Azure AD B2C - User Flows

This guide shows you how to configure a User Flow Policy in Azure AD B2C. After you have done this, you may configure Azure AD B2C OpenID Connect.

 

Azure AD B2C user flows and user policies may be complex. We cannot possibly cover all the options here, but will show some examples on what to configure.
It is recommended to use a standardized “User flow” if you can (see , but it’s possible for special requirement to configure custom policies (see https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-overview ).

 

Setting up a User Flow

 

1. New user flow

Navigate to Azure AD B2C > User flows, and select “New User flow”. Choose “Sign in” or “Sign up and sign in”.

 

Select the recommended flow.

2. Set up user flow

Give your user flow an appropriate name, choose what MFA policy you like, and select user attributes and claims. Select email addresses, given name, surname, display name and User’s Object ID to ensure that enough user data is provided to identify the user.

 

3. Configure and change claims

After your new flow has been created, select it and go to Application claims to verify that all the claims were selected. Here, make sure that email addresses, Given name, suname, display name and User’s Object ID are selected.

Custom policy

By default, a B2C user flow will not send the email attribute with the userinfo endpoint, or any data in the userinfo endpoint. To do this, you will have to configure a custom user policy. This requires some work.

First follow this guide to make your tenant ready to accept custom policies: https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy. The most essential step here is to clone the starter pack:

 

git clone https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack

In all of the files in the SocialAndLocalAccounts directory, replace the string yourtenant with the name of your Azure AD B2C tenant, so for our example, we hit a find-and-replace with yourtenant to kantegassob2c.

https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy

By default the email parameter is not added as claim to user response in Azure AD B2C.

Then you follow this guide to: https://docs.microsoft.com/en-us/azure/active-directory-b2c/configure-user-input?pivots=b2c-custom-policy .

Add the email claim as an <OutputClaim> in the SignUpOrSigning policy file under SocialAndLocalAccounts:

Then you will in this starter pack be able to configure a profile for the userinfo endpoint. This Microsoft guide explains in more detail how to configure a userinfo endpoint: https://learn.microsoft.com/en-us/azure/active-directory-b2c/userinfo-endpoint?pivots=b2c-custom-policy


Uploading the custom policy

After you have configured the custom policy, navigate to the overview page of Azure AD B2C. Select Identity Experience Framework in the left menu.

Under Identity Experience Framework, click the “Upload custom policy” button, and choose the SignUpOrSigning policy configured in the prevous steps.

 

You might encounter issues uploading the custom policy. If so, this automated tool helps you deploy the starterpack: https://b2ciefsetupapp.azurewebsites.net. Read more about custom policies in Microsoft’s guide:

Azure Active Directory B2C custom policy overview