Developer notes for Azure Active Directory B2C
Azure Active Directory B2C user flows and custom policies are generally available. Azure AD B2C capabilities are under continual development, so although most features are generally available, some features are at different stages in the software release cycle. This article discusses cumulative improvements in Azure AD B2C and specifies feature availability.
Terms for features in public preview
- We encourage you to use public preview features for evaluation purposes only.
- Service level agreements (SLAs) don't apply to public preview features.
- Support requests for public preview features can be submitted through regular support channels.
Feature availability
Feature | User flow | Custom policy | User flow in China | Custom policy in China | Notes |
---|---|---|---|---|---|
Sign-up and sign-in with email and password. | GA | GA | GA | GA | |
Sign-up and sign-in with username and password. | GA | GA | GA | GA | |
Profile editing flow | GA | GA | GA | GA | |
Self-Service password reset | GA | GA | GA | GA | |
Force password reset | GA | GA | NA | GA | |
Phone sign-up and sign-in | GA | GA | NA | GA | |
Smart lockout | GA | GA | NA | NA | |
Conditional Access | GA | GA | NA | Limited availability | Not available for SAML applications. |
Identity Protection | GA | GA | NA | NA | |
CAPTCHA | Preview | Preview | NA | NA | You can enable it during sign-up or sign-in for local accounts. |
OAuth 2.0 application authorization flows
The following table summarizes the OAuth 2.0 and OpenId Connect application authentication flows that can be integrated with Azure AD B2C.
Feature | User flow | Custom policy | Notes |
---|---|---|---|
Authorization code | GA | GA | Allows users to sign in to web applications. The web application receives an authorization code. The authorization code is redeemed to acquire a token to call web APIs. |
Authorization code with PKCE | GA | GA | Allows users to sign in to mobile and single-page applications. The application receives an authorization code using proof key for code exchange (PKCE). The authorization code is redeemed to acquire a token to call web APIs. |
Client credentials flow | Preview | Preview | Allows access to web-hosted resources by using the identity of an application. Commonly used for server-to-server interactions that must run in the background, without immediate interaction with a user. |
Device authorization grant | NA | NA | Allows users to sign in to input-constrained devices such as a smart TV, IoT device, or printer. |
Implicit flow | GA | GA | Allows users to sign in to single-page applications. The app gets tokens directly without performing a back-end server credential exchange. Note: The recommended flow for supporting SPAs is OAuth 2.0 Authorization code flow (with PKCE). |
On-behalf-of | NA | NA | An application invokes a service or web API, which in turn needs to call another service or web API. For the middle-tier service to make authenticated requests to the downstream service, pass a client credential token in the authorization header. Optionally, you can include a custom header with the Azure AD B2C user's token. |
OpenId Connect | GA | GA | OpenID Connect introduces the concept of an ID token, which is a security token that allows the client to verify the identity of the user. |
OpenId Connect hybrid flow | GA | GA | Allows a web application to retrieve the ID token on the authorize request along with an authorization code. |
Resource owner password credentials (ROPC) | GA | GA | Allows a mobile application to sign in the user by directly handling their password. Because the application collects and forwards the user's credentials itself, prefer a redirect-based flow (authorization code with PKCE) wherever the application can use one. |
Sign-out | GA | GA | |
Single sign-out | NA | Preview | |
OAuth 2.0 options
Feature | User flow | Custom policy | Notes |
---|---|---|---|
Redirect sign-in to a social provider | GA | GA | Query string parameter domain_hint. |
Prepopulate the sign-in name | GA | GA | Query string parameter login_hint. |
Insert JSON into user journey via client_assertion | NA | Deprecated | |
Insert JSON into user journey as id_token_hint | NA | GA | |
Pass identity provider token to the application | Preview | Preview | |
Keep me signed in (KMSI) | GA | GA | |
SAML2 application authentication flows
The following table summarizes the Security Assertion Markup Language (SAML) application authentication flows that can be integrated with Azure AD B2C.
