There’s a good article on id_token_hint on .

I did a post on this.

Basically, you pass information e.g. a username into B2C inside a signed JWT. The JWT is signed by a certificate.

B2C checks the JWT signature by accessing an Azure app service that contains a…

Exceptions and errors in B2C when using custom policies are logged using .

As I have encountered exceptions, I have documented how I have searched for the actual cause.

Note that these are the error messages displayed in the browser.

I will keep adding cases to this post as…

By proofing up, I mean enabling MFA on the user’s login.

I’ve been involved with a number of companies who have gone through this exercise. Every one has had problems. Users don’t read the instructions and get confused. Support has to get involved.

The instructions say:

“Do this on your…

There are a lot of custom policy samples scattered all over the Internet, so I thought I would try and collate them in one place.

Invariably, the links will change and break. Please report these in the comments. Also, please report any others that you think should be added.


PKCE (Proof Key for Code Exchange) is described .

From the official :

“PKCE () is an extension to the to prevent several attacks and to be able to securely perform the OAuth exchange from public clients.”

This is particularly useful for…

There’s a write up on using .NET Core to access the B2C Graph API.

It gives you the following commands:

Command  Description
[1] Get all users (one page)
[2] Get user by object ID
[3] Get…

There is reference code for the SCIM endpoint and a Wiki .

SCIM is a standardized definition of two endpoints — a /Users endpoint and a /Groups endpoint. Using common REST verbs to create, update, and delete objects, and a pre-defined schema for common attributes like group name, username…

Note: This is a PoC that you should use as a guide. The code is not Production ready and you use it at your own risk.

A number of people have asked me if B2C can use another repository for authentication e.g. …

There’s a gotcha with this when you use “ClaimEquals” with B2C custom policies.

Assume you have a claim that you read from B2C e.g. extension_ClaimInB2C and the user types some text into a TextBox e.g. ClaimFromTB and you want to compare the two in a user journey.

Both are defined…

This was a request from a customer and on googling it, I found there was nothing!

This could be because secret Q&A are not very secure and have pretty much been deprecated as a security feature.

But sometimes it’s all you have as an option.

NZ is an agricultural country…

Rory Braybrook

NZ Microsoft Identity dude and MVP. Azure AD/B2C/ADFS/Auth0/identityserver. StackOverflow: Presentations:
