Developer notes for Azure Active Directory B2C

Azure Active Directory B2C user flows and custom policies are generally available. Azure AD B2C capabilities are under continual development, so although most features are generally available, some features are at different stages in the software release cycle. This article discusses cumulative improvements in Azure AD B2C and specifies feature availability.

Terms for features in public preview

  • We encourage you to use public preview features for evaluation purposes only.

  • Service level agreements (SLAs) don't apply to public preview features.

  • Support requests for public preview features can be submitted through regular support channels.

User flows

| Feature | User flow | Custom policy | Notes |
| --- | --- | --- | --- |
| Sign-up and sign-in with email and password | GA | GA | |
| Sign-up and sign-in with username and password | GA | GA | |
| Profile editing flow | GA | GA | |
| Self-service password reset | GA | GA | |
| Force password reset | GA | NA | |
| Phone sign-up and sign-in | GA | GA | |
| Conditional Access and Identity Protection | GA | GA | Not available for SAML applications. |
| Smart lockout | GA | GA | |
| CAPTCHA | Preview | Preview | You can enable it during sign-up or sign-in for local accounts. |

OAuth 2.0 application authorization flows

The following table summarizes the OAuth 2.0 and OpenID Connect application authentication flows that can be integrated with Azure AD B2C.

| Feature | User flow | Custom policy | Notes |
| --- | --- | --- | --- |
| Authorization code | GA | GA | Allows users to sign in to web applications. The web application receives an authorization code. The authorization code is redeemed to acquire a token to call web APIs. |
| Authorization code with PKCE | GA | GA | Allows users to sign in to mobile and single-page applications. The application receives an authorization code using Proof Key for Code Exchange (PKCE). The authorization code is redeemed to acquire a token to call web APIs. |
| Client credentials flow | Preview | Preview | Allows access to web-hosted resources by using the identity of an application. Commonly used for server-to-server interactions that must run in the background, without immediate interaction with a user. |
| Device authorization grant | NA | NA | Allows users to sign in to input-constrained devices such as a smart TV, IoT device, or printer. |
| Implicit flow | GA | GA | Allows users to sign in to single-page applications. The app gets tokens directly without performing a back-end server credential exchange. |
| On-behalf-of | NA | NA | An application invokes a service or web API, which in turn needs to call another service or web API. For the middle-tier service to make authenticated requests to the downstream service, pass a client credential token in the authorization header. Optionally, you can include a custom header with the Azure AD B2C user's token. |
| OpenID Connect | GA | GA | OpenID Connect introduces the concept of an ID token, which is a security token that allows the client to verify the identity of the user. |
| OpenID Connect hybrid flow | GA | GA | Allows a web application to retrieve the ID token on the authorize request along with an authorization code. |
| Resource owner password credentials (ROPC) | GA | GA | Allows a mobile application to sign in the user by directly handling their password. |
| Sign-out | GA | GA | |
| Single sign-out | NA | Preview | |

OAuth 2.0 options

| Feature | User flow | Custom policy | Notes |
| --- | --- | --- | --- |
| Redirect sign-in to a social provider | GA | GA | Query string parameter `domain_hint`. |
| Prepopulate the sign-in name | GA | GA | Query string parameter `login_hint`. |
| Insert JSON into user journey via `client_assertion` | NA | Deprecated | |
| Insert JSON into user journey as `id_token_hint` | NA | GA | |
| Pass identity provider token to the application | Preview | Preview | For example, from Facebook to app. |
| Keep me signed in (KMSI) | GA | GA | |

SAML2 application authentication flows

The following table summarizes the Security Assertion Markup Language (SAML) application authentication flows that can be integrated with Azure AD B2C.

| Feature | User flow | Custom policy | Notes |
| --- | --- | --- | --- |
| SP initiated | NA | GA | POST and Redirect bindings. |
| IDP initiated | NA | GA | Where the initiating identity provider is Azure AD B2C. |

User experience customization

| Feature | User flow | Custom policy | Notes |
| --- | --- | --- | --- |
| Multi-language support | GA | GA | |
| Custom domains | GA | GA | |
| Custom email verification | NA | GA | |
| Customize the user interface with built-in templates | GA | GA | |
| Customize the user interface with custom templates | GA | GA | By using HTML templates. |
| Page layout version | GA | GA | |
| JavaScript | GA | GA | |
| Embedded sign-in experience | NA | Preview | By using the inline frame element `<iframe>`. |
| Password complexity | GA | GA | |
| Disable email verification | GA | GA | Not recommended for production environments. Disabling email verification in the sign-up process may lead to spam. |