Feature | User flow | Custom policy | Notes |
---|---|---|---|
SP initiated | NA | GA | POST and Redirect bindings. |
IDP initiated | NA | GA | Where the initiating identity provider is Azure AD B2C. |
User experience customization
Feature | User flow | Custom policy | Notes |
---|---|---|---|
Multi-language support | GA | GA | Available in China cloud, but only for custom policies. |
Customize the user interface with built-in templates | GA | GA | |
Customize the user interface with custom templates | GA | GA | By using HTML templates. |
Page layout version | GA | GA | Available in China cloud, but only for custom policies. |
JavaScript | GA | GA | Available in China cloud, but only for custom policies. |
Password complexity | GA | GA | Available in China cloud, but only for custom policies. |
Disable email verification | GA | GA | Not recommended for production environments. Disabling email verification in the sign-up process lets anyone create accounts with email addresses they don't control, which may lead to spam. |
Identity providers
Feature | User flow | Custom policy | Notes |
---|---|---|---|
AD FS | NA | GA | |
Apple | GA | GA | Available in China cloud, but only for custom policies. |
Microsoft Entra ID (Single-tenant) | GA | GA | |
Microsoft Entra ID (multitenant) | NA | GA | |
Azure AD B2C | GA | GA | |
eBay | NA | Preview | |
GitHub | Preview | GA | |
ID.me | GA | GA | |
Preview | GA | ||
Salesforce | GA | GA | |
Salesforce (SAML protocol) | NA | GA | |
Preview | GA | Available in China cloud, but only for custom policies. | |
Preview | GA |
Generic identity providers
Feature | User flow | Custom policy | Notes |
---|---|---|---|
OAuth2 | NA | GA | |
OAuth1 | NA | GA | |
OpenID Connect | GA | GA | For example, Microsoft Entra ID. |
SAML2 | NA | GA | For example, Salesforce and AD FS. |
WSFED | NA | NA | |
Custom policy features
Session management
Feature | Custom policy | Notes |
---|---|---|
Default SSO session provider | GA | Available in China cloud, but only for custom policies. |
External login session provider | GA | Available in China cloud, but only for custom policies. |
SAML SSO session provider | GA | Available in China cloud, but only for custom policies. |
OAuth SSO Session Provider | GA | Available in China cloud, but only for custom policies. |
Components
Feature | Custom policy | Notes |
---|---|---|
Phone factor authentication | GA | Available in China cloud, but only for custom policies. |
Microsoft Entra multifactor authentication | GA | |
One-time password | GA | |
Microsoft Entra ID as local directory | GA | |
Predicate validations | GA | For example, password complexity. |
Display controls | GA | |
Sub journeys | GA | |
Developer interface
Feature | Custom policy | Notes |
---|---|---|
Azure portal | GA | |
Application Insights user journey logs | Preview | Used for troubleshooting during development. |
Application Insights event logs | Preview | Used to monitor user flows and custom policies in production. |
Responsibilities of custom policy feature-set developers
Manual policy configuration grants lower-level access to the underlying platform of Azure AD B2C and results in the creation of a unique trust framework. The many possible permutations of custom identity providers, trust relationships, integrations with external services, and step-by-step workflows require a methodical approach to design and configuration.
Developers consuming the custom policy feature set should adhere to the following guidelines:
- Become familiar with the configuration language of the custom policies and key/secrets management. For more information, see TrustFrameworkPolicy.
- Take ownership of scenarios and custom integrations. Document your work and inform your live-site organization.
- Perform methodical scenario testing.
- Follow software development and staging best practices. A minimum of one development and testing environment is recommended.
- Stay informed about new developments from the identity providers and services you integrate with. For example, keep track of changes in secrets and of scheduled and unscheduled changes to the service.
- Set up active monitoring, and monitor the responsiveness of production environments. For more information about integrating with Application Insights, see Azure Active Directory B2C: Collecting Logs.
- Keep contact email addresses current in the Azure subscription, and stay responsive to the Microsoft live-site team emails.
- Take timely action when advised to do so by the Microsoft live-site team.
Next steps
- Check the Microsoft Graph operations available for Azure AD B2C.
- Learn more about custom policies and the differences with user flows.