This policy checks to see if the client id in the OpenID Connect authorization request is on an "allowed list" of applications ID's. If yes, the flow allows users to sign-in or sign-up. Otherwise a block page will be returned with a customizable error message.
To compare a sign-in with a blocked app and allowed app, follow these steps:
- Sign-up or sign-in with the B2C_1A_Demo_SignUp_SignIn_AppAllowList policy. The sign-up or sign-in link specifies the
client_idquery string parameter with2396ff18-2394-4d3b-8c7b-06e38f77d4b0. This app (client ID) is not listed in the allow list. So, the authorization requested will be blocked. - Sign-up or sign-in again with the B2C_1A_Demo_SignUp_SignIn_AppAllowList policy. This sign-up or sign-in link specifies the
client_idtocfaf887b-a9db-4b44-ac47-5efff4e2902c. This client ID is listed in the allow list. It allows you to complete the sign-up or sign-in process.
Key components of this B2C custom policy:
- User journey steps 1 and 2 checks if the calling application client id is allowed, and will block sign-in sign-up if not allowed.
- A block page that simply shows the "you cannot access this application" message to the user - the message can be customized.
- Use of a technical profile "checkIfAppIsAllowed" that collects the incoming client Id (using a claims resolver
{OIDC:ClientId}), and calls a claims transformation type LookUpValue, and returns true or false if the client Id is on the allow list.
To implement this use case follow the following steps;
- Ensure you have followed the "Get Started with custom policies" steps within the Microsoft documentation site.
- Change the references in the Policy from "yourtenant.onmicrosoft.com" to the name of your B2C Tenant.
- Update the ClaimsTransformation with Id="isAppAllowed" to reflect your list of allowed client id's. For more information about B2C claims transformations Microsoft Azure AD B2C Claims Transformation documentation.
- Upload and run your policy.
Use Stack Overflow to get support from the community. Ask your questions on Stack Overflow first and browse existing issues to see if someone has asked your question before. Make sure that your questions or comments are tagged with [azure-ad-b2c]. If you find a bug in the sample, please raise the issue on GitHub Issues. To provide product feedback, visit the Azure Active Directory B2C Feedback page.
This sample policy is based on SocialAndLocalAccountsWithMFA starter pack However any of the starter pack policies should work for this. All changes are marked with Sample: comment inside the policy XML files. Make the necessary changes in the Sample action required sections.