Add Conditional Access to user flows in Azure Active Directory B2C

Azure AD B2C offers two methods of defining how users interact with your applications: through predefined user flows, or through fully configurable custom policies. Decide which type of policy you're configuring before you begin, because the steps in this article differ for each method.

Conditional Access can be added to your Azure Active Directory B2C (Azure AD B2C) user flows or custom policies to manage risky sign-ins to your applications. Azure Active Directory (Azure AD) Conditional Access is the tool used by Azure AD B2C to bring signals together, make decisions, and enforce organizational policies.

Conditional access flow

Automating risk assessment with policy conditions means risky sign-ins are identified immediately and then either remediated or blocked.

Note

This feature is in public preview.

Service overview

Azure AD B2C evaluates each sign-in event and ensures that all policy requirements are met before granting the user access. During this Evaluation phase, the Conditional Access service evaluates the signals collected by Identity Protection risk detections during sign-in events. The outcome of this evaluation process is a set of claims that indicates whether the sign-in should be granted or blocked. The Azure AD B2C policy uses these claims to take an action within the user flow, such as blocking access or challenging the user with a specific remediation like multi-factor authentication (MFA). “Block access” overrides all other settings.

The following example shows a Conditional Access technical profile that is used to evaluate the sign-in threat.

<TechnicalProfile Id="ConditionalAccessEvaluation">
  <DisplayName>Conditional Access Provider</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ConditionalAccessProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="OperationType">Evaluation</Item>
  </Metadata>
  ...
</TechnicalProfile>

In the Remediation phase that follows, the user is challenged with MFA. Once complete, Azure AD B2C informs Identity Protection that the identified sign-in threat has been remediated and by which method. In this example, Azure AD B2C signals that the user has successfully completed the multi-factor authentication challenge.

The following example shows a Conditional Access technical profile used to remediate the identified threat:

<TechnicalProfile Id="ConditionalAccessRemediation">
  <DisplayName>Conditional Access Remediation</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ConditionalAccessProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
  <Metadata>
    <Item Key="OperationType">Remediation</Item>
  </Metadata>
  ...
</TechnicalProfile>

Components of the solution

These are the components that enable Conditional Access in Azure AD B2C:

  • User flow or custom policy that guides the user through the sign-in and sign-up process.
  • Conditional Access policy that brings signals together to make decisions and enforce organizational policies. When a user signs into your application via an Azure AD B2C policy, the Conditional Access policy uses Azure AD Identity Protection signals to identify risky sign-ins and presents the appropriate remediation action.
  • Registered application that directs users to the appropriate Azure AD B2C user flow or custom policy.
  • Tor Browser to simulate a risky sign-in during testing.

Service limitations and considerations

When using Azure AD Conditional Access with Azure AD B2C, consider the following:

  • Identity Protection is available for both local and social identities, such as Google or Facebook. For social identities, you need to manually activate Conditional Access. Detection is limited because social account credentials are managed by the external identity provider.
  • In Azure AD B2C tenants, only a subset of Azure AD Conditional Access policies are available.

Prerequisites

Pricing tier

Azure AD B2C Premium P2 is required to create policies based on user risk or sign-in risk. Premium P1 tenants can create policies based on location, application, user, or group. For more information, see Change your Azure AD B2C pricing tier.

Prepare your Azure AD B2C tenant

Security defaults and Conditional Access policies can't be enabled at the same time, so before you add a Conditional Access policy, disable security defaults. Disabling them removes the baseline protection they provided, so create and enable your Conditional Access policy promptly afterward:

  1. Sign in to the Azure portal.

  2. Select the Directory + Subscription icon in the portal toolbar, and then select the directory that contains your Azure AD B2C tenant.

  3. Under Azure services, select Azure AD B2C. Or use the search box to find and select Azure AD B2C.

  4. Select Properties, and then select Manage Security defaults.

    Disable the security defaults

  5. Under Enable Security defaults, select No.

    Set the Enable security defaults toggle to No

Add a Conditional Access policy

A Conditional Access policy is an if-then statement of assignments and access controls. A Conditional Access policy brings signals together to make decisions and enforce organizational policies. The logical operator between the assignments is And. The operator in each assignment is Or.

Conditional access assignments

To add a Conditional Access policy:

  1. In the Azure portal, search for and select Azure AD B2C.

  2. Under Security, select Conditional Access (Preview). The Conditional Access Policies page opens.

  3. Select + New policy.

  4. Enter a name for the policy, such as Block risky sign-in.

  5. Under Assignments, choose Users and groups, and then select one of the following supported configurations:

    Include    License  Notes
    All users  P1, P2   If you choose to include All Users, this policy affects all of your users. To be sure not to lock yourself out, exclude your administrative account by choosing Exclude, selecting Directory roles, and then selecting Global Administrator in the list. You can also select Users and Groups and then select your account in the Select excluded users list.
  6. Select Cloud apps or actions, and then Select apps. Browse for your relying party application.

  7. Select Conditions, and then select from the following conditions. For example, select Sign-in risk and High, Medium, and Low risk levels.

    Condition         License        Notes
    User risk         P2             User risk represents the probability that a given identity or account is compromised.
    Sign-in risk      P2             Sign-in risk represents the probability that a given authentication request isn't authorized by the identity owner.
    Device platforms  Not supported  Characterized by the operating system that runs on a device. For more information, see Device platforms.
    Locations         P1, P2         Named locations may include public IPv4 network information, country or region, or unknown areas that don't map to specific countries or regions. For more information, see Locations.
  8. Under Access controls, select Grant. Then select whether to block or grant access:

    Option                                            License  Note
    Block access                                      P1, P2   Prevents access based on the conditions specified in this Conditional Access policy.
    Grant access with Require multi-factor authentication  P1, P2   Based on the conditions specified in this Conditional Access policy, the user is required to go through Azure AD B2C multi-factor authentication.
  9. Under Enable policy, select one of the following:

    Option       License  Note
    Report-only  P1, P2   Report-only allows administrators to evaluate the impact of Conditional Access policies before enabling them in their environment. We recommend you check a policy in this state first and determine the impact on end users without requiring multi-factor authentication or blocking anyone. For more information, see Review Conditional Access outcomes in the audit report.
    On           P1, P2   The access policy is evaluated and enforced.
    Off          P1, P2   The access policy is not activated and has no effect on users.
  10. Enable your test Conditional Access policy by selecting Create.

Add Conditional Access to a user flow

After you've added the Azure AD Conditional Access policy, enable conditional access in your user flow or custom policy. When you enable conditional access, you don't need to specify a policy name.

Multiple Conditional Access policies may apply to an individual user at any time. In this case, the most strict access control policy takes precedence. For example, if one policy requires multi-factor authentication (MFA), while the other blocks access, the user will be blocked.
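The two rules above (And between a policy's assignments, Or within each assignment, and the strictest control winning when several enabled policies match) are easy to get wrong when you design a policy set. The following Python model, added here as an illustration and not Microsoft's code, evaluates a constructed set of policies against a constructed sign-in and returns the three fields that the audit log later reports (ConditionalAccessResult, AppliedPolicies, ReportingPolicies). The policy shape, the result strings and the policy names are assumptions made for the example; the service's internal representation is not public.

```python
"""Model of how a set of Conditional Access policies is applied to one
Azure AD B2C sign-in. Added illustration, not Microsoft's code: policy
shape, result strings and names are assumptions mirroring the portal fields."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Access controls from least to most strict. When several enabled policies
# apply, the strictest control wins: Grant with MFA loses to Block.
GRANT, REQUIRE_MFA, BLOCK = "Grant", "RequireMfa", "Block"
STRICTNESS = {GRANT: 0, REQUIRE_MFA: 1, BLOCK: 2}
ALL_USERS, ALL_APPS = "All users", "All cloud apps"

@dataclass
class SignIn:
    """Signals for one authentication request (constructed sample data)."""
    user: str
    app: str
    roles: Set[str] = field(default_factory=set)
    sign_in_risk: str = "none"   # none | low | medium | high
    user_risk: str = "none"      # none | low | medium | high
    location: str = "trusted"    # a named location, or "unknown"

@dataclass
class Policy:
    """One if-then policy: assignments (users, app, conditions) and a control."""
    name: str
    state: str                   # "on" | "report-only" | "off"
    control: str                 # REQUIRE_MFA or BLOCK
    include_users: Set[str] = field(default_factory=lambda: {ALL_USERS})
    exclude_users: Set[str] = field(default_factory=set)
    exclude_roles: Set[str] = field(default_factory=set)
    apps: Set[str] = field(default_factory=lambda: {ALL_APPS})
    # An empty set means the condition is not configured and matches anything.
    sign_in_risk: Set[str] = field(default_factory=set)
    user_risk: Set[str] = field(default_factory=set)
    locations: Set[str] = field(default_factory=set)

def _user_in_scope(p: Policy, s: SignIn) -> bool:
    # Exclusions always win over inclusions; this is what keeps the
    # Global Administrator exclusion from locking you out.
    if s.user in p.exclude_users or (p.exclude_roles & s.roles):
        return False
    return ALL_USERS in p.include_users or s.user in p.include_users

def _app_in_scope(p: Policy, s: SignIn) -> bool:
    return ALL_APPS in p.apps or s.app in p.apps

def _conditions_match(p: Policy, s: SignIn) -> bool:
    # Inside one condition the selected values are OR-ed; across the
    # configured conditions (and the user and app assignments) it is AND.
    checks = [(p.sign_in_risk, s.sign_in_risk),
              (p.user_risk, s.user_risk),
              (p.locations, s.location)]
    return all(not selected or actual in selected for selected, actual in checks)

def policy_matches(p: Policy, s: SignIn) -> bool:
    return _user_in_scope(p, s) and _app_in_scope(p, s) and _conditions_match(p, s)

def evaluate(sign_in: SignIn, policies: List[Policy]) -> Dict[str, object]:
    """Return the three fields the audit log reports for one evaluation."""
    applied = [p for p in policies if p.state == "on" and policy_matches(p, sign_in)]
    reporting = [p for p in policies
                 if p.state == "report-only" and policy_matches(p, sign_in)]
    result = GRANT
    for p in applied:                      # "off" policies never get here
        if STRICTNESS[p.control] > STRICTNESS[result]:
            result = p.control
    return {"ConditionalAccessResult": result,
            "AppliedPolicies": [p.name for p in applied],
            "ReportingPolicies": [p.name for p in reporting]}

# Constructed policy set: names and scopes are illustrative.
POLICIES = [
    Policy("Block risky sign-in", "on", BLOCK, apps={"webapp1"},
           exclude_roles={"Global Administrator"},
           sign_in_risk={"low", "medium", "high"}),
    Policy("MFA from unknown locations", "on", REQUIRE_MFA, locations={"unknown"}),
    Policy("Block compromised users", "report-only", BLOCK, user_risk={"high"}),
]

def tor_sign_in() -> Dict[str, object]:
    """A Tor session that Identity Protection flagged as medium sign-in risk.
    Both enabled policies match; Block wins over RequireMfa, and the
    report-only policy is recorded without being enforced."""
    return evaluate(SignIn("alice@contosob2c.onmicrosoft.com", "webapp1",
                           sign_in_risk="medium", user_risk="high",
                           location="unknown"), POLICIES)

if __name__ == "__main__":
    print(tor_sign_in())
    print(evaluate(SignIn("admin@contosob2c.onmicrosoft.com", "webapp1",
                          roles={"Global Administrator"}, sign_in_risk="high"),
                   POLICIES))
```

The second call in the main block shows why the exclusion in step 5 matters: an administrator signing in with high sign-in risk is excluded from the block policy by role and comes from a trusted location, so the result is a plain Grant even though the block policy is enabled.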

Enable multi-factor authentication (optional)

When adding Conditional Access to a user flow, consider the use of Multi-factor authentication (MFA). Users can use a one-time code via SMS or voice, or a one-time password via email for multi-factor authentication. MFA settings are independent from Conditional Access settings. You can set MFA to Always On so that MFA is always required regardless of your Conditional Access setup. Or, you can set MFA to Conditional so that MFA is required only when an active Conditional Access Policy requires it.

Important

If your Conditional Access policy grants access with MFA but the user hasn't enrolled a phone number, the user may be blocked.

To enable Conditional Access for a user flow, make sure the version supports Conditional Access. These user flow versions are labeled Recommended.

  1. Sign in to the Azure portal.

  2. Select the Directory + Subscription icon in the portal toolbar, and then select the directory that contains your Azure AD B2C tenant.

  3. Under Azure services, select Azure AD B2C. Or use the search box to find and select Azure AD B2C.

  4. Under Policies, select User flows. Then select the user flow.

  5. Select Properties and make sure the user flow supports Conditional Access by looking for the setting labeled Conditional Access.

    Configure MFA and Conditional Access in Properties

  6. In the Multi-factor authentication section, select the desired MFA method, and then under MFA enforcement, select Conditional (Recommended).

  7. In the Conditional Access section, select the Enforce conditional access policies check box.

  8. Select Save.

Add Conditional Access to your policy

  1. Get the example of a conditional access policy on GitHub.
  2. In each file, replace the string yourtenant with the name of your Azure AD B2C tenant. For example, if the name of your B2C tenant is contosob2c, all instances of yourtenant.onmicrosoft.com become contosob2c.onmicrosoft.com.
  3. Upload the policy files.

Test your custom policy

  1. Select the B2C_1A_signup_signin_with_ca or B2C_1A_signup_signin_with_ca_whatif policy to open its overview page. Then select Run user flow. Under Application, select webapp1. The Reply URL should show https://jwt.ms.

  2. Copy the URL under Run user flow endpoint.

  3. To simulate a risky sign-in, open the Tor Browser and use the URL you copied in the previous step to sign in to the registered app.

  4. Enter the requested information in the sign-in page, and then attempt to sign in. The token is returned to https://jwt.ms and should be displayed to you. In the jwt.ms decoded token, you should see that the sign-in was blocked.

Test your user flow

  1. Select the user flow you created to open its overview page, and then select Run user flow. Under Application, select webapp1. The Reply URL should show https://jwt.ms.

  2. Copy the URL under Run user flow endpoint.

  3. To simulate a risky sign-in, open the Tor Browser and use the URL you copied in the previous step to sign in to the registered app.

  4. Enter the requested information in the sign-in page, and then attempt to sign in. The token is returned to https://jwt.ms and should be displayed to you. In the jwt.ms decoded token, you should see that the sign-in was blocked.

Review Conditional Access outcomes in the audit report

To review the result of a Conditional Access event:

  1. Sign in to the Azure portal.

  2. Select the Directory + Subscription icon in the portal toolbar, and then select the directory that contains your Azure AD B2C tenant.

  3. Under Azure services, select Azure AD B2C. Or use the search box to find and select Azure AD B2C.

  4. Under Activities, select Audit logs.

  5. Filter the audit log by setting Category to B2C and setting Activity Resource Type to IdentityProtection. Then select Apply.

  6. Review audit activity for up to the last seven days. The following types of activity are included:

    • Evaluate conditional access policies: This audit log entry indicates that a Conditional Access evaluation was performed during an authentication.
    • Remediate user: This entry indicates that the grant or requirements of a Conditional Access policy were met by the end user, and this activity was reported to the risk engine to mitigate (reduce the risk of) the user.
  7. Select an Evaluate conditional access policies log entry in the list to open the Activity Details: Audit log page, which shows the audit log identifiers, along with this information in the Additional Details section:

    • ConditionalAccessResult: The grant required by the conditional policy evaluation.
    • AppliedPolicies: A list of all the Conditional Access policies where the conditions were met and the policies are ON.
    • ReportingPolicies: A list of the Conditional Access policies that were set to report-only mode and where the conditions were met.
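Clicking through entries one at a time does not scale once a policy has been in report-only mode for a few days. The following Python script, added here as an illustration and not Microsoft's code, applies the same two filters as the portal to an exported audit log, tallies the ConditionalAccessResult, AppliedPolicies and ReportingPolicies values, and pairs each evaluation with a later Remediate user entry by correlation ID, so that evaluations that required MFA but were never remediated (the lockout case the Important note above warns about) stand out. The sample records are constructed and modelled on the Microsoft Graph directoryAudit shape (category, activityDisplayName, correlationId, targetResources, additionalDetails as key/value pairs); the result strings, policy names and the assumption that policy lists are comma separated are illustrative, not captured data.

```python
"""Triage of Azure AD B2C Conditional Access audit entries. Added
illustration, not Microsoft's code; sample records are constructed."""
import json
from collections import Counter
from typing import Dict, List

# Constructed sample export modelled on the Graph directoryAudit shape.
# Result strings and policy names are illustrative.
SAMPLE_AUDIT_LOG = json.dumps([
    {"id": "a1", "category": "B2C", "correlationId": "c-1",
     "activityDisplayName": "Evaluate conditional access policies",
     "targetResources": [{"type": "IdentityProtection"}],
     "additionalDetails": [
         {"key": "ConditionalAccessResult", "value": "Block"},
         {"key": "AppliedPolicies", "value": "Block risky sign-in"},
         {"key": "ReportingPolicies", "value": ""}]},
    {"id": "a2", "category": "B2C", "correlationId": "c-2",
     "activityDisplayName": "Evaluate conditional access policies",
     "targetResources": [{"type": "IdentityProtection"}],
     "additionalDetails": [
         {"key": "ConditionalAccessResult", "value": "RequireMfa"},
         {"key": "AppliedPolicies", "value": "MFA from unknown locations"},
         {"key": "ReportingPolicies", "value": ""}]},
    {"id": "a3", "category": "B2C", "correlationId": "c-2",
     "activityDisplayName": "Remediate user",
     "targetResources": [{"type": "IdentityProtection"}],
     "additionalDetails": []},
    {"id": "a4", "category": "B2C", "correlationId": "c-3",
     "activityDisplayName": "Evaluate conditional access policies",
     "targetResources": [{"type": "IdentityProtection"}],
     "additionalDetails": [
         {"key": "ConditionalAccessResult", "value": "RequireMfa"},
         {"key": "AppliedPolicies", "value": "MFA from unknown locations"},
         {"key": "ReportingPolicies", "value": ""}]},
    {"id": "a5", "category": "B2C", "correlationId": "c-4",
     "activityDisplayName": "Evaluate conditional access policies",
     "targetResources": [{"type": "IdentityProtection"}],
     "additionalDetails": [
         {"key": "ConditionalAccessResult", "value": "Grant"},
         {"key": "AppliedPolicies", "value": ""},
         {"key": "ReportingPolicies", "value": "Block compromised users"}]},
    {"id": "a6", "category": "UserManagement", "correlationId": "c-5",
     "activityDisplayName": "Update user",
     "targetResources": [{"type": "User"}], "additionalDetails": []},
])

EVALUATE = "Evaluate conditional access policies"
REMEDIATE = "Remediate user"

def load_ca_events(raw_json: str) -> List[dict]:
    """Same filter as the portal: Category = B2C and
    Activity Resource Type = IdentityProtection."""
    return [r for r in json.loads(raw_json)
            if r.get("category") == "B2C"
            and any(t.get("type") == "IdentityProtection"
                    for t in r.get("targetResources", []))]

def details(record: dict) -> Dict[str, str]:
    """Flatten the Additional Details key/value pairs into a dict."""
    return {d["key"]: d["value"] for d in record.get("additionalDetails", [])}

def _split(value: str) -> List[str]:
    # Assumed comma-separated policy list; an empty string means none.
    return [p.strip() for p in value.split(",") if p.strip()]

def summarize(records: List[dict]) -> dict:
    results, applied, reporting = Counter(), Counter(), Counter()
    remediated = {r["correlationId"] for r in records
                  if r["activityDisplayName"] == REMEDIATE}
    mfa_required = []
    for r in records:
        if r["activityDisplayName"] != EVALUATE:
            continue
        d = details(r)
        results[d.get("ConditionalAccessResult", "")] += 1
        applied.update(_split(d.get("AppliedPolicies", "")))
        reporting.update(_split(d.get("ReportingPolicies", "")))
        if d.get("ConditionalAccessResult") == "RequireMfa":
            mfa_required.append(r["correlationId"])
    return {
        "results": dict(results),
        "applied_policies": dict(applied),
        # Hits on report-only policies: what would have been enforced.
        "reporting_only_hits": dict(reporting),
        # MFA was required but no Remediate user entry followed: the user
        # abandoned the challenge or had no phone number enrolled.
        "unremediated_mfa": [c for c in mfa_required if c not in remediated],
    }

if __name__ == "__main__":
    print(json.dumps(summarize(load_ca_events(SAMPLE_AUDIT_LOG)), indent=2))
```

Run against a real export, the reporting_only_hits counts tell you what a report-only policy would have done before you switch it to On, and a growing unremediated_mfa list is the signal to check MFA enrollment before enforcing a Require multi-factor authentication grant.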

Next steps

Customize the user interface in an Azure AD B2C user flow