Developer notes for Azure Active Directory B2C

Azure Active Directory B2C user flows and custom policies are generally available. Azure AD B2C capabilities are under continual development, so although most features are generally available, some features are at different stages in the software release cycle. This article discusses cumulative improvements in Azure AD B2C and specifies feature availability.

Terms for features in public preview

  • We encourage you to use public preview features for evaluation purposes only.
  • Service level agreements (SLAs) don't apply to public preview features.
  • Support requests for public preview features can be submitted through regular support channels.

User flows

Feature User flow Custom policy Notes
Sign-up and sign-in with email and password. GA GA
Sign-up and sign-in with username and password. GA GA
Profile editing flow GA GA
Self-Service password reset GA GA
Force password reset GA NA
Phone sign-up and sign-in GA GA
Conditional Access and Identity Protection GA GA Not available for SAML applications

OAuth 2.0 application authorization flows

The following table summarizes the OAuth 2.0 and OpenId Connect application authentication flows that can be integrated with Azure AD B2C.

Feature User flow Custom policy Notes
Authorization code GA GA Allows users to sign in to web applications. The web application receives an authorization code. The authorization code is redeemed to acquire a token to call web APIs.
Authorization code with PKCE GA GA Allows users to sign in to mobile and single-page applications. The application receives an authorization code using proof key for code exchange (PKCE). The authorization code is redeemed to acquire a token to call web APIs.
Client credentials grant GA GA Allows access web-hosted resources by using the identity of an application. Commonly used for server-to-server interactions that must run in the background, without immediate interaction with a user.

To use this feature in an Azure AD B2C tenant, use the Azure AD endpoint of your Azure AD B2C tenant. For more information, see OAuth 2.0 client credentials flow. This flow doesn't use your Azure AD B2C user flow or custom policy settings.
Device authorization grant NA NA Allows users to sign in to input-constrained devices such as a smart TV, IoT device, or printer.
Implicit flow GA GA Allows users to sign in to single-page applications. The app gets tokens directly without performing a back-end server credential exchange.
On-behalf-of NA NA An application invokes a service or web API, which in turn needs to call another service or web API.

For the middle-tier service to make authenticated requests to the downstream service, pass a client credential token in the authorization header. Optionally, you can include a custom header with the Azure AD B2C user's token.
OpenId Connect GA GA OpenID Connect introduces the concept of an ID token, which is a security token that allows the client to verify the identity of the user.
OpenId Connect hybrid flow GA GA Allows a web application retrieve the ID token on the authorize request along with an authorization code.
Resource owner password credentials (ROPC) Preview Preview Allows a mobile application to sign in the user by directly handling their password.

OAuth 2.0 options

Feature User flow Custom policy Notes
Redirect sign-in to a social provider GA GA Query string parameter domain_hint.
Prepopulate the sign-in name GA GA Query string parameter login_hint.
Insert JSON into user journey via client_assertion NA Deprecated
Insert JSON into user journey as id_token_hint NA GA
Pass identity provider token to the application Preview Preview For example, from Facebook to app.

SAML2 application authentication flows

The following table summarizes the Security Assertion Markup Language (SAML) application authentication flows that can be integrated with Azure AD B2C.

Feature User flow Custom policy Notes
SP initiated NA GA POST and Redirect bindings.
IDP initiated NA GA Where the initiating identity provider is Azure AD B2C.

User experience customization

Feature User flow Custom policy Notes
Multi-language support GA GA
Custom email verification NA GA
Customize the user interface with built-in templates GA GA
Customize the user interface with custom templates GA GA By using HTML templates.
Page layout version GA GA
JavaScript GA GA
Embedded sign-in experience NA Preview By using the inline frame element <iframe>.
Password complexity GA GA
Disable email verification GA GA Not recommended for production environments. Disabling email verification in the sign-up process may lead to spam.

Identity providers

Feature User flow Custom policy Notes
AD FS NA GA
Amazon GA GA
Apple Preview Preview
Azure AD (Single-tenant) GA GA
Azure AD (Multi-tenant) NA GA
Azure AD B2C GA GA
eBay NA Preview
Facebook GA GA
GitHub GA GA
Google GA GA
ID.me GA GA
LinkedIn GA GA
Microsoft Account GA GA
QQ Preview GA
Salesforce GA GA
Salesforce (SAML protocol) NA GA
Twitter GA GA
WeChat Preview GA
Weibo Preview GA

Generic identity providers

Feature User flow Custom policy Notes
OAuth2 NA GA For example, Google, GitHub, and Facebook.
OAuth1 NA GA For example, Twitter.
OpenID Connect GA GA For example, Azure AD.
SAML2 NA GA For example, Salesforce and [AD-FS].(identity-provider-adfs.md)
WSFED NA NA

API connectors

Feature User flow Custom policy Notes
API connectors Preview GA
Secure with basic authentication Preview GA
Secure with client certificate authentication Preview GA
Secure with OAuth2 bearer authentication NA GA
Secure API key authentication NA GA

Custom policy features

Session management

Feature Custom policy Notes
Default SSO session provider GA
External login session provider GA
SAML SSO session provider GA
OAuth SSO Session Provider GA
Single sign-out Preview

Components

Feature Custom policy Notes
Phone factor authentication GA
Azure AD MFA authentication Preview
One-time password GA
Azure Active Directory as local directory GA
Predicate validations GA For example, password complexity.
Display controls GA

Developer interface

Feature Custom policy Notes
Azure portal GA
Application Insights user journey logs Preview Used for troubleshooting during development.
Application Insights event logs Preview Used to monitor user flows in production.

Responsibilities of custom policy feature-set developers

Manual policy configuration grants lower-level access to the underlying platform of Azure AD B2C and results in the creation of a unique, trust framework. The many possible permutations of custom identity providers, trust relationships, integrations with external services, and step-by-step workflows require a methodical approach to design and configuration.

Developers consuming the custom policy feature set should adhere to the following guidelines:

  • Become familiar with the configuration language of the custom policies and key/secrets management. For more information, see TrustFrameworkPolicy.
  • Take ownership of scenarios and custom integrations. Document your work and inform your live site organization.
  • Perform methodical scenario testing.
  • Follow software development and staging best practices. A minimum of one development and testing environment is recommended.
  • Stay informed about new developments from the identity providers and services you integrate with. For example, keep track of changes in secrets and of scheduled and unscheduled changes to the service.
  • Set up active monitoring, and monitor the responsiveness of production environments. For more information about integrating with Application Insights, see Azure Active Directory B2C: Collecting Logs.
  • Keep contact email addresses current in the Azure subscription, and stay responsive to the Microsoft live-site team emails.
  • Take timely action when advised to do so by the Microsoft live-site team.

Next steps