
azure-samples / active-directory-b2c-custom-policy-starterpack


Azure AD B2C allows you to upload a custom policy, which gives full control over and customization of the Identity Experience Framework.

Home Page: http://aka.ms/aadb2ccustom

License: MIT License

microsoft identity azure-ad-b2c azure-active-directory azure-ad-b2c-custom

active-directory-b2c-custom-policy-starterpack's Introduction

Contributing

This project has adopted the Microsoft Open Source Code of Conduct. For more information, see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

Change log

09 August 2022

With this version the starter pack contains a Refresh Token user journey. This journey runs every time an application redeems a refresh token. It checks that the user still exists and is enabled in the Azure AD B2C directory, and that the refresh token has not expired. It then re-assembles any claims that are not persisted in the user profile, including claims from identity providers and REST API calls, and issues a new set of tokens.

This change allows refresh tokens to be revoked for a user and prevents users deleted from the directory from keeping access. It affects all starter-pack samples.

Policy notes:
  B2C_1A_TrustFrameworkBase: added the Refresh Token claims, Refresh Token claims transformations, Refresh Token technical profiles and the Refresh Token user journey.
  B2C_1A_SignUpOrSignIn: added the Refresh Token endpoint to the relying party.

Migrate existing policy to this version

Your custom policy can invoke a custom refresh token journey. Add the following user journey to your TrustFrameworkExtensions.xml file to get started.

  1. Open the extensions file of your policy. For example, SocialAndLocalAccounts/TrustFrameworkExtensions.xml.
  2. Locate the UserJourneys element. If the element doesn't exist, add it.
  3. Add the following UserJourney to the UserJourneys element.
<!--
<UserJourneys>-->
  <UserJourney Id="RedeemRefreshToken">
    <PreserveOriginalAssertion>false</PreserveOriginalAssertion>
    <OrchestrationSteps>
      <OrchestrationStep Order="1" Type="ClaimsExchange">
        <ClaimsExchanges>
          <ClaimsExchange Id="RefreshTokenSetupExchange" TechnicalProfileReferenceId="RefreshTokenReadAndSetup" />
        </ClaimsExchanges>
      </OrchestrationStep>
      <OrchestrationStep Order="2" Type="ClaimsExchange">
        <ClaimsExchanges>
          <ClaimsExchange Id="CheckRefreshTokenDateFromAadExchange" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId-CheckRefreshTokenDate" />
        </ClaimsExchanges>
      </OrchestrationStep>
      <OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
    </OrchestrationSteps>
  </UserJourney>
<!--
</UserJourneys>-->

This user journey validates that the refresh token has not been revoked: the token's issue time (refreshTokenIssuedOnDateTime) is compared with the user's refreshTokensValidFromDateTime attribute, which the Microsoft Graph revokeSignInSessions action resets to the current time. You can revoke refresh tokens in Azure AD B2C following the Microsoft Graph API "Revoke sign in sessions" guidance. A refresh token issued before the revocation then fails the check the next time it is redeemed. Note that an access token that has already been issued stays valid until it expires; the check only runs when a refresh token is presented.

You can add additional steps into this journey to call any other technical profiles, such as to your REST API technical profiles or Azure AD read/write technical profiles.

Configure the relying party policy

The relying party file must be configured to point to your custom refresh token journey. This allows Azure AD B2C to reference your refresh token journey when your app makes a refresh token request.

Add an Endpoint element with Id set to Token and a UserJourneyReferenceId that matches the UserJourney Id from the prior section. Merge the following XML snippet into your SignUpOrSignin.xml file.

<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
  <Endpoints>
    <Endpoint Id="Token" UserJourneyReferenceId="RedeemRefreshToken" />
  </Endpoints>
  ...
</RelyingParty>

Repeat this for all relying party files your application may invoke, such as ProfileEdit.xml and PasswordReset.xml. A relying party file without the Token endpoint keeps the built-in refresh behaviour, so tokens issued by that policy are refreshed without the revocation check.

Configure refresh token revocation evaluation

The custom refresh token journey can be used to evaluate whether the refresh token being presented has been revoked. To implement this logic, Azure AD B2C compares refreshTokenIssuedOnDateTime (the issue time of the presented refresh token, supplied by the policy engine) with refreshTokensValidFromDateTime (the user attribute read from the directory; tokens issued before that time are invalid). Create the claims schema definitions shown in the XML snippet below in your TrustFrameworkExtensions.xml.

  1. Open the extensions file of your policy. For example, SocialAndLocalAccounts/TrustFrameworkExtensions.xml.
  2. Locate the BuildingBlocks element. If the element doesn't exist, add it.
  3. Locate the ClaimsSchema element. If the element doesn't exist, add it.
  4. Add the following claims to the ClaimsSchema element.
<!--
<BuildingBlocks>
  <ClaimsSchema> -->
    <ClaimType Id="refreshTokenIssuedOnDateTime">
      <DisplayName>refreshTokenIssuedOnDateTime</DisplayName>
      <DataType>string</DataType>
      <AdminHelpText>Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.</AdminHelpText>
      <UserHelpText>Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.</UserHelpText>
    </ClaimType>
    <ClaimType Id="refreshTokensValidFromDateTime">
      <DisplayName>refreshTokensValidFromDateTime</DisplayName>
      <DataType>string</DataType>
      <AdminHelpText>Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.</AdminHelpText>
      <UserHelpText>Used to determine if the user should be permitted to reauthenticate silently via their existing refresh token.</UserHelpText>
    </ClaimType>
  <!--
  </ClaimsSchema>
</BuildingBlocks> -->

To check whether the refresh token has been revoked, refreshTokenIssuedOnDateTime must be greater than refreshTokensValidFromDateTime. Add the following AssertDateTimeIsGreaterThan ClaimsTransformation to your TrustFrameworkExtensions.xml. If the assertion fails, the journey ends in error and no new tokens are issued. AssertIfRightOperandIsNotPresent="true" lets a user whose directory record carries no refreshTokensValidFromDateTime value pass; TreatAsEqualIfWithinMillseconds (spelled that way in the policy schema) treats timestamps within five minutes of each other as equal to absorb clock skew, and AssertIfEqualTo decides how that equal case is handled. Test the behaviour with a test user before relying on it: revoke the user's sessions through Graph, then redeem a refresh token issued before the revocation and confirm the token request is rejected.

  1. Open the extensions file of your policy. For example, SocialAndLocalAccounts/TrustFrameworkExtensions.xml.
  2. Locate the BuildingBlocks element. If the element doesn't exist, add it.
  3. Locate the ClaimsTransformations element. If the element doesn't exist, add it.
  4. Add the following ClaimsTransformation to the ClaimsTransformations element.
<!--
<BuildingBlocks>
  <ClaimsTransformations> -->
    <ClaimsTransformation Id="AssertRefreshTokenIssuedLaterThanValidFromDate" TransformationMethod="AssertDateTimeIsGreaterThan">
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="refreshTokenIssuedOnDateTime" TransformationClaimType="leftOperand" />
        <InputClaim ClaimTypeReferenceId="refreshTokensValidFromDateTime" TransformationClaimType="rightOperand" />
      </InputClaims>
      <InputParameters>
        <InputParameter Id="AssertIfEqualTo" DataType="boolean" Value="false" />
        <InputParameter Id="AssertIfRightOperandIsNotPresent" DataType="boolean" Value="true" />
        <InputParameter Id="TreatAsEqualIfWithinMillseconds" DataType="int" Value="300000" />
      </InputParameters>
    </ClaimsTransformation>
  <!--
  </ClaimsTransformations>
</BuildingBlocks> -->

To invoke the process to evaluate whether the refresh token has been revoked, add the following technical profile to your TrustFrameworkExtensions.xml.

  1. Open the extensions file of your policy. For example, SocialAndLocalAccounts/TrustFrameworkExtensions.xml.
  2. Locate the ClaimsProviders element. If the element doesn't exist, add it.
  3. Add the following ClaimsProvider to the ClaimsProviders element.
  4. Add any extra claims collected from REST APIs and federated IdPs that are not persisted in the directory as OutputClaims of the RefreshTokenReadAndSetup technical profile, so they are reissued in the refreshed tokens.
<!--
<ClaimsProviders> -->
  <ClaimsProvider>
    <DisplayName>Refresh token journey</DisplayName>
    <TechnicalProfiles>
      <TechnicalProfile Id="RefreshTokenReadAndSetup">
        <DisplayName>Trustframework Policy Engine Refresh Token Setup Technical Profile</DisplayName>
        <Protocol Name="None" />
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="objectId" />
          <OutputClaim ClaimTypeReferenceId="refreshTokenIssuedOnDateTime" />
          <!-- additional claims from REST API or federated IdP -->
          <OutputClaim ClaimTypeReferenceId="ExtraClaim1" />
          <OutputClaim ClaimTypeReferenceId="ExtraClaim2" />
        </OutputClaims>
      </TechnicalProfile>
      <TechnicalProfile Id="AAD-UserReadUsingObjectId-CheckRefreshTokenDate">
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="refreshTokensValidFromDateTime" />
        </OutputClaims>
        <OutputClaimsTransformations>
          <OutputClaimsTransformation ReferenceId="AssertRefreshTokenIssuedLaterThanValidFromDate" />
        </OutputClaimsTransformations>
        <IncludeTechnicalProfile ReferenceId="AAD-UserReadUsingObjectId" />
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
<!--
</ClaimsProviders> -->

Upload the policies

  1. Select the Identity Experience Framework menu item in your B2C tenant in the Azure portal.
  2. Select Upload custom policy
  3. Select Overwrite the custom policy if it already exists
  4. In this order, upload the policy files:
    1. TrustFrameworkExtensions.xml
    2. SignUpOrSignin.xml
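The wiring above spans several edits across two files (the journey, the two claims, the transformation, the technical profiles and the relying party endpoint), and a relying party file that misses the Token endpoint silently keeps the old unchecked refresh behaviour. The following Python script is an added example, not part of the starter pack: it parses a set of framework policy files plus one relying party file and reports which piece of the wiring is missing. The embedded XML strings are constructed, trimmed samples containing only the elements named in this walkthrough; the lint checks only those elements and nothing else about the policy.

```python
"""Lint the refresh-token wiring of a custom policy set (added example, not starter-pack code)."""
import xml.etree.ElementTree as ET
from typing import List

NS = {"tf": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}
ISSUED, VALID_FROM = "refreshTokenIssuedOnDateTime", "refreshTokensValidFromDateTime"

# Constructed, trimmed TrustFrameworkExtensions.xml holding just the elements added above.
EXTENSIONS_XML = f"""<TrustFrameworkPolicy xmlns="{NS['tf']}" PolicyId="B2C_1A_TrustFrameworkExtensions">
  <BuildingBlocks>
    <ClaimsSchema>
      <ClaimType Id="{ISSUED}"><DataType>string</DataType></ClaimType>
      <ClaimType Id="{VALID_FROM}"><DataType>string</DataType></ClaimType>
    </ClaimsSchema>
    <ClaimsTransformations>
      <ClaimsTransformation Id="AssertRefreshTokenIssuedLaterThanValidFromDate" TransformationMethod="AssertDateTimeIsGreaterThan">
        <InputClaims>
          <InputClaim ClaimTypeReferenceId="{ISSUED}" TransformationClaimType="leftOperand" />
          <InputClaim ClaimTypeReferenceId="{VALID_FROM}" TransformationClaimType="rightOperand" />
        </InputClaims>
      </ClaimsTransformation>
    </ClaimsTransformations>
  </BuildingBlocks>
  <ClaimsProviders><ClaimsProvider><TechnicalProfiles>
    <TechnicalProfile Id="RefreshTokenReadAndSetup"><Protocol Name="None" /></TechnicalProfile>
    <TechnicalProfile Id="AAD-UserReadUsingObjectId-CheckRefreshTokenDate">
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="AssertRefreshTokenIssuedLaterThanValidFromDate" />
      </OutputClaimsTransformations>
    </TechnicalProfile>
  </TechnicalProfiles></ClaimsProvider></ClaimsProviders>
  <UserJourneys><UserJourney Id="RedeemRefreshToken"><OrchestrationSteps>
    <OrchestrationStep Order="1" Type="ClaimsExchange"><ClaimsExchanges>
      <ClaimsExchange Id="Setup" TechnicalProfileReferenceId="RefreshTokenReadAndSetup" /></ClaimsExchanges></OrchestrationStep>
    <OrchestrationStep Order="2" Type="ClaimsExchange"><ClaimsExchanges>
      <ClaimsExchange Id="Check" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId-CheckRefreshTokenDate" /></ClaimsExchanges></OrchestrationStep>
    <OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
  </OrchestrationSteps></UserJourney></UserJourneys>
</TrustFrameworkPolicy>"""

# Constructed relying-party files: one wired as described, one that still lacks the Token endpoint.
RP_WIRED = f"""<TrustFrameworkPolicy xmlns="{NS['tf']}" PolicyId="B2C_1A_signup_signin"><RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
  <Endpoints><Endpoint Id="Token" UserJourneyReferenceId="RedeemRefreshToken" /></Endpoints>
</RelyingParty></TrustFrameworkPolicy>"""
RP_UNWIRED = f"""<TrustFrameworkPolicy xmlns="{NS['tf']}" PolicyId="B2C_1A_ProfileEdit"><RelyingParty>
  <DefaultUserJourney ReferenceId="ProfileEdit" /></RelyingParty></TrustFrameworkPolicy>"""


def lint_refresh_token_wiring(framework_xmls: List[str], relying_party_xml: str) -> List[str]:
    """framework_xmls: base, localization and extensions files in upload order. Returns findings."""
    docs = [ET.fromstring(x) for x in framework_xmls]
    rp = ET.fromstring(relying_party_xml)

    def by_id(path: str):  # later files override earlier ones, as the policy engine merges by Id
        return {el.get("Id"): el for doc in docs for el in doc.iterfind(path, NS)}

    # 1. The relying party must route token (refresh) requests to a journey that exists.
    endpoint = rp.find("tf:RelyingParty/tf:Endpoints/tf:Endpoint[@Id='Token']", NS)
    if endpoint is None:
        return [f"{rp.get('PolicyId')}: no <Endpoint Id=\"Token\">, so refreshes keep the built-in unchecked path"]
    journey_id = endpoint.get("UserJourneyReferenceId")
    journey = by_id(".//tf:UserJourney").get(journey_id)
    if journey is None:
        return [f"Token endpoint references journey {journey_id!r}, which no framework file defines"]

    # 2. Every technical profile the journey invokes must be defined somewhere in the set.
    findings: List[str] = []
    profiles = by_id(".//tf:TechnicalProfile")
    invoked = [ce.get("TechnicalProfileReferenceId") for ce in journey.iterfind(".//tf:ClaimsExchange", NS)]
    findings += [f"journey {journey_id} invokes undefined technical profile {ref!r}" for ref in invoked if ref not in profiles]

    # 3. One invoked profile must run AssertDateTimeIsGreaterThan with issued-on > valid-from.
    transforms = by_id(".//tf:ClaimsTransformation")
    asserted = False
    for ref in invoked:
        if ref not in profiles:
            continue
        for out in profiles[ref].iterfind("tf:OutputClaimsTransformations/tf:OutputClaimsTransformation", NS):
            ct = transforms.get(out.get("ReferenceId"))
            if ct is None or ct.get("TransformationMethod") != "AssertDateTimeIsGreaterThan":
                continue
            operands = {ic.get("TransformationClaimType"): ic.get("ClaimTypeReferenceId")
                        for ic in ct.iterfind("tf:InputClaims/tf:InputClaim", NS)}
            asserted |= operands.get("leftOperand") == ISSUED and operands.get("rightOperand") == VALID_FROM
    if not asserted:
        findings.append(f"no invoked technical profile asserts {ISSUED} > {VALID_FROM}")

    # 4. Both timestamp claims must be declared in some ClaimsSchema of the set.
    declared = by_id(".//tf:ClaimsSchema/tf:ClaimType")
    findings += [f"ClaimType {c} is not declared in any ClaimsSchema" for c in (ISSUED, VALID_FROM) if c not in declared]
    return findings


if __name__ == "__main__":
    for rp_xml in (RP_WIRED, RP_UNWIRED):
        print(lint_refresh_token_wiring([EXTENSIONS_XML], rp_xml) or ["ok"])
```

Run it against your real files by reading TrustFrameworkBase.xml, TrustFrameworkLocalization.xml and TrustFrameworkExtensions.xml into the list and each relying party file in turn; with the 2022 base policy the claims and technical profiles are found in the base file, with an older base they must come from your extensions file.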

11 October 2021

With this version the starter pack now contains localization policy file TrustFrameworkLocalization.xml. The localization policy allows your policy to accommodate different languages to suit your customer needs. For more information, check the PR #107.

The new localization policy is located between the base and the extension policies:

Policy: B2C_1A_TrustFrameworkBase. Base policy: none. Notes: contains most of the definitions. To help with troubleshooting and long-term maintenance of your policies, try to minimize the number of changes you make to this file.
Policy: B2C_1A_TrustFrameworkLocalization. Base policy: B2C_1A_TrustFrameworkBase. Notes: holds the localization strings.
Policy: B2C_1A_TrustFrameworkExtensions. Base policy: B2C_1A_TrustFrameworkLocalization. Notes: holds the unique configuration changes for your tenant.
Policy: Relying Parties (RP). Base policy: B2C_1A_TrustFrameworkExtensions. Notes: for example sign-up, sign-in, password reset, or profile edit.

Migrate an existing policy to this version

To migrate from the older version of the starter pack to this version:

  1. Download the starter pack and update the tenant name.

  2. Upload the newer version of TrustFrameworkBase.xml file.

  3. Upload the new TrustFrameworkLocalization.xml file.

  4. Update your existing TrustFrameworkExtensions.xml so that its base policy is B2C_1A_TrustFrameworkLocalization. The following XML snippet shows the base policy before the change:

    <!-- file: TrustFrameworkExtensions.xml -->
    <BasePolicy>
      <TenantId>yourtenant.onmicrosoft.com</TenantId>
      <PolicyId>B2C_1A_TrustFrameworkBase</PolicyId>
    </BasePolicy>

    The following XML snippet demonstrates the base policy after the change:

    <!-- file: TrustFrameworkExtensions.xml -->
    <BasePolicy>
      <TenantId>yourtenant.onmicrosoft.com</TenantId>
      <PolicyId>B2C_1A_TrustFrameworkLocalization</PolicyId>
    </BasePolicy>
  5. Upload the TrustFrameworkExtensions.xml policy.
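Uploads fail when a file names a base policy that has not been uploaded yet or carries a different TenantId, which is easy to get wrong while re-pointing extensions at the new localization layer. The following Python script is an added example, not starter-pack code: it reads the PolicyId, TenantId and BasePolicy header of each file, rejects a missing base, a tenant mismatch or a cycle, and prints the upload order that puts every base before the policies derived from it, matching the table above. The sample policies are constructed header-only documents; real files carry the full policy body but the same root attributes and BasePolicy element.

```python
"""Order custom-policy files for upload by following their BasePolicy chain (added example)."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

NS = {"tf": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}
TENANT = "yourtenant.onmicrosoft.com"


def policy_header(policy_id: str, base_id: Optional[str] = None,
                  tenant: str = TENANT, base_tenant: Optional[str] = None) -> str:
    """Constructed minimal policy document with the header fields the upload validator reads."""
    base = "" if base_id is None else (
        f"<BasePolicy><TenantId>{base_tenant or tenant}</TenantId><PolicyId>{base_id}</PolicyId></BasePolicy>")
    return (f'<TrustFrameworkPolicy xmlns="{NS["tf"]}" PolicySchemaVersion="0.3.0.0" TenantId="{tenant}" '
            f'PolicyId="{policy_id}" PublicPolicyUri="http://{tenant}/{policy_id}">{base}</TrustFrameworkPolicy>')


def read_header(xml_text: str) -> Dict[str, Optional[str]]:
    """Extract the policy's own id and tenant plus the base policy it derives from, if any."""
    root = ET.fromstring(xml_text)
    base = root.find("tf:BasePolicy", NS)
    return {
        "id": root.get("PolicyId"),
        "tenant": root.get("TenantId"),
        "base": None if base is None else base.findtext("tf:PolicyId", namespaces=NS),
        "base_tenant": None if base is None else base.findtext("tf:TenantId", namespaces=NS),
    }


def upload_order(xml_docs: List[str]) -> List[str]:
    """Return policy IDs ordered so every policy follows the one it derives from.

    Raises ValueError for a base that is not in the set, a BasePolicy/TenantId mismatch,
    or a cycle, so the problems surface before anything is uploaded.
    """
    headers = {h["id"]: h for h in map(read_header, xml_docs)}
    for h in headers.values():
        if h["base"] is None:
            continue
        if h["base"] not in headers:
            raise ValueError(f"{h['id']} derives from {h['base']}, which is not among the files to upload")
        if h["base_tenant"] != h["tenant"]:
            raise ValueError(f"{h['id']}: BasePolicy TenantId {h['base_tenant']} differs from {h['tenant']}")

    order: List[str] = []
    state: Dict[str, str] = {}

    def visit(pid: str, trail: List[str]) -> None:  # depth-first: bases are appended before derived policies
        if state.get(pid) == "done":
            return
        if state.get(pid) == "visiting":
            raise ValueError("BasePolicy cycle: " + " -> ".join(trail + [pid]))
        state[pid] = "visiting"
        if headers[pid]["base"]:
            visit(headers[pid]["base"], trail + [pid])
        state[pid] = "done"
        order.append(pid)

    for pid in sorted(headers):
        visit(pid, [])
    return order


# Constructed set matching the table above: base -> localization -> extensions -> relying parties.
STARTER_PACK = [
    policy_header("B2C_1A_TrustFrameworkBase"),
    policy_header("B2C_1A_TrustFrameworkLocalization", "B2C_1A_TrustFrameworkBase"),
    policy_header("B2C_1A_TrustFrameworkExtensions", "B2C_1A_TrustFrameworkLocalization"),
    policy_header("B2C_1A_signup_signin", "B2C_1A_TrustFrameworkExtensions"),
    policy_header("B2C_1A_PasswordReset", "B2C_1A_TrustFrameworkExtensions"),
]

if __name__ == "__main__":
    for n, pid in enumerate(upload_order(STARTER_PACK), 1):
        print(f"{n}. upload {pid}")
```

Feed it the contents of your real policy files in any order; a relying party still pointing at a base that is not in the set (for example an extensions file you renamed) is reported by name instead of failing at the portal.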

15 September 2021

Update to the content definition page version. With the new version the starter pack uses the page contract. For more information, see Migrating to page layout.

20 July 2019

Updated policies to use the new Ocean Blue template

29 January 2019

A collection of bug fixes, code improvements, and additional feature support is included in this starter pack. Developers are not required or encouraged to change policies currently in production or in testing; we do encourage the use of these new versions for all new projects.

10 May 2017

Public Preview Release

5 May 2017

Added a Key definition to the metadata element in all four TrustFrameworkBase.xml versions. When this item is set to true, the expiration values in the token response body issued by B2C are emitted as JSON numbers; when set to false (the default) they are emitted as strings. Clients that type-check the response (RFC 6749 defines expires_in as a number) need the true setting.

<Item Key="SendTokenResponseBodyWithJsonNumbers">true</Item> 

Important notes

The following change is incorporated into the latest version of the starter pack (01/29/2019) and remains here for historical purposes. 06/26/2017: correction to SocialAndLocalAccountswMFA in the TrustFrameworkBase.xml file.

A change to fix a data loss issue related to SSO, the profile edit policy, and MFA. The issue was caused by the MFA SSO technical profile not persisting the claim below in the same format that the regular MFA provider outputs it.

<TechnicalProfile Id="SM-MFA">
  <DisplayName>Session Mananagement Provider</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.DefaultSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <PersistedClaims>
    <!-- OLD:       <PersistedClaim ClaimTypeReferenceId="strongAuthenticationPhoneNumber" /> -->
    <!-- CORRECTED: -->
    <PersistedClaim ClaimTypeReferenceId="Verified.strongAuthenticationPhoneNumber" />
    <PersistedClaim ClaimTypeReferenceId="executed-PhoneFactor-Input" />
  </PersistedClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="isActiveMFASession" DefaultValue="true" />
  </OutputClaims>
</TechnicalProfile>

active-directory-b2c-custom-policy-starterpack's People

Contributors

bolt-io, brhasset, gsacavdm, jayallen, ktsakas, lauren-rutledge, lingdanmeng, marcelodiiorio, microsoftopensource, msftgits, norrch2, omer-iqbal, parakhj, rojasja, saeedakhter-msft, sipower, umabal, vigunase, xinaxu, yoelhor


active-directory-b2c-custom-policy-starterpack's Issues

How do the IdentityExperienceFrameworkApps connect to AAD without secrets?

In LocalAccounts/TrustFrameworkExtensions.xml we have:

<TechnicalProfiles>
   <TechnicalProfile Id="login-NonInteractive">
    <Metadata>
      <Item Key="client_id">ProxyIdentityExperienceFrameworkAppId</Item>
      <Item Key="IdTokenAudience">IdentityExperienceFrameworkAppId</Item>
    </Metadata>
    <InputClaims>
      <InputClaim ClaimTypeReferenceId="client_id" DefaultValue="ProxyIdentityExperienceFrameworkAppID" />
      <InputClaim ClaimTypeReferenceId="resource_id" PartnerClaimType="resource" DefaultValue="IdentityExperienceFrameworkAppID" />
    </InputClaims>
  </TechnicalProfile>
</TechnicalProfiles>

Can someone explain why two applications are required to make these custom policies work?
How does the IEF use each of them?

Besides, I don't see any secret or application key being passed to IEF in these files. How can IEF connect to AAD using Application Ids only?

How to get the base-v1 policy

We're using Azure AD B2C for a client app. I configured many custom claim properties and several user journeys through the Azure portal.
However, now we need some special functionality that can only be achieved by directly editing the policy xml files because Azure Portal doesn't support these features.

But I don't want to start from scratch with the xml templates as it seems to be very difficult.

Now my question is:
Is it possible to get the current working base policy as an xml file? It's not possible to derive my own custom policy from the default base-v1 policy.

What happened to the user migration app?

Trying to create users in B2C. Can't find the VS migration app project. How to add users into B2C then? I need to use custom usernames (Social Security Numbers).

Phone signup without email recovery step

I uploaded phone-number-passwordless custom policy and features are working as expected.
But I wanted to remove email recovery step when a user signup using phone number.

As per the SignUpOrSignInWithPhone.xml or SignUpOrSignInWithPhoneOrEmail.xml, a user need to verify email id as well, even when doing a phone number based sign up.

Any help will be really appreciated.

Add JourneyInsights to XSD

I've integrated the XSD file into VS Code and it complaining about JourneyInsights.

I'm happy to submit a PR to fix... just want to check first that it is welcomed... thanks 🙏

<UserJourneyBehaviors>
    <JourneyInsights TelemetryEngine="ApplicationInsights" InstrumentationKey="[some-guid]" DeveloperMode="true" ClientEnabled="false" ServerEnabled="true" TelemetryVersion="1.0.0" />
</UserJourneyBehaviors>


SignUpOrSignIn Intermittent Exception

This issue is not reproducible on demand. Intermittently you will see errors logged stating "A claim could not be found for lookup claim with id "alternativeSecurityId" defined in technical profile with id "AAD-UserReadUsingAlternativeSecurityId-NoError""

It looks to me there is an unhandled case in the SignUpOrSignIn user journey. The journey assumes that if the authenticationSource is not localAccountAuthentication then the alternativeSecurityId claim will exist. This seems not to be true in practice. Step 2 in the user journey acknowledges that an objectId could already exist and if it does then it skips that step. That step is where the alternativeSecurityId gets created so if it is skipped and authenticationSource is social then you can get the error reported above. Looking further into the logs there is a field called objectIdFromSession which is set to true. So it seems that when the objectId is populated from a session it does not create a alternativeSecurityId from that session, it skips the step 2 that creates alternativeSecurityId, and because authenticationSource is set to social it goes into step 3 and we get the above error.

        <!-- Check if the user has selected to sign in using one of the social providers -->
        <OrchestrationStep Order="2" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
              <Value>objectId</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="FacebookExchange" TechnicalProfileReferenceId="Facebook-OAUTH" />
            <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail" />
          </ClaimsExchanges>
        </OrchestrationStep>

        <!-- For social IDP authentication, attempt to find the user account in the directory. -->
        <OrchestrationStep Order="3" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
              <Value>authenticationSource</Value>
              <Value>localAccountAuthentication</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="AADUserReadUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError" />
          </ClaimsExchanges>
        </OrchestrationStep>

Default error message in case of a wrong password in login-NonInteractive tech profile

Hi,
I've noticed that in the base policy below (but I think it's the same for other base policies) there's a default message displayed to the user when a wrong password is entered. I'm wondering whether this might be the best default message in terms of security, especially for a new developer that still doesn't know really well everything is in the policies. Maybe for the default message provided by the starter pack something like "Your username and/or password is/are incorrect" would be more appropriate.
Thanks.

<Item Key="UserMessageIfInvalidPassword">Your password is incorrect</Item>

V2.0 token configurations

What are the configuration parameters for OpenIdConnect technical profile for v2.0 endpoints?
I tried v2.0 endpoints from my B2C tenant and it throws userid and password invalid error.

<Item Key="ProviderName">https://sts.windows.net/</Item>

<Item Key="METADATA">https://.b2clogin.com/{tenant}//v2.0/.well-known/openid-configuration</Item>

<Item Key="authorization_endpoint">https://.b2clogin.com/{tenant}//oauth2/v2.0/token</Item>

Also, the sample should be updated to get v2.0 token using b2clogin.com.

Define "ESTS" or change to a well-known term

Many of the policy files use the term "ESTS" in comments. However, I can find no definition for this term in the starter pack or in any B2C documentation. One example of such comments:

        <!-- Show self-asserted page only if the directory does not have the user account already (i.e. we do not have an objectId). 
          This can only happen when authentication happened using a social IDP. If local account was created or authentication done
          using ESTS in step 2, then an user account must exist in the directory by this time. -->

Custom Policy B2C_1A_signup_signin Upload error

Hi,
when I try to upload to azure B2C the custom policy B2C_1A_signup_signin i get this error:

Validation failed: 1 validation error(s) found in policy "B2C_1A_SIGNUP_SIGNIN" of tenant "tenantName.onmicrosoft.com".TechnicalProfile "login-NonInteractive" in policy "B2C_1A_signup_signin" of tenant "tenantName.onmicrosoft.com" defines an invalid value "" for the metadata item "client_id."

This is my XML file:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TrustFrameworkPolicy
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:xsd="http://www.w3.org/2001/XMLSchema"
        xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
        PolicySchemaVersion="0.3.0.0"
        TenantId="tenantName.onmicrosoft.com"
        PolicyId="B2C_1A_signup_signin"
        PublicPolicyUri="http://tenantName.onmicrosoft.com/B2C_1A_signup_signin">

  <BasePolicy>
    <TenantId>tenantName.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_DisplayControl_TrustFrameworkExtensions</PolicyId>
  </BasePolicy>

  <RelyingParty>
    <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
    <TechnicalProfile Id="PolicyProfile">
      <DisplayName>PolicyProfile</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="displayName" />
        <OutputClaim ClaimTypeReferenceId="givenName" />
        <OutputClaim ClaimTypeReferenceId="surname" />
        <OutputClaim ClaimTypeReferenceId="email" />
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
        <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" />
      </OutputClaims>
      <SubjectNamingInfo ClaimType="sub" />
    </TechnicalProfile>
  </RelyingParty>
</TrustFrameworkPolicy>

TrustFrameworkPolicy_0.3.0.0.xsd - XML Validation errors

I have set up VSCode to validate my Custom Policies against the provided TrustFrameworkPolicy_0.3.0.0.xsd file but have found there are numerous validation errors.

  • There is a Namespace issue with the XML vs the XSD document: "TargetNamespace.2: Expecting no namespace, but the schema document has a target namespace of 'http://schemas.microsoft.com/online/cpim/schemas/2013/06'.xml(TargetNamespace.2)"
    I have fixed this by adding the xsd file name to the xsi:schemaLocation portion of the TrustFrameworkPolicy element, however I'm not sure if that is the correct fix:
    xsi:schemaLocation="http://schemas.microsoft.com/online/cpim/schemas/2013/06 TrustFrameworkPolicy_0.3.0.0.xsd

  • Long is a valid DataType for ClaimsSchema ClaimType, however they are not in the XSD

  • Paragraph is a valid UserInputType for ClaimsSchema ClaimType, same problem

  • When using the LinkedIn sign in CustomPolicy with the Optional Email claim, the second OutputClaim throws this error 'cvc-complex-type.2.4.d: Invalid content was found starting with element 'OutputClaim'. No child element is expected at this point.xml(cvc-complex-type.2.4.d)'

  • Using AlwaysUseDefaultValue="true" in an OutputClaim throws this error: 'cvc-complex-type.3.2.2: Attribute 'AlwaysUseDefaultValue' is not allowed to appear in element 'OutputClaim'.xml(cvc-complex-type.3.2.2)'

alternativeSecurityId case sensitivity issue?

<InputClaim ClaimTypeReferenceId="AlternativeSecurityId" PartnerClaimType="alternativeSecurityId" Required="true" />

<PersistedClaim ClaimTypeReferenceId="alternativeSecurityId" />

Why are the cases different in the 2 lines? Does this work as is?

Generate OTP either doesn't work or fails into the error.

Hi,
I copied technical profiles examples from the ms docs site to my policy and it fails into the error:

Unable to cast object of type 'Web.TPEngine.Providers.OneTimePasswordProtocolProvider' to type 'Web.TPEngine.Providers.IProtocolProvider'.

Correlation ID: 94f61d59-81c7-4416-8f11-dddf21b9b557
Timestamp: 2021-01-13 11:05:30Z
AADB2C: An exception has occurred.

UserJourney used:

        <OrchestrationStep
            Order="3"
            Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange
                Id="GenerateOtpFromEmail"
                TechnicalProfileReferenceId="GenerateOtp" />
          </ClaimsExchanges>
        </OrchestrationStep>

However, if I'm using it as a validation profile of another profile - it doesn't generate a code. Otp claim is empty.

This is an example of the UserJourney:

        <TechnicalProfile Id="GenerateOtpProfile">
          <DisplayName>Generate OTP</DisplayName>
          <Protocol
              Name="Proprietary"
              Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
          <InputClaims>
            <InputClaim ClaimTypeReferenceId="email" />
          </InputClaims>
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="Otp" />
          </OutputClaims>
          <ValidationTechnicalProfiles>
            <ValidationTechnicalProfile ReferenceId="GenerateOtp" />
          </ValidationTechnicalProfiles>
        </TechnicalProfile>

.....

        <OrchestrationStep
            Order="3"
            Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange
                Id="GenerateOtpFromEmail"
                TechnicalProfileReferenceId="GenerateOtpProfile" />
          </ClaimsExchanges>
        </OrchestrationStep>

CorrelationId for this event is 576334b2-5432-4498-9033-567617514196.

For both cases I used the same example from the docs:

    <ClaimsProvider>
      <DisplayName>One time password technical profiles</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="GenerateOtp">
          <DisplayName>Generate one time password</DisplayName>
          <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.OneTimePasswordProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
          <Metadata>
            <Item Key="Operation">GenerateCode</Item>
            <Item Key="CodeExpirationInSeconds">1200</Item>
            <Item Key="CodeLength">6</Item>
            <Item Key="CharacterSet">0-9</Item>
            <Item Key="ReuseSameCode">true</Item>
            <Item Key="MaxNumAttempts">5</Item>
          </Metadata>
          <InputClaims>
            <InputClaim ClaimTypeReferenceId="email" PartnerClaimType="identifier" />
          </InputClaims>
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="otp" PartnerClaimType="otpGenerated" />
          </OutputClaims>
        </TechnicalProfile>
    
        <TechnicalProfile Id="VerifyOtp">
          <DisplayName>Verify one time password</DisplayName>
          <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.OneTimePasswordProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
          <Metadata>
            <Item Key="Operation">VerifyCode</Item>
          </Metadata>
          <InputClaims>
            <InputClaim ClaimTypeReferenceId="email" PartnerClaimType="identifier" />
            <InputClaim ClaimTypeReferenceId="verificationCode" PartnerClaimType="otpToVerify" />
          </InputClaims>
        </TechnicalProfile>
       </TechnicalProfiles>
    </ClaimsProvider>

Poor code quality in samples

The code samples have poor quality, Visual Studio warns about "Naming rule violations" for instance.

I believe Official Microsoft samples should follow the C# programming guide.

Add TFP Claim to the Base Policy

According to this documentation -> Setting claim representing policy ID, TFP is the preferred approach but that claim is not included in the starter pack.

This issue was raised on Stack Overflow.

Sample ClaimType that works:

<ClaimType Id="trustFrameworkPolicy">
    <DisplayName>Trust Framework Policy</DisplayName>
    <DataType>string</DataType>
    <DefaultPartnerClaimTypes>
        <Protocol Name="OAuth2" PartnerClaimType="tfp" />
        <Protocol Name="OpenIdConnect" PartnerClaimType="tfp" />
    </DefaultPartnerClaimTypes>
</ClaimType>

Related SO post: Should ACR or TFP have the policy name?.

Terms of use consent page giving errors

Hi,

For a new user I am trying to show the user consent form but the link below is giving some errors
https://cs4585b26274a94x484fx966.blob.core.windows.net/b2ccontainer/index.htm

Uncaught TypeError: element.attachEvent is not a function
at observe (prototype.forms.js:578)
at HTMLDocument._methodized [as observe] (prototype.forms.js:60)
at scroll.js:1
at scroll.js:1
prototype.forms.js:594 Uncaught TypeError: element.dispatchEvent is not a function
at fire (prototype.forms.js:594)
at HTMLDocument._methodized [as fire] (prototype.forms.js:60)
at HTMLDocument.fireContentLoadedEvent (prototype.forms.js:598)

I am not able to get the continue and cancel button

SignUpSignIn does not render correctly for Email operatingMode

In my TrustFrameworkExtensions I added the following:

<ContentDefinition Id="api.signuporsignin">
        <LoadUri>https://{Settings:BlobStorageAccount}.blob.core.windows.net/{Settings:BlobContainer}/html/sign_in.html</LoadUri>
        <RecoveryUri>~/common/default_page_error.html</RecoveryUri>
        <DataUri>urn:com:microsoft:aad:b2c:elements:contract:unifiedssp:2.1.0</DataUri>
        <Metadata>
          <Item Key="DisplayName">Signin and Signup</Item>
        </Metadata>
      </ContentDefinition>

However, with version 2.1.0 the sign in name field is not an Email Address field. Based on the TrustFrameworkBase I would expect the behavior to have Email Address as the placeholder and label and to validate the input as a valid email address. The actual behavior is that the placeholder/label says "Sign In Name" and there is no email address validation. The input is also always throwing a format mismatch for whatever text is entered into that field. Perhaps the TrustFrameworkBase is out of date for this new version?

The Country code list from the `Phone_Email_Base` policy has invalid values

In this policy, there is a list of country codes (claim countryCode).

Ukraine and United Arab Emirates have the same ISO country code: UA.
The ISO country code for United Arab Emirates is wrong, it should be AE.

Also it is missing the Kosovo country code. A new item should be added:
<Item Text="Kosovo(+383)" Value="XK" />

I'm happy to push a PR if needed.
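A way to catch the duplicate-value problem described in this report before uploading a policy, as an added example that is not part of the starter pack. The policy fragment is constructed to reproduce the report (UA used twice, one lowercase value); the element names ClaimType > Restriction > Enumeration and the namespace are assumed to match the B2C schema, and the alpha-2 check only tests the shape of the value, not membership in the ISO list.

```python
"""Flag duplicate or malformed values in a B2C ClaimType enumeration."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Assumed B2C policy namespace (matches the starter pack files).
NS = {"b2c": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}
ALPHA2 = re.compile(r"[A-Z]{2}")  # ISO 3166-1 alpha-2 shape only, not the real list

# Constructed sample that reproduces the report: UA used for two countries.
SAMPLE_POLICY = """\
<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">
  <BuildingBlocks><ClaimsSchema>
    <ClaimType Id="countryCode">
      <DataType>string</DataType>
      <Restriction>
        <Enumeration Text="Ukraine (+380)" Value="UA" />
        <Enumeration Text="United Arab Emirates (+971)" Value="UA" />
        <Enumeration Text="Kosovo (+383)" Value="xk" />
      </Restriction>
    </ClaimType>
  </ClaimsSchema></BuildingBlocks>
</TrustFrameworkPolicy>
"""


def check_enumeration(policy_xml: str, claim_id: str) -> dict:
    """Return {'duplicates': {value: [texts]}, 'malformed': [(text, value)]}."""
    root = ET.fromstring(policy_xml)
    by_value = defaultdict(list)
    malformed = []
    for claim in root.iterfind(".//b2c:ClaimType", NS):
        if claim.get("Id") != claim_id:
            continue
        for item in claim.iterfind("b2c:Restriction/b2c:Enumeration", NS):
            text, value = item.get("Text", ""), item.get("Value", "")
            by_value[value].append(text)          # same Value twice = ambiguous claim
            if not ALPHA2.fullmatch(value):
                malformed.append((text, value))   # not two uppercase letters
    duplicates = {v: texts for v, texts in by_value.items() if len(texts) > 1}
    return {"duplicates": duplicates, "malformed": malformed}


if __name__ == "__main__":
    report = check_enumeration(SAMPLE_POLICY, "countryCode")
    for value, texts in report["duplicates"].items():
        print(f"duplicate value {value}: {', '.join(texts)}")
    for text, value in report["malformed"]:
        print(f"malformed value {value!r} for {text}")
```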

Support focus on the first attribute (HTML input element) - urn:com:microsoft:aad:b2c:elements:selfasserted:1.1.0

Content definitions (TrustFrameworkPolicy element "ContentDefinition") with DataUri="urn:com:microsoft:aad:b2c:elements:selfasserted:1.1.0" do not set the focus on the first attribute (HTML input element for claim).

Only the content definition with DataUri="urn:com:microsoft:aad:b2c:elements:unifiedssp:1.0.0" contains a useful focus setting.

Because our own JavaScript is filtered out, this should be fixed rapidly. Otherwise we have to inform the users that they must press TAB or use the mouse.

Please fix this problem asap. It is one line of JavaScript/jQuery:

$(document).ready(function() {
    $('form:first *:input[type!=hidden]:first').focus();
});

OR (much easier)

A line similar to the following (marked with "/* FIX HERE */") for all attributes:

Handlebars.registerHelper('buildTextInput', function (id, type, placeholder, value, pattern, patternDesc, title, required, readonly, index, options) {
    var input = '<input id="' + id + '" class="textInput" type="' + type + '" ';
    var ariaLabel = "";
    var passwordErrorMsgsStr = "";

    /* FIX HERE */ input += 'autofocus '; // New line inserted

    if (placeholder) {
        input += 'placeholder="' + placeholder + '" ';
    }

    // ... remainder of the helper as in the original template (omitted in the post)
});

P. S.: Posted twice (other entry: Azure-Samples/active-directory-b2c-advanced-policies#30) - please decide which repo is the right one.

Split the signup screen into 2 screens

The signup page on AD B2C shows the email verification controls followed by user First name Last name and other fields.

I would like to split this into 2 separate screens where the users only see the email verification box and send the verification code. When they come back they should be able to go to the next screen, which asks for more details.

For multiple projects here, we do not like having it all on one screen, basically it doesn't make sense to show controls that are not relevant to what we are trying to do, i.e. just email verification before anything else.

So the question is, is that possible? Has anyone tried it? Can you share any customization samples or pointers?

Compatibility with .NET Core 3

This sample no longer works since .NET was updated.

IHttpActionResult has been deprecated, so the prescribed return type isn't possible:

return Content(HttpStatusCode.Conflict, new B2CResponseContent("Request content is empty", HttpStatusCode.Conflict));

As per the guidelines I have ported it to ActionResult, but now the sign up process says "The claims exchange 'REST-API-SignUp' specified in step '2' returned HTTP error response that could not be parsed".

Rejects some valid e-mails

When doing development, it is often useful to use emails of the form:

my_email+1234@my_domain.com

E-mails of this form are rejected by the regular expression in TrustFrameworkBase.xml.
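To see why a tight e-mail pattern rejects plus-addressed mailboxes and how to embed a corrected one safely, here is an added example that is not code from the starter pack. Both regular expressions are constructed for illustration (neither is the one in TrustFrameworkBase.xml), and the <Pattern> element shape is assumed to match the B2C ClaimType Restriction schema.

```python
"""Check an e-mail validation pattern against plus-addressed developer mailboxes."""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# Constructed: a typical "tight" pattern that allows only letters, digits, dot,
# underscore and hyphen in the local part, so user+tag@domain is rejected.
STRICT_PATTERN = r"^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$"

# Constructed: local part uses the RFC 5322 atext set (which includes '+').
# Underscores are tolerated in domain labels only so the dev-style address from
# the report above is accepted; real DNS hostnames do not contain them.
PLUS_AWARE_PATTERN = (
    r"^[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]+"
    r"@[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*$"
)


def is_valid_email(address: str, pattern: str = PLUS_AWARE_PATTERN) -> bool:
    """True only when the whole address matches (fullmatch, no partial hits)."""
    return re.fullmatch(pattern, address) is not None


def pattern_element(regex: str, help_text: str) -> str:
    """Render a ClaimType <Pattern> restriction (assumed B2C schema) with the
    regex XML-escaped; a raw '&' or quote inside the class would otherwise
    break the policy file when the pattern is pasted into the attribute."""
    return ("<Pattern RegularExpression=" + quoteattr(regex)
            + " HelpText=" + quoteattr(help_text) + " />")


def round_trips(regex: str) -> bool:
    """Parse the rendered element back and confirm the regex survived escaping."""
    elem = ET.fromstring(pattern_element(regex, "Please enter a valid email address."))
    return elem.get("RegularExpression") == regex


if __name__ == "__main__":
    for addr in ("my_email+1234@my_domain.com", "user@example.com"):
        print(addr, "strict:", is_valid_email(addr, STRICT_PATTERN),
              "plus-aware:", is_valid_email(addr))
    print(pattern_element(PLUS_AWARE_PATTERN, "Please enter a valid email address."))
```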

AADB2C90068: The provided application with ID is not valid against this service. Please use an application created via the B2C portal and try again.

I have configured a custom policy that just performs sign-in (I have removed every other custom step I will use, just to make sure the issue is not with the policy).

I have followed all instructions for creating IdentityExperienceFramework and ProxyIdentityExperienceFramework. When I run the user flow, it shows the UI screen, posts the request and does not redirect and does not show any errors. Since I enabled application insights, I could see this exception is being thrown.

I am sure I configured the apps as B2C apps and not AD apps, which seems to be a common cause for this issue but this is not the case.

The odd thing is that I have another directory with the same custom policy and with exactly the same configuration, and it is working. The only difference is that this directory was created a month ago.

Any thoughts on this issue?

Phone-number-passwordless scenario does not issue newUser claim

Signup implementation in this scenario does not result in the newUser=true claim being included in the issued token, unlike in all (most) other scenarios doing signup. Therefore, applications using the signup/signin journeys do not get notified whether the received token represents a new B2C user or signin by an existing one.

Unable to validate the information provided

I have followed this documentation and added REST API call back.

https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-custom-rest-api-netfw

The API gets executed and returns a response.
Response: {"extension_CompanyGUID":"ABC"}

But validation fails with this error on signup: "Unable to validate the information provided."

I have created this user attribute (extension_CompanyGUID) from the UI and am using it here. I have entered the details of the "b2c-extensions-app. Do not modify. Used by AADB2C for storing user data." app in the "AAD-Common" profile metadata section.

Technical profile details:

On Boarding callback https://turindevbranch.azurewebsites.net/api/beta None Body true
<!-- Change LocalAccountSignUpWithLogonEmail technical profile to support your validation technical profile -->
<TechnicalProfile Id="LocalAccountSignUpWithLogonEmail">
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="extension_CompanyGUID" PartnerClaimType="extension_CompanyGUID" />
  </OutputClaims>
  <ValidationTechnicalProfiles>
    <ValidationTechnicalProfile ReferenceId="REST-API-SignUp" />
  </ValidationTechnicalProfiles>
</TechnicalProfile>

Generic exception "server_error, AADB2C: An exception has occured"

Using the custom SignUp_SignIn policy for SocialAndLocalAccounts, I am getting the exception below each time I try to authenticate with a social account (Facebook):

ErrorMessage: server_error
ErrorDescription:
AADB2C: An exception has occured.
Correlation ID: 9f92fe54-31e6-4ff8-8145-399311128ef8
Timestamp: 2017-08-14 06:24:34Z

The exception only occurs when I use custom policies in the AD B2C Identity Experience Framework. When tried with the default Sign-up or sign-in policy with the Facebook identity provider, it works perfectly well.

Issue with social and MFA

There is an issue in SocialAndLocalAccountsWithMfa: sign up works perfectly, but when signing in it will ask for a phone number to send the verification to, and you can enter a different number than the one used during the sign up procedure.

To correct this you need to add the following line:
<OutputClaim ClaimTypeReferenceId="strongAuthenticationPhoneNumber" />
in the technical profile AAD-UserReadUsingAlternativeSecurityId (which is the Azure AD claims provider) in the base file.

EnforceEmailVerification=false not working

all
I want to disable email validation at sign-up.

Following the tutorials at
https://docs.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-get-started?tabs=applications
and
https://docs.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-disable-email-verification
my custom B2C_1A_signup_signin policy keeps on showing the "Send verification code" button and requires the code to be validated.

Any hint on what could be wrong?

My policy files seem to be correct because:

  • Facebook integration works
  • when fiddling around with various other settings I either get an error message on the UI or a validation error when uploading the xml.

Unable to create users through migration process

When I run usermigration.exe 1 I do not see users appear on the screen as being created; it just says users migrated successfully. When I run usermigration.exe 2 I receive this error after 60 seconds: The remote name could not be resolved: 'azueb2cdemob.table.core.windows.net'

I have checked the URL to make sure that it is correct but am unable to use this sample.

Thanks.

Localization documentation

Hi guys,

I've been able to piece together quite a bit from just looking over the samples, but I'm struggling to localize messages like this: https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/blob/master/LocalAccounts/TrustFrameworkBase.xml#L487

I'm able to localize several fields that appear on the page (like the labels, username, etc.), but I'm not sure how to localize the error messages that come back if the user doesn't exist/password is wrong/etc.

Where is the actual documentation on all of this?

Sign in gives 'Your password is incorrect' with Custom policy.

Hi,

First, thanks for the custom policy starter pack.

I have followed the steps as given in the documentation, but somehow I am not able to sign in with the correct username and password.

The only change I made is instead of making ProxyIdentityExperienceFramework as Native APP I have made it as Web App/API.

Note: I made ProxyIdentityExperienceFramework as Web App/API.

For my POC, I am trying to have the custom policy for TaskWebApp and TaskService.

https://azure.microsoft.com/en-in/resources/samples/active-directory-b2c-dotnet-webapp-and-webapi/

Regards,
Venkatesh

SocialAndLocalAccountsWithMfa

When you load the policies for SocialAndLocalAccountsWithMfa everything seems to work correctly with the exception of "Forgot your Password". The link is broken. Any ideas??

Is there any method to get MAC address of the user's system using custom policies?

Hi,

I want to uniquely identify the user's machine by something other than IP address and want to store it in the claims as well. Is there any method to get the MAC address of the user's machine using the custom policies flow, or is there any other way to uniquely identify the user's machine? The reason I don't want to go with the IP address is that this approach cannot uniquely identify the user's machine if all the machines are on the same network, let's say an organisational network. In that case it will give me the public IP address, which I don't want because the public IP address will be the same for all the machines inside that network.

How to find out what returns a 500 error "There is a problem with the resource you are looking for, and it cannot be displayed." and why

I have Azure B2C custom policies. (They are based on active-directory-b2c-custom-policy-starterpack, but have some differences.)
I try to sign up a new user. During registration I get a 500 error "There is a problem with the resource you are looking for, and it cannot be displayed.".

POST /slhb2cuat.onmicrosoft.com/B2C_1A_signup_signin/SelfAsserted?tx=StateProperties=eyJUSUQiOiI1MmJmNzJhYi0xYTIwLTQzODgtYTgzOS1kZjBhNTUzYTVlNmEifQ&p=B2C_1A_signup_signin


I have configured Application Insights according to
https://docs.microsoft.com/en-us/azure/active-directory-b2c/troubleshoot-with-application-insights article.

But there is nothing useful (or I didn't notice something):
AI_logs.txt

Could you point out in what direction I should look?

Azure B2C custom policies can't integrate with API Management

I tried to configure Azure B2C using custom policies and API Management identities, but it was not successful.

  1. When I used Azure B2C built-in policies, it worked perfectly.

  2. When I used Azure B2C custom policies (with xml files), the Azure B2C provider appeared on the APIM login page. After login succeeded, I got an error message "Authentication has failed."

Does Azure B2C custom policies support APIM identities?
