Azure AD B2C provider settings for portals

Azure Active Directory (Azure AD) powers Office 365 and Dynamics 365 services for employee or internal authentication. Azure Active Directory B2C is an extension to that authentication model that enables external customer sign-ins through local credentials and federation with various common social identity providers.

A portal owner can configure the portal to accept Azure AD B2C as an identity provider. Azure AD B2C supports Open ID Connect for federation.

In the process of configuring Azure AD B2C as an identity provider for your portal, multiple values are generated that you will use later while you configure the portal. You can note these values in the following table. While configuring the portal, replace the variable name with the values you note here.

Variable Name Value Description
Application-Name Name of the application that represents the portal as a relying party
Application-ID The Application ID associated with the application created in Azure Active Directory B2C.
Issuer-URL The Issuer (iss) URL defined in the metadata endpoint.
Federation-Name A unique name to identify the type of federation provider such as 'B2C'. This will be used in Site Setting names to group configuration settings for this specific provider.

Use Azure AD B2C as an identity provider for your portal

  1. Sign in to your Azure portal.

  2. Create an Azure AD B2C tenant.

  3. Select Azure AD B2C on the leftmost navigation bar.

  4. Create Azure application.


    You must choose Yes for the Allow implicit flow field and specify your portal URL in the Reply URL field. The value in the Reply URL field should be in the format [portal domain]/signin-[Federation-Name]. For example,

  5. Copy the application name, and enter it as the value of Application-Name in the preceding table.

  6. Copy the application (client) ID, and enter it as the value of Application-ID in the preceding table.

  7. Create a sign-up or sign-in policy.

  8. Navigate to Azure AD B2C resource.

  9. Select User flows under Policies.

  10. Choose the newly created Sign up and sign in policy.

  11. From Settings list, select Properties

  12. Under Token compatability settings, from the Issuer (iss) claim list, select the URL that has /tfp in its path.

  13. Save the policy.

  14. Select the URL in the Metadata endpoint for this policy field.

  15. Copy the value of the issuer field and enter it as the value of Issuer-URL in the preceding table.

Portal configuration

After creating and configuring the B2C tenant in Azure, you must configure your portal to federate with Azure AD B2C by using the Open ID Connect protocol. You must create a unique name for your federation to Azure AD B2C—for example, B2C—and store it as the value of the Federation-Name variable in the above table.

Configure your portal

  1. Open the Portal Management app.

  2. Go to Portals > Websites.

  3. Select the website record for which Azure AD B2C needs to be enabled.

  4. Go to Site Settings.

  5. Create the following site settings:

    • Name: Authentication/OpenIdConnect/[Federation-Name]/Authority

      Value: [Issuer-URL]

    • Name: Authentication/OpenIdConnect/[Federation-Name]/ClientId

      Value: [Application-ID]

    • Name: Authentication/OpenIdConnect/[Federation-Name]/RedirectUri

      Value: [portal domain]/signin-[Federation-Name]

      For example,

  6. To support a federated sign-out, create the following site setting:

    • Name: Authentication/OpenIdConnect/[Federation-Name]/ExternalLogoutEnabled

      Value: true

  7. To hardcode your portal to a single identity provider, create the following site setting:

    • Name: Authentication/Registration/LoginButtonAuthenticationType

      Value: [Issuer-URL]

  8. To support password reset, create the required site settings described here.

  9. To support claims mapping, create the required site settings described here.

For a complete list of related site settings, see here.

Password reset

The following site settings are required if you want to support password reset with Azure AD B2C local accounts:

Site Setting Description
Authentication/OpenIdConnect/[Federation-Name/PasswordResetPolicyId ID of the password reset policy.
Authentication/OpenIdConnect/[Federation-Name]/ValidIssuers A comma-delimited list of issuers that includes the [Issuer-URL] and the issuer of the password reset policy.
Authentication/OpenIdConnect/[Federation-Name]/DefaultPolicyId ID of the sign-in or sign-up policy.

