Azure AD B2C Custom Identity Policy

pawel 21 Reputation points
2022-05-30T09:31:59.45+00:00

I’m struggling with configuring Azure AD B2C so it supports multi-tenants and external identity providers at the same time. I have a SPA application (in Angular, using MSAL.js) with a .NET backend (.NET 4.8). I have configured “Identity providers” and followed a tutorial from the active-directory-b2c-custom-policy-starterpack sample. My app is registered in Azure. It has Authentication links configured (I tried https://xxx.b2clogin.com/xxx.onmicrosoft.com/oauth2/authresp for both WEB and SPA authentication). It has API permissions to Microsoft Graph.

No success so far. Current error: AADB2C90273: An invalid response was received : 'Error: unsupported_response_type,Error Description: AADSTS70005: 'The application requested an unsupported response type '' when requesting a token.

I suspect that the custom policy XML file is misconfigured. Unfortunately, what I’m missing is a general overview of how the solution is supposed to work. That’s why I have the following questions. I’d appreciate any additional hints on the topic.

Questions:

1. When a user authenticates with an external identity provider (e.g., Facebook, LinkedIn, external SSO), will an account be created for them in Azure Active Directory B2C?
2. Do multitenant administrators have to add permissions to their users in order to use my app? How can they do that?
3. AADSTS70005: 'The application requested an unsupported response type '' when requesting a token. – where can I configure the response type for “this” application?
4. Is there any sample on how to set up a Custom Policy that supports Azure AD multi-tenant and External SSO at the same time?
Microsoft Security | Microsoft Entra | Microsoft Entra External ID
Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
AmanpreetSingh-MSFT 56,871 Reputation points Moderator
2022-05-30T12:28:54.807+00:00

Hi @pawel • Thank you for reaching out. Please find my response inline.

1. When a user authenticates with an external identity provider (e.g., Facebook, LinkedIn, external SSO), will an account be created for them in Azure Active Directory B2C?
   Yes, an account gets created in the Azure AD B2C directory with the source attribute set to the external identity provider's name, as shown below for a user account signed up using the Facebook IDP.
   [screenshot: 206704-image.png]
2. Do multitenant administrators have to add permissions to their users in order to use my app? How can they do that?
   Once you register an Azure AD app in your corporate Azure AD tenant (not the B2C tenant) and users from other tenants access the B2C app for the first time, they will be required to accept the consent prompt, as shown below.
   [screenshot: 206762-image.png]
   If the tenant is configured to allow users to consent for apps using the below setting, no action is needed.
   Azure AD > Enterprise Applications > Consent and permissions > User consent settings > Allow user consent for apps
   If the "Do not allow user consent" option is selected, users won't be able to consent, and the admins of those tenants must provide tenant-wide consent using the adminconsent endpoint that you need to construct for the multi-tenant application you have registered in your corporate Azure AD tenant.
3. AADSTS70005: 'The application requested an unsupported response type '' when requesting a token. – where can I configure the response type for “this” application?
   Make sure that you have selected the below checkboxes under the Authentication blade of your application, depending on whether you are requesting an access token, an ID token, or both.
   [screenshot: 206705-image.png]
4. Is there any sample on how to set up a Custom Policy that supports Azure AD multi-tenant and External SSO at the same time?
   The instructions provided in this document would work with all other social IDPs at the same time. There is no such sample available in the B2C GitHub repository, but if required, you can send an email to the email address mentioned in the private comment below your question and I will share the policy files from my B2C tenant.

-----------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


0 additional answers
