Configure the Azure Active Directory B2C provider manually

Note

• Effective October 2022, Power Apps portals is Power Pages.
• This topic applies to legacy capabilities. For latest information, go to Microsoft Power Pages documentation.

This article describes how to configure Azure AD B2C as the identity provider manually. Use these steps to manually create a new Azure AD B2C tenant, register the application, and configure user flows.

Note

• If you want to configure the Azure AD B2C provider automatically by using Power Apps portals, go to Configure Azure AD B2C provider.
• Changes to the authentication settings might take a few minutes to be reflected on the portal. If you want the changes to be reflected immediately, restart the portal by using portal actions.

To configure Azure Active Directory B2C as the OpenID Connect provider manually

1. Select Configure for Azure Active Directory B2C. More information: Configure a provider

   

2. If necessary, update the name.

3. Select Skip to manual configuration.

   

   Note

   Selecting Next instead of Skip to manual configuration takes you to configure the Azure AD B2C authentication by using the Power Apps portals interface.

4. In this step, you create the application and configure the settings with your identity provider.

   

   1. Sign in to your Azure portal.

   2. Create a Azure AD B2C tenant.

   3. Register an application in your tenant.

      1. Search for and select Azure Active Directory B2C.

      2. Under Manage, select App registrations.

      3. Select New registration.

         

      4. Enter a name.

      5. Under Redirect URI, select Web (if it isn't selected already).

      6. In the Redirect URI text box, enter the Reply URL for your portal.
         Example: https://contoso-portal.powerappsportals.com/signin-aad-b2c_1

         Note

         If you're using the default portal URL, copy and paste the Reply URL as shown in the Create and configure B2C tenant in Azure section on the Configure identity provider screen (step 4 above). If you're using a custom domain name for the portal, enter the custom URL. Be sure to use this value when you configure the Redirect URL in your portal settings while configuring the Azure AD B2C provider.
         For example, if you enter the Reply URL in Azure portal as https://contoso-portal.powerappsportals.com/signin-aad-b2c_1, you must use it as-is for the Azure AD B2C configuration in portals.

         

      7. Select Register.

      8. On the left pane, under Manage, select Authentication.

         

      9. Under Implicit grant, select the Access tokens (used for implicit flows) check box.

      10. Select Save.

   4. Create a sign-up and sign-in user flow. Optionally, you can create a password reset user flow.

   5. Configure token compatibility by using an Issuer (iss) claim URL that includes tfp. More information: Token compatibility

      

5. In this step, you enter site settings and password reset settings for the portal configuration.

   

   1. In the Configure site settings section, enter the following values:

      • Authority: Enter the issuer URL defined in the metadata of the sign-up and sign-in policy user flow.​
        To get the issuer URL

        1. Open the sign-up and sign-in user flow you created earlier. For this step, you need to go to the Azure AD B2C tenant on the Azure portal.

           

        2. Select Run user flow.

           

        3. Select the OpenID configuration URL to open in a new browser window or tab.

           

           The URL refers to the OpenID Connect identity provider configuration document, also known as the OpenID well-known configuration endpoint.

        4. Copy the URL of the Issuer from the new browser window or tab.

           

           Ensure that you copy only the URL, without the quotation marks ("").
           For example, https://contosoorg.b2clogin.com/tfp/799f7b50-f7b9-49ec-ba78-67eb67210998/b2c_1_contoso/v2.0/

           Tip

           Ensure that the Issuer (iss) claim URL includes tfp.

      • Client ID​: Enter the Application ID of the Azure AD B2C application you created earlier.

      • Redirect URI: Enter the portal URL.
        You only need to change the redirect URI if you're using a custom domain name.

   2. In the Password reset settingssection, enter the following values:

      • Default policy ID: Enter the name of the sign-up and sign-in user flow you created earlier. The name is prefixed with B2C_1.

      • Password reset policy ID: Enter the name of the password reset user flow you created earlier. The name is prefixed with B2C_1.

      • Valid issuers: Enter a comma-delimited list of issuer URLs for the sign-up and sign-in user flow, and password reset user flow, you created earlier.
        To get the issuer URLs for the sign-up and sign-in user flow, and the password reset user flow, open each flow and then follow the steps under Authority, in step 5a earlier in this article.

6. In this step, you have the option of configuring additional settings for the Azure AD B2C identity provider.

   

   • Registration claims mapping​: Not required if using email, first name, or last name attributes. For additional attributes, enter a list of logical name/claim pairs to be used to map claim values returned from Azure AD B2C (created during sign-up) to attributes in the contact record.
     Format: field_logical_name=jwt_attribute_name, where field_logical_name is the logical name of the field in portals and jwt_attribute_name is the attribute with the value returned from the identity provider.
     For example, if you've enabled Job Title (jobTitle) and Postal Code (postalCode) as User Attributes in your user flow, and you want to update the corresponding Contact table fields Job Title (jobtitle) and Address 1: ZIP / Postal Code (address1_postalcode), enter the claims mapping as jobtitle=jobTitle,address1_postalcode=postalCode.

   • Login claims mapping: Not required if using email, first name, or last name attributes. For additional attributes, enter a list of logical name/claim pairs to be used to map claim values returned from Azure AD B2C after sign-in to the attributes in the contact record.
     Format: field_logical_name=jwt_attribute_name where field_logical_name is the logical name of the field in portals, and jwt_attribute_name is the attribute with the value returned from the identity provider.
     For example, if you've enabled Job Title (jobTitle) and Postal Code (postalCode) as Application Claims in your user flow, and you want to update the corresponding Contact table fields Job Title (jobtitle) and Address 1: ZIP / Postal Code (address1_postalcode), enter the claims mapping as jobtitle=jobTitle,address1_postalcode=postalCode.

   • External logout: Choose whether to enable or disable federated sign-out:

     • Select On to redirect users to the federated sign-out user experience when they sign out from the portal.
     • Select Off to simply sign users out from the portal.

   • Contact mapping with email: Specify whether contacts are mapped to a corresponding email. Turn on this toggle to associate a unique contact record with a matching email address and then automatically assign the external identity provider to the contact after the user successfully signs in.

   • Registration enabled:- Turn open registration for your portal on or off. Turning off this toggle disables and hides external account registration.

7. Select Confirm to view a summary of your settings and complete the identity provider configuration.

See also

Migrate identity providers to Azure AD B2C