You can create or configure the following site settings in portals to support Azure AD B2C as an identity provider:

Site Setting Description
Authentication/Registration/ProfileRedirectEnabled Specifies whether the portal can redirect users to the profile page after successful sign-in. By default, it is set to true.
Authentication/Registration/EmailConfirmationEnabled Specifies whether email validation is required. By default, it is set to true.
Authentication/Registration/LocalLoginEnabled Specifies whether local sign-in is required. By default, it is set to true.
Authentication/Registration/ExternalLoginEnabled Enables or disables external authentication.
Authentication/Registration/AzureADLoginEnabled Enables or disables Azure AD as an external identity provider. By default, it is set to true.
Authentication/OpenIdConnect/[Federation-Name]/ExternalLogoutEnabled Enables or disables federated sign-out. When set to true, users are redirected to the federated sign-out user experience when they sign out from the portal. When set to false, users are signed out from the portal only. By default, it is set to false.
Authentication/LoginTrackingEnabled (Deprecated) Enables or disables tracking the user's last sign-in. When set to true, the date and time are displayed in the Last Successful Sign-in field on the contact record. By default, this is set to false. Login tracking is deprecated. For more information, go to Login tracking FAQ.
Authentication/OpenIdConnect/[Federation-Name]/RegistrationEnabled Enables or disables the registration requirement for the existing identity provider. When set to true, registration is enabled for the existing provider only if the site setting Authentication/Registration/Enabled is also set to true. By default, it is set to true.
Authentication/OpenIdConnect/[Federation-Name]/PostLogoutRedirectUri Specifies the URL within the portal to redirect to after a user signs out.

If registration is disabled for a user after the user has redeemed an invitation, display a message by using the following content snippet:

Name: Account/Register/RegistrationDisabledMessage

Value: Registration has been disabled.

Customize the Azure AD B2C user interface

Azure AD B2C supports user interface customization. You can customize the user experience for sign-up and sign-in scenarios.

Step 1: Create a web template

Create a web template by using the following values:

Name: Azure AD B2C Custom Page

Source: Use the following sample web template source HTML.

<!DOCTYPE html>
<html lang=en-US>
    <meta charset=utf-8>
    <meta name=viewport content=width=device-width, initial-scale=1.0>
    <meta http-equiv=X-UA-Compatible content=IE=edge>
      {{ page.title | h }}
                        <link href={{ request.url | base }}/bootstrap.min.css rel=stylesheet>
                        <link href={{ request.url | base }}/theme.css rel=stylesheet>
                          .page-heading {
            padding-top: 20px;
      .page-copy {
            margin-bottom: 40px;
      .highlightError {
        border: 1px solid #cb2027!important;
        background-color: #fce8e8!important;
      .attrEntry .error.itemLevel {
        display: none;
        color: #cb2027;
        font-size: .9em;
      .error {
        color: #cb2027;
      .entry {
        padding-top: 8px;
        padding-bottom: 0!important;
      .entry-item {
        margin-bottom: 20px;
      .intro {
        display: inline;
        margin-bottom: 5px;
      .pageLevel {
          width: 293px;
          text-align: center;
          margin-top: 5px;
          padding: 5px;
          font-size: 1.1em;
          height: auto;
      #panel, .pageLevel, .panel li, label {
          display: block;
      #forgotPassword {
          font-size: .75em;
          padding-left: 5px;
      #createAccount {
          margin-left: 5px;
      .working {
          display: none;
          background: url(data:image/gif;base64,R0lGODlhbgAKAPMAALy6vNze3PTy9MTCxOTm5Pz6/Ly+vNTS1Pz+/�N0Jp6BUJ9EBIISAQAh+QQJCQAKACxRAAIABgAGAAAEE1ClYU4RIIMTdCaegVCfRASCEgEAOw==) no-repeat;
          height: 10px;
          width: auto;
      .divider {
        margin-top: 20px;
        margin-bottom: 10px;
      .divider h2 {
        display: table;
        white-space: nowrap;
        font-size: 1em;
        font-weight: 700;
      .buttons {
        margin-top: 10px;
      button {
            border:1px solid #FFF;
            transition:background 1s ease 0s;
            padding:0 2px

