Developer notes for Azure Active Directory B2C

Azure Active Directory B2C user flows and custom policies are generally available. Azure AD B2C capabilities are under continual development, so although most features are generally available, some features are at different stages in the software release cycle. This article discusses cumulative improvements in Azure AD B2C and specifies feature availability.

Terms for features in public preview

• We encourage you to use public preview features for evaluation purposes only.

• Service level agreements (SLAs) don't apply to public preview features.

• Support requests for public preview features can be submitted through regular support channels.

Feature availability

Feature	User flow	Custom policy	User flow in China	Custom policy in China	Notes
Sign-up and sign-in with email and password.	GA	GA	GA	GA
Sign-up and sign-in with username and password.	GA	GA	GA	GA
Profile editing flow	GA	GA	GA	GA
Self-Service password reset	GA	GA	GA	GA
Force password reset	GA	GA	NA	GA
Phone sign-up and sign-in	GA	GA	NA	GA
Smart lockout	GA	GA	NA	NA
Conditional Access	GA	GA	NA	Limited availability	Not available for SAML applications.
Identity Protection	GA	GA	NA	NA
CAPTCHA	Preview	Preview	NA	NA	You can enable it during sign-up or sign-in for Local accounts.

OAuth 2.0 application authorization flows

The following table summarizes the OAuth 2.0 and OpenId Connect application authentication flows that can be integrated with Azure AD B2C.

Feature	User flow	Custom policy	Notes
Authorization code	GA	GA	Allows users to sign in to web applications. The web application receives an authorization code. The authorization code is redeemed to acquire a token to call web APIs.
Authorization code with PKCE	GA	GA	Allows users to sign in to mobile and single-page applications. The application receives an authorization code using proof key for code exchange (PKCE). The authorization code is redeemed to acquire a token to call web APIs.
Client credentials flow	Preview	Preview	Allows access web-hosted resources by using the identity of an application. Commonly used for server-to-server interactions that must run in the background, without immediate interaction with a user.
Device authorization grant	NA	NA	Allows users to sign in to input-constrained devices such as a smart TV, IoT device, or printer.
Implicit flow	GA	GA	Allows users to sign in to single-page applications. The app gets tokens directly without performing a back-end server credential exchange. Note: The recommended flow for supporting SPAs is OAuth 2.0 Authorization code flow (with PKCE).
On-behalf-of	NA	NA	An application invokes a service or web API, which in turn needs to call another service or web API. For the middle-tier service to make authenticated requests to the downstream service, pass a client credential token in the authorization header. Optionally, you can include a custom header with the Azure AD B2C user's token.
OpenId Connect	GA	GA	OpenID Connect introduces the concept of an ID token, which is a security token that allows the client to verify the identity of the user.
OpenId Connect hybrid flow	GA	GA	Allows a web application retrieve the ID token on the authorize request along with an authorization code.
Resource owner password credentials (ROPC)	GA	GA	Allows a mobile application to sign in the user by directly handling their password.
Sign-out	GA	GA
Single sign-out	NA	Preview

OAuth 2.0 options

Feature	User flow	Custom policy	Notes
Redirect sign-in to a social provider	GA	GA	Query string parameter domain_hint.
Prepopulate the sign-in name	GA	GA	Query string parameter login_hint.
Insert JSON into user journey via client_assertion	NA	Deprecated
Insert JSON into user journey as id_token_hint	NA	GA
Pass identity provider token to the application	Preview	Preview	For example, from Facebook to app.
Keep me signed in (KMSI)	GA	GA

SAML2 application authentication flows

The following table summarizes the Security Assertion Markup Language (SAML) application authentication flows that can be integrated with Azure AD B2C.

Feature	User flow	Custom policy	Notes
SP initiated	NA	GA	POST and Redirect bindings.
IDP initiated	NA	GA	Where the initiating identity provider is Azure AD B2C.

User experience customization

Feature	User flow	Custom policy	Notes
Multi-language support	GA	GA	Available in China cloud, but only for custom policies.
Custom domains	GA	GA	Available in China cloud, but only for custom policies.
Custom email verification	NA	GA
Customize the user interface with built-in templates	GA	GA
Customize the user interface with custom templates	GA	GA	By using HTML templates.
Page layout version	GA	GA	Available in China cloud, but only for custom policies.
JavaScript	GA	GA	Available in China cloud, but only for custom policies.
Embedded sign-in experience	NA	Preview	By using the inline frame element <iframe>.
Password complexity	GA	GA	Available in China cloud, but only for custom policies.
Disable email verification	GA	GA	Not recommended for production environments. Disabling email verification in the sign-up process may lead to spam.

