Azure Active Directory B2C: User flows

The extensible policy framework of Azure Active Directory (Azure AD) B2C is the core strength of the service. Policies fully describe consumer identity experiences such as sign-up, sign-in, or profile editing. To help you set up the most common identity tasks, the Azure AD B2C portal includes predefined, configurable policies called user flows. For instance, a sign-up user flow allows you to control behaviors by configuring the following settings:

  • Account types (social accounts such as Facebook or local accounts such as email addresses) that consumers can use to sign up for the application
  • Attributes (for example, first name, postal code, and shoe size) to be collected from the consumer during sign-up
  • Use of Azure Multi-Factor Authentication
  • The look and feel of all sign-up pages
  • Information (which manifests as claims in a token) that the application receives when the user flow run finishes

You can create multiple user flows of different types in your tenant and use them in your applications as needed. User flows can be reused across applications. This flexibility enables developers to define and modify consumer identity experiences with minimal or no changes to their code.

User flows are invoked through a simple developer interface. Your application triggers a user flow by sending a standard OpenID Connect authorization request (passing the user flow name in the "p" query string parameter) and receives a token carrying the claims you configured as the response. For example, the only difference between a request that invokes a sign-up user flow and one that invokes a sign-in user flow is the user flow name in the "p" parameter. In the requests below, the // comments are annotations, not part of the URL. The nonce and state values shown are placeholders: in a real application both must be fresh, unpredictable values that the application stores and compares when the response comes back (state ties the response to the request that started it; nonce ties the ID token to that request).

https://contosob2c.b2clogin.com/contosob2c.onmicrosoft.com/oauth2/v2.0/authorize?
client_id=2d4d11a2-f814-46a7-890a-274a72a7309e      // Your registered Application ID
&redirect_uri=https%3A%2F%2Flocalhost%3A44321%2F    // Your registered Reply URL, url encoded
&response_mode=form_post                            // 'query', 'form_post' or 'fragment'
&response_type=id_token
&scope=openid
&nonce=dummy
&state=12345                                        // Any value provided by your application
&p=b2c_1_siup                                       // Your sign-up user flow

https://contosob2c.b2clogin.com/contosob2c.onmicrosoft.com/oauth2/v2.0/authorize?
client_id=2d4d11a2-f814-46a7-890a-274a72a7309e      // Your registered Application ID
&redirect_uri=https%3A%2F%2Flocalhost%3A44321%2F    // Your registered Reply URL, url encoded
&response_mode=form_post                            // 'query', 'form_post' or 'fragment'
&response_type=id_token
&scope=openid
&nonce=dummy
&state=12345                                        // Any value provided by your application
&p=b2c_1_siin                                       // Your sign-in user flow
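The following is an added example, not code from the Azure AD B2C documentation or from any Microsoft sample. It builds the authorize request for a given user flow with properly generated state and nonce values, and then checks the response the way an application should: state and nonce must match what was stored for this request, and the tfp claim (the policy name B2C records in its tokens) must match the user flow that was requested. The tenant name, client_id, reply URL and the claims in the test are constructed placeholders; signature verification of the id_token is assumed to have been done already by your OIDC library against the tenant's signing keys, and is not repeated here.

```python
import secrets
import time
from urllib.parse import urlencode, urlsplit

# Constructed placeholders (match the tenant/app used in the requests above).
TENANT = "contosob2c"
CLIENT_ID = "2d4d11a2-f814-46a7-890a-274a72a7309e"
REDIRECT_URI = "https://localhost:44321/"


def _same(a, b):
    """Constant-time string comparison; rejects None/non-str inputs."""
    if not isinstance(a, str) or not isinstance(b, str):
        return False
    return secrets.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def build_authorize_url(user_flow, session):
    """Build the authorize URL that starts `user_flow` and record, in the
    caller's server-side `session` dict, the values that must come back."""
    state = secrets.token_urlsafe(32)   # binds the response to this request (anti-CSRF)
    nonce = secrets.token_urlsafe(32)   # must reappear inside the id_token (anti-replay)
    session["oidc_state"] = state
    session["oidc_nonce"] = nonce
    session["oidc_policy"] = user_flow  # remember which flow we asked for
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_mode": "form_post",
        "response_type": "id_token",
        "scope": "openid",
        "nonce": nonce,
        "state": state,
        "p": user_flow,
    }
    return (f"https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com"
            f"/oauth2/v2.0/authorize?{urlencode(params)}")


def validate_callback(session, posted_state, claims, now=None):
    """Check a form_post response against the stored session values.
    `claims` is the payload of the returned id_token AFTER your OIDC library
    has verified its signature against the tenant's signing keys. Returns the
    user's object id or raises ValueError."""
    now = int(time.time()) if now is None else now
    if not _same(posted_state, session.get("oidc_state")):
        raise ValueError("state mismatch: response not tied to a request we started")
    if not _same(claims.get("nonce"), session.get("oidc_nonce")):
        raise ValueError("nonce mismatch: id_token was not issued for this request")
    # B2C records the issuing policy in the tfp claim. Compare it with the flow
    # we requested so a token minted by a different flow (e.g. password reset)
    # cannot be presented as a completed sign-in.
    if str(claims.get("tfp", "")).lower() != session.get("oidc_policy", "").lower():
        raise ValueError(f"token issued by unexpected user flow {claims.get('tfp')!r}")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("audience is not this application")
    if urlsplit(str(claims.get("iss", ""))).hostname != f"{TENANT}.b2clogin.com":
        raise ValueError("unexpected issuer")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise ValueError("token outside its validity window")
    # state and nonce are single-use: clear them so a replayed POST is rejected.
    session.pop("oidc_state", None)
    session.pop("oidc_nonce", None)
    return claims["oid"]
```

The policy check matters because every user flow in the tenant issues tokens for the same application: without comparing tfp to the requested flow, an id_token obtained from, say, the password reset or profile editing flow would be accepted as proof of sign-in.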

Create a sign-up or sign-in user flow

This user flow handles both consumer sign-up and sign-in with a single configuration. Consumers are led down the right path (sign-up or sign-in) depending on whether they already have an account. It also describes the contents of the tokens that the application receives after a successful sign-up or sign-in. A code sample for the sign-up or sign-in user flow is available. We recommend this user flow over separate sign-up and sign-in user flows.

Choose All services in the top-left corner of the Azure portal, search for and select Azure AD B2C. You should now be using the tenant that you created in the previous tutorial.

Under Manage, select User flows and click +New user flow.

On the Recommended tab, select Sign up and sign in.

Enter a user flow Name for your application to reference. For example, enter SiUpIn.

Under Identity providers, check Email signup. Optionally, you can also select social identity providers, if already configured.

Under Multifactor authentication, choose either Enabled or Disabled.

Under User attributes and claims, select Show more to see the full list of attributes and claims you can choose from.

In the Collect attribute column, choose the attributes you want to collect from the consumer during sign-up. For example, check Country/Region, Display Name, and Postal Code.

In the Return claim column, choose the claims you want returned in the tokens sent back to your application after a successful sign-up or sign-in experience. For example, select Display Name, Identity Provider, Postal Code, User is new and User's Object ID.

Click OK.

Click Create to add the user flow. The user flow is listed as B2C_1_SiUpIn: the B2C_1_ prefix is automatically added to the name, and it is this full name that your application passes in the "p" parameter.

Select Run user flow. Verify the settings specified in the table then click Run user flow.

Setting       Value
Application   Contoso B2C app
Reply URL     https://localhost:44316/

A new browser tab opens, and you can verify the sign-up or sign-in consumer experience as configured.

Note

It takes up to a minute for user flow creation and updates to take effect.

Create a sign-up user flow

If you want to only enable sign-up on your application, you use a sign-up user flow. This user flow describes the experiences that customers go through during sign-up and the contents of tokens that the application receives on successful sign-ups.

Choose All services in the top-left corner of the Azure portal, search for and select Azure AD B2C. You should now be using the tenant that you created in the previous tutorial.

Under Manage, select User flows.

Click +New user flow at the top of the blade.

Under Select a user flow type, select All, and then select the version of Sign up you want to use.

The Name determines the sign-up user flow name used by your application. For example, enter SiUp.

Under Identity providers, select Email signup. Optionally, you can also select social identity providers, if already configured.

Under User attributes and claims, click Show more.

In the Collect attribute column, choose attributes that you want to collect from the consumer during sign-up. For example, select Country/Region, Display Name, and Postal Code.

In the Return claim column, choose claims that you want returned in the tokens sent back to your application after a successful sign-up experience. For example, select Display Name, Identity Provider, Postal Code, User is new, and User's Object ID.

Click OK.

Click Create. The user flow created appears as B2C_1_SiUp (the B2C_1_ prefix is automatically added).

Click Run user flow.

Select Contoso B2C app in the Application drop-down and https://localhost:44321/ in the Reply URL drop-down.

Click Run user flow. A new browser tab opens, and you can run through the consumer experience of signing up for your application.

Note

It takes up to a minute for user flow creation and updates to take effect.

Create a sign-in user flow

If you want to only enable sign-in on your application, you use a sign-in user flow. This user flow describes the experiences that customers will go through during sign-in and the contents of tokens that the application will receive on successful sign-ins.

Choose All services in the top-left corner of the Azure portal, search for and select Azure AD B2C. You should now be using the tenant that you created in the previous tutorial.

Under Manage, select User flows.

Click +New user flow at the top of the blade.

Under Select a user flow type, select All, and then select the version of Sign in you want to use.

The Name determines the sign-in user flow name used by your application. For example, enter SiIn.

Under Identity providers, select at least one provider: the local account option and, optionally, any social identity providers you have already configured. Click OK.

Under Application claims, click Show more.

In the Return claim column, choose claims that you want returned in the tokens sent back to your application after a successful sign-in experience. For example, select Display Name, Identity Provider, Postal Code and User's Object ID. Click OK.

Click Create. Note that the user flow just created appears as B2C_1_SiIn (the B2C_1_ prefix is automatically added).

Click Run user flow.

Select Contoso B2C app in the Application drop-down and https://localhost:44321/ in the Reply URL drop-down.

Click Run user flow. A new browser tab opens, and you can run through the consumer experience of signing into your application.

Note

It takes up to a minute for user flow creation and updates to take effect.

Create a profile editing user flow

If you want to enable profile editing on your application, you use a profile editing user flow. This user flow describes the experiences that customers will go through during profile editing and the contents of tokens that the application will receive on successful completion.

Choose All services in the top-left corner of the Azure portal, search for and select Azure AD B2C. You should now be using the tenant that you created in the previous tutorial.

Under Manage, select User flows and click +New user flow.

On the Recommended tab, select Profile editing.

Enter a user flow Name for your application to reference. For example, enter SiPe.

Under Identity providers, check Local Account Signin. Optionally, you can also select social identity providers, if already configured.

Under User attributes, click Show more. In the Collect attribute column, choose attributes the consumer can view and edit in their profile. For example, check Country/Region, Display Name, and Postal Code.

In the Return claim column, choose the claims you want returned in the tokens sent back to your application after a successful profile editing experience. For example, select Display Name and Postal Code.

Click OK.

Click Create to add the user flow. The user flow is listed as B2C_1_SiPe (the B2C_1_ prefix is automatically added).

Select Run user flow. Verify the settings specified in the table then click Run user flow.

Setting       Value
Application   Contoso B2C app
Reply URL     https://localhost:44316/

A new browser tab opens, and you can verify the profile editing consumer experience as configured.

Note

It takes up to a minute for user flow creation and updates to take effect.

Create a password reset user flow

To enable password reset on a per-application basis, you use a password reset user flow. (The tenant-wide self-service password reset option is configured separately, at the tenant level, and is not part of this user flow.) This user flow describes the experience that customers go through during password reset and the contents of the tokens that the application receives on successful completion.

Choose All services in the top-left corner of the Azure portal, search for and select Azure AD B2C. You should now be using the tenant that you created in the previous tutorial.

Under Manage, select User flows and click +New user flow.

On the Recommended tab, select Password reset.

Enter a user flow Name for your application to reference. For example, enter SSPR.

Under Identity providers, check Reset password using email address.

Under Application claims, click Show more and choose the claims you want returned in the tokens sent back to your application after a successful password reset experience. For example, select User's Object ID.

Click OK.

Click Create to add the user flow. The user flow is listed as B2C_1_SSPR (the B2C_1_ prefix is automatically added).

Click Run user flow. Verify the settings specified in the table then click Run user flow.

Setting       Value
Application   Contoso B2C app
Reply URL     https://localhost:44316/

A new browser tab opens, and you can verify the password reset consumer experience in your application.

Note

It takes up to a minute for user flow creation and updates to take effect.

Preview user flows

As we release new features, some of them may not be available on existing policies or user flows. Once a preview user flow reaches general availability, we plan to replace the older version of the same type with it. Your existing policies or user flows will not change; to take advantage of the new features, you will have to create new user flows.

Frequently asked questions

Why doesn't the Forgot password? link start my password reset user flow?

When you create a sign-up or sign-in user flow (with local accounts), you see a Forgot password? link on the first page of the experience. Clicking this link doesn't automatically trigger a password reset user flow.

Instead, B2C sends an error response to your application's reply URL, in which the error_description begins with the error code AADB2C90118. Your app needs to recognize this error code and respond by invoking a specific password reset user flow itself. For more information, see a sample that demonstrates the approach of linking user flows.
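The following is an added example, not code from the Azure AD B2C documentation or from the linked sample. It shows the callback handler an application would put behind its reply URL: it checks state before doing anything else, recognizes the AADB2C90118 error that results from the Forgot password? link, and answers it by starting the password reset user flow with a fresh state and nonce. The tenant name, client_id, reply URL and user flow names are constructed placeholders, and the form fields in the test are constructed to look like what B2C posts.

```python
import secrets
from urllib.parse import urlencode

# Constructed placeholders; the flow names follow the ones created above.
TENANT = "contosob2c"
CLIENT_ID = "2d4d11a2-f814-46a7-890a-274a72a7309e"
REDIRECT_URI = "https://localhost:44321/"
SIGNUP_SIGNIN_FLOW = "B2C_1_SiUpIn"
PASSWORD_RESET_FLOW = "B2C_1_SSPR"
FORGOT_PASSWORD_CODE = "AADB2C90118"


def start_flow(user_flow, session):
    """Build the authorize URL for `user_flow` with fresh state/nonce and
    record them in the server-side session so the callback can be checked."""
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    session.update(oidc_state=state, oidc_nonce=nonce, oidc_policy=user_flow)
    params = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "response_mode": "form_post", "response_type": "id_token",
              "scope": "openid", "nonce": nonce, "state": state, "p": user_flow}
    return (f"https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com"
            f"/oauth2/v2.0/authorize?{urlencode(params)}")


def handle_callback(form, session):
    """Dispatch the fields B2C POSTs to the reply URL.
    Returns ("redirect", url) to send the browser elsewhere,
    ("token", id_token) when an id_token arrived (still to be validated), or
    ("error", message) for anything else."""
    # The state check comes first: an error response can be forged as easily
    # as a success response, so don't act on one that isn't tied to our request.
    if not secrets.compare_digest(str(form.get("state", "")).encode("utf-8"),
                                  str(session.get("oidc_state", "")).encode("utf-8")):
        return ("error", "state mismatch")
    if "error" in form:
        description = str(form.get("error_description", ""))
        if (form["error"] == "access_denied"
                and description.startswith(FORGOT_PASSWORD_CODE)
                and session.get("oidc_policy") == SIGNUP_SIGNIN_FLOW):
            # "Forgot password?" was clicked: start the password reset flow
            # with its own state/nonce rather than reusing the old ones.
            return ("redirect", start_flow(PASSWORD_RESET_FLOW, session))
        # Any other error is surfaced to the caller, not retried blindly.
        return ("error", description or form["error"])
    if "id_token" not in form:
        return ("error", "no id_token in response")
    return ("token", form["id_token"])
```

When the password reset flow completes, it posts its own id_token back to the same reply URL with the state recorded by start_flow; that token carries the reset flow's name in its tfp claim, so it should not by itself establish a signed-in session. Validate it as usual and then send the user through the sign-up or sign-in flow.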

Should I use a sign-up or sign-in user flow or a sign-up user flow and a sign-in user flow?

We recommend that you use a sign-up or sign-in user flow over a sign-up user flow and a sign-in user flow.

The sign-up or sign-in user flow has more capabilities than the sign-in user flow. It also enables you to use page UI customization and has better support for localization.

The sign-in user flow is recommended if you don't need to localize your user flows, only need minor customization capabilities for branding, and want password reset built into it.

Next steps