Define a Conditional Access technical profile in an Azure Active Directory B2C custom policy
Note
In Azure Active Directory B2C, custom policies are designed primarily to address complex scenarios. For most scenarios, we recommend that you use built-in user flows. If you've not done so, learn about custom policy starter pack in Get started with custom policies in Active Directory B2C.
Microsoft Entra Conditional Access is the tool used by Azure AD B2C to bring signals together, make decisions, and enforce organizational policies. Automating risk assessment with policy conditions means risky sign-ins are at once identified and remediated or blocked.
Protocol
The Name attribute of the Protocol element needs to be set to Proprietary. The handler attribute must contain the fully qualified name of the protocol handler assembly that is used by Azure AD B2C:
Web.TPEngine.Providers.ConditionalAccessProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
The following example shows a Conditional Access technical profile:
<TechnicalProfile Id="ConditionalAccessEvaluation">
<DisplayName>Conditional Access Provider</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ConditionalAccessProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<Metadata>
<Item Key="OperationType">Evaluation</Item>
</Metadata>
Conditional Access evaluation
For every sign-in, Azure AD B2C evaluates all policies and ensures all requirements are met before granting the user access. "Block access" overrides all other configuration settings. The Evaluation mode of the Conditional Access technical profile evaluates the signals collected by Azure AD B2C during the sign-in with a local account. The outcome of the Conditional Access technical profile is a set of claims that result from Conditional Access evaluation. The Azure AD B2C policy uses these claims in a next orchestration step to take an action, such as block the user or challenge the user with multi-factor authentication. The following options can be configured for this mode.
Metadata
| Attribute | Required | Description |
|---|---|---|
| OperationType | Yes | Must be Evaluation. |
Input claims
The InputClaims element contains a list of claims to send to Conditional Access. You can also map the name of your claim to the name defined in the Conditional Access technical profile.
| ClaimReferenceId | Required | Data Type | Description |
|---|---|---|---|
| UserId | Yes | string | The identifier of the user who signs in. |
| AuthenticationMethodsUsed | Yes | stringCollection | The list of methods the user used to sign in. Possible values: Password, and OneTimePasscode. |
| IsFederated | Yes | boolean | Indicates whether or not a user signed in with a federated account. The value must be false. |
| IsMfaRegistered | Yes | boolean | Indicates whether the user already enrolled a method for multi-factor authentication. If the value is set to false, the Conditional Access policy evaluation returns a block challenge if action is required. |
The InputClaimsTransformations element may contain a collection of InputClaimsTransformation elements that are used to modify the input claims or generate new ones before sending them to the Conditional Access service.
Output claims
The OutputClaims element contains a list of claims generated by the ConditionalAccessProtocolProvider. You can also map the name of your claim to the name defined below.
| ClaimReferenceId | Required | Data Type | Description |
|---|---|---|---|
| Challenges | Yes | stringCollection | List of actions to remediate the identified threat. Possible values: block , mfa, and chg_pwd. |
| MultiConditionalAccessStatus | Yes | stringCollection | The status of conditional access evaluation. |
The OutputClaimsTransformations element may contain a collection of OutputClaimsTransformation elements that are used to modify the output claims or generate new ones.
Example: Evaluation
The following example shows a Conditional Access technical profile that is used to evaluate the sign-in threat.
<TechnicalProfile Id="ConditionalAccessEvaluation">
<DisplayName>Conditional Access Provider</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ConditionalAccessProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<Metadata>
<Item Key="OperationType">Evaluation</Item>
</Metadata>
<InputClaimsTransformations>
<InputClaimsTransformation ReferenceId="IsMfaRegisteredCT" />
</InputClaimsTransformations>
<InputClaims>
<InputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="UserId" />
<InputClaim ClaimTypeReferenceId="AuthenticationMethodsUsed" />
<InputClaim ClaimTypeReferenceId="IsFederated" DefaultValue="false" />
<InputClaim ClaimTypeReferenceId="IsMfaRegistered" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="conditionalAccessClaimCollection" PartnerClaimType="Challenges" />
<OutputClaim ClaimTypeReferenceId="ConditionalAccessStatus" PartnerClaimType="MultiConditionalAccessStatus" />
</OutputClaims>
</TechnicalProfile>
Remediation
The Remediation mode of the Conditional Access technical profile informs Azure AD B2C that the sign-in identified threat is remediated. The following options can be configured for the remediation mode.
Metadata
| Attribute | Required | Description |
|---|---|---|
| OperationType | Yes | Must be Remediation. |
Input claims
The InputClaims element contains a list of claims to send to Conditional Access. You can also map the name of your claim to the name defined in the Conditional Access technical profile.
| ClaimReferenceId | Required | Data Type | Description |
|---|---|---|---|
| ChallengesSatisfied | Yes | stringCollection | The list of satisfied challenges to remediate the identified threat as return from the evaluation mode, challenges claim. |
The InputClaimsTransformations element may contain a collection of InputClaimsTransformation elements that are used to modify the input claims or generate new ones before calling the Conditional Access service.
Output claims
The Conditional Access protocol provider doesn't return any OutputClaims, so there's no need to specify output claims. You can, however, include claims that aren't returned by the Conditional Access protocol provider as long as you set the DefaultValue attribute.
The OutputClaimsTransformations element may contain a collection of OutputClaimsTransformation elements that are used to modify the output claims or generate new ones.
Example: Remediation
The following example shows a Conditional Access technical profile that is used to remediate the sign-in threat.
<TechnicalProfile Id="ConditionalAccessRemediation">
<DisplayName>Conditional Access Remediation</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ConditionalAccessProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
<Metadata>
<Item Key="OperationType">Remediation</Item>
</Metadata>
<InputClaims>
<InputClaim ClaimTypeReferenceId="conditionalAccessClaimCollection" PartnerClaimType="ChallengesSatisfied" />
</InputClaims>
</TechnicalProfile>
Next steps
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for