Conditional Access Not Triggering in Azure AD B2C

Question

Conditional Access Not Triggering in Azure AD B2C

Ray Garg 10

Hi ,

I’ve successfully implemented all my main Azure AD B2C flows for user migration— including custom password reset, MFA with authenticator app (via TOTP), user migration with just-in-time logic, and sign-in / sign-up orchestration. Most core flows are working well.

However, I’ve run into issues with Conditional Access (CA) not triggering as expected.

What I’ve Done So Far

I have incorporated Microsoft’s Azure AD B2C Conditional Access GitHub repo exactly as described.
I understood the README thoroughly and copied all the code (technical profiles, claim types, claims transformations, etc) from TrustFrameworkExtensions_ConditionalAccess.xmlinto my TrustFrameworkExtensions.xml (The one for user migration).
I tested this in my flow by launching sign-in from Tor browser to simulate a risky login scenario — expecting to be blocked or prompted for MFA — but the sign-in proceeded normally without blocking the sign in.
NOTE: The way my current logic is set up, i believe MFA will always be prompted to the user on sign in, im a bit uncertain on how to integrate the conditional access signals to make sure it only gets enforced on risk signals. Setting up Conditional Access for user flows directly through the azure portal is seamless. however when it comes to inetgrating this in custom policies, im unaware of the approach to do so, and all guidance would go a long way here. If its possible to explain how the ConditionalAccesssProtocolProvider is working in the custom policy (the azure provided one, this would go a long way). Also, any explanations of how the logic is working like the specfic profiles of the conditional access logic is always appreciated, i do understand it, but i may always be missing something. ive seen a few mcirosoft documentations, where we can actually write code for condeitional access as well. im not sure if this is standard for azure ad b2c, but if it is, i would very much like to know more details about it.
```
  Thanks for all the help!!  
  
  
  Ray
```

Ray Garg 10 Reputation points

2025-06-06T17:00:59.65+00:00

@SrideviM @Moosa Khan
Ray Garg 10 Reputation points

2025-06-09T18:08:33.8233333+00:00

Hi, is there any status update on this. please its urgent this issue gets ceared up for seamless conditional acess integration.
Ray Garg 10 Reputation points

2025-06-10T19:18:41.2033333+00:00

Hi no one has responded to me, can we please starta. discussion. the full answer may not need be there but i do need guidance aroudn this. is there custom code i also create for codnitional access and then reference that code in the custom policies somehow. i need the guidance.
Ray Garg 10 Reputation points

2025-06-12T18:39:26.1066667+00:00

Are there JSON policies that i write for conditional access? is that how i enforce that type of logic with azure ad b2c?

1 answer

Your answer

Ray Garg 10 Reputation points

2025-06-06T17:00:59.65+00:00

@SrideviM @Moosa Khan
Ray Garg 10 Reputation points

2025-06-09T18:08:33.8233333+00:00

Hi, is there any status update on this. please its urgent this issue gets ceared up for seamless conditional acess integration.
Ray Garg 10 Reputation points

2025-06-10T19:18:41.2033333+00:00

Hi no one has responded to me, can we please starta. discussion. the full answer may not need be there but i do need guidance aroudn this. is there custom code i also create for codnitional access and then reference that code in the custom policies somehow. i need the guidance.
Ray Garg 10 Reputation points

2025-06-12T18:39:26.1066667+00:00

Are there JSON policies that i write for conditional access? is that how i enforce that type of logic with azure ad b2c?

Answer 1

Adiba Khan 1,440 Microsoft External Staff

Thanks for reaching out.

Conditional access enforcement in Azure AD and B2C

the core of your question is about how to enforce the conditional access logic defined in the Azure portal through your B2C custom policies.

**1. **Conditional access policy configuration

first it is crucial to understand that conditional policies configured and managed within the Azure portal (specially, the Microsoft entra admin center) Targeting applications, user groups and the conditions under which excess is controlled.

