Azure Active Directory B2C (Azure AD B2C) is a cloud identity management solution for web and mobile apps. The service provides authentication for apps hosted in the cloud and on-premises. Authentication types include individual accounts, social network accounts, and federated enterprise accounts. Additionally, Azure AD B2C can provide multi-factor authentication with minimal configuration.
Tip
Microsoft Entra ID, Microsoft Entra External ID and Azure AD B2C are separate product offerings. An Entra ID tenant generally represents an organization, while an Azure AD B2C tenant or a Microsoft Entra External ID tenant can represent a collection of identities to be used with relying party applications. To learn more, see Azure AD B2C: Frequently asked questions (FAQ).
Create a web app registration in the tenant. For Redirect URI, use https://localhost:5001/signin-oidc. Replace 5001 with the port used by your app when using Visual Studio generated ports.
Modify the app
Add the Microsoft.Identity.Web and Microsoft.Identity.Web.UI packages to the project. If you're using Visual Studio, you can use NuGet Package Manager.
- Microsoft.Identity.Web includes the basic set of dependencies for authenticating with the Microsoft identity platform.
- Microsoft.Identity.Web.UI includes UI functionality encapsulated in an area named MicrosoftIdentity.
Add an AzureADB2C object to appsettings.json.
Note
When using Azure B2C user flows, you need to set the Instance and the PolicyId of the type of flow.
```json
{
  "AzureADB2C": {
    "Instance": "https://--your-domain--.b2clogin.com",
    "Domain": "[Enter the domain of your B2C tenant, e.g. contoso.onmicrosoft.com]",
    "TenantId": "[Enter 'common', or 'organizations' or the Tenant Id (Obtained from the Azure portal. Select 'Endpoints' from the 'App registrations' blade and use the GUID in any of the URLs), e.g. da41245a5-11b3-996c-00a8-4d99re19f292]",
    "ClientId": "[Enter the Client Id (Application ID obtained from the Azure portal), e.g. ba74781c2-53c2-442a-97c2-3d60re42f403]",
    // Use either a secret or a certificate. ClientCertificates are recommended.
    "ClientSecret": "[Copy the client secret added to the app from the Azure portal]",
    "ClientCertificates": [
    ],
    // the following is required to handle Continuous Access Evaluation challenges
    "ClientCapabilities": [ "cp1" ],
    "CallbackPath": "/signin-oidc",
    // Add your policy here
    "SignUpSignInPolicyId": "B2C_1_signup_signin",
    "SignedOutCallbackPath": "/signout-callback-oidc"
  },
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft": "Warning",
      "Microsoft.Hosting.Lifetime": "Information"
    }
  },
  "AllowedHosts": "*"
}
```
- For Domain, use the domain of your Azure AD B2C tenant.
- For ClientId, use the Application (client) ID from the app registration you created in your tenant.
- For Instance, use your Azure AD B2C tenant's b2clogin.com endpoint, in the form shown for Instance above.
- For SignUpSignInPolicyId, use the user flow policy defined in the Azure AD B2C tenant.
- Use either the ClientSecret or the ClientCertificates configuration, not both. ClientCertificates are recommended.
- Leave all other values as they are.
In Pages/Shared, create a file named _LoginPartial.cshtml. Include the following code:
Adding <partial name="_LoginPartial" /> renders the _LoginPartial.cshtml partial view in every page request that uses this layout.
In Program.cs, make the following changes:
Add the following using directives:
```csharp
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
```
The preceding code resolves references used in the next steps.
Update the builder.Services lines with the following code:
```csharp
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureADB2C"));

builder.Services.AddAuthorization(options =>
{
    // By default, all incoming requests will be authorized according to
    // the default policy
    options.FallbackPolicy = options.DefaultPolicy;
});

builder.Services.AddRazorPages(options => {
        options.Conventions.AllowAnonymousToPage("/Index");
    })
    .AddMvcOptions(options => { })
    .AddMicrosoftIdentityUI();
```
In the preceding code:
- Calls to the AddAuthentication and AddMicrosoftIdentityWebApp methods configure the app to use OpenID Connect, specifically configured for the Microsoft identity platform.
- AddAuthorization initializes ASP.NET Core authorization.
- The AddRazorPages call configures the app so anonymous browsers can view the Index page. All other requests require authentication.
- AddMvcOptions and AddMicrosoftIdentityUI add the required UI components for redirecting to and from Azure AD B2C.
Update the highlighted line to the Configure method:
The preceding code enables authentication in ASP.NET Core.
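As an added example (not code from this tutorial or from Microsoft.Identity.Web), here is a complete Program.cs that combines the registrations above with the middleware order they rely on, and adds a startup check that refuses to run with unedited placeholder values, a non-https Instance, or both or neither of the credential types. The IsSet and Require helpers are hypothetical names introduced here.

```csharp
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;

var builder = WebApplication.CreateBuilder(args);

// Fail fast on a misconfigured AzureADB2C section before any request is served.
// Added check; not part of Microsoft.Identity.Web. A leading '[' marks an
// unedited placeholder copied from the sample appsettings.json.
var b2c = builder.Configuration.GetSection("AzureADB2C");
bool IsSet(string? v) => !string.IsNullOrWhiteSpace(v) && !v.StartsWith('[');
string Require(string key) => IsSet(b2c[key]) ? b2c[key]!
    : throw new InvalidOperationException($"AzureADB2C:{key} is missing or still a placeholder.");

var instance = Require("Instance");
if (!instance.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
    throw new InvalidOperationException("AzureADB2C:Instance must be an https URL.");
Require("Domain");
Require("ClientId");
Require("SignUpSignInPolicyId");

// Exactly one credential type: a client secret or a certificate (certificate preferred).
var hasSecret = IsSet(b2c["ClientSecret"]);
var hasCert = b2c.GetSection("ClientCertificates").GetChildren().Any();
if (hasSecret == hasCert)
    throw new InvalidOperationException(
        "Configure either AzureADB2C:ClientSecret or AzureADB2C:ClientCertificates, not both or neither.");

builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(b2c);

builder.Services.AddAuthorization(options =>
{
    // Deny by default: every page without an anonymous convention requires a signed-in user.
    options.FallbackPolicy = options.DefaultPolicy;
});

builder.Services.AddRazorPages(options =>
        options.Conventions.AllowAnonymousToPage("/Index"))
    .AddMvcOptions(options => { })
    .AddMicrosoftIdentityUI();

var app = builder.Build();
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();   // must run before UseAuthorization so the fallback policy sees the user
app.UseAuthorization();
app.MapRazorPages();
app.Run();
```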
Run the app
Note
Use the launch profile that matches the Redirect URIs of the Azure app registration.
1. Run the app:

```shell
dotnet run --launch-profile https
```

2. Browse to the app's secure endpoint, for example, https://localhost:5001/.
   - The Index page renders with no authentication challenge.
   - The header includes a Sign in link because you're not authenticated.
3. Select the Privacy link. The browser is redirected to your tenant's configured authentication method.
4. After signing in, the header displays a welcome message and a Sign out link.
Next steps
In this tutorial, you learned how to configure an ASP.NET Core app for authentication with Azure AD B2C.
Now that the ASP.NET Core app is configured to use Azure AD B2C for authentication, the Authorize attribute can be used to secure your app. Continue developing your app by learning to: