to retype the user name. |
NA | |
Delete my account | Demonstrates how to delete a local or social account from the directory | Go | Live demo |
Integrate REST API claims exchanges and input validation | A sample .Net core web API, demonstrates the use of Restful technical profile in user journey's orchestration step and as a validation technical profile. | NA | |
sign-up or sign-in policy with a deep link to sign-up page | Adds a direct link to the sign-up page. A relying party application can include a query string parameter that takes the user directly to the sign-up page. | Go | Live demo |
Allow sign up from specific email domains | This policy demonstrates how to validate the email address domain name against a list of allowed domains. | Go | Live demo |
Sample name | Description | Quick deploy | Demo |
---|---|---|---|
Provide consent UI to API scopes | For scenarios where you provide a plug and play service to other partners. When the user chooses to use your service through a partner application, the user must login with their account with your service, and consent to various scopes which allow your service to share information with the partner application. | Go | Live demo |
Sign Up and Sign In with dynamic 'Terms of Use' prompt | Demonstrates how to incorporate a TOU or T&Cs into your user journey with the ability for users to be prompted to re-consent when the TOU/T&Cs change. | Go | |
Azure AD B2C Invitation | This sample console app demonstrates how to send a sign-up email invitation. After you sent the invitation, the user clicks on the Confirm account link, which opens the sign-up page (without the need to validate the email again). Use this approach when you need to create the users account beforehand, while allowing the user to choose the password on initial sign in. This approach is better than creating an account via Graph API and sending the password to the user via some communication means. | NA |
Sample name | Description | Quick deploy |
---|---|---|
Password-less sign-in with email verification | Password-less authentication is a type of authentication where user doesn't need to sign-in with their password. This is commonly used in B2C scenarios where users use your application infrequently and tend to forget their password. This sample policy demonstrates how to allow user to sign-in, simply by providing and verifying the sign-in email address using OTP code (one time password). | Go |
Login with Phone Number | An example set of policies for password-less login via Phone Number (SMS or Phone Call). | Go |
Sample name | Description | Quick deploy | Demo |
---|---|---|---|
Microsoft Authenticator TOTP | Integrate native Microsoft Authenticator TOTP flow - Enroll a user in TOTP with an authenticator app | Go | Live demo |
Custom email verification - DisplayControls | Allows you to send your own custom email verification email during sign-up or password reset user journey's. The is a working example of the sample reference on the Microsoft B2C documentation site - Custom email verification in Azure Active Directory B2C | NA | |
Custom SMS provider - DisplayControls | Integrate a custom SMS provider in Azure Active Directory B2C (Azure AD B2C) to customized SMS' to users that perform multi factor authentication to your application. By using DisplayControls (currently in preview) and a third-party SMS provider, you can use your own contextualized SMS message, custom Phone Number, as well as support localization and custom one-time password (OTP) settings. | NA | |
Email second-factor | For scenarios where you would like users to validate their email via OTP on every sign in. | Go | Live demo |
Sign-in with FIDO | Demonstrates how to sign-in with a FIDO authenticator (as a first factor authentication). This policy use the WebAuthn standard to register new credential and sign-in with FIDO credential. | NA | |
Integrate Twilio Verify API for PSD2 SCA | The following sample guides you through integrating Azure AD B2C authentication with Twilio Verify API to enable your organization to meet PSD2 SCA requirements. | NA | |
Edit MFA phone number | Demonstrates how to allow user to provide and validate a new MFA phone number. After the user changes their MFA phone number, on the next login, the user needs to provide the new phone number instead of the old one. | Go | Live demo |
Sign In With Authenticator | This is a sample to show how you can create a B2C Custom Policy to signin with Authenticator Apps to B2C. It is related to the custom-mfa-totp sample, which shows how to use the Authenticator app as MFA. | NA | |
Authy App multi-factor authentication | Custom MFA solution, based on Authy App (push notification). Allowing users to sign-in with Twilio Auth App (authenticator apps). | NA | |
MFA with either Phone (Call/SMS) or Email verification | Allow the user to do MFA by either Phone (Call/SMS) or Email verification, with the ability to change this preference via Profile Edit. | Go | Live demo |
Add & Select 2 MFA phone numbers at SignIn/SignUp | Demonstrates how to store two phone numbers in a secure manner in B2C and choose between any two at signIn. The flow prompts the user to store a secondary phone if only one phone number is one file. Once the two numbers are stored as part of SignUp or SignIn the user is given a choice to select between the two phones for their MFA on subsequent signIns. | Go | Live demo |
MFA after timeout or IP change | A policy which forces the user to do MFA on 3 conditions: The user has newly signed up, the user has not done MFA in the last X seconds, the user is logging in from a different IP than they last logged in from. | Go | |
Unknown Devices MFA - device fingerprinting | Demonstrates how to detect unknown devices which might be required to prompt MFA as illustrated in this particular sample or send email to the user signing in from unknown device. | Go |
Sample name | Description | Quick deploy |
