using an Android application in Azure Active Directory B2C

The Microsoft identity platform uses open standards such as OAuth2 and OpenID Connect. These standards allow you to use any library you wish to integrate with Azure Active Directory B2C. To help you use other libraries, you can use a walkthrough like this one, which demonstrates how to configure third-party libraries to connect to the Microsoft identity platform. Most libraries that implement the RFC 6749 OAuth2 specification can connect to the Microsoft identity platform.


Microsoft does not provide fixes for third-party libraries and has not reviewed those libraries. This sample uses a third-party library called AppAuth that has been tested for compatibility in basic scenarios with Azure AD B2C. Issues and feature requests should be directed to the library's open-source project. Please see this article for more information.

If you're new to OAuth2 or OpenID Connect, much of this sample configuration may not make much sense to you. We recommend you look at a brief overview of the protocol we've documented here.

Get an Azure AD B2C directory

Before you can use Azure AD B2C, you must create a directory, or tenant. A directory is a container for all of your users, apps, groups, and more. If you don't have one already, create a B2C directory before you continue.

Create an application

Next, register an application in your Azure AD B2C tenant. This gives Azure AD the information it needs to communicate securely with your app.

To register an application in your Azure AD B2C tenant, you can use our new unified App registrations experience or our legacy Applications (Legacy) experience. Learn more about the new experience.

  1. Sign in to the Azure portal.
  2. Select the Directory + subscription filter in the top menu, and then select the directory that contains your Azure AD B2C tenant.
  3. In the left menu, select Azure AD B2C. Or, select All services and search for and select Azure AD B2C.
  4. Select App registrations, and then select New registration.
  5. Enter a Name for the application. For example, nativeapp1.
  6. Under Supported account types, select Accounts in any organizational directory or any identity provider.
  7. Under Redirect URI, use the drop-down to select Public client/native (mobile & desktop).
  8. Enter a redirect URI with a unique scheme. For example, com.onmicrosoft.contosob2c.exampleapp://oauth/redirect. There are important considerations when choosing a redirect URI:
    • Development: For development use, you can set the redirect URI to http://localhost and Azure AD B2C will respect any port in the request. If the registered URI contains a port, Azure AD B2C will use that port only. For example, if the registered redirect URI is http://localhost, the redirect URI in the request can be http://localhost:<randomport>. If the registered redirect URI is http://localhost:8080, the redirect URI in the request must be http://localhost:8080.
    • Unique: The scheme of the redirect URI must be unique for every application. In the example com.onmicrosoft.contosob2c.exampleapp://oauth/redirect, com.onmicrosoft.contosob2c.exampleapp is the scheme. This pattern should be followed. If two applications share the same scheme, the user is given a choice to choose an application. If the user chooses incorrectly, the sign-in fails.
    • Complete: The redirect URI must have both a scheme and a path. The path must contain at least one forward slash after the domain. For example, //oauth/ works while //oauth fails. Don't include special characters in the URI, for example, underscores.
  9. Under Permissions, select the Grant admin consent to openid and offline_access permissions check box.
  10. Select Register.

Record the Application (client) ID for use in a later step.

Also record your custom redirect URI for use in a later step. For example, com.onmicrosoft.contosob2c.exampleapp://oauth/redirect.
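The redirect URI rules above can be checked before the URI is registered or shipped in the app. The following is an added example, not part of the original walkthrough or of Microsoft's sample; the class and method names are hypothetical, and the sample inputs are constructed from the page's example URI.

```java
import java.net.URI;
import java.util.regex.Pattern;

public class RedirectUriCheck {
    // Letters, digits, dots and hyphens only; the page advises against
    // special characters such as underscores.
    private static final Pattern SAFE = Pattern.compile("[A-Za-z0-9.-]+");

    /** "Unique" and "Complete" rules for a custom-scheme redirect URI. */
    static boolean isValidCustomUri(String redirect, String expectedScheme) {
        URI u;
        try {
            u = URI.create(redirect);
        } catch (IllegalArgumentException e) {
            return false; // e.g. an underscore in the scheme is not parseable
        }
        String scheme = u.getScheme(), host = u.getHost(), path = u.getRawPath();
        // getHost() is null when the authority holds characters such as '_'.
        if (scheme == null || host == null || path == null) return false;
        // One scheme per application, so it must be the one this app owns.
        if (!scheme.equalsIgnoreCase(expectedScheme)) return false;
        // A slash must follow the domain: //oauth/ passes, //oauth fails.
        if (!path.startsWith("/")) return false;
        return SAFE.matcher(scheme).matches() && SAFE.matcher(host).matches()
                && path.indexOf('_') < 0;
    }

    /** Localhost port rule: a registered port pins the request port. */
    static boolean localhostMatches(String registered, String requested) {
        URI reg = URI.create(registered), req = URI.create(requested);
        boolean bothLocal = "http".equals(reg.getScheme()) && "http".equals(req.getScheme())
                && "localhost".equals(reg.getHost()) && "localhost".equals(req.getHost());
        return bothLocal && (reg.getPort() == -1 || reg.getPort() == req.getPort());
    }

    public static void main(String[] args) {
        String scheme = "com.onmicrosoft.contosob2c.exampleapp"; // from the page
        // Constructed inputs: the page's example plus variants that break a rule.
        String[] samples = { scheme + "://oauth/redirect", scheme + "://oauth/",
                scheme + "://oauth", scheme + "://o_auth/redirect", "other.app://oauth/redirect" };
        for (String s : samples)
            System.out.println(s + " -> " + isValidCustomUri(s, scheme));
        System.out.println(localhostMatches("http://localhost", "http://localhost:51234"));
        System.out.println(localhostMatches("http://localhost:8080", "http://localhost:51234"));
    }
}
```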

Create your user flows

In Azure AD B2C, every user experience is defined by a user flow, which is a set of policies that control the behavior of Azure AD. This application requires a sign-in and sign-up user flow. When you create the user flow, be sure to:

  • Choose the Display name as a sign-up attribute in your user flow.
  • Choose the Display name and Object ID application claims in every user flow. You can choose other claims as well.
  • Copy the Name of each user flow after you create it. It should have the prefix b2c_1_. You'll need the user flow name later.

After you have created your user flows, you're ready to build your app.

Download the sample code

We have provided a working sample that uses AppAuth with Azure AD B2C on GitHub. You can download the code and run it. You can quickly get started with your own app using your own Azure AD B2C configuration by following the instructions in the

The sample is a modification of the sample provided by AppAuth. Please visit their page to learn more about AppAuth and its features.

Modifying your app to use Azure AD B2C with AppAuth


AppAuth supports Android API 16 (Jellybean) and above. We recommend using API 23 and above.


You can configure communication with Azure AD B2C by either specifying the discovery URI or by specifying both the authorization endpoint and token endpoint URIs. In either case, you will need the following information:

  • Tenant ID (e.g.
  • User flow name (e.g. B2C_1_SignUpIn)

If you choose to automatically discover the authorization and token endpoint URIs, you will need to fetch information from the discovery URI. The discovery URI can be generated by replacing the <tenant-id> and the <policy-name> in the following URL:

String mDiscoveryURI = "https://<tenant-name>.b2clogin.com/<tenant-id>/<policy-name>/v2.0/.well-known/openid-configuration";

You can then acquire the authorization and token endpoint URIs and create an AuthorizationServiceConfiguration object by running the following:

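// Classes below come from net.openid.appauth.
final Uri discoveryUri = Uri.parse(mDiscoveryURI);

// mDiscoveryURI is the full discovery document URL, so use fetchFromUrl;
// fetchFromIssuer would append /.well-known/openid-configuration again.
AuthorizationServiceConfiguration.fetchFromUrl(
    discoveryUri,
    new AuthorizationServiceConfiguration.RetrieveConfigurationCallback() {
      @Override public void onFetchConfigurationCompleted(
          @Nullable AuthorizationServiceConfiguration serviceConfiguration,
          @Nullable AuthorizationException ex) {
        if (ex != null) {
            Log.w(TAG, "Failed to retrieve configuration for " + discoveryUri, ex);
        } else {
            // service configuration retrieved, proceed to authorization...
        }
      }
    });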

Instead of using discovery to obtain the authorization and token endpoint URIs, you can also specify them explicitly by replacing the <tenant-id> and the <policy-name> in the URLs below:

String mAuthEndpoint = "https://<tenant-name>.b2clogin.com/<tenant-id>/<policy-name>/oauth2/v2.0/authorize";

String mTokenEndpoint = "https://<tenant-name>.b2clogin.com/<tenant-id>/<policy-name>/oauth2/v2.0/token";

Run the following code to create your AuthorizationServiceConfiguration object:

// The constructor takes the two endpoints as Uri objects.
AuthorizationServiceConfiguration config =
        new AuthorizationServiceConfiguration(
                Uri.parse(mAuthEndpoint), Uri.parse(mTokenEndpoint));

// perform the auth request...


After configuring or retrieving an authorization service configuration, an authorization request can be constructed. To create the request, you will need the following information:

  • Client ID (APPLICATION ID) that you recorded earlier. For example, 00000000-0000-0000-0000-000000000000.
  • Custom Redirect URI that you recorded earlier. For example, com.onmicrosoft.contosob2c.exampleapp://oauth/redirect.

Both items should have been saved when you were registering your app.

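AuthorizationRequest req = new AuthorizationRequest.Builder(
        config, clientId, ResponseTypeValues.CODE, redirectUri).build(); // clientId: String, redirectUri: Uri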

Please refer to the AppAuth guide on how to complete the rest of the process. If you need to quickly get started with a working app, check out our sample. Follow the steps in the to enter your own Azure AD B2C configuration.
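For orientation, the remaining steps (sending the authorization request, receiving the redirect, and exchanging the code for tokens) look roughly like this with AppAuth for Android. This is an added example, not code from Microsoft's sample or the AppAuth project; the class B2cSignIn, its method names and the resultActivity parameter are hypothetical, and the scope string reuses the openid and offline_access permissions granted during registration.

```java
import android.app.Activity;
import android.app.PendingIntent;
import android.content.Intent;
import android.net.Uri;
import android.os.Build;
import android.util.Log;
import net.openid.appauth.*;

/** Hypothetical helper; class, method and parameter names are illustrative. */
public final class B2cSignIn {
    private static final String TAG = "B2cSignIn";

    /** Step 1: send the user to the B2C user flow in a browser tab. */
    public static void start(Activity activity, AuthorizationService service,
                             AuthorizationServiceConfiguration config,
                             String clientId, Uri redirectUri,
                             Class<? extends Activity> resultActivity) {
        AuthorizationRequest req = new AuthorizationRequest.Builder(
                config, clientId, ResponseTypeValues.CODE, redirectUri)
                .setScope("openid offline_access") // permissions granted at registration
                .build(); // AppAuth adds state and a PKCE challenge by default
        // Android 12+ requires an explicit mutability flag on PendingIntents.
        int flags = Build.VERSION.SDK_INT >= 31 ? PendingIntent.FLAG_MUTABLE : 0;
        PendingIntent done = PendingIntent.getActivity(
                activity, 0, new Intent(activity, resultActivity), flags);
        service.performAuthorizationRequest(req, done);
    }

    /** Step 2: call from resultActivity.onCreate() with getIntent(). */
    public static void finish(Intent intent, AuthorizationService service,
                              AuthState state) {
        AuthorizationResponse resp = AuthorizationResponse.fromIntent(intent);
        AuthorizationException ex = AuthorizationException.fromIntent(intent);
        state.update(resp, ex);
        if (resp == null) {
            Log.w(TAG, "Authorization failed", ex);
            return;
        }
        // Exchange the authorization code (with its PKCE verifier) for tokens.
        service.performTokenRequest(resp.createTokenExchangeRequest(),
                (tokenResp, tokenEx) -> {
                    state.update(tokenResp, tokenEx);
                    if (tokenResp == null) {
                        Log.w(TAG, "Token exchange failed", tokenEx);
                    }
                    // Keep tokens in AuthState; do not write them to the log.
                });
    }
}
```

The activity passed as resultActivity receives the redirect only if the app's manifest registers the custom redirect scheme for AppAuth's redirect receiver, as described in the AppAuth guide.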