- Visual Studio Code. Recommendation: Set File->Auto Save to On in Visual Studio Code
- B2C Extensions
- An xml handling extension, e.g. Red Hat Xml
- (Optionally) make sure your VSCode settings.json file includes the following xml file association
"xml.fileAssociations": [
{
"pattern": "**.xml",
"systemId": "https://raw.githubusercontent.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/master/TrustFrameworkPolicy_0.3.0.0.xsd"
}
],
- PowerShell 7.x
- IefPolicies, documentation
- SAML2 test ServiceProvider. Register an app in your B2C with this apps issuer id and rely url
If you have access to Github codespaces, copy the devcontainer folder into the root of your project. This codespace is configured as per above section.
- Register a web app (Token Viewer) with reply url https://oidcdebugger.com/debug; allow return of the access and id token in the Authentication tab
- Create a user (Users->New user->Create user) with B2C's upn, e.g. someuser@myb2c.onmicrosoft.com - useful for experiemnting with MS Graph through the Graph Explorer.
- Using Invite user to add your corporate users who will manage B2C development. Give them Global Admin privilege (or other needed for their functions in B2C).
- Use B2C Setup tool to initialize B2C for IEF use.
- Open VSCode
- Select Terminal->New Terminal
- Ensure your PowerShell terminal is using PS 7.x ($host.Version)
- Create a new folder and change to it (e.g. mkdir myProject; cd myProject)
- Enter New-IefPolicies
- Select a starter pack, e.g. SL (Social and local accounts)
- Enter Connect-IefPolicies <your b2c name; onmicrosoft.com not needed>
- Followe displayed instructions to sign in
- Enter Import-IefPolicies
- The downloaded starter pack will be modified for use in your B2C and uploaded (you can see the modified files in the ./debug folder)
- Use https://portal.azure.com B2C menus to execute your policies
- Repeating import-iefpolicies will upload policies modified since the last import and any policies depending on it, e.g. modifying the TrustFrameworkBase.xml policy will result in import of all policies since they are all based on that file.
Name | Description |
---|---|
AllInOne | Allow profile edit during signin or password reset |
AppRoles | Support for application roles using standard AAD features |
Batch migration | Batch user creation with email to reset pwd using login_hint |
B2CSendOTPWithO365 | Send email OTP using O365 |
CallGraph | Call a Graph API |
ChangeEmail | Change signin email address of an exisiting user |
CheckEmail | Prevents users from signing up or in using emails with specific email domains |
Choose 2nd FA | User can choose whether to use enail OTP, phone OTP/sms/call or MS Authenticator TOTP |
ConditionalAccess | Prevents users from signing up or in using emails with specific email domains |
ContinueOnOTPVerified | UI continues to new password screen as soon as OTP is verified. Continue button is not used. |
Claims encryption | Supports encryption/decryption of claims in a token |
Custom, persisted attribute | Modifies starter pack to add support for a new, persisted custom user attribute |
Custom token refresh | Uses REST function to validate token expiry time |
EmailOrUserId | Allow users to signup with both an email and a user id and user either to signin later on |
EmailOrPhoneMFA | Allows local users to use either their email or phone for 2nd FA |
Email OTP with reCaptch V3 | Supports signin with just OTP to user email (no pwd). Uses Google reCaptcha |
Embedded pwd reset | Journeys embedding pwd reset functionality as user selectable option |
HRD | Redirects user to configured IdP (AAD or other) if user's email domain is supported by a configured IdP |
IdTokenSelfHint | Allows long-running native apps to initiate profile edit without needing to re-authenticate user |
Invite | Create/use an invitation link using client_assertion request |
JIT Migrate | Migrate users using an API to verify their legacy passwords |
MultiTenant | Supports use of a single B2C tenant to support a muli-tenant SaaS application |
PromptForToAAD | Passes whatever prompt parameter was used with B2C to a federated AAD. |
RefreshToken | Rejects refresh token exchange if user requested its revocation |
SamlIdP | Invite B2C users as B2B users in an Azure AD |
Step up MFA | Require MFA even if recently executed |
TOTP | Add Authenticator/TOTP |
UseUserInfoforEmailClaim | Invite B2C users as B2B users in an Azure AD |
Date | Change |
---|---|
Sep 2021 | New: Federate B2C as IdP for AAD (Direct Federation) |
Sep 2021 | New: JIT Migration |
Sep 2021 | Change: Simplified Invitation sample |
Oct 2021 | Change: Added PS script to assign group to app role in B2C (AppRoles sample) |
Oct 2021 | Change: Invitation sample supports local-only or federated-only accounts |
Oct 2021 | New: Conditional Access |
Nov 2021 | New: Persisted custom attribute |
Dec 2021 | New: Optionally, allow profile edit during signin |
Dec 2021 | Change: Multitenant sample now uses a new SPA app and updated policies and REST functions |
Feb 2022 | New: Use AAD userinfo endpoint to get user's email address (in case AAD does not return it in the id_token) |
Feb 2022 | New: Claims encryption |
Mar 2022 | New: Step up MFA |
Mar 2022 | Fixed: Refresh token |
Jun 2022 | New: batch migration |
Nov 2022 | New: user choice of 2nd FA |
Mar 2023 | New: call Graph |
Jun 2023 | New: embedded pwd reset |
Use DisplayCntrols starter pack and the following override:
<DisplayControl Id="emailVerificationControl2" UserInterfaceControlType="VerificationControl">
<Actions>
<Action Id="SendCode">
<ValidationClaimsExchange>
<ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId="AAD-UserReadUsingEmailAddress" />
</ValidationClaimsExchange>
</Action>
</Actions>
</DisplayControl>