Azure AD B2C Identity Experience Framework Custom Policy examples for various scenarios.

The sample policies in this repo are developed and managed by the open-source community in GitHub. This policy is not part of Azure AD B2C product and it's not supported under any Microsoft standard support program or service. The policy is provided AS IS without warranty of any kind.

To use these examples in your own AAD B2C tenant, you will need to make the following changes:

1. Follow the guidance to setup the required keys here.

2. Register the required Application Registrations here.

3. Update the login-NonInteractive technical profile in the TrustframeworkExtensions file as noted here.

4. Register an Application Registration to manage any Extension Attributes (schema extensions) within AAD B2C as noted here.

5. Update the AAD-Common technical profile in the TrustFrameworkBase file as noted here.

6. Update the TenantId parameter in all files to match your B2C Tenant, in the format something.onmicrosoft.com.

7. Create an AAD B2C Application Registration. Choose to include a Web API and add https://jwt.ms as a reply url.

8. Upload and Test your policies via the AAD B2C Blade at portal.azure.com as noted here.

• Account Link - A policy which will associate a user who logged in via a federated provider to a pre-created Local Account.

• MFA IP Timeout - A policy which forces the user to do MFA on 3 conditions:

  1. The user has newly signed up.
  2. The user has not done MFA in the last X seconds.
  3. The user is logging in from a different IP than they last logged in from.

• SAML Relying Party - An example set of policies to integrate with a SAML RP.

• Username based journey - For scenarios where you would like users to sign up and sign in with Usernames rather than Emails.

• Email Verification at Sign In - For scenarios where you would like users to validate their email via TOTP on every sign in.

• Return the access token from a Social IdP - For scenarios where you would like users to return the access token from a Social IdP.

• Preventing logon for Social or External IdP Accounts when Disabled in AAD B2C - For scenarios where you would like to prevent logons via Social or External IdPs when the account has been disabled in Azure AD B2C.

Find guidance here to help troubleshoot your policies.

Use the VSCode Extension to help develop your policies here.