**2. **Conditional Access protocol provider

the key to integrating this with your custom policies is the conditional access protocol provider that you mentioned.

The technical profile acts as the intermediary. If takes the security signals collected during the B2C usage journey (e.g., IP address, sign in location, user state) and securely communicates with the Microsoft and track conditional access services

the CA services evaluates these signals against your configured CA policies.

The result is a set of claims returned to the B2C policy, indicating whether access should be granted, blocked or if an additional control is required.

**3. **Implementing the logic in custom policies

For CA to trigger, you must ensure your custom policy correctly implements the necessary steps:

send signals to the CA service

you need a text file that calls the conditional access protocol provider within your user journey. You mentioned using the code from the TrustFrameworkExtensions_ConditionalAccess.xml File from the Microsoft entra B2C Conditional access GitHub repo. This file typically contains a technical profile like the following:

claims provider:

conditionalAccessProtocolProvider

protocol: conditionalAccess

Evaluate the result

you must then use the claims transformation or a precondition and a subsequent step of your user journey to check the value of the output claim, such as conditionalAccessResult .

If the result is granted or success the user proceeds.

If the result is mfarequired, you redirect the user to an MFA step

if the result is blocked, you can stop the journey and present an error message.

Troubleshooting your issue

since you mentioned you have to the GitHub sample at the sign in proceeded Normally even with a risky scenario, most common points to check:

1. CA policy scope: Ensure the CA policy in the Microsoft entra admin center is configured to apply to:

the B2C application: the application where the user is signing in must be targeted by the CA policy

all users/targeted users: the user you are testing with must be included in the policy scope.

Conditions: the condition you are testing must be set to the appropriate level (e.g, medium or high)

2. the risk detection: confirm that the sign in is actually being marked as risky by identity protection. Check the sign in report in the Microsoft entra admin center For this specific sign in event to verify the sign in risk is not none.

3. Correct technical profile execution: use application insights to trace the execution of your B2C policy. Verify that the conditional access check technical profile is being executed in the user journey and that is successfully returning a non granted result when using Tor.

I recommended revisiting the output claims of your condition axis check technical profile in your B2C policy to ensure you are correctly feeding the result returned by the service and using it to define your next step.

Please let us know if you require any further assistance we’re happy to help. If you found this information useful, kindly mark this as "Accept Answer".

Ray Garg 35 Reputation points

2025-11-18T16:20:21.4+00:00

Hello @Adiba Khan

This thread is from a long time ago but thank you for your response. the conditional access logic has been added to my extensions file, i know it works, because it blocks sign in from my named location policy that i set in entra conditional access. however the tor sign in was not getting blocked so was a little concerned there.

also, i am wondering if i am missing any capabilities of entra conditional access for azure b2c. are named locations the only limited capability that can be used for b2c? i know the entra conditional access engine is limited to b2c, compared to what signals it provides to entra id. are there ip, bot, or any other protection capabilities that entra conditional access provides that can be integrated with b2c. if that is not possible, is it recommended t create custom security microservices hosted on my own backend in the cloud that can autoscale as needed (maybe an azure function) that i can call myself in different parts of the b2c user journey?

on a side note i am preparing for the b2c to entra external id transition, and would love to know more about how entra conditional access integrates with entra external id as well, and if there are more native signals that work with it compared to the limited signals b2c gets with CA.
Adiba Khan 1,440 Reputation points Microsoft External Staff

2025-11-19T10:09:13.4066667+00:00
Thank you for the update and for confirming that the named locations conditional access logic is working.

Conditional access capabilities and integration

**1.      **Tor Sign-in and Risky Sign-in signals

The fact that Tor sign-in was not blocked despite being a high-risk scenario suggests an issue with how the Sign-in risk condition is being evaluated, not necessarily an issue with your policy execution flow.

