Azure AD B2C - Part 2 - B2C Policies

Azure AD B2C provides the ability to set up policies that control how users log on, sign up, edit profile information and reset passwords. These policies can be used on a per-application basis: the policy assignment is performed by defining the policy name within the application itself.

The policies we will discuss are the:

  1. "Sign-up policy" - the policy that allows users to self-provision/sign up for the service.
  2. "Sign-in policy" - the policy that defines the authentication types, the strength of authentication and the application claims to send.
  3. "Profile editing policy" - the policy that defines what users can edit within their Azure AD B2C user profile.
  4. "Password reset policy" - the policy that defines the password reset options for users.

In addition to the four policy types above, we can actually have a combined "sign-up or sign-in" policy, which is handy: as we have two applications, we can just create one such policy for each application. Let's create the policy for the Contoso Job Portal and then I'll show you what is different for the Contoso Pay Portal. Click "Sign-up or sign-in policies" and then click "Add".

Identity Providers - select the identity options you wish to use with this policy/application. For the Contoso Job and Pay Portal we will select "Email signup" and "Facebook".

Sign-up attributes - select the information you wish to collect from the user during sign up (this includes any additional attributes you added in Part 1). For the Contoso Job and Pay Portal we have selected 5 attributes.

Application claims - select the claims you wish to pass back to the application after successful authentication. For the Contoso Job and Pay Portal we have selected "Display Name" (which is required by the application) and "Identity Provider". If "Identity Provider" is not selected now, it will be added automatically once the policy is created, because we have added Facebook as an identity provider.

Multifactor authentication (MFA) - do you need to enforce Multifactor authentication for these users? For the Contoso Job Portal policy we have left "Multifactor authentication" as disabled but for the Contoso Pay Portal we will enable it to meet the requirements set out in Part 1 of this series.

Page UI customization - this provides the ability to customise the UI for your users. We will leave this as the default, but feel free to customise it.

So that's the policy for the Contoso Job Portal taken care of.

The Contoso Pay Portal will be exactly the same apart from the fact that we will enforce MFA.

So now we have defined the "sign-up or sign-in" policy for both applications.
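As an added example (not code from the original post), here is how an application selects its policy by name in the authorize request and then checks the claims it receives, so that the Pay Portal only accepts tokens issued under its MFA-enforcing policy. The tenant and policy names, the b2clogin.com endpoint layout and the B2C claim names `tfp`, `idp` and `name` are assumptions.

```python
"""Added example, not part of the original post.
Assumes the b2clogin.com endpoint layout and B2C claim names tfp/idp/name."""
import time
from urllib.parse import urlencode

TENANT = "contoso"  # assumed tenant name

# Assumed policy names: one "sign-up or sign-in" policy per application.
POLICY_BY_APP = {
    "job-portal": "B2C_1_signup_signin_job",  # MFA disabled
    "pay-portal": "B2C_1_signup_signin_pay",  # MFA enabled
}


def build_authorize_url(app, client_id, redirect_uri, nonce, state):
    """The application picks its policy by putting the policy name in the URL."""
    policy = POLICY_BY_APP[app]
    base = (f"https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com/"
            f"{policy}/oauth2/v2.0/authorize")
    params = {
        "client_id": client_id,
        "response_type": "id_token",
        "redirect_uri": redirect_uri,
        "response_mode": "form_post",
        "scope": "openid",
        "nonce": nonce,
        "state": state,
    }
    return f"{base}?{urlencode(params)}"


def check_b2c_claims(claims, app, client_id, nonce, now=None):
    """Checks on an id_token payload whose signature has ALREADY been verified
    against the policy's JWKS. Returns (ok, detail)."""
    now = time.time() if now is None else now
    if claims.get("aud") != client_id:
        return False, "audience mismatch"
    if claims.get("nonce") != nonce:
        return False, "nonce mismatch"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    # tfp names the policy that issued the token: a token from the Job
    # Portal's non-MFA policy must not be accepted by the Pay Portal.
    if claims.get("tfp") != POLICY_BY_APP[app]:
        return False, "unexpected policy"
    if not claims.get("name"):  # "Display Name" is required by the app
        return False, "display name claim missing"
    # idp carries the identity provider claim (assumed absent for local accounts)
    return True, claims.get("idp", "local")
```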

Select each policy, click "Run now" to test and show the Azure AD B2C page your users will see.

As you can see, Facebook and email address are presented as sign-in options, and the "Sign up now" link we defined is also shown.

Now you have to define the Profile Editing and Password Reset policies. I won't step through these in detail, as the run-through above should mean they make sense to you. Key things to consider are:

  1. Which attributes will you allow users to edit in their profile?
  2. Which identity providers will you allow a "password reset" to occur with?
  3. Will you enforce MFA for a password reset?

So that's the setup completed! In the next post we will test the user experience with the different applications. The next post is located here.