Identity providers

| Feature | User flow | Custom policy | Notes |
| --- | --- | --- | --- |
| AD FS | NA | GA | |
| Amazon | GA | GA | |
| Apple | GA | GA | |
| Microsoft Entra ID (single-tenant) | GA | GA | |
| Microsoft Entra ID (multitenant) | NA | GA | |
| Azure AD B2C | GA | GA | |
| eBay | NA | Preview | |
| Facebook | GA | GA | |
| GitHub | Preview | GA | |
| Google | GA | GA | |
| ID.me | GA | GA | |
| LinkedIn | GA | GA | |
| Microsoft Account | GA | GA | |
| QQ | Preview | GA | |
| Salesforce | GA | GA | |
| Salesforce (SAML protocol) | NA | GA | |
| Twitter | GA | GA | |
| WeChat | Preview | GA | |
| Weibo | Preview | GA | |

Generic identity providers

| Feature | User flow | Custom policy | Notes |
| --- | --- | --- | --- |
| OAuth2 | NA | GA | For example, Google, GitHub, and Facebook. |
| OAuth1 | NA | GA | For example, Twitter. |
| OpenID Connect | GA | GA | For example, Microsoft Entra ID. |
| SAML2 | NA | GA | For example, Salesforce and AD FS. |
| WS-Fed | NA | NA | |

API connectors

| Feature | User flow | Custom policy | Notes |
| --- | --- | --- | --- |
| After federating with an identity provider during sign-up | GA | GA | |
| Before creating the user | GA | GA | |
| Before including application claims in token | Preview | GA | |
| Secure with basic authentication | GA | GA | |
| Secure with client certificate authentication | GA | GA | |
| Secure with OAuth2 bearer authentication | NA | GA | |
| Secure with API key authentication | NA | GA | |

Custom policy features

Session management

| Feature | Custom policy | Notes |
| --- | --- | --- |
| Default SSO session provider | GA | |
| External login session provider | GA | |
| SAML SSO session provider | GA | |
| OAuth SSO session provider | GA | |

Components

| Feature | Custom policy | Notes |
| --- | --- | --- |
| MFA using time-based one-time password (TOTP) with authenticator apps | GA | Users can use any authenticator app that supports TOTP verification, such as the Microsoft Authenticator app. |
| Phone factor authentication | GA | |
| Microsoft Entra multifactor authentication | GA | |
| One-time password | GA | |
| Microsoft Entra ID as local directory | GA | |
| Predicate validations | GA | For example, password complexity. |
| Display controls | GA | |
| Sub journeys | GA | |

Developer interface

| Feature | Custom policy | Notes |
| --- | --- | --- |
| Azure portal | GA | |
| Application Insights user journey logs | Preview | Used for troubleshooting during development. |
| Application Insights event logs | Preview | Used to monitor user flows and custom policies in production. |

Other features

| Feature | Status | Notes |
| --- | --- | --- |
| Go-Local add-on | GA | The Azure AD B2C Go-Local add-on lets you create an Azure AD B2C tenant within the country/region you choose when you create the tenant. |

Responsibilities of custom policy feature-set developers

Manual policy configuration grants lower-level access to the underlying platform of Azure AD B2C and results in the creation of a unique trust framework. The many possible permutations of custom identity providers, trust relationships, integrations with external services, and step-by-step workflows require a methodical approach to design and configuration.

Developers consuming the custom policy feature set should adhere to the following guidelines:

  • Become familiar with the configuration language of the custom policies and key/secrets management. For more information, see TrustFrameworkPolicy.
  • Take ownership of scenarios and custom integrations. Document your work and inform your live site organization.
  • Perform methodical scenario testing.
  • Follow software development and staging best practices. A minimum of one development and testing environment is recommended.
  • Stay informed about new developments from the identity providers and services you integrate with. For example, keep track of changes in secrets and of scheduled and unscheduled changes to the service.
  • Set up active monitoring, and monitor the responsiveness of production environments. For more information about integrating with Application Insights, see Azure Active Directory B2C: Collecting Logs.
  • Keep contact email addresses current in the Azure subscription, and stay responsive to the Microsoft live-site team emails.
  • Take timely action when advised to do so by the Microsoft live-site team.

Next steps