CA and sign in Risk: To block a sign in based on high risk (like a sign in malicious IP or Tor) the CA policy must target the “User Risk” or “ Sign-in Risk” condition. This signal is generated by Microsoft Entra ID protection which uses machine learning to detect suspicious activity.

Troubleshooting:

Verify identity protection: Ensure that Microsoft entra id protection is enabled in your tenant. Without it, the “sign-in risk” condition will never be met, and CA policies targeting it will not trigger

Check the sign-ins report: look at the sign-in logs in the Microsoft entra admin center for the specific sign in attempt you made with the Tor browser

Check the conditional access tab in the sign-in details to see it your CA policy was applied.

Check the risk (sign-in) column to see what risk level was assigned to that specific sign in event. If the risk marked as none, your CA policy won’t be enforced.

Policy sensitivity: review your CA policy to ensure it’s configured to block or require MFA for the specific risk level assigned by identity protection.

**2.      **Limited signals for Azure AD b2c vs. Microsoft entra Id

You are correct in your observation: the signals available for conditional access when integrated with Azure AD b2c policies are currently more limited compared to native Microsoft entra id.

The b2c integration primarily relies on signals passed through claims like IP address (for named locations) and the risk level claim (from ID protection). It does not natively support the advanced signals related by client app types in te same way native Entra ID does.

**3.      **Creating custom security microservices

Recommendations: While creating a custom security microservices that you call within the B2C user journey is technically possible (using REST API technical profile), it is generally not recommended as the primary security gate.

Why: this approach introduces complexity adds latency, and shifts the burden of security maintenance and scalability away from the Microsoft Entra platform and onto your team. It also bypasses the unified security monitoring and reporting provided by Microsoft Entra ID protection and CA.

Best Practice: Leverage the native CA features available B2C first. If you have unique requirements not covered by CA, use Azure functions for specialized data lookups or integration with external systems after the core authentication and authorization is handled by Microsoft Entra.

Preparing for B2C to Microsoft Entra external Id

Regarding your preparation for B2C to Microsoft Entra External Id transition, this is a very relevant question.

Integration with Entra external ID

The new platform, Microsoft entra external id is designed to unify the external identities capabilities into the core Microsoft entra product, offering more flexibility and richer features.

Native CA integration: a key benefit of external id is the intent to offer a closer, more ntive integration with core Microsoft entra features, which should include a richer set of Confitional access signals over time, moving beyond the current limitations of the legacy Azure AD B2C platform.

I recommend keeping an eye on the official Microsoft Entra External ID documentation for the latest updates on it GA (General Availability) and CA integration features:

https://learn.microsoft.com/en-us/entra/external-id/

Please let us know if you require any further assistance we’re happy to help. If you found this information useful, kindly mark this as "Accept Answer".
Ray Garg 35 Reputation points

2025-11-20T17:37:13.45+00:00

Thanks let me check on some of these pointers soon and give an update.
Adiba Khan 1,440 Reputation points Microsoft External Staff

2025-11-24T05:24:48.3266667+00:00

"Hope you're doing well. We're following up on the ticket. Please let us know before 27 November whether the issue persists or has been resolved, after that we'll close this thread and If the issue has been resolved, kindly mark the response as answered."
Adiba Khan 1,440 Reputation points Microsoft External Staff

2025-11-26T09:25:48.8333333+00:00

Hope you’re doing well. We’re following up on this thread to check if the issue is still occurring or has been resolved. If it has been resolved, kindly mark the answer as accepted. We will proceed with thread closure by 27th Nov.

Looking forward to your response.

