This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(185.6, 1%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAL%3C/text%3E%3C/svg%3E)
I'm working on a custom policy for account linking in AAD B2C. I started with the example found here,
https://github.com/azure-ad-b2c/samples/tree/master/policies/account-linkage-unified
Since my sign in/sign up allows ALL Microsoft tenants to sign up, users have different "Identity Issuer" based on what tenant they used. This causes some issues when it comes to account linking.
In the custom policy example the attribute "Identity Issuer" is checked towards a list of valid IdPs. This is not really viable in my case. Is there a way to check if the "Identity Issuer" starts with "https://login.microsoftonline.com/" to match all account with a federated Microsoft Work Account?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Hi @Andreas Lindholm, We noticed your feedback that the answer on this thread was not helpful.
Thank you for taking time to share your feedback. Kindly let us know what we could have done better to improve the answer and make your experience better.
Since @Akshay-MSFT was able to clarify the response in the latest post and update the solution, I request that you would kindly re-take the survey for your experience on this thread.
However, if your issue remains unresolved, please let us know how we can assist. We are here to help you and strive to make your experience better and greatly value your feedback. Looking forward to your reply. Much appreciate your feedback!
Thank your for your time and patience on this. I was able to review this and investigated through the possibility of using i.e., using https://login.microsoftonline.com**/common/v2.0 instead of https://login.microsoftonline.com/<tenantID>/**v2.0 as an alternative.
But found that as common is not going towards any endpoint for response, the auth request would not work. So for any Microsoft Azure AD tenant to be used as issuer tenant ID must be defined https://login.microsoftonline.com**/<tenantID>/**v2.0 however if its a live, hotmail, etc account then "live.com" could be be used.
In addition to my comment with alternative solution above, I would like to thank you for the feedback provided on survey. We found that your recent engagement on this question was rated low.
However, as we are able to share the verified reason in the post, would you be so kind as to re-evaluate your feedback, rate the overall experience by taking the survey again and provide your experience on this thread please?
Thanks,
Akshay Kaushik
OK, so I guess that the answer to my question is, "It doesn't work". Now that you understand my issue. Do I have any other options in order to achieve the same result?
OK, so I guess that the answer to my question is, "It doesn't work". Now that you understand my issue. Do I have any other options in order to achieve the same result?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 20%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Hi @Andreas Lindholm ,
Thanks for reaching out.
I understand you are trying to add Microsoft Identity Provider in your Azure AD B2C to sign in users from any Micrsoft account which you can do by setting https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-microsoft-account?pivots=b2c-custom-policy .
If you are looking to allow sign in users from multiple tenants in Azure AD, then you can use ValidTokenIssuerPrefixes key in the ClaimsProvider element of your custom policy.
<Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000,https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111</Item>
Hope this will help.
Thanks,
Shweta
Please remember to "Accept Answer" if answer helped you.
Hi!
Thanks for the swift answer, but my issue is not in the signup process to allow multiple Azure AD tenants. This is already configured to allow any tenant. My problem lies in the account-linking custom policies.
Using the account linking example (link in initial post), the matching if you can link or unlink your account is done with "facebook.com" or "twitter.com" or any other well known value in the Identity issuer attribute. But in my example I have every single AzureAD tenant in the world, because the Identity issuer is:
https://login.microsoftonline.com/<tenantID>/v2.0
This makes it challenging to use the account linking template. How do I modify this so that I can link/unlink federated Microsoft work or school accounts?
Hello, by default the identityProvider claim for a federated Azure AD account is the iss claim which is unique per Azure AD tenant. In order to be able to use a common isssuer you will need to override the former and set a defaut value for the identityProvider claim. This new constant/static value should be used in the appropiate Azure AD link and unlink technical profiles. Something like this:
<ClaimsProvider>
<Domain>Azure AD</Domain>
<DisplayName>Login using Azure AD</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="AzureAD">
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="AzureAD" AlwaysUseDefaultValue="true" />
</OutputClaims>
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
<TechnicalProfile Id="AzureAD-Unlink">
<Metadata>
<Item Key="ClaimValueOnWhichToEnable">
AzureAD
azured</Item>
</Metadata>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="issuerToUnlink" DefaultValue="AzureAD" AlwaysUseDefaultValue="true" />
<OutputClaim ClaimTypeReferenceId="linkOrUnlink" DefaultValue="unlink" AlwaysUseDefaultValue="true" />
</OutputClaims>
</TechnicalProfile>
<TechnicalProfile Id="AzureAD-Link">
<DisplayName>Link Facebook</DisplayName>
<Metadata>
<Item Key="ClaimTypeOnWhichToEnable">issuers</Item>
<Item Key="ClaimValueOnWhichToEnable">AzureAD</Item>
</Metadata>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="issuerToLink" DefaultValue="AzureAD" AlwaysUseDefaultValue="true" />
<OutputClaim ClaimTypeReferenceId="linkOrUnlink" DefaultValue="link" AlwaysUseDefaultValue="true" />
</OutputClaims>
<OutputClaimsTransformations>
<OutputClaimsTransformation ReferenceId="CreateUserIdentityToLink" />
<OutputClaimsTransformation ReferenceId="AppendUserIdentityToLink" />
</OutputClaimsTransformations>
</TechnicalProfile>
Let us know if you need additional assistance. If the answer was helpful, please accept it and complete the quality survey so that others can find a solution.
Hello @andreaslindholm-5673, do you need more help with this?
Thanks! I will look into it during this week and return!
Hi!
Thanks for the idea and I get the point you're making. But after I've made the recommended changes for the SignIn technical profile I always end up in a sign up state, even if the federated account already exists. I also noticed that if I switch back to setting the identityProvider claim to the iss claim then I don't need to sign up, but the link/unlink view is incorrect :-/
<TechnicalProfile Id="AADCommon-OpenIdConnect-SignIn">
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid"/>
<OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid"/>
<OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name"/>
<OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name"/>
<OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name"/>
<OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true"/>
<OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="AzureAD" AlwaysUseDefaultValue="true" />
<!-- <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss"/> -->
</OutputClaims>
<OutputClaimsTransformations>
<OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
<OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
<OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
<OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId"/>
<!-- <OutputClaimsTransformation ReferenceId="CreateUserIdentity" />
<OutputClaimsTransformation ReferenceId="AppendUserIdentity" /> -->
</OutputClaimsTransformations>
<IncludeTechnicalProfile ReferenceId="AADCommon-OpenIdConnect-Base" />
<UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
</TechnicalProfile>
Can the signup process be triggered in some other way maybe?