Is id_token_hint supported in AzureB2C for authentication

Question

Is id_token_hint supported in AzureB2C for authentication

Matthew Lourie 25

Is the use of an id_token_hint supported in Microsoft Entra ID and if it can be used as a way to integrate an external authenticator.

https://learn.microsoft.com/en-us/azure/active-directory-b2c/id-token-hint

Sanoop M 3,975 Reputation points Microsoft External Staff Moderator

2025-06-04T06:44:12.8033333+00:00
Hello @Matthew Lourie,

Please note that Microsoft Entra ID supports the use of the id_token_hint parameter, particularly in scenarios involving external authentication method (EAM) providers and custom integrations.

Configure a new external authentication provider with Microsoft Entra ID

An application representing the integration is required for EAMs to issue the id_token_hint. The application can be created in two ways:

Created in each tenant that uses the external provider.

Created as one multitenant application. Privileged Role Administrators need to grant consent to enable the integration for their tenant.

Microsoft Entra ID call to the external identity provider

Microsoft Entra ID uses the OIDC implicit flow to communicate with the external identity provider. Using this flow, communication with the provider is done exclusively by using the provider's authorization endpoint. To let the provider know the user for whom Microsoft Entra ID is making the request, Microsoft Entra ID passes a token in through the id_token_hint parameter.

This call is made through a POST request because the list of parameters passed to the provider is large. A large list prevents the use of browsers that limit the length of a GET request.

The Authentication request parameters are listed in the following table.

Default Id_token_hint claims

This section describes the required content of the token passed as id_token_hint in the request made to the provider. The token may contain more claims than in the following table.

To prevent it from being used for anything other than a hint, the token is issued as expired. The token is signed, and can be verified using the published Microsoft Entra ID discovery metadata.

Please refer to the below document which explains about id_token_hint parameter.

Microsoft Entra multifactor authentication external method provider reference (Preview) - Microsoft Entra ID | Microsoft Learn

I hope the above information provided is helpful. Please feel free to reach out to us if you have any further questions.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Matthew Lourie 25 Reputation points

2025-06-04T23:00:58.9366667+00:00

Thanks. My question was about a different use case. The id_token_hint would be issued by an external authenticator and act as proof of an authenticated user. It would be consumed by Azure B2C and validated by a custom policy. I provided a link to the usage of the ID token hint technical profile in my previous question.
Sanoop M 3,975 Reputation points Microsoft External Staff Moderator

2025-06-05T13:20:01.7566667+00:00

Hello @Matthew Lourie,

Thank you for your response.

Yes as per the below mentioned document, you can define an ID token hint technical profile in an Azure Active Directory B2C custom policy by following the steps.

Define an ID token hint technical profile in a custom policy - Azure AD B2C | Microsoft Learn

Could you please let me know in which steps you need clarification or if you have any queries in any of the points mentioned in the above document, please specify it so that I can clarify your queries accordingly.
Sanoop M 3,975 Reputation points Microsoft External Staff Moderator

2025-06-09T07:03:34.2366667+00:00

Hello @Matthew Lourie,

I am following up to check whether if you have any further queries regarding my above posted comment.

Please let me know if you have any additional queries.
Matthew Lourie 25 Reputation points

2025-06-09T23:55:22.36+00:00

The "Define an ID token hint technical profile in a custom policy" documentation describes the use case of using id_token_hint for sign-up with an invite email during initial account creation. We have a different use case — using id_token_hint for external authentication of existing accounts in an Azure AD B2C tenant. Is this use case also supported?

Accepted answer

0 additional answers

Your answer

Matthew Lourie 25 Reputation points

2025-06-04T23:00:58.9366667+00:00

Thanks. My question was about a different use case. The id_token_hint would be issued by an external authenticator and act as proof of an authenticated user. It would be consumed by Azure B2C and validated by a custom policy. I provided a link to the usage of the ID token hint technical profile in my previous question.
Sanoop M 3,975 Reputation points Microsoft External Staff Moderator

2025-06-05T13:20:01.7566667+00:00

Hello @Matthew Lourie,

Thank you for your response.

Yes as per the below mentioned document, you can define an ID token hint technical profile in an Azure Active Directory B2C custom policy by following the steps.

Define an ID token hint technical profile in a custom policy - Azure AD B2C | Microsoft Learn

Could you please let me know in which steps you need clarification or if you have any queries in any of the points mentioned in the above document, please specify it so that I can clarify your queries accordingly.
Sanoop M 3,975 Reputation points Microsoft External Staff Moderator

2025-06-09T07:03:34.2366667+00:00

Hello @Matthew Lourie,

I am following up to check whether if you have any further queries regarding my above posted comment.

Please let me know if you have any additional queries.
Matthew Lourie 25 Reputation points

2025-06-09T23:55:22.36+00:00

The "Define an ID token hint technical profile in a custom policy" documentation describes the use case of using id_token_hint for sign-up with an invite email during initial account creation. We have a different use case — using id_token_hint for external authentication of existing accounts in an Azure AD B2C tenant. Is this use case also supported?

Answer 1

SrideviM 5,620 Microsoft External Staff Moderator

Hello Matthew Lourie,

Yes, the use of id_token_hint for external authentication of existing accounts is supported in Azure AD B2C with custom policies.

While the documentation mostly focuses on sign-up via invitation, the same approach works for signing in existing users. The id_token_hint provided by your external authenticator can be validated by B2C. Claims such as email or user ID can then be extracted from the token to identify the user in the directory.

Once the user is found, B2C will proceed with the sign-in process without requiring any further credentials.

This setup allows you to authenticate users seamlessly using tokens from an external system.

Hope this helps!

If this answers your query, do click Accept Answer and Yes for was this answer helpful, which may help members with similar questions.

User's image

If you have any other questions or are still experiencing issues, feel free to ask in the "comments" section, and I'd be happy to help.

SrideviM 5,620 Reputation points Microsoft External Staff Moderator

2025-06-11T06:01:30.3733333+00:00

Hello Matthew Lourie,

I just wanted to know what you have thought about my suggestions, let me know if I can be of help to you. If this answers your query, do click Accept Answer. And, if you have any further query do let us know
Matthew Lourie 25 Reputation points

2025-06-16T17:24:01.0233333+00:00

Accepted!

Share via

Is id_token_hint supported in AzureB2C for authentication

0 additional answers

Your answer