There’s a write up here on using .NET Core to access the B2C Graph API.

It gives you the following commands:

Command  Description
====================
[1] Get all users (one page)
[2] Get user by object ID
[3] Get user by sign-in name
[4] Delete user by object ID
[5] Update user password
[6] Create users (bulk import)
[7] Create user with custom attributes and show result
[8] Get all users (one page) with custom attributes
[help] Show available commands
[exit] Exit the program

All well and good except for option 5, change password.

It gives you a null object error…


There is reference code for the SCIM endpoint here and a Wiki here.

“SCIM is a standardized definition of two endpoints — a /Users endpoint and a /Groups endpoint. Using common REST verbs to create, update, and delete objects, and a pre-defined schema for common attributes like group name, username, first name, last name and email, apps that offer a SCIM 2.0 REST API can reduce or eliminate the pain of working with a proprietary user management API.”

The sample has two projects:


Note: This is a PoC that you should use as a guide. The code is not Production ready and you use it at your own risk.

A number of people have asked me if B2C can use another repository for authentication e.g. a SQL DB so I thought I would have a crack at it using a custom policy.

I’m using an Azure Function to do the authentication. In the real world, this is where you would do the actual authentication but for the purposes of the post, I’m just using canned credentials.

The username can be anything but the…


There’s a gotcha with this when you use “ClaimEquals” with B2C custom policies.

Assume you have a claim that you read from B2C, e.g. extension_ClaimInB2C, and a claim that the user types into a TextBox, e.g. ClaimFromTB, and you want to compare the two in a user journey.

Both are defined as strings.

Assume ClaimInB2C = “aaa” and the user types in “aaa” (so ClaimFromTB = “aaa”).

So the user journey contains something like this:

<Precondition Type="ClaimEquals" ExecuteActionsIf="false">
  <Value>extension_ClaimInB2C</Value>
  <Value>ClaimFromTB</Value>
  <Action>SkipThisOrchestrationStep</Action>
</Precondition>

This will not be equal!!!

<Precondition Type="ClaimEquals" ExecuteActionsIf="false">
  <Value>extension_ClaimInB2C</Value>
  <Value>aaa</Value>
  <Action>SkipThisOrchestrationStep</Action>
</Precondition>

This will be equal!!!

So “canned” values are…


This was a request from a customer and on googling it, I found there was nothing!

This could be because secret Q&A is not very secure and has pretty much been deprecated as a security feature.

But sometimes it’s all you have as an option.

NZ is an agricultural country and agriculture and tourism are its biggest income earners. (Well, tourism not so much at the moment 😢)

So we get lots of seasonal and itinerant workers who go from farm to farm picking fruit, pruning the grape vines or whatever.

Some of them have no email address and don’t…


As most of you know, ADAL is being deprecated.

“Starting June 30th, 2020, we will no longer add new features to ADAL. We’ll continue adding critical security fixes to ADAL until June 30th, 2022. After this date, your apps using ADAL will continue to work, but we recommend upgrading to MSAL to take advantage of the latest features and to stay secure.

Note that your existing apps will continue working without modification. …


Typically you’ll have a RelyingParty (RP) custom policy that inherits from an extension policy that inherits from a base policy.

This is the way the starter pack is built.


Normally, you would login with an email address but you can also login with a username which is essentially any string of characters e.g. “123456”.

In built-in policies, you can configure this on the identity provider, but note that this is tenant-wide.


This endpoint is part of the OAuth2 specification.

The base article is here.

Following the article, I created a Web application as follows:


This is based on this sample.

Note: there are other phone samples in the samples pack.

This sample shows how to sign up and sign in with a phone.

When you SUSI, you select the country from a drop-down list of country codes and then enter the phone number. An OTP is then sent to the phone that you have to enter to confirm that you own the phone.

This is fine in normal use but I have come across two problems in certain scenarios:

  • The country codes in the custom policy are restricted e.g. to the APAC region and…

Rory Braybrook

NZ Microsoft Identity dude and MVP. Azure AD/B2C/ADFS/Auth0/identityserver. StackOverflow: https://bit.ly/2XU4yvJ Presentations: http://bit.ly/334ZPt5
