Azure AD B2C: Frequently asked questions (FAQ)

This page answers frequently asked questions about the Azure Active Directory B2C (Azure AD B2C). Keep checking back for updates.

Microsoft Entra External ID preview

What is Microsoft Entra External ID?

We have released our next generation Microsoft Entra External ID product which combines powerful solutions for working with people outside of your organization. With External ID capabilities, you can allow external identities to securely access your apps and resources. Whether you’re working with external partners, consumers, or business customers, users can bring their own identities. These identities can range from corporate or government-issued accounts to social identity providers. For more information, see Introduction to Microsoft Entra External ID

How does this preview affect me?

No action is required on your part at this time. We remain fully committed to supporting your current Azure AD B2C solution. There are no requirements for Azure AD B2C customers to migrate at this time and no plans to discontinue the current Azure AD B2C service.

General

Why can't I access the Azure AD B2C extension in the Azure portal?

There are two common reasons for why the Microsoft Entra extension isn't working for you. Azure AD B2C requires your user role in the directory to be a global administrator. Contact your administrator if you think you should have access. If you have global administrator privileges, make sure that you are in an Azure AD B2C directory and not a Microsoft Entra directory. You can see instructions for creating an Azure AD B2C tenant.

Can I use Azure AD B2C features in my existing, employee-based Microsoft Entra tenant?

Microsoft Entra ID and Azure AD B2C are separate product offerings. To use Azure AD B2C features, create a separate Azure AD B2C tenant from your existing employee-based Microsoft Entra tenant. A Microsoft Entra tenant represents an organization. An Azure AD B2C tenant represents a collection of identities to be used with relying party applications. By adding New OpenID Connect provider under Azure AD B2C > Identity providers or with custom policies, Azure AD B2C can federate to Microsoft Entra ID allowing authentication of employees in an organization.

What are local accounts in Azure AD B2C? How are they different from work or school accounts in Microsoft Entra ID?

In a Microsoft Entra tenant, users that belong to the tenant sign in with an email address of the form <xyz>@<tenant domain>. The <tenant domain> is one of the verified domains in the tenant or the initial <...>.partner.onmschina.cn domain. This type of account is a work or school account.

In an Azure AD B2C tenant, most apps want the user to sign in with any arbitrary email address (for example, joe@comcast.net, bob@gmail.com, sarah@contoso.com, or jim@live.com). This type of account is a local account. We also support arbitrary user names as local accounts (for example, joe, bob, sarah, or jim). You can choose one of these two local account types when configuring identity providers for Azure AD B2C in the Azure portal. In your Azure AD B2C tenant, select Identity providers, select Local account, and then select Username.

User accounts for applications can be created through a sign-up user flow, sign-up or sign-in user flow, the Microsoft Graph API, or the Azure portal.

How many users can an Azure AD B2C tenant accommodate?

  • By default, each tenant can accommodate a total of 1.25 million objects (user accounts and applications), but you can increase this limit to 5.25 million objects when you add and verify a custom domain. If you want to increase this limit, please contact Microsoft Support. However, if you created your tenant before September 2022, this limit doesn't affect you, and your tenant will retain the size allocated to it at creation, that's, 50 million objects.

Which social identity providers do you support now? Which ones do you plan to support in the future?

We currently support several social identity providers including GitHub (preview), QQ (preview), WeChat (preview), and Weibo (preview). We evaluate adding support for other popular social identity providers based on customer demand.

Azure AD B2C also supports custom policies. Custom policies allow you to create your own policy for any identity provider that supports OpenID Connect or SAML. Get started with custom policies by checking out our custom policy starter pack.

I'm using ADFS as an identity provider in Azure AD B2C. When I try to initiate a sign-out request from Azure AD B2C, ADFS shows the error *MSIS7084: SAML logout request and logout response messages must be signed when using SAML HTTP Redirect or HTTP POST binding*. How do I resolve this issue?

On the ADFS server, run: Set-AdfsProperties -SignedSamlRequestsRequired $true. This will force Azure AD B2C to sign all requests to ADFS.

