AAD B2C Custom Policies: How to read HTTP headers in the request to B2C?

Jason Lee 106 Reputation points

In a B2C custom policy, is there a way to read HTTP headers in the authorize request sent to B2C? I was hoping there is a claim resolver similar to OAUTH-KV, but I do not see any in the claim resolver documentation.

We need to do this to support forensic security investigations. We have a Front Door instance forwarding requests to our B2C instance as per Microsoft recommendations. This Front Door instance sends access logs to Azure Sentinel via Log Analytics. We have a requirement that any application authorizing with B2C be able to correlate an app's log entries to the FD access logs in Sentinel. Since B2C is behind Front Door, we want to include the X-Azure-Ref header value (Front Door adds it to all requests) in the claims of tokens that B2C issues. Consuming applications can include the X-Azure-Ref in their logs to directly correlate them to Front Door auditing logs.

Thanks in advance!

Note: I'm posting this question in this forum since I haven't had a response yet in https://stackoverflow.com/questions/70886830/aad-b2c-custom-policies-how-to-read-http-headers-in-the-request-to-b2c


Accepted answer
  1. AmanpreetSingh-MSFT 55,406 Reputation points

    Hi @Jason Lee • Thank you for reaching out.

    Unfortunately, B2C does not have the capability to resolve and use the HTTP headers from the authorize request. As a workaround, you can check if it can be passed as a query string, and then you can use OAuth2 key-value parameters to resolve it via B2C custom policy.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
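
The query-string workaround from the accepted answer, sketched as a custom policy fragment. This is an added example, not part of the original thread or Microsoft's sample policies; the parameter name `fd_ref` and the claim name `frontDoorRef` are hypothetical, and it assumes the calling application can supply the correlation value on the authorize URL.

```xml
<!-- Added example. "fd_ref" and "frontDoorRef" are hypothetical names.
     The application appends the value to the authorize request, e.g.
     .../oauth2/v2.0/authorize?...&fd_ref=<correlation-value> -->

<!-- 1. Declare the claim (inside BuildingBlocks/ClaimsSchema) -->
<ClaimType Id="frontDoorRef">
  <DisplayName>Front Door correlation reference</DisplayName>
  <DataType>string</DataType>
</ClaimType>

<!-- 2. Relying party policy: resolve the query parameter into a token claim.
     For a RelyingParty OutputClaim, the {OAUTH-KV:...} resolver is only
     evaluated when AlwaysUseDefaultValue is "true". -->
<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="OpenIdConnect" />
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
      <!-- Value is taken verbatim from the request's query string -->
      <OutputClaim ClaimTypeReferenceId="frontDoorRef"
                   DefaultValue="{OAUTH-KV:fd_ref}"
                   AlwaysUseDefaultValue="true" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="sub" />
  </TechnicalProfile>
</RelyingParty>
```

A claim populated this way is caller-supplied, so consuming applications should log it as a correlation hint and rely on the Front Door access logs themselves as the authoritative record.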