---|---|---|
Auto account linking | This policy sample demonstrates how to link an account when a user arrives with the same email as an existing account. When the email is detected as being the same, the user is prompted to sign in with one of the methods already registered on the existing account. Once complete, the account is linked. | Go |
Account linkage | (new version, one policy for both link and unlink) - With Azure AD B2C an account can have multiple identities, local (username and password) or social/enterprise identity (such as Facebook or AAD). This Azure AD B2C sample demonstrates how to link and unlink existing Azure AD B2C account to a social identity. Unified policy for link and unlink. | NA |
Account linkage | (a policy for link and another policy for unlink.) - With Azure AD B2C an account can have multiple identities, local (username and password) or social/enterprise identity (such as Facebook or AAD). This Azure AD B2C sample demonstrates how to link and unlink existing Azure AD B2C account to a social identity. | NA |
Link a local account to federated account | Demonstrates how to link a user who logged in via a federated provider to a pre-created AAD B2C Local Account. | NA |
Sign-up with social and local account | Demonstrate how to create a policy that allows a user to sign-up with a social account linked to local account | NA |
Sample name | Description | Quick deploy |
---|---|---|
Sign in with Apple as a Custom OpenID Connect identity provider | Demonstrates how to gather the correct configuration information to setup Sign in with Apple as an OpenID Connect identity provider. | NA |
Sign in with Kakao | This sample shows how to setup Kakao as an identity provider in Azure AD B2C. Kakao is a South Korean Internet company that provides a diverse set of services. | NA |
Sign in with REST API identity provider | Demonstrates how allow users to sign-in with credentials stored in a legacy identity provider using REST API services. | NA |
Sign in through Azure AD as the identity provider, and include original Idp token | Demonstrates how to sign in through a federated identity provider, Azure AD, and include the original identity provider token (Azure AD Bearer Token) as part of the B2C issued token. | NA |
Custom claims provider | A custom OpenId connect claims provider that federates with Azure AD B2C over OIDC protocol. | NA |
Obtain the Microsoft Graph access token for an Azure AD Federated logon | For scenarios where we would like to obtain the Microsoft Graph API token for a Azure AD federated logon in the context of the logged in user. For example this could be used to read the users Exchange Online mailbox within an Azure AD B2C application. | NA |
AAD Authentication with REST | Pass through authentication to Azure AD (no user created in B2C), then calls a REST API to obtain more claims. | NA |
Sample name | Description | Quick deploy |
---|---|---|
Render dynamic dropdown box | For scenarios where you would like to fetch information during the runtime of the authentication flow, and display this data as a dropdown box dynamically for the user to make a selection. In this example, a users identifier is sent to an API, which returns a set of emails for them to select. The selected email is returned in the token. | NA |
Sample name | Description | Quick deploy |
---|---|---|
Remote profile | Demonstrates how to store and read user profiles from a remote database. | NA |
Remote profile geo-based | Demonstrates storing user profile either in B2C directory or in different Azure Table Storages based in user geography setting. | NA |
Encrypted profile | Demonstrates how to store and read user profiles from Azure AD B2C using encrypted data. | NA |
Sample name | Description | Quick deploy |
---|---|---|
Seamless account migration | Where accounts have been pre-migrated into Azure AD B2C and you want to update the password on the account on initial sign in. Azure AD B2C calls a REST API to validate the credentials for accounts marked as requiring migration (via attribute) against a legacy identity provider, returns a successful response to Azure AD B2C, and Azure AD B2C writes the password to the account in the directory. | NA |
Seamless account migration from AWS | This is an end-to-end sample for migrating the users from AWS Cognito to Azure AD B2C. | NA |
Just in time migration v1 | In this sample Azure AD B2C calls a REST API that validates the credential, and migrate the account with a Graph API call. | NA |
Just in time migration v2 | In this sample Azure AD B2C calls a REST API to validate the credentials, return the user profile to B2C from an Azure Table, and B2C creates the account in the directory. | |
B2C to B2C Migration | Migrate users from one B2C instance to another using just in time migration. | NA |
Sample name | Description | Quick deploy |
---|---|---|
UserInfo Endpoint | The UserInfo endpoint is part of the OpenID Connect standard (OIDC) specification and is designed to return claims about the authenticated user. The UserInfo endpoint is defined in the relying party policy using the EndPoint element. | Go |
Sample name | Description | Quick deploy |
---|---|---|
SignIn Web Test using Azure App Insights | This sample web test shows how to run tests and monitor results of B2C sign in's, using Azure Application Insights. | NA |
Sample name | Description | Quick deploy |
---|---|---|
Azure DevOps pipeline for Azure AD B2C | Uploads policies regardless of naming convention Azure DevOps automated pipeline. | NA |
Use Stack Overflow to get support from the community. Ask your questions on Stack Overflow first and browse existing issues to see if someone has asked your question before. Make sure that your questions or comments are tagged with [azure-ad-b2c]. If you find a bug in the sample, please raise the issue on GitHub Issues. To provide product feedback, visit the Azure Active Directory B2C Feedback page.