      button:hover {
            border:1px solid #3079ed;
            -moz-box-shadow:0 0 0;
            -webkit-box-shadow:0 0 0;
            box-shadow:0 0 0
      .password-label label {
        display: inline-block;
        vertical-align: baseline;
      img {
      .divider {
      .divider h2 {
      .divider h2:after,.divider h2:before {
            border-top:1px solid #B8B8B8;
      .divider h2:before {
      .divider h2:after {
      .verificationErrorText {
      .options div {
      .accountButton,.accountButton:hover {
      .accountButton {
            border:1px solid #FFF;
            transition:background-color 1s ease 0s;
      .accountButton:hover {
            border:1px solid #FFF;
            -moz-box-shadow:0 0 0;
            -webkit-box-shadow:0 0 0;
            box-shadow:0 0 0
      .accountButton:focus {
            outline:gold solid 1px
      #MicrosoftAccountExchange {
      #MicrosoftAccountExchange:hover {
      #GoogleExchange {
      #GoogleExchange:hover {
      #TwitterExchange {
      #TwitterExchange:hover {
      #FacebookExchange {
      #FacebookExchange:hover {
      #LinkedInExchange {
      #LinkedInExchange:hover {
      #AmazonExchange {

      #next {
            border:1px solid #FFF;
            transition:background 1s ease 0s;
      #next:hover {
            border:1px solid #FFF;
            box-shadow:0 0 0
      #next:hover,.accountButton:hover {
            -moz-box-shadow:0 0 0;
            -webkit-box-shadow:0 0 0;
            box-shadow:0 0 0;
    <div class=navbar navbar-inverse navbar-static-top role=navigation>
      <div class=container>
        <div class=navbar-header>
          <div class=visible-xs-block>
            {{ snippets[Mobile Header] }}
          <div class=visible-sm-block visible-md-block visible-lg-block navbar-brand>
            {{ snippets[Navbar Left] }}
    <div class=container>
      <div class=page-heading>
        <ul class=breadcrumb>
            <a href={{ request.url | base }} title=Home>Home</a>
          <li class=active>{{ page.title | h}}</li>
        {% include 'Page Header' %}
     <div class=row>
      <div class=col-md-12>
        {% include 'Page Copy' %}
        <div id=api></div>
    <footer role=contentinfo>
      <div class=footer-top hidden-print>
        <div class=container>
          <div class=row>
            <div class=col-md-6 col-sm-12 col-xs-12 text-left>
               {{ snippets[About Footer] }}
            <div class=col-md-6 col-sm-12 col-xs-12 text-right>
              <ul class=list-social-links>
                <li><a href=#><span class=sprite sprite-facebook_icon></span></a></li>
                <li><a href=#><span class=sprite sprite-twitter_icon></span></a></li>
                <li><a href=#><span class=sprite sprite-email_icon></span></a></li>
      <div class=footer-bottom hidden-print>
        <div class=container>
          <div class=row>
            <div class=col-md-4 col-sm-12 col-xs-12 text-left>
               {{ snippets[Footer] | liquid }}
            <div class=col-md-8 col-sm-12 col-xs-12 text-left >

Step 2: Create a page template

Create the following page template:

  • Name: Azure AD B2C Custom Page
  • Type: Web Template
  • Web Template: Azure AD B2C Custom Page
  • Use Website Header and Footer: Clear this check box

Step 3: Create a webpage

Create the following webpage:

  • Name: Sign-in
  • Parent Page: Home
  • Partial Url: azure-ad-b2c-sign-in
  • Page Template: Azure AD B2C Custom Page
  • Publishing State: Published

Step 4: Create site settings

Site settings are required to configure cross-origin resource sharing (CORS) to allow Azure AD B2C to request the custom page and inject the sign-in or sign-up user interface. Create the following site settings.