Identity providers

Feature	User flow	Custom policy	Notes
AD FS	NA	GA
Amazon	GA	GA
Apple	GA	GA	Available in China cloud, but only for custom policies.
Microsoft Entra ID (Single-tenant)	GA	GA
Microsoft Entra ID (multitenant)	NA	GA
Azure AD B2C	GA	GA
eBay	NA	Preview
Facebook	GA	GA
GitHub	Preview	GA
Google	GA	GA
ID.me	GA	GA
LinkedIn	GA	GA
Microsoft Account	GA	GA
QQ	Preview	GA
Salesforce	GA	GA
Salesforce (SAML protocol)	NA	GA
WeChat	Preview	GA	Available in China cloud, but only for custom policies.
Weibo	Preview	GA
X	GA	GA

Generic identity providers

Feature	User flow	Custom policy	Notes
OAuth2	NA	GA	For example, Google, GitHub, and Facebook.
OAuth1	NA	GA	For example, X.
OpenID Connect	GA	GA	For example, Microsoft Entra ID.
SAML2	NA	GA	For example, Salesforce and AD-FS.
WSFED	NA	NA

API connectors

Feature	User flow	Custom policy	Notes
After federating with an identity provider during sign-up	GA	GA
Before creating the user	GA	GA
Before including application claims in token	Preview	GA
Secure with basic authentication	GA	GA
Secure with client certificate authentication	GA	GA
Secure with OAuth2 bearer authentication	NA	GA
Secure API key authentication	NA	GA

Custom policy features

Session management

Feature	Custom policy	Notes
Default SSO session provider	GA	Available in China cloud, but only for custom policies.
External login session provider	GA	Available in China cloud, but only for custom policies.
SAML SSO session provider	GA	Available in China cloud, but only for custom policies.
OAuth SSO Session Provider	GA	Available in China cloud, but only for custom policies.

Components

Feature	Custom policy	Notes
MFA using time-based one-time password (TOTP) with authenticator apps	GA	Users can use any authenticator app that supports TOTP verification, such as the Microsoft Authenticator app.
Phone factor authentication	GA	Available in China cloud, but only for custom policies.
Microsoft Entra multifactor authentication authentication	GA
One-time password	GA
Microsoft Entra ID as local directory	GA
Predicate validations	GA	For example, password complexity.
Display controls	GA
Sub journeys	GA

Developer interface

Feature	Custom policy	Notes
Azure portal	GA
Application Insights user journey logs	Preview	Used for troubleshooting during development.
Application Insights event logs	Preview	Used to monitor user flows and custom policies in production.

Other features

Feature	Status	Notes
Go-Local add-on	GA	Azure AD B2C's Go-Local add-on enables you to create Azure AD B2C tenant within the country/region you choose when you create your Azure AD B2C.

Responsibilities of custom policy feature-set developers

Manual policy configuration grants lower-level access to the underlying platform of Azure AD B2C and results in the creation of a unique, trust framework. The many possible permutations of custom identity providers, trust relationships, integrations with external services, and step-by-step workflows require a methodical approach to design and configuration.

Developers consuming the custom policy feature set should adhere to the following guidelines:

• Become familiar with the configuration language of the custom policies and key/secrets management. For more information, see TrustFrameworkPolicy.
• Take ownership of scenarios and custom integrations. Document your work and inform your live site organization.
• Perform methodical scenario testing.
• Follow software development and staging best practices. A minimum of one development and testing environment is recommended.
• Stay informed about new developments from the identity providers and services you integrate with. For example, keep track of changes in secrets and of scheduled and unscheduled changes to the service.
• Set up active monitoring, and monitor the responsiveness of production environments. For more information about integrating with Application Insights, see Azure Active Directory B2C: Collecting Logs.
• Keep contact email addresses current in the Azure subscription, and stay responsive to the Microsoft live-site team emails.
• Take timely action when advised to do so by the Microsoft live-site team.

Next steps

• Check the Microsoft Graph operations available for Azure AD B2C.
• Learn more about custom policies and the differences with user flows.