Does my application have to be run on Azure for it to work with Azure AD B2C?

No, you can host your application anywhere (in the cloud or on-premises). All it needs to interact with Azure AD B2C is the ability to send and receive HTTP requests on publicly accessible endpoints.

I have multiple Azure AD B2C tenants. How can I manage them on the Azure portal?

Before opening Azure AD B2C service in the Azure portal, you must switch to the directory you want to manage. Select the Settings icon in the top menu to switch to the directory you want to manage from the Directories + subscriptions menu.

Why am I unable to create an Azure AD B2C tenant?

You might not have permission to create an Azure AD B2C tenant. Only users with Global administrator or Tenant Creator roles can create the tenant. You need to contact your Global administrator.

How do I customize verification emails (the content and the "From:" field) sent by Azure AD B2C?

You can use the company branding feature to customize the content of verification emails. Specifically, these two elements of the email can be customized:

  • Banner logo: Shown at the bottom-right.

  • Background color: Shown at the top.

    Screenshot of a customized verification email

The email signature contains the Azure AD B2C tenant's name that you provided when you first created the Azure AD B2C tenant. You can change the name using these instructions:

  1. Sign in to the Azure portal as the Global Administrator.
  2. Open the Microsoft Entra ID blade.
  3. Select the Properties tab.
  4. Change the Name field.
  5. Select Save at the top of the page.

Currently, you can’t change the "From:" field on the email.

Tip

With Azure AD B2C custom policy, you can customize the email Azure AD B2C sends to users, including the "From:" field on the email. The custom email verification requires the use of a third-party email provider like Mailjet or SendGrid.

How can I migrate my existing user names, passwords, and profiles from my database to Azure AD B2C?

You can use the Microsoft Graph API to write your migration tool. See the User migration guide for details.

What password user flow is used for local accounts in Azure AD B2C?

The Azure AD B2C password user flow for local accounts is based on the policy for Microsoft Entra ID. Azure AD B2C's sign-up, sign-up or sign-in and password reset user flows use the "strong" password strength and don't expire any passwords. For more information, see Password policies and restrictions in Microsoft Entra ID.

Can I use Microsoft Entra Connect to migrate consumer identities that are stored on my on-premises Active Directory to Azure AD B2C?

No, Microsoft Entra Connect isn't designed to work with Azure AD B2C. Consider using the Microsoft Graph API for user migration. See the User migration guide for details.

Does Azure AD B2C work with CRM systems such as Microsoft Dynamics?

Integration with Microsoft Dynamics 365 Portal is available. See Configuring Dynamics 365 Portal to use Azure AD B2C for authentication.

Does Azure AD B2C work with SharePoint on-premises 2016 or earlier?

Azure AD B2C isn't meant for the SharePoint external partner-sharing scenario; see Microsoft Entra B2B instead.

Should I use Azure AD B2C or B2B to manage external identities?

Read Compare solutions for External Identities to learn more about applying the appropriate features to your external identity scenarios.

What reporting and auditing features does Azure AD B2C provide? Are they the same as in Microsoft Entra ID P1 or P2?

No, Azure AD B2C doesn't support the same set of reports as Microsoft Entra ID P1 or P2. However, there are many commonalities:

  • Sign-in reports provide a record of each sign-in with reduced details.
  • Audit reports include both admin activity and application activity.
  • Usage reports include the number of users, number of logins, and volume of MFA.

Can I localize the UI of pages served by Azure AD B2C? What languages are supported?

Yes, see language customization. We provide translations for 36 languages, and you can override any string to suit your needs.

How do I delete my Azure AD B2C tenant?

Follow these steps to delete your Azure AD B2C tenant.

You can use our new unified App registrations experience or our legacy Applications (Legacy) experience. Learn more about the new experience.

