Tutorial: Configure Azure Active Directory B2C with Azure Web Application Firewall

Learn how to enable the Azure Web Application Firewall (WAF) service for an Azure Active Directory B2C (Azure AD B2C) tenant, with a custom domain. WAF protects web applications from common exploits and vulnerabilities.


This feature is in public preview.

See, What is Azure Web Application Firewall?


To get started, you need:

Custom domains in Azure AD B2C

To use custom domains in Azure AD B2C, use the custom domain features in AFD. See, Enable custom domains for Azure AD B2C.


After you configure the custom domain, see Test your custom domain.

Enable WAF

To enable WAF, configure a WAF policy and associate it with the AFD for protection.

Create a WAF policy

Create a WAF policy with Azure-managed default rule set (DRS). See, Web Application Firewall DRS rule groups and rules.

  1. Sign in to the Azure portal.
  2. Select Create a resource.
  3. Search for Azure WAF.
  4. Select Azure Web Application Firewall (WAF).
  5. Select Create.
  6. Go to the Create a WAF policy page.
  7. Select the Basics tab.
  8. For Policy for, select Global WAF (Front Door).
  9. For Front Door SKU, select between Basic, Standard, or Premium SKU.
  10. For Subscription, select your Front Door subscription name.
  11. For Resource group, select your Front Door resource group name.
  12. For Policy name, enter a unique name for your WAF policy.
  13. For Policy state, select Enabled.
  14. For Policy mode, select Detection.
  15. Select Review + create.
  16. Go to the Association tab of the Create a WAF policy page.
  17. Select + Associate a Front Door profile.
  18. For Front Door, select your Front Door name associated with Azure AD B2C custom domain.
  19. For Domains, select the Azure AD B2C custom domains to associate the WAF policy to.
  20. Select Add.
  21. Select Review + create.
  22. Select Create.

Detection and Prevention modes

When you create WAF policy, the policy is in Detection mode. We recommend you don't disable Detection mode. In this mode, WAF doesn't block requests. Instead, requests that match the WAF rules are logged in the WAF logs.

Learn more: Azure Web Application Firewall monitoring and logging

The following query shows the requests blocked by the WAF policy in the past 24 hours. The details include, rule name, request data, action taken by the policy, and the policy mode.

Screenshot of blocked requests.

Screenshot of blocked requests details, such as Rule ID, Action, Mode, etc.

Review the WAF logs to determine if policy rules cause false positives. Then, exclude the WAF rules based on the WAF logs.

Learn more: Define exclusion rules based on Web Application Firewall logs

Switching modes

To see WAF operating, select Switch to prevention mode, which changes the mode from Detection to Prevention. Requests that match the rules in the DRS are blocked and logged in the WAF logs.

Screenshot of options and selections for DefaultRuleSet under Web Application Firewall policies.

To revert to Detection mode, select Switch to detection mode.

Screenshot of DefaultRuleSet with Switch to detection mode.

Next steps