Name Value
HTTP/Access-Control-Allow-Methods GET, OPTIONS

For a complete list of other CORS settings, see CORS protocol support.

Step 5: Azure configuration

  1. Sign in to your Azure portal.
  2. Navigate to the Azure AD B2C Tenant Management blade.
  3. Navigate to Settings > Sign-up or sign-in policies. A list of available policies is displayed.
  4. Select the policy you want to edit.
  5. Select Edit.
  6. Select Edit policy > Page UI customization > Unified sign-up or sign-in page
  7. Set Use custom page to Yes.
  8. Set Custom page URI to the URL of the Azure AD B2C Custom Page webpage created in step 3 of this procedure. For example,
  9. Select OK.

Claims mapping

When users sign in, either for the first time or subsequently, the federated identity provider provides claims based on its database regarding the users' signing in. These claims are configurable in the identity provider.

Azure AD B2C email claims

Azure AD B2C sends the email claim as a collection. The portal accepts the first email provided in the collection as the primary email address of the contact.

Claims to support sign-up scenarios

When a new customer who does not exist in Common Data Service is provisioned, the inbound claims can be used to seed the new contact record that the portal will create. Common claims can include first and last name, email address, and phone number, but they are configurable. The following site setting is required:

Name: Authentication/OpenIdConnect/[Federation-Name]/RegistrationClaimsMapping

Description: List of logical name/claim pairs to be used to map claim values to attributes in the contact record created during registration.

Format: attribute1=claim1,attribute2=claim2,attribute3=claim3

For example: firstname=,lastname=,jobtitle=jobTitle


Ensure that you map the email address to the primary email (emailaddress1) of the contact. If you have added secondary email (emailaddress2) or alternate email (emailaddress3) to the contact record and mapped it to the email, identity information will not be added to the contact and a new one will be created with the email address used for registration set in the primary email (emailaddress1).

Claims to support sign-in scenarios

The data in Common Data Service and in the identity provider are not directly linked, so the data might get out of sync. The portal should have a list of claims that you want to accept from any sign-in event to update in Common Data Service. These claims can be a subset of, or equal to, the claims coming in from a sign-in scenario. This must be configured separately from sign-in claims mapping, because you might not want to overwrite some key portal attributes. The following site setting is required:

Name: Authentication/OpenIdConnect/[Federation-Name]/LoginClaimsMapping

Description: List of logical name/claim pairs to be used to map claim values to attributes in the contact record created after sign-in.

Format: attribute1=claim1, attribute2=claim2, attribute3=claim3

For example: firstname=,lastname=,jobtitle=jobTitle

The claim name is the CLAIM TYPE field listed next to the attribute in the sign-in policies Application claims.

Allow auto-association to a contact record based on email

Customers who have contact records with emails associated then launch a website where their external users will sign in with Azure AD B2C through an email validation mechanism. The new sign-in should be associated with the existing contact record instead of creating a duplicate record. This functionality only successfully maps a contact that does not have an active identity, and the email address must be unique (not related to multiple contact records). The following site settings are required:

Name: Authentication/[Protocol]/[Provider]/AllowContactMappingWithEmail

Description: Specifies whether contacts are mapped to a corresponding email. When set to true, this setting associates a unique contact record with a matching email address, and then automatically assigns the external identity provider to the contact after the user has successfully signed in. By default, it is set to false.

Name: Authentication/UserManager/UserValidator/RequireUniqueEmail

Description: Specifies whether a unique email address is needed for validating the user. When an existing contact email address is used to sign-in, the setting must be set to false. By default, it is set to true that may cause sign-in attempts to fail for contact records with email address already present.