  1. Sign in to the Azure portal as the Subscription Administrator. Use the same work or school account or the same Microsoft account that you used to sign up for Azure.
  2. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the Settings icon in the portal toolbar.
  3. On the Portal settings | Directories + subscriptions page, find your Azure AD B2C directory in the Directory name list, and then select Switch.
  4. In the left menu, select Azure AD B2C. Or, select All services and search for and select Azure AD B2C.
  5. Delete all User flows (policies) in your Azure AD B2C tenant.
  6. Delete all Identity Providers in your Azure AD B2C tenant.
  7. Select App registrations, then select the All applications tab.
  8. Delete all applications that you registered.
  9. Delete the b2c-extensions-app.
  10. Under Manage, select Users.
  11. Select each user in turn (exclude the Subscription Administrator user you're currently signed in as). Select Delete at the bottom of the page and select Yes when prompted.
  12. Select Microsoft Entra ID on the left-hand menu.
  13. Under Manage, select Properties
  14. Under Access management for Azure resources, select Yes, and then select Save.
  15. Sign out of the Azure portal and then sign back in to refresh your access.
  16. Select Microsoft Entra ID on the left-hand menu.
  17. On the Overview page, select Delete tenant. Follow the on-screen instructions to complete the process.

Can I get Azure AD B2C as part of the Enterprise Mobility Suite?

No, Azure AD B2C is a pay-as-you-go Azure service and isn't part of Enterprise Mobility Suite.

Can I purchase Microsoft Entra ID P1 and Microsoft Entra ID P2 licensing for my Azure AD B2C tenant?

No, Azure AD B2C tenants don't use Microsoft Entra ID P1 or Microsoft Entra ID P2 licensing. Azure AD B2C uses Azure AD B2C Premium P1 or P2 licenses, which are different from Microsoft Entra ID P1 or P2 licenses for a Standard Microsoft Entra tenant. Azure AD B2C tenants natively support some features that are similar to Microsoft Entra ID P1 or P2 features, as explained in Supported Microsoft Entra ID features.

Can I use a group-based assignment for Microsoft Entra Enterprise Applications in my Azure AD B2C tenant?

I am using rolling refresh tokens for my application and I am getting an invalid_grant error on redeeming newly acquired refresh tokens well within their set validity period. Why does this happen?

While determining validity for rolling refresh tokens, B2C will consider the initial login time of the user in the application also to calculate the token validity skew. If the user haven't logged out of the application for a very long time, this skew value will exceed the validity period of the token and hence for security reasons the tokens will be considered as invalid. Hence the error. Inform the user to perform a proper logout and login back into the application and this should reset the skew. This scenario is not applicable if refresh token rolling is set as infinite rolling.

I've revoked the refresh token using Microsoft Graph invalidateAllRefreshTokens, or Microsoft Graph PowerShell, Revoke-MgUserSignInSession. Why is Azure AD B2C still accepting the old refresh token?

In Azure AD B2C, if the time difference between refreshTokensValidFromDateTime and refreshTokenIssuedTime is less than or equal to 5 minutes, the refresh token is still considered valid. However, if the refreshTokenIssuedTime is greater than the refreshTokensValidFromDateTime, then the refresh token is revoked. Follow the following steps to check if the refresh token is valid or revoked:

  1. Retrieve the RefreshToken and the AccessToken by redeeming authorization_code.

  2. Wait for 7 minutes.

  3. Use Microsoft Graph PowerShell cmdlet Revoke-MgUserSignInSession or Microsoft Graph API invalidateAllRefreshTokens to run the RevokeAllRefreshToken command.

  4. Wait for 10 minutes.

  5. Retrieve the RefreshToken again.

Tip

With Azure AD B2C custom policy, you can reduce the above mentioned skew time of 5 minutes (300000 milliseconds) by adjusting the value for InputParameter "TreatAsEqualIfWithinMillseconds" under claim transformation Id "AssertRefreshTokenIssuedLaterThanValidFromDate". This claim transformation can be found in the TrustFrameworkBase.xml file under latest custom policy stater-pack.

I use multiple tabs in a web browser to sign in to multiple applications that I registered in the same Azure AD B2C tenant. When I try to perform a single sign-out, not all of the applications are signed out. Why does this happen?

Currently, Azure AD B2C doesn't support single sign-out for this specific scenario. It's caused by cookie contention as all the applications operate on the same cookie simultaneously.