Best Regards.
Ray Garg 35 Reputation points

2025-11-26T09:34:15.2966667+00:00

Hello @Adiba Khan

I am still working on this, CA for blocking tor sign in (signing in using tor browser) still seems to not be working. I wonder if this is because I dont have the microsoft entra premium license. i beleive premium p2 tier has been disabled for b2c tenants am i correct? and only p1 is stil available. will i not receive risky sign in entra id identity protection signals if i dont have premium p1 from entra id?

on the entra external id side, i wnated to know is anything like for sure confirmed at the moment like is premium p2 available right now with entra external id?
Adiba Khan 1,440 Reputation points Microsoft External Staff

2025-11-26T10:00:36.34+00:00
Thank you for confirming the conditional access status and raising crucial questions about licensing. This is my confusion is specially with the ongoing product evolution from Azure AD B2C to Microsoft entry external ID

licensing and risky sign in signals in Azure AD B2C

You are correct to focus on the licensing. The ability to receive and act upon risky sign in signals is directly tied to the licensing tier that provides Microsoft Entra Id Protection.

Risk Based CA in Azure AD B2C requires Premium P2 The signals for risky sign ins and user risk are generated by Microsoft entra ID protection. Do use these risk signals as conditions in your conditional access policies within that ajar AD B2C tenant, the tenant must be linked to the equivalent of a premium P2 license

current requirement: for the full risk based conditional access capabilities(including the crucial “Sign-in Risk” condition that should block the tor sign in) you need Azure AD B2C premium P2

Impact of No P2: If you do not have the necessary B2CB2 license the Microsoft entra ID protection features are not fully enabled and the risk signals will likely not be generated or passed to your B2C custom policy which explains why the tor signin proceeded normally

Status of Azure AD B2C p1/p2 tiers Your understanding of the future status of B2C licenses is largely correct, reflecting Microsoft’s shift to the new platform.

License tier Status(for new customer)

Azure AD B2C P1 New purchases discontinued

Azure AD B2C P2 Discontinued

Conclusion for your problem: if you are pending this correctly using only the B2C standard tier or B2CP1 you will not receive the risky sign in signals needed to block the tor sign in attempt, as that requires the B2C P2 tier.

Is premium P2 available right now with external ID?

Yes, the capabilities equivalent to premium P1 and B2 are available in the new Microsoft entra external ID platform but under a different billing model.

External ID pricing model: the new platform uses a monthly active user consumption based pricing model with a core offer that includes the 1st 50,000 MAU free.

Premium add-ons: the advanced features including the capabilities previously found in P1 and P2 are offered as premium add-ons which you pay for on an MAU after the free threshold.

The benefit of the new external ID platform is that it is architecturally much closer to the core Microsoft Andra ID. This is expected to offer a more negative and comprehensive integration for all features including conditional access they are richer set of signals than what was possible with the legacy B2C platforms custom policy integration.

Recommendation: Given that B2C P2 Is being retired soon, focusing your efforts on migrating to the new Microsoft anthrax terminal ID platform is the correct strategic approach to ensure you have full access to current and future identity protection and risk based CA capabilities
Adiba Khan 1,440 Reputation points Microsoft External Staff

2025-12-01T06:59:37.9966667+00:00

Hope you’re doing well. We’re following up on this thread to check if the issue is still occurring or has been resolved. If it has been resolved, kindly mark the answer as accepted. We will proceed with thread closure by 4th December.

Looking forward to your response.

Best Regards.
Adiba Khan 1,440 Reputation points Microsoft External Staff

2025-12-03T06:31:40.78+00:00

Hope you’re doing well. We’re following up on this thread to check if the issue is still occurring or has been resolved. If it has been resolved, kindly mark the answer as accepted. We will proceed with thread closure by 4th December.

Looking forward to your response.

Best Regards.
Adiba Khan 1,440 Reputation points Microsoft External Staff

2025-12-04T06:00:16.4833333+00:00

We haven’t received any further updates or follow-up on this case, so we’ll proceed with closing it at this time. If you require additional assistance or have new information to share, please feel free to raise new thread, we’re happy to support you further needed.

License tier	Status(for new customer)
Azure AD B2C P1	New purchases discontinued
Azure AD B2C P2	Discontinued

Share via

Conditional Access Not Triggering in Azure AD B2C

